Exclusive: Yubico's Geoff Schomburgk discusses future of passwords
Passwords, as we know them, are on their way out. Yubico's Regional Vice President for Asia Pacific and Japan, Geoff Schomburgk, sees a future where passwords are replaced by more secure alternatives, but he acknowledges the transition won't be swift.
"We've been using passwords for 60 years," he explained to TechDay during an exclusive interview. "We'd love to think that we'll get that 80-20 rule soon, but I expect for passwords, it'll be a long tail."
In an era where cybersecurity threats are constantly evolving, the need for secure and user-friendly authentication methods has never been more pressing.
Yubico, a pioneer in authentication solutions, is at the forefront of this change, advocating for the use of passkeys and hardware security keys like the YubiKey to replace traditional passwords.
Schomburgk explained the fundamental difference between passwords and passkeys. "A password is a certain length, complexity, stored centrally. Someone has it. It's a shared secret," he said.
"Whereas a PIN is P for personal, it's a personal identification number. You don't share it. It's not stored centrally, and that in our world is a fundamental difference."
This distinction is critical in understanding why passkeys, which are unique to each account or service, offer a more secure alternative to passwords. Schomburgk noted that while some may argue that a PIN is just a code like a password, the key difference lies in its personal nature and decentralised storage.
The shift towards passkeys is already underway, with major companies like Microsoft and Apple embracing the passwordless movement. Yubico has played a significant role in this transition, having been a founder of the FIDO Alliance, which has developed protocols for secure, passwordless authentication.
Schomburgk recounted the company's involvement in the evolution of these protocols.
"We invented the first one with Google, FIDO1, or FIDO Universal Second Factor, is its technical name. That was the experience. There was username, password, insert the key and touch the key. So that was the credential, confirmation of user intent, and the cryptography validated that." This laid the groundwork for FIDO2, the protocol that underpins the passkey concept, allowing for truly passwordless experiences.
For those wondering why they should consider using a YubiKey instead of storing passkeys on their mobile phones, Schomburgk highlighted the advantages of portability and cross-platform compatibility. "The YubiKey is portable," he said, demonstrating a mini version of the device. "If you store your passkey in your Apple ecosystem, it is not yet today portable across to Microsoft or Google."
This lack of portability across platforms is a significant limitation of software-bound passkeys, particularly for users who operate in multiple ecosystems. YubiKeys, on the other hand, offer a hardware-bound solution that works across different platforms, providing a seamless and secure user experience.
Schomburgk acknowledged that while software-bound passkeys are convenient and sufficient for many consumers, those who prioritise security will find YubiKeys to be a superior alternative.
While YubiKeys are primarily focused on authentication, Schomburgk mentioned that the company's technology is not currently designed for physical access control, such as entering buildings. However, there are use cases where YubiKeys could potentially be integrated with access control systems, provided those systems support open standards.
"We provide authentication. That's our existence," he said, adding that while there is a case study on their website involving access control, it remains a secondary focus.
One area where YubiKeys are making a significant impact is in retail environments, where speed and convenience are paramount.
Schomburgk described a scenario where YubiKeys could replace the traditional login process at point-of-sale terminals, reducing the time it takes for employees to log in and enhancing customer satisfaction. "The YubiKey offers that login experience that is at least four times faster," he said.
In a retail setting, where multiple employees may need to access the same terminal, YubiKeys provide a quick and secure way to authenticate. "You go up to it, you tap the key to the terminal with the NFC reader. It wakes up and says, 'Oh, you want to authenticate. Give me your PIN.' You then enter the PIN, and then you tap again," Schomburgk explained.
This tap, PIN, tap process is not only faster but also more secure than traditional username and password logins, making it an ideal solution for busy retail environments.
Looking ahead, Schomburgk is optimistic about the future of authentication technologies and the role that Yubico will play in shaping it. With companies like Yubico leading the charge, the end of the password era may be closer than we think.
"For those that are serious about security, having the passkey stored on a physical device such as a YubiKey is seen as a superior alternative," he said.