Trust in Yubico
Trust is earned through transparency and integrity. Yubico, founded in 2007, helped build open standards like the Fast Identity Online (FIDO) standard in collaboration with industry-leading organizations and companies. The information provided here is intended to provide transparency in how we approach security and privacy so that we may earn your trust.
Yubico’s hardware-backed authenticators rely on a global supply chain. We source our most sensitive component, the secure element, from a trusted and industry-leading vendor. Sensitive operations, like programming, take place at our facilities in Sweden and the United States. We also built a robust chain of trust that starts with our vendor assurance program and ends with programmatic validation of components. Additional information about our secure manufacturing practices can be found below.
Security is embedded in our software and hardware development lifecycle at Yubico. Our engineering teams employ secure development practices that include security training, design reviews and threat modeling. Our dedicated security team provides automated static and dynamic analysis and performs a manual code review and penetration test for major releases. We also work with trusted and independent third parties to review the security of our products and services.
We’ve established a Product Security Incident Response Team (PSIRT) and publish security advisories below.
Data Security & Privacy
Our customers’ data is important. Although the amount of data we handle is minimal, the type is sensitive and important. Data is protected throughout its lifecycle using industry best practices. Yubico uses a carefully selected range of methods to protect the information we store, including disk encryption, Pretty Good Privacy (PGP), Hardware Security Modules (HSMs), and a variety of platform security solutions offered by Google Cloud Platform (GCP), and Amazon Web Services (AWS).
Transport Layer Security (TLS) is used for encryption to protect information in transit. Where possible, TLS connections are mutually authenticated, to ensure that the identity of both the server and the client are verified prior to allowing access to that data. Multi Factor authentication with YubiKeys is used anywhere an employee can interact with systems handling customer data.
Yubico also uses shared responsibility and least privilege models to minimize the opportunities for abuse and unauthorized access. Administrative actions are immutably logged in a central location and monitored by multiple groups within Yubico. Alerts are used to report on anomalies and reviewed by Yubico’s operations and security team.
Your privacy is important to us. We always strive to minimize the information we collect and remove that information when it is no longer required. We also limit where this information is stored and who has access to it.
Our practices comply with General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), in addition to other legal requirements. Details about our privacy practices can be found at https://www.yubico.com/support/terms-conditions/privacy-notice/.
Data Retention & Removal
Yubico retains data only as long as necessary to operate our business and to comply with statutory and regulatory requirements. We do not use this data for any purposes other than the purpose for which it was collected to begin with.
Yubico follows NIST 800-88 to sanitize or destroy physical media.
Yubico’s services are deployed across cloud services providers and colocation facilities for YubiHSM-backed services.
We secure our colocated infrastructure in locked cages monitored 24x7x365. Access to these data centers requires two-factors of authentication at a minimum. Our colocation vendors publish a SOC-1 Type II report that attests to their ability to physically secure our infrastructure. Only Yubico personnel and employees of the colocation vendors have physical access to this infrastructure.
For our cloud services, we use Google Cloud Platform (GCP) and Amazon Web Services (AWS). Google and Amazon have both undergone multiple certifications that attest to their ability to physically secure Yubico’s services. You can read more about Google Cloud Platform’s security here and Amazon Web Services’ here.
Access to Yubico’s key programming facilities is restricted to only the Yubico personnel that require access. Access is logged and monitored.