White paper: Bridge to Passwordless best practices
When we ask our customers why they chose the YubiKey, the most common answer is ease-of-use.
If you get a job at one of the large internet companies here in Silicon Valley, you are likely to also get a laptop with a YubiKey inside the USB port. But you may not know it’s a YubiKey. I learned that from someone I met at the local train station while waiting for the train to San Francisco. He was carrying his laptop under his arm, and I noticed the rounded golden edge in the USB port. When I thanked him for being a customer, he looked surprised; “Oh, I did not know. I thought it was the new Apple touch feature for the new Mac!” I am sure the YubiKey smiled after these words — there are not many authenticators out there that have been mistaken for an Apple product!
Some time ago, Facebook posted a video on YouTube sharing how they used YubiKeys, and why no other authentication technology matches its simplicity and speed for multiple login sessions.
After Google deployed U2F-powered YubiKeys for all staff, and provided support for Gmail users, their statistics showed that the login process was four times faster compared to Google Authenticator (their mobile authentication app). The process of picking up a phone, opening an app, and re-typing a code — not only is time-consuming but error-prone. With YubiKey, it’s just a simple touch.
However, the main reason Google deployed U2F-powered YubiKeys is security. One in fifty emails that land in your Gmail inbox is a phishing attempt. Although sophisticated spam filters block most of them, it is still difficult to stop individually-customized phishing emails, even with the one-time password from Google Authenticator. With U2F and public key crypto, Google has measured significant fraud reduction.
U2F also enabled Google to cut support by 40% compared to Google Authenticator. There may be a perception that paid hardware is more costly to deploy than free software. But when the industry-average cost for recovery support is approximately $30 per ticket, the reality can be different. With backup YubiKeys on a keychain, in a wallet and the USB port, users submit fewer support tickets and are at lower risk of being locked out than those who rely on a single phone app.
Many of our customers value that we allow them to easily program and fully control their own YubiKey secrets. Others like that one single YubiKey can be used with the range of authentication and cryptographic protocols. All like that YubiKeys are water- and crush-resistant (as demonstrated in the picture above). To learn more about the security, usability, and cost benefits of the YubiKey compared to other authentication technologies, see our chart: Why YubiKey Wins.
There may not be a silver bullet for strong authentication, but the YubiKey is getting close.