YubiKeys secure Civil Rights Defenders against AI-powered phishing attacks
Highest assurance passkeys allow human rights defenders in Stockholm and around the world to continue activism securely
Civil Rights Defenders is an international not-for-profit and non-governmental organisation, defending human rights in some of the world’s most hostile and repressive environments. In 2024, the organisation supported human rights defenders, civil society organisations and movements in over 34 countries.
Key results:
Industry
- Non-profit
At a glance
- HQ in Stockholm
- Presence in 50+ countries
- 300+ partner organisations
Protocols
- FIDO2 (Passkeys)
Yubico solutions deployed
- YubiKey 5 NFC
- YubiKey 5C NFC
“My advice for all NGOs considering YubiKeys is to go for it— it’s very easy to roll out and maintain, and will increase your digital security.”
Defending Democracy in the World’s Most Hostile Environments
Civil Rights Defenders aims to proactively strengthen the skills and capacities of human rights defenders, so they can do their work securely and effectively, and use their rights to promote democracy and justice worldwide. Their Emergency Fund provides rapid assistance to human rights defenders who are in danger— offering legal aid, temporary relocation and psychosocial support.
“What attracted me to Civil Rights Defenders was the sense to do something bigger and better for the world,” says Ana Maria Mendoza, Programme Lead in the Security and Innovation Department. “We are part of a global movement, holding individuals, governments and non-state actors accountable for human rights violations. The idea of providing tools tailored to those that need them, so they can do their work effectively, really attracted me.
“We live in a world where both physical and digital threats are very present. Providing security measures is no longer just about the physical stuff. We need to step up on digital measures as well.”
Decline in Democracy Raises Cyber Threat for Human Rights Defenders
The stakes for those supported by Civil Rights Defenders couldn’t be higher. “We have helped human rights defenders that faced death or risk being tortured— we take them out of those situations,” says Mendoza. Increasingly, threats are not only physical, but digital. Civil Rights Defenders provides guidance on security measures when human rights defenders are targeted online by governments, or if their accounts have been compromised.
Jordan Pleiter, IT Officer at Civil Rights Defenders1 , sees a link between threats to democracy worldwide and increased cyber threats to human rights defenders. “You can see it all around the world,” says Pleiter. “We’re seeing targeted attacks from both governments and political groups who oppose the work we do.”
AI is now being used by adversaries to easily create phishing emails at scale, compounding the threat. “The biggest challenge is the more sophisticated phishing emails,” says Pleiter. “Some do slip through the filters, so it’s on the user to be the final line of defense. They are getting much harder to spot— much more real.”
Pleiter sees the primary risk of cyber attacks as account compromise. If a malicious attacker were to successfully access Civil Rights Defenders’ system, they could ‘do a lot of damage’. An attacker would not only be able to access sensitive data, but could also impersonate their victim and contact trusted partners to expand the breach. As a result, a single compromised account can jeopardize an entire network.
“We take security so seriously, because if our work is compromised, it’s not only us—it could be our partners, their communities, and whole movements too. That’s why we also encourage our partners to increase their security measures.”
Moving Beyond Legacy MFA to Phishing-Resistant Security
“One thing that has not changed with artificial intelligence is the targeting of humans. We are the first target when it comes to digital threats.”
The threat posed by cyber attacks and phishing emails means that Civil Rights Defenders has sought to adopt higher assurance security for accessing their systems. Multi-factor authentication (MFA) is required and while Microsoft Authenticator is permitted, the use of YubiKeys is encouraged to establish a higher bar for security. Historically, SMS authentication was an option, but is no longer supported due to its vulnerability to man-in-the-middle attacks.
YubiKeys, phishing-resistant hardware security keys that require a physical touch or contactless tap to authenticate, block even the most sophisticated AIgenerated phishing and man-in-the-middle attacks. Developed, manufactured and programmed in Sweden, YubiKeys can store up to 100 passkeys, as well as Smart Card credentials and more, offering important flexibility for organisations of all sizes.
Civil Rights Defenders were able to receive YubiKeys free of charge through Yubico’s Secure it Forward programme, which donates YubiKeys to non-profit organisations, human rights defenders and journalists around the world, helping those most at risk improve their security posture
“A strong positive of the YubiKey is that it’s phishing-resistant. Malicious attacks can compromise legacy MFA. YubiKeys are a physical key, so they can’t be intercepted. This makes YubiKey very strong for authentication.”
