Securing the skies with YubiKeys: Insights on cyber resilience in the aviation industry and beyond

In an increasingly interconnected world, the landscape of cybersecurity is constantly evolving. Bad actors are becoming more sophisticated, leveraging tactics like phishing and ransomware to exploit human error and weak credentials. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises – especially those in high-stakes sectors like commercial aviation, industrial manufacturing and critical infrastructure.

While many organizations still rely on outdated practices like usernames, passwords, and legacy multi-factor authentication (MFA) methods, the need for phishing-resistant, device-bound passkeys like security keys has never been more critical. To explore these challenges and discuss the path toward greater cyber resilience, we recently sat down with Raphael Mayr, a strategic and business-focused cybersecurity executive with over a decade of experience building, leading, and scaling global security programs from the ground up. Most recently, he was the chief information security officer (CISO) at Volocopter, a German aircraft manufacturer and pioneer of urban air mobility (UAM).

Raphael has a proven track record of translating complex technical and regulatory demands in the EU (including EASA Part-IS, NIS2, and GDPR) into business-enabling strategies across sectors including aviation, finance, and nuclear critical infrastructure. Having built and led global security teams from scratch and championed modern security paradigms like Zero Trust, he holds a wealth of hands-on experience across cybersecurity. At Volocopter, Raphael established the company’s global cybersecurity strategy, which included architecting a Zero Trust identity program and deploying YubiKeys company-wide to all employees.

In our conversation, Raphael highlights the unique security challenges facing the aviation industry, the critical role of hardware-bound authentication amid rising phishing attacks (including best practices for implementing YubiKeys at scale), and his top recommendations for businesses looking to navigate an ever-changing world of cyber threats and regulations.

What makes you so passionate about cybersecurity and authentication?

Identities are at the heart of most corporations. People join, move, and leave – and having a strong, cyber resilient identity program helps tremendously in speeding up how a company can operate. It reduces friction for the helpdesk and security operations teams by enabling things like rapid provisioning of accounts on day one and immediate offboarding on an employee’s last day.

What shocked me most over the last few years is seeing large companies with mature security programs – which had been using phishing-resistant Smart Cards with X.509 certificates for over 20 years – suddenly move back to non-phishing-resistant mobile authenticators. In doing so, they unknowingly re-exposed their companies to a threat vector that had been solved long ago. The good news is that I’m now witnessing more and more companies moving towards FIDO2 security keys, which offer more capabilities and can help them return to their initial, sound security state.

What unique cybersecurity challenges did you face in the aviation industry at Volocopter?

When I started, we didn’t have a mature identity management program, and not all employees had a corporate phone – which raised the question of how to deploy MFA across our services. The labor union was hesitant about employees using private devices for authenticator apps. I knew we needed a solution that was not only phishing-resistant but could also solve multiple other challenges we faced.

Initially, some people were skeptical, thinking YubiKeys weren’t durable enough – but in fact they were all wrong. We had real-world experiences that proved their resilience and durability in the field: one employee forgot a key in his pants, and it survived both the washing machine and the dryer, coming out still working as flawlessly as before. Another dropped his keyring on the road, and a car ran over it – but the YubiKey kept working. These experiences helped us educate people on how resiliently built YubiKeys are, and how they can be trusted to last.

In your opinion, why is hardware-bound passkey authentication so critical for cyber resilience today?

Identities themselves are digital, but physical, hardware-bound passkeys like those stored on security keys provide assurance that a real human is present. The physical presence and capacitive touch feedback of a security key create a completely different and much stronger resilience profile than software-based tokens on a mobile device, which could possibly be compromised. With a physical key, you can demonstrate to auditors and regulators that you must possess the key, be physically present and know the PIN to gain access. Over the next few years we’ll see a broad adoption of passkeys which will lead to the extinction of the threat profile around account phishing.

Another big advantage is that hardware passkeys are far easier to explain to all generations. A great example is my dad and father-in-law: he likes using his YubiKey because it’s something physical he can hold. He knows only he can log in to his personal email or password manager with the key and a physical touch, and if a login attempt doesn’t work, he knows he is likely being phished. It provides an easy-to-understand security model in the form of security by design that helps protect everyone, including older generations.

Lastly, in the EU we’re also seeing legislation by governments to push for adoption of phishing-resistant tools like security keys – as highlighted in a range of requirements in the upcoming Cyber Resilience Act (CRA) as well as NIS2, the EU Product Liability Directive, PSD2, and GDPR. Even though it’s more easily said than done, most of the things asked for are around lack of quality and fundamentals in products, architectures, processes and knowledge. If all teams work cross-functionally together, we will see good outcomes materializing in the near future to ensure cyber resilience against unauthorized access from credential phishing attacks.

How have you used YubiKeys to drive operational efficiencies?

The benefits are significant – a key factor for adoption was permitting employees to use their company-issued FIDO2 keys for their personal digital identities as well, which they were very happy about. In fact, employees rarely (if ever) lost them because they keep them on their regular keyring for their house and car keys.

Login times were also heavily reduced, by over 70%, from over 80 seconds down to about 20 seconds, as people no longer had to type in their email, password, and then find an MFA token on another device. We also enabled phishing-resistant MFA in clean rooms using NFC readers, allowing staff to authenticate with a YubiKey under their gloves – something that wasn’t possible before.

Crucially, we secured our code development lifecycle by storing SSH and commit signing keys on YubiKeys. This allowed us to demonstrate that no one could have stolen a digital signing key unless physical harm or bribery took place. In a regulated industry like aviation, this creates a legally defensible record of who did what and when, ensuring that code committed to a repository couldn’t be tampered with. The versatility of a single YubiKey supporting FIDO2, SSH CA Keys, and X.509 certificates was the sweet spot for us.

What are your top recommendations for businesses looking to achieve cyber resilience?

First and foremost, get the fundamentals right. Most breaches today happen due to a lack of basics. This means implementing strong, phishing-resistant MFA in security keys, having proper identity lifecycle management, and ensuring device hardening. Your processes need to be as rapid as the threat actors are, and employees must be knowledgeable about standard operating procedures.

Beyond that, foster a culture of cross-functional collaboration. When teams work together and put politics aside, good outcomes will materialize. Accept that the journey might not be smooth from the start, but have a strong will to change things for the better. Finally, enjoy working with people, upskill them, and build security into your products and processes by design and by default.
