Freedom of the Press Foundation protects press freedom with the YubiKey 

Protecting journalists from cyber threats to ensure a free press 

Protecting journalistic freedom means working to preserve and strengthen the rights guaranteed to the press, which the Freedom of the Press Foundation (FPF) does through its three pillars: advocacy, digital security training, and technology protections for journalists and their sources. 

“Journalists have always been, and will always will be, at risk for doing their jobs. A journalist’s job is to speak truth to power and that can be incredibly threatening. Freedom of the Press Foundation supports that mission by working to give journalists every tool that they need in order to continue to do that job.”

Harlo Holmes is the Chief Information Security Officer and Director of Digital Security for FPF. Holmes, a software programmer, activist and former contributor to the mobile security Guardian Project, works closely to understand the changing risk and technology landscape to evolve the tools and digital security training that FPF provides to newsrooms and journalists. With the help of Yubico’s Secure it Forward program, that includes getting YubiKeys into the hands of journalists around the world. 

Due to the high profile nature of their work, journalists are a target for attacks that threaten their personal safety, the safety of their sources and which undermine the freedom and integrity of the press. Spyware, surveillance, malware, and phishing attacks may compromise systems, reveal sensitive data, or reveal personal information about journalists in order to discredit, harass or intimidate them from covering stories (doxing). From their work, FPF has identified that most attacks against journalists and newsrooms can be traced back to phishing and the compromise of credentials.

As public figures, journalists cannot rely exclusively on the IT infrastructure of their newsroom for protection, but instead must take an active role in learning about and protecting their personal information and devices. “Many journalists don’t even use an office anymore, which changes the attack surface significantly,” notes David Huerta, Senior Digital Security Trainer. “That puts more responsibility on individual journalists to protect anything that could be a target, including their personal accounts.” 

Since its inception, FPF has always been a technology-forward organization, pursuing technical projects and digital security training to protect journalists and their sources. In 2013, FPF took over the development of SecureDrop, a free whistleblower platform used at more than 65 news organizations to facilitate secure communication between journalists and anonymous sources. 

FPF was also an early adopter and strong advocate for multi-factor authentication (MFA) and the YubiKey. The YubiKey supports phishing-resistant MFA and passwordless authentication, offering the highest level protection for a journalist’s identity, accounts and devices. Without having physical access to the security key, a bad actor isn’t able to access an account. “Helping journalists adopt the most secure form of authentication available is important in supporting our goal,” shares Huerta. “Our ultimate goal is a free press that acts within the autonomy it gets when it doesn’t have to fear repercussions.” 

“Nothing is more gratifying to me to know that I have, in some way, contributed to the information that’s out there in the public interest. Nothing means more to me than a free press.”

Digital security training addresses that not all MFA is created equal 

FPF has a team of five Digital Security Trainers who work with news organizations, freelance and citizen journalists around the world, providing in-person training, webinars and written guides. Digital security training is often triggered by a security incident, a specific need (e.g. supporting remote work), or a desire to learn how to use a particular tool or platform.

Due to the risks associated with credentials, FPF’s digital security training has consistently focused on the need for stronger authentication than passwords alone. “Phishing is cheap, can be done and it works. That’s why it’s such a problem,” says Huerta. “But two-factor authentication is also cheap, also works, and is the best way to combat these kinds of attacks.” 

Although source protection, online harassment and account security remain the foundation of FPF digital security programs, training is not fear-motivated, but instead based upon “making people excited about the opportunities that security tools can provide,” notes Holmes. While in 2015 it was “groundbreaking” to be speaking of multi-factor authentication (MFA), today Holmes and her team are working to educate journalists that not all MFA is created equal and that strong MFA can actually be easier to use.

Davis Erin Anderson, a Senior Digital Security Trainer at FPF, introduces journalists to the concept of “good, better, best” when it comes to MFA. While “good” may be getting a second factor through SMS and “better” may be using an authenticator app, both of these forms of MFA can still be bypassed by malicious actors, leaving

“We teach people that YubiKeys are their top priority among all the ways you can use multi-factor authentication.”

The YubiKey offers the strongest protection against account takeovers and helps pave the way toward secure passwordless login flows using passkeys. Passkeys, a new name for FIDO2 credentials, are designed to help replace passwords and can be stored on a device such as a computer, smartphone or security key such as the YubiKey. “I am excited to see security keys like the YubiKey and for strong MFA and passkeys to become more ubiquitous,” shares Huerta. “I feel the YubiKey will help massively solve the cyber attacks that we see.”

