By the time customers catch on and the company falters, the investors/owners that profited financially, and managers that profited on their resumes, from the short-term gains may have moved on. The party that's really hurt is the customer base.
I've seen this play out again and again.
Private company Boards can be more ruthless than public companies’. (Historically, this was the norm.) Much of tech’s myth of quarterly metrics and short-term planning in public companies comes from unfamiliarity, not fact.
The last years of public tech companies had zero discipline. Everything was long term. Right now, Apple’s investors are fine with decades-long secret plays while oil and gas companies have short-term investors. Managing your shareholder base is part of managing a large company, public or private, and as with so many things comes down to the people involved more than any heuristic.
Depends on ownership. When the insiders still own 80% (or control that much through super-voting shares), the minority shareholders’ interests (often but not always short-term) may still be ignored.
As a customer, I don't care why this is, but it is. That's why this is bad news every time it happens -- it's not that corporations are bad, it's that the products very often (but certainly not always) become undesirable.
The company I work for did not IPO yet either, and we still do performance reviews every quarter. So idk if going public matters much in that regard.
Make keys, sell keys. The end. What's there to raise funding for? Build yet another password vault?
Also all the people who built the company in the first place will cash out. People can decide for themselves whether they think the product will become more or less secure from this.
This reads like a non sequitur. The corporate structure is irrelevant if there is a radical change affecting how strategic decisions are made regarding their products and their userbase.
I wouldn't call that an irrational concern, since it's in fact pretty rational. Stock market investors demonstrably do not value computer security over financial performance, and once they control a company, its focus will shift to their priorities.
Liquidity for employees who exercised their options and investors who funded them before they had significant revenue, presumably.
When it comes down to it, which master will Yubico serve? The customers or their shareholders?
Now Yubico has a fiduciary responsibility to their shareholders.
I frankly can't think of very many companies that are able to resist this core capitalist corruption. Even Costco is implementing shareholder over customer policies. 1Password? Google's "do no evil." Are there good examples of companies that stay customer first after going public?
Also not going public, but Fastmail was bought by Opera in 2009 I think but then bought themselves back out again, and they've continued to offer excellent customer service (including yubikey support of which they were an early adopter) all the time.
So I'd say there's precedent for companies staying customer-focused under capitalism if the stars align: it has to be a place where (1) staying customer-focused is a clear net positive for the domain they're working in, even from a revenue perspective and (2) the people running the company understand this.
I imagine this is much more the case for companies where the customers are specialists / power users (think: developers) or other businesses, rather than the general public. I hope that means Yubico of all places is lower risk. Although I consider them one of the best if not the best in the market, were they to go under, there are alternatives (Google's own Titan keys are OK replacements for the end user, though obviously they don't have the Yubico back-end infrastructure). FIDO/U2F etc. are standards and come with certifications, so I'd hope there's only limited room for manoeuvre for any new Yubico owners to mess up, and a sufficient threat of losing their business that they are not incentivised to try anything too shady.
Now with shareholders in the mix I fear they will try to find recurring income models to increase profits. I guess we'll just have to see.
Do one thing, do it right, keep your customers happy, get your money, enjoy your life...
Also, though I would miss yubikeys if they went under like this, in practice I could switch to google titan or something else and it wouldn't be the end of the world.
Yes, there are competitors. But I really don't want to be reliant on Google as a company. I guess Solo Keys and Nitro Keys could be good alternatives, but I really feel Yubico has a great reputation as far as hardware token companies go.
You plug both yubikeys in. Authenticate on both keys using the tool and then you're able to transfer/backup.
Corporate management offerings around YubiKeys: inventories, calling home to renew an expiry, if the YubiKey itself, when touched, should give out the information.
Trust me, if Yubikey hires me and goes IPO it is all downhill but the company will make a boatload more money.
Every company I have worked for I've found significant ways of increasing margins and EBITDA.
<quick search>
Yikes! I didn't realize Yubico was in such bad shape financially that this was their best (only) option.
Some early employees could want to cash out. Going public is a great way to do that.
Apple, Google, Facebook, Microsoft (especially recently), Nintendo, Tesla, etc.
The IPO is a statement to investors that the company believes it will grow bigger and seeks public market funds to accelerate growth. That doesn't always happen.
Some companies and investors see the IPO as merely a liquidity event, which is the wrong perspective to take. SPACs were clearly being abused for this.
Also, Microsoft went public almost 4 decades ago, Apple went public over 4 decades ago; the landscape looked a bit different then.
Microsoft - Ruining Windows to extract more value from customers.
Facebook - hardly anything even needs to be said here.
Google - slowly getting worse and rotting away.
Tesla - I’m a bit neutral here. Tesla has its problems, but it’s not clear that they used it be amazing and now are just trying to extract money from users.
Maybe Yubikey could do to PKI what Tailscale did for VPNs: make the whole process dramatically simpler and easy to use. Still sell Yubikeys, please, but set up a funnel to capture corporate recurring revenue by solving this problem better than the alternatives.
This is weirdly enough a Swedish singer who had Eurovision Song Contest ambitions. https://www.youtube.com/watch?v=HE1Vy5lKuzw
She's part of the Swedish upper class – the Swedish wikipedia page lists her as "baroness" (friherrinna), further accentuated by her name ("af" is the swedish variant of the german "von")
This is the artist: https://en.wikipedia.org/wiki/Caroline_af_Ugglas
Soon you will be beholden to Wall Street. That means at the slightest controversy there will be calls to enable a back door to your product(s).
But even ignoring that, going public itself doesn't bode well for the product regardless.
Like, a programmable key is cool as an idea, but I need smartcard support and a button on it to confirm transactions to replace YK usage...
- they don't (yet) have all the features, or at least I couldn't find out how to do some of them without implementing them myself. Though due to the design of the TKey this can be added later without needing a new key or anything like that; you could even implement it yourself
- their design approach is a bit different from a Yubikey or similar; mainly, it doesn't have any persistent (writable) memory. This has some drawbacks and some benefits. Benefits include that you can add applications later on, have endlessly many of them, and upgrade applications. E.g. a company that hands this key out to 1000 employees and needs to switch to post-quantum cryptography doesn't need to buy 1000 new keys; they just deploy an update and the users have to re-enroll their existing keys. Drawbacks include that you can't store anything on the key (TOTP, moving an OpenPGP key onto a YubiKey, etc.), so for some applications you need to have some metadata on the device you want to use the key with (could be encrypted using the TKey, might just be a seed or similar to derive the right data using the TKey, etc.). Not a problem for typical enterprise use cases, but a problem/inconvenience for your typical "private" user (which can be negated with support software).
Anyway I think I want to buy one.
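As an added illustration of the stateless design discussed in the comment above (example code, not Tillitis firmware or any project's code): a key with no writable storage can still give every loaded application a stable secret by deriving it from a hardware-held device secret and the hash of the application image, and the host keeps only non-secret labels. The terms UDS (unique device secret), USS (user-supplied secret) and CDI (compound device identifier) are used as names here; the keyed-BLAKE2s construction, the field order and every sample value are assumptions made for this example. It also shows why updating the app forces re-enrollment: a new app image yields a new CDI.

```python
import hashlib

# Constructed sample values (hypothetical). On a real stateless key the UDS is
# provisioned once in hardware and is never readable by the host or the app.
UDS = bytes.fromhex("a1" * 32)
APP_V1 = b"signer-app v1.0 (constructed placeholder for an application image)"
APP_V2 = b"signer-app v2.0, post-quantum signatures (constructed placeholder)"


def app_digest(app_image: bytes) -> bytes:
    """Digest of the application image the host loads into the key's RAM."""
    return hashlib.blake2s(app_image, digest_size=32).digest()


def derive_cdi(uds: bytes, app_image: bytes, uss: bytes = b"") -> bytes:
    """Compound device identifier: the only secret the loaded app receives.

    Assumed construction for this example: BLAKE2s keyed with the UDS over
    app_digest || USS. Same device + same app image (+ same USS) always gives
    the same CDI, so nothing has to be stored on the key between sessions.
    """
    h = hashlib.blake2s(key=uds, digest_size=32)
    h.update(app_digest(app_image))
    h.update(uss)
    return h.digest()


def derive_account_key(cdi: bytes, account_label: bytes) -> bytes:
    """Per-account key derived inside the app from the CDI plus a non-secret
    label the host stores. The label is the 'metadata on the device' the
    comment mentions; it is not sensitive, because without the key's CDI it
    yields nothing."""
    return hashlib.blake2s(account_label, key=cdi, digest_size=32).digest()


def re_enrollment_needed(old_app: bytes, new_app: bytes,
                         uds: bytes = UDS, uss: bytes = b"") -> bool:
    """True when shipping new_app in place of old_app changes the CDI, i.e.
    every credential derived under old_app must be re-registered."""
    return derive_cdi(uds, old_app, uss) != derive_cdi(uds, new_app, uss)


if __name__ == "__main__":
    cdi_v1 = derive_cdi(UDS, APP_V1)
    print("CDI for app v1:", cdi_v1.hex())
    print("key for account 'alice@example.com':",
          derive_account_key(cdi_v1, b"alice@example.com").hex())
    print("re-enroll after upgrade v1 -> v2:", re_enrollment_needed(APP_V1, APP_V2))
```

The trade-off the comment describes falls out of `derive_cdi`: the same key and app reproduce the same secrets indefinitely with zero on-key state, but any change to the app image (or a lost USS) is indistinguishable from a brand-new key, so the relying parties must re-enroll.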
> Tillitis is wholly owned by Amagicom AB and is a spin-off from the sister company Mullvad VPN
Their firmware is opaque, not shared outside the company, so is their hardware (important for RNGs etc).
(Full disclosure: I work for Tillitis.)
The construction quality of Yubikeys has been good in my experience.
I was just worried about the closed source proprietary firmware in a security product (including the random number generators, where issues were discovered in the past).
But Yubikeys are used in various companies and apparently in some branches of governments too, thus must have been vetted by their security teams (though there could be different lines of firmware or products for different clients. People say there is not much benefit to purchasing FIPS-compliant Yubikeys. Neglecting the approved algorithms and features, is the firmware the same as that in non-FIPS security keys?)
On this note, are Feitian still the OEM for the Google Titan keys?
Something the Tillitis key has. TKey has a steeper learning curve because they're programmable, but they're also 100% open source software and hardware.
Passkeys will win the war for the everyday user, and Yubikeys will remain a niche IT item. Their focus on FIPS audiences is good though as that should provide a longer-term reliable source of sales.
I hope Yubikey survives long term because I like their tech implementation (a key must be present AND physically touched to activate). I travel much more confidently with Yubikey locked accounts. I know where my Yubikeys are at home and I don't generally take them out with me.
The war for better securing online accounts benefits us all though. haveibeenpwned hasn't gotten any smaller over the years :/
Wait... Passkeys are from the FIDO alliance and both Google, Apple and Microsoft have pledged to implement passkeys for auth no?
I don't think it's "Apple passkeys" any more than they're "Google passkeys" or "Microsoft passkeys".
Which is why it's so scary... It's going to steamroll all other kind of auth with these three juggernauts behind it.
We use them at work, but they aren't fundamentally more secure than what's built into the computer.
[1] https://www.tillitis.se/tkey/
Otherwise, in a more traditional Yubikey-replacement design, I've had my eye on the OnlyKey, but their GitHub has very little activity, which makes me worried it's a dead project.
Having hard-to-extract device keys isn’t “DIY hostile”; it’s critical to the attestation security model. If you want to build your own WebAuthn authenticator, then you can either form your attestation root (there’s no “blessed” vendor list that I know of) or simply ignore that part of the spec.
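As an added example (not code from the thread or from any vendor): the relying-party side of the attestation choice described in the comment above. The block parses the authenticator data returned during a WebAuthn registration (rpIdHash, flags, signature counter, AAGUID, credential ID and the CBOR-encoded COSE public key) and then applies either of the two policies mentioned: enforce an allowlist of authenticator models by AAGUID, or ignore attestation entirely and accept any authenticator, including a self-built one. The sample authenticator data, AAGUID, credential ID and key coordinates are constructed for this example; verifying the attestation statement's signature against a vendor root is out of scope and flagged in a comment.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present, user verified, attested cred data

# Constructed sample values (hypothetical; not a real vendor's AAGUID).
RP_ID = "example.com"
SAMPLE_AAGUID = bytes.fromhex("00010203040506070809101112131415")


def _cbor_decode(buf: bytes, pos: int = 0):
    """Minimal CBOR decoder: unsigned/negative ints, byte strings and maps,
    which is all a COSE_Key needs."""
    initial = buf[pos]
    pos += 1
    major, info = initial >> 5, initial & 0x1F
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    elif info == 26:
        arg, pos = int.from_bytes(buf[pos:pos + 4], "big"), pos + 4
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 5:
        m = {}
        for _ in range(arg):
            k, pos = _cbor_decode(buf, pos)
            v, pos = _cbor_decode(buf, pos)
            m[k] = v
        return m, pos
    raise ValueError(f"unsupported CBOR major type {major}")


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]
    public_key: Optional[dict]


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the WebAuthn authenticator data structure (37-byte fixed header,
    then attested credential data when the AT flag is set)."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = data[:32], data[32]
    sign_count, pos = int.from_bytes(data[33:37], "big"), 37
    aaguid = cred_id = pubkey = None
    if flags & FLAG_AT:
        aaguid, pos = data[pos:pos + 16], pos + 16
        cred_len, pos = int.from_bytes(data[pos:pos + 2], "big"), pos + 2
        cred_id, pos = data[pos:pos + cred_len], pos + cred_len
        pubkey, pos = _cbor_decode(data, pos)
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id, pubkey)


def check_registration(auth_data: bytes, rp_id: str, attestation_fmt: str,
                       trusted_aaguids: Optional[set] = None, require_uv: bool = True):
    """Return (accepted, reason). trusted_aaguids=None means the relying party
    ignores attestation (any authenticator, including a DIY one, is accepted)."""
    p = parse_authenticator_data(auth_data)
    if p.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not p.flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not p.flags & FLAG_UV:
        return False, "user verification required but not asserted"
    if not p.flags & FLAG_AT or p.public_key is None:
        return False, "no attested credential data in registration"
    if p.public_key.get(1) != 2 or p.public_key.get(3) != -7:
        return False, "only EC2 / ES256 credentials accepted"
    if trusted_aaguids is None:
        return True, "accepted; attestation not enforced"
    # Enforcing a model allowlist only means something if the attestation
    # statement also carries a signature that chains to that vendor's root;
    # that chain check (out of scope here) is what stops a spoofed AAGUID.
    if attestation_fmt == "none" or p.aaguid == bytes(16):
        return False, "attestation required but authenticator returned none"
    if p.aaguid not in trusted_aaguids:
        return False, "AAGUID not in allowlist"
    return True, "accepted; AAGUID allowlisted (attestation signature still to be verified)"


def build_sample_auth_data(rp_id: str = RP_ID, flags: int = FLAG_UP | FLAG_UV | FLAG_AT,
                           aaguid: bytes = SAMPLE_AAGUID, sign_count: int = 7) -> bytes:
    """Constructed authenticator data with a hand-encoded COSE EC2/ES256 key."""
    cred_id = b"constructed-credential-id"
    cose_key = (b"\xa5" + b"\x01\x02" + b"\x03\x26" + b"\x20\x01"   # kty=EC2, alg=-7, crv=P-256
                + b"\x21\x58\x20" + bytes([0x11] * 32)               # x (constructed)
                + b"\x22\x58\x20" + bytes([0x22] * 32))              # y (constructed)
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
            + aaguid + len(cred_id).to_bytes(2, "big") + cred_id + cose_key)
```

Usage: `check_registration(build_sample_auth_data(), "example.com", "packed", {SAMPLE_AAGUID})` accepts, while the same call with `"none"` as the format rejects; passing `trusted_aaguids=None` accepts either, which is the "simply ignore that part of the spec" path.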
If some knobsite wants to insist on me using a "hardware authentication key" (similar to how many currently insist on using email/SMS codes), but I want to set it up so that the secret is stored in my browser because that site isn't so important to me, setting my own security policy that directly contradicts their wishes should be my right. Their control shouldn't extend onto my own computer(s), with the demarcation point being the Internet itself.
The authenticator hardware that I use every day is a device I built myself.
Isn't this the same with all hardware?
And the documentation, at least when I received the keys, felt incomplete and hard to find; it did not give me confidence in the product.
I still use them as a backup key, but I decided to just buy two Yubikeys as my main keys.
https://www.nordicsemi.com/About-us/BuyOnline?search_token=n...
https://en.wikipedia.org/wiki/Special-purpose_acquisition_co...
There's simply no way they can line up the "here's how we get to 1B users and then mine all their personal data" business plan that some other tech companies can do.
The biggest killer was the fact that Yubikey NFC is so awful. I worked with tech support repeatedly, even bought two new keys, and it almost never worked right.
With AWS IAM Identity Center (successor to AWS Single Sign-On) - that's actually the official name, hopefully temporary - it seems well supported via WebAuthn. You can "even" have multiple keys assigned to your account...
On mobile, if it works at all, it should be NFC.
Equity is where the gold is, and each investor is an extra marriage partner who must be satisficed and can potentially upend everything.
Build a stable business, not an instant payday.
Just kidding. Hopefully this has no security or usability impact.