YubiKeys Offer Passwordless Access to the Microsoft Ecosystem
Civil Rights Defenders use highest assurance passkeys, those stored on YubiKeys, to secure Microsoft Entra ID, their cloud-based identity and access management solution. This offers staff passwordless access to their devices through Windows Hello for Business. The user experience is simple: staff touch their YubiKey and enter a short PIN. Crucially, this PIN is stored locally on the key itself, meaning it can never be intercepted.
Currently, Civil Rights Defenders requires YubiKeys to access admin portals, with plans to soon expand to all sensitive data across the organisation. As YubiKeys do not require internet access or phone reception, they also offer an essential tool for staff who visit areas where reception is unreliable, or who attend meetings where phones are not permitted for security reasons.
YubiKeys are also used at the organisation as an additional method of authentication for various internal web services, using FIDO protocols. Additionally, Pleiter and the IT team recommend staff use YubiKeys for personal social accounts, emails and password managers. This strategy mitigates the risk posed by password reuse, which can mean a single personal account being compromised leads to a chain of vulnerabilities.
Civil Rights Defenders chose to deploy the YubiKey 5C NFC, allowing seamless authentication to both computers and phones using either a USB-C port or a contactless tap. “The rollout for YubiKeys was quite easy,” says Pleiter. “To create the initial access policy didn’t take long at all, and to set them up as an authentication method is also very easy—and, it’s easy for users.”
“As an IT team, we can sleep easier knowing that devices are more secure. If the user does fall for a phishing link, the attackers are much less likely to get in thanks to the YubiKey.”
Case Study: Rachael Muthoni, Defenders Coalition
Rachael Muthoni is an ICT Professional at the National Coalition of Human Rights Defenders in Kenya, known as Defenders Coalition. The organisation’s mission is to champion the safety, security and wellbeing of over 8,000 Human Rights Defenders across Kenya.
“Human rights defenders in Kenya continually face cyber attacks. This has been on the rise since last year, where human rights defenders and activists used the online space to mobilise people to go on the streets and defend their rights.
Human rights defenders face phishing attacks through email, SMS and social engineering. At the grassroots level, the risks of man-in-themiddle attacks aren’t understood—we bring this knowledge to them and offer tools for better authentication. My role is to equip human rights defenders with the digital skills and tools they need for their safety, and for their work.
Since 2023, Civil Rights Defenders have provided YubiKeys to our team as well as for our digital security help desks, where human rights defenders can visit. Before YubiKeys, most human rights defenders had been using two-factor authentication on SMS for account access.
It’s a relief to know that I no longer have to remember passwords or use my phone for a one-time-password. Logging on to a device becomes very easy because it’s just Tap and Go—it’s easier and saves so much time.
Human rights defenders have really liked the YubiKeys, and have reported that their accounts have been safer. If you don’t have the YubiKey, you can’t log on to the account. It’s just a joy to see a human rights defender at peace and continuing with their work.”
Strengthening Online Security Across the Globe
“Knowing that Yubikeys are manufactured in Europe and following European standards is extremely important for us. We know that we can trust them, and recommend to our partners without fear of endangering or compromising their information.”
YubiKeys are also an important part of the ‘digital security toolbox’ Civil Rights Defenders offer to human rights defenders and partner organisations around the world—facilitated by the Secure it Forward programme. “It’s a great way to secure information and accounts, but also a very user-friendly, easy tool to use,” says Mendoza. “If Yubico didn’t have the Secure it Forward programme, there would be a gap in what we could provide.”
Training is provided to partners, demonstrating how to best use YubiKeys within their unique environments. “We let partners know about the dangers of cyber attacks and that strong MFA is a must,” says Pleiter. “The feedback we’ve received from partners has been that the YubiKeys are very easy to set up and use.”
Civil Rights Defenders continue to expand their use of YubiKeys, both for their own team and external programme. The next step on their roadmap is to deploy YubiKeys for all employees who work with their partner network—ensuring that everyone who is part of the fight for more democratic societies has the security and protection they deserve.
1 Position accurate as of March 2025.