
Published on: March 26, 2025 Updated 2 times since publishing
As cyber threats grow more sophisticated, the demand for simple, effective, and phishing-resistant authentication has never been greater. Yubico, the company behind the widely adopted YubiKey, has been at the forefront of this evolution—championing hardware-based passkey security that protects both enterprises and individuals. In this interview, SafetyDetectives spoke with Ronnie Manning, Chief Brand Advocate at Yubico, to discuss the company’s vision, its role in shaping passwordless authentication, and what’s next in the fight against account takeovers and identity theft.
Can you introduce yourself and talk about your role at Yubico?
My name is Ronnie Manning, and I am the Chief Brand Advocate here at Yubico. I’ve been with the company for about 12 years. I’ve seen all the growth and the changes in the market for the positive — the maturing of our ecosystem, from partners to integrations, to everything that now supports YubiKeys. It’s been a very fun and interesting ride.
Yubico has been at the forefront of hardware-based authentication for years. What was the original vision behind YubiKey, and how has it evolved to meet modern security challenges?
When the company was founded in 2007, hardware authentication had a legacy of being difficult, cumbersome, and not easy to use. The YubiKey was invented to flip that around — to introduce something that delivers the highest level of security for hardware authentication but is extremely easy to use.
The word “YubiKey” actually comes from the word “ubiquitous”; the founders wanted to build a physical security key that wouldn’t have a singular purpose. It wouldn’t just work for one application or service — it would work across the board: across operating systems, mobile devices, and so on. So one key could secure many apps, services, and operating systems – effectively securing your “digital life.”
The YubiKey is all built with the end user in mind. For example, you don’t want them to have to pull out another device when logging into an app or service. When the YubiKey is plugged in, when logging in to an application, you’ll be prompted to touch the key to prove you’re human — you touch it, and it sends the credential back to the application to verify that it’s actually you trying to gain access to the account and not some remote hacker who stole login credentials. If you’re using it on a mobile or an NFC-enabled device, you simply tap the YubiKey to it and it authenticates you.
With the rise of passwordless authentication, how does YubiKey fit into the broader shift toward a password-free future?
As a founding member of the FIDO Alliance, we have a long history of creating and co-authoring the FIDO authentication protocols, which are the backbone of the modern passkey authentication we use today. We first introduced FIDO Universal Second Factor (U2F) back in 2014. That evolved into FIDO2, which is the protocol that allows for passwordless authentication.
Passkeys in YubiKeys have been supported since discoverable credentials were added in the WebAuthn/FIDO standards in 2018, included in the launch of the YubiKey 5 Series. Since then, we’ve continued to work closely with the FIDO Alliance and industry leaders like Microsoft and Google to enable passwordless login globally through device-bound passkeys. This removes the dependency on the weakest form of authentication — a username and password.
With FIDO2, when I go through a passwordless login flow, I enter a PIN to unlock the key, press it, and it sends the credential to log me in. If you’re using one of our YubiKey Bio keys, the fingerprint replaces the PIN and logs you in. We’ve built this technology to be a major tool in the passwordless progression we’re seeing.
Phishing-resistant authentication is becoming a necessity for businesses and individuals. How does YubiKey protect users from evolving cyber threats like phishing and account takeovers?
Phishing-resistant MFA can be categorized into two flows: legacy Smart Card logins and modern FIDO-based logins – both of which are supported in the YubiKey, including being able to use a YubiKey as a Smart Card. The beauty of these is that there are no credentials that can be extracted via phishing attacks.
In scenarios using SMS or OTP apps, hackers don’t need to hack in — they can simply trick someone into handing over a code and then log in. For example, through social engineering, someone might pretend to be from IT support and ask for that code over the phone or email. If that code is accessible, it can be used to gain access to the account.
But with YubiKey, there’s nothing extractable. If someone called and asked for a code, I don’t have one. I touch the key, and that logs me in – there’s nothing I can give away.
Many large organizations and even governments have adopted YubiKey for security. What challenges do enterprises face when implementing hardware-based authentication at scale?
As companies have grown and embraced hybrid and remote work globally, getting physical hardware to the individual employees became a challenge.
To make this process easier for organizations, in 2020 we introduced YubiEnterprise Delivery, which lets us send keys directly to employees in over 70 countries and counting across the USA, Canada, Europe and Asia-Pacific – including many remote areas. We’ve also expanded YubiKey as a Service, giving organizations more flexibility in how they purchase and deploy keys to remote workers.
Last year, we added Yubico FIDO Pre-reg — which we first launched with Okta and are now working with Microsoft – with plans to support more identity providers. It combines YubiKey as a Service with YubiEnterprise Delivery and pre-registration capabilities for IT teams to more easily manage and distribute YubiKeys to a global workforce.
For example, if I’m a new employee and the company I’m joining is using Okta, my laptop and YubiKey can be sent to me at home. The key will already have my credential on it, and a temporary PIN can be sent out-of-band. When I plug in the YubiKey and enter the PIN, it securely logs me into Okta. I can then change the PIN, and from that moment, I’m using phishing-resistant authentication.
Next time I log in, I use the same YubiKey. Our best practice is to have two keys — a primary and a backup — so if one is lost or misplaced, you can still access your account. We’re focused on securing the entire employee lifecycle with a frictionless, user-friendly experience that will create phishing-resistant users across the organization.
What’s next for Yubico? Are there any upcoming innovations or new features that users should be excited about?
We’re continuing to build out the ecosystem with Yubico FIDO Pre-reg and working closely with our partners to make getting YubiKeys as seamless as possible — especially for large, dispersed enterprises.
There’s growing awareness on the consumer side as well. While we sell a lot to enterprises, security is becoming just as important for individual users.
We’re seeing more companies encourage employees to take their YubiKeys home and secure their personal accounts too. You can use one key with thousands of services — so it makes sense to lock down core accounts like Microsoft, Apple, and Google, which are often used for single sign-on. The same goes for social media — you can use the YubiKey to protect those as well.
We did a Global State of Authentication survey late last year and found that the most compromised accounts were on social media, payment apps, online retail, messaging, and banking. That’s basically your entire online identity. Securing those accounts with YubiKey technology is a great step to protect the ‘digital you’.
We’re also seeing younger generations grow up entirely online. For them, security isn’t a “nice to have” — it’s a must. We’re really focused on helping people secure their personal and professional lives together.