Protecting High-Risk Users One Security Key at a Time: Q&A with Yubico’s Secure it Forward Lead

At DDC we always say, “If you do only one thing, implement the strongest authentication and account security on the highest risk accounts.” We say this because compromising your accounts is the number one goal of bad actors.

Unfortunately, many people remain confused about what strong authentication is and the best way to secure accounts. 

We recently sat down with Andrea Tharp, Yubico’s Communications Programs Director and Secure it Forward Lead, to learn more about strong authentication and Yubico’s efforts to protect vulnerable populations one security key at a time. 

Q: What is Yubico and the Secure it Forward initiative?

Yubico is a global cybersecurity company - we’re all about making the internet safer for everyone. We provide strong, phishing-resistant multi-factor authentication (MFA) solutions - like YubiKeys - that help protect people online. But we also know that some people are more vulnerable to cyberthreats than others. That’s why we started Secure it Forward in 2020. Through this initiative, we’re proud to donate YubiKeys to individuals and organizations at higher risk of digital attacks, ensuring they have the tools they need to stay safe.

Q: You recently joined the Yubico team to lead the Secure it Forward program. What about the mission of Yubico and the program are you most excited about?

I’ve been in the corporate social responsibility space for over a decade, and what drew me to Yubico is its proactive approach to digital security and its belief that everyone - especially those most at risk - should have access to it. The internet connects us in incredible ways, but that shouldn’t come at the cost of personal security or safety. Through Secure it Forward, we’re working with amazing individuals and organizations around the world - people fighting for human rights, defending free speech, and protecting democratic integrity. And while we’ve already made a meaningful impact, there’s still so much room to grow. I’m excited to see what else we will achieve in the future!

Q: People may falsely assume that any form of multifactor authentication like SMS texts is good enough to protect their accounts. Why is this a bad assumption and what is strong authentication and why does it matter?

Any form of MFA is better than no MFA at all, but not all MFA technologies offer the same level of protection. Older methods, like SMS one-time passcodes (OTP) or even push apps, are vulnerable to phishing attacks - not just through intercepted codes but also because of social engineering.

It’s been said that hackers aren’t breaking into accounts anymore; they’re simply logging in. That’s because hackers can trick people into handing over their login credentials and authentication codes, making access easy.

Recently, the term "phishing-resistant authentication" has gained traction. This includes modern FIDO-based and smart card authentication, which eliminate the need for codes altogether. Security Keys provide the strongest defense against phishing attacks. When setting up authentication, the goal should always be to offer the highest level of security - protecting accounts, data, and individuals every single time they go online.

Q: Yubico is solely focused on strong authentication. What is a YubiKey? Why are they so secure? And how easy are they to use? 

The YubiKey is a hardware security key designed to work seamlessly with any service, application or operating system. The goal was to make strong authentication ubiquitous and over the years, we’ve added support for thousands of services, allowing users to securely authenticate with a single device across multiple platforms. One of the best things about a YubiKey is how simple, yet secure, it is to use. Instead of waiting for a code or opening an app, you just simply touch the device to authenticate and you’re instantly logged into your account. Plus, YubiKeys with NFC support allow for quick authentication by simply tapping your mobile phone or any NFC-enabled device.

Q: Who should use a YubiKey?

Everyone! Our devices are trusted by some of the world’s largest organizations, as well as individuals looking to secure their personal accounts - whether it’s social media, banking, email, or cloud services like Google, Microsoft and Apple accounts. With a YubiKey, all of these can be protected with the strongest level of authentication available. 

One of the great benefits we’ve seen is that employees use their YubiKeys not just at work but also at home, securing their personal accounts. This creates a culture of strong security habits, helping people stay protected in every aspect of their digital lives.

Younger generations, in particular, are growing up in a digital-first world, sharing and storing more of their personal information online than ever before. A recent survey found that the most common services experiencing password breaches include social media, financial sites, email providers, and payment apps - essentially the core of people’s online identities. That’s why we want to encourage a security-first mindset from an early age. By using a YubiKey, individuals can take control of their online security, protecting their accounts, their identity, and their future.

Q: We are very grateful for our partnership with Yubico. In the 2024 cycle alone, Yubico donated more than 20,000 security keys to protect political campaigns, committees and state parties. We know that your work with DDC is only one of many efforts of Secure it Forward. What other initiatives do you have underway? 

Yubico was founded to help create a safer world while respecting all people and the planet. Beyond Secure it Forward, we’re also committed to reducing our environmental impact. Since 2022, we’ve partnered with Solvatten to offset our carbon emissions and provide clean water solutions in developing countries. Within Yubico, our Employee Resource Groups play a key role in building and fostering an inclusive community—something we’re incredibly proud of!

Q: Authentication is ever-evolving. Just in the recent past we have seen the rollout of passkeys. What’s next in authentication and what should people be paying attention to?

Passkeys are gaining momentum and it’s exciting to see more adoption. But what exactly is a passkey? It’s a FIDO2 credential that allows for secure login - either as a second factor or in a passwordless login flow.

YubiKeys have supported passkeys since 2018 as device-bound passkeys - meaning they are stored on a dedicated security key built specifically for authentication. In addition, we’re seeing the rise of multi-device passkeys, which are stored in the cloud, further driving the adoption of phishing-resistant authentication.

While all passkeys improve security, we always recommend using the strongest protection by storing them on purpose-built security keys like the YubiKey. This provides the highest level of assurance for keeping your online identity and accounts safe.