Yubico is merging with ACQ Bure and intends to go public

yubico.com

214 points by km 3 years ago · 221 comments


user3939382 3 years ago

The problem with going public is that performance is now measured quarterly. This incentivizes mortgaging the long-term health of the company for short-term gains. Brand loyalty and trust become assets that can be profitably liquidated by diluting the quality of products and services.

By the time customers catch on and the company falters, the investors/owners that profited financially, and managers that profited on their resumes, from the short-term gains may have moved on. The party that's really hurt is the customer base.

I've seen this play out again and again.

  • wnevets 3 years ago

    I've been following Yubico since almost its inception so I'm happy for Stina and her team. However I agree that this will probably end up being bad for customers in the coming years. I hope I am wrong.

  • JumpCrisscross 3 years ago

    > incentivizes mortgaging the long-term health of the company for short-term gains

    Private company Boards can be more ruthless than public companies’. (Historically, this was the norm.) Much of tech’s myth of quarterly metrics and short-term planning in public companies comes from unfamiliarity, not fact.

    The last years of public tech companies had zero discipline. Everything was long term. Right now, Apple’s investors are fine with decades-long secret plays while oil and gas companies have short-term investors. Managing your shareholder base is part of managing a large company, public or private, and as with so many things comes down to the people involved more than any heuristic.

  • Scoundreller 3 years ago

    > The problem with going public is that performance is now measured quarterly.

    Depends on ownership. When the insiders still own 80% (or control that much through super-voting shares), the minority shareholders’ interests (often but not always short-term) may still be ignored.

    • wintogreen74 3 years ago

      The market now measures performance regardless of ownership. Just because they retain a huge percentage of shares, or controlling interest, doesn't mean they'll accept massive declines in market value.

      • mattmaroon 3 years ago

        It means they can though. The tech world is full of examples of companies keeping their focus long-term due to dual class structure and/or founders retaining large stakes despite the vagaries of the market.

        But, nothing lasts forever. Eventually the founders sell, the shares get converted to common, etc.

      • selectodude 3 years ago

        Facebook is, even now, entirely beholden to Mark Zuckerberg's willingness to accept falls in share price. He cannot be removed.

  • halJordan 3 years ago

    This is the zeitgeist, i get it- corpos bad. But it is such a simplified cliché to buy into so wholly. Public companies are capable of long term planning. Quarterly reviews do enforce efficiency. What you've seen play out again and again is good corporate governance from public companies, you just don't notice it and more's the pity.

    • user3939382 3 years ago

      You put words in my mouth (corpos bad) and then said it’s oversimplified. It is oversimplified, but you oversimplified it, not me.

      • halJordan 3 years ago

        I didn't put any words in anyone's mouth. I said you were manifesting a zeitgeist. But honestly you're manifesting another intellectually dominant school of thought. Whereby if anyone does anything less than word for word block quote it's: "I didn't say that. You're wrong." I can absolutely characterize your speech and identify its meaning and regurgitate it all without resorting to quotes. In fact quotes are a pretty weak form of displaying understanding.

      • darkwater 3 years ago

        When you start a comment with "the problem is" and then also add "customers are hurt", well, I would say it's not unreasonable to infer you are expressing a negative opinion on public traded companies.

    • JohnFen 3 years ago

      What I've seen play out time and time again is that a company with a good product goes public or gets purchased, and then their good product gets worse. Often much, much worse.

      As a customer, I don't care why this is, but it is. That's why this is bad news every time it happens -- it's not that corporations are bad, it's that the products very often (but certainly not always) become undesirable.

      • ninkendo 3 years ago

        To be fair, I think a lot of the time a company's initial product is developed/sold in a way that is unsustainable for profitability, in order to attract users/customers/etc. Think "growth hacking", etc. By the time such a company is bought, it's already at the point where they need to start focusing on long-term profitability anyway, which means cutting costs and actually finding a plan to make money. This always needs to happen eventually, and typically being bought (or IPO'ing, etc) is an impetus for this change.

        • JohnFen 3 years ago

          I'm sure that's the case a lot of the time. But, as I said, as a customer I don't care why this effect happens. Regardless of the reason, events such as going public, etc., still mark an inflection point where the odds are decent that the product will become much less desirable.