Journalists create stories in a number of different ways using different technologies at different times. A journalist may use a fully encrypted offline laptop to protect source materials and drafts, requiring the use of the YubiKey and a secure PIN to unlock the disk. For drafts, the same YubiKey can be used to provide secure access to a cloud-based content management system (CMS) to collaborate with editorial staff.

The YubiKey provides journalists with easy-to-use high assurance authentication that moves with them across platforms and devices. “Anything that people control physically is a really strong way to let people feel that they have control over their security posture,” shares Anderson.

“Depending where in the story a journalist is, a YubiKey can jump in and provide different layers of protection.”

Getting YubiKeys into the hands of journalists with the Secure it Forward Program 

It is one thing to recommend the YubiKey to journalists, it is quite another to be able to put a YubiKey directly in their hands. With the help of Yubico’s Secure it Forward program, FPF can now freely distribute YubiKeys to the journalists they work with.

Yubico matches up to 5% of the number of YubiKeys purchased on Yubico.com, donating them to non-profit organizations, election campaigns, journalists and humanitarian workers around the world. Yubico reached out to Holmes to extend this capability to journalists who work with FPF. 

With the help of the Secure it Forward program, FPF is able to take its digital security training to the next level: providing at least one journalist in each training session with a YubiKey and helping them take the first step to set up MFA on at least one of their accounts. The Secure it Forward program has helped make an intangible topic about MFA into something more tangible. “The YubiKey is incredibly intuitive,” says Holmes. “Once people have it in their hands, they get it. It feels really great to give people a tool that they can use after they walk out of the training.” 

“I would carry my YubiKey around to training to demonstrate how they were used. Now, with the Secure it Forward program, I am able to put the tools that people need in their hands, introducing them to better workflows and better security.”

The Secure it Forward program has helped reinforce the FPF’s mission to support, defend, and empower journalistic freedom. “Journalists would walk into our training vulnerable to phishing attacks and other forms of account takeovers,” notes Anderson. “With the Secure it Forward Program, journalists can walk out protected, with accounts set up for MFA and the YubiKey. It’s a massive step forward in being able to protect the work journalists do.” 

During training, journalists may raise questions related to the durability of the YubiKey or what to do if a key is lost. The YubiKey is crush-resistant and water-resistant, surviving those situations when keys have been run over by cars or put through the washing machine (true stories). With reference to lost keys, FPF follows Yubico best practices, suggesting or giving a second key for backup, to be stored in a safe location.

“The Secure It Forward program has been really important to us because it is one way where we can absolutely put the best solution in people’s hands, and walk away from a training knowing we have done the absolute best for these journalists that we serve in order for them to continue to do the most important work.”

Protecting those who protect the press

When Holmes joined FPF in 2015, staff were already using the YubiKey to securely store encryption keys forPGP smartcard access to its systems. “Everyone knew about the YubiKey,” shares Holmes. Given the critical work that FPF does for journalists, in terms of advocacy and technology protections, it was a natural step for FPF to extend use of the YubiKey to protect access to its computers and applications. 

“We made a very conscious decision to incorporate the YubiKey into our onboarding for every employee, contractor and intern,” shares Holmes. “We teach our employees about MFA and how to secure every account—those we use together as an organization and also in their personal lives.” 

Onboarding with the YubiKey has consistently been easy. “The YubiKey is intuitive, right out of the box,” says Holmes. Users can simply plug a YubiKey 5 NFC into a laptop or tap it against a smartphone to authenticate. 

Aside from its work in advocacy and digital security training, FPF also works on technology projects to support press freedom, including its SecureDrop whistleblower platform, the U.S. Press Freedom Tracker, and Dangerzone, a tool that converts potentially dangerous PDFs into safe files. To make the code on these projects tamper-proof, FPF developers use the YubiKey for secure signing into the development environment. 

Future-proofing security

Looking to the future, for FPF and the press, Holmes knows that cybersecurity is always changing, such as the use of artificial intelligence to boost the effectiveness of social engineering campaigns. The YubiKey doesn’t just stop run-of-the-mill phishing attacks, but also these emerging and threatening social engineering attacks. 

For Holmes, the future of cybersecurity is not just about what takes place inside FPF or across the media industry as a whole, but also about taking steps to empower people, particularly women and girls, to seek out and embrace opportunities in cybersecurity. “We need to continue to create space where it’s safe for women to thrive,” shares Holmes. “Where women have access to information, networks, and people to know are not gate kept, but rather shared.”

“I’m always thinking about what comes next, what is going to be the future of cybersecurity and how those things may impact the press’ ability to do the work they do. The YubiKey puts us ahead of the curve.”