          But, as long as we're talking about possible causes, that startups do this sort of thing (catchy name like "growth hacking" or not) is a kind of deception that I object to anyway.

          Releasing a product is a kind of promise, in a way. If a product is being released in an unsustainable way (growth hacking), the company should be calling that out from day 1.

  • codetrotter 3 years ago

    > The problem with going public is that performance is now measured quarterly.

    The company I work for did not IPO yet either, and we still do performance reviews every quarter. So idk if going public matters much in that regard.

    • pinewurst 3 years ago

      There’s a difference though between you doing internal quarterly reviews and being held to account by Wall Street analysts and hedge funds looking for perceived weakness.

    • widowlark 3 years ago

      who defines your quarterly goals as a private company?

      • wintogreen74 3 years ago

        Or more importantly, how are your goals measured after the quarter? Public markets don't take any mitigating factors into consideration when your financials tank the way a private company does.

      • codetrotter 3 years ago

        My bosses and their bosses and their bosses and so on. Probably the board as well, in the end.

        I’m a simple Software Engineer, so I don’t really have much insights into that whole side of things.

        • widowlark 3 years ago

          but that's my point - it's a much smaller group of usually highly invested people if your company is private (even with the quarterly reviews) - with a public company, there are a lot more investors with a lot lower stakes, which manipulates the goals and intentions of the company significantly.

  • 1letterunixname 3 years ago

    Yep. Expect features to roll out nonstop but quality to drop and things to break.

dumpster_fire 3 years ago

I have an irrational concern about using security products from a company post-merger or acquisition. It has never ended well for me as an anecdotal user. Going public is taking that worry even further.

Make keys, sell keys. The end. What's there to raise funding for? Build yet another password vault?

  • pavlov 3 years ago

    This is not really a merger because the other company is a “blank check” holding company (a.k.a. SPAC). It has no operations, it just holds a bunch of money put in by investors who want to find a private company that wants to go public.

    • lordnacho 3 years ago

      Doesn't change the fact that your incentives as a public company are different.

      Also all the people who built the company in the first place will cash out. People can decide for themselves whether they think the product will become more or less secure from this.

    • Raed667 3 years ago

      The fact this is not only legal, but common practice baffles me ...

      • bhawks 3 years ago

        It's faster and cheaper, those are things that are generally considered valuable.

        Faster: the finance markets have been extremely tenuous the past 4 years between pandemics, supply chain crisis, world wars, inflation, and so on. An IPO requires 12 to 18 months of work / process before listing. SPACs can be done in a quarter or 2. In uncertain times it is much less risky to get the listing done fast.

        Cheaper: Startups pay much less in fees to investment bankers when going through SPACs, there is also less dilution for investors and employees and more valuation transparency. In traditional IPOs investment bank underwriters have some conflict of interest to get lower valuations to pass the 'pump' onto their high value clients or proprietary trading desk. Why should they benefit over the people who have literally built the company?

        While it is true that there is room to better regulate SPACs, there haven't been horrible abuses yet. It is also true that SPACs have not had the best returns for retail investors over the past few years however drawing a conclusion that this is due to SPAC usage versus the complex macro economic environment of recent years is very difficult.

        • gizmo 3 years ago

          We’ve seen pre-revenue companies that promised flying cars and other obvious scams go public via SPACs. If you don’t consider that SPAC abuse your bar is a lot lower than mine. These are companies that had no chance of surviving the more serious road show due diligence that the likes of GS demand when they take startups public.

          Instead we saw popular podcasts push their SPACs on gullible retail investors, based on fuzzy concepts like disruption and TAM. Subsequently these SPACs lost 90% of their value and the insiders made bank. I hope to see jail sentences for the more shameless SPAC pump and dump players.

          • lotsofpulp 3 years ago

            Index ETFs have been around for 15+ years now, and the advice is widely known that if you are an uneducated investor without inside information or some type of edge, you should stick to sub 0.15% expense ratio index funds. It is so easy nowadays that all you have to do is figure out the year you want to retire and buy that year’s target date fund and forget about it.

            If people want to gamble, then that is their problem.

            • gizmo 3 years ago

              I'm not sure what your argument is. Sophisticated investors don't invest in obvious scams. That's tautologically true. Does that mean we should just watch and do nothing while people get scammed?

              The thing is, nobody is born sophisticated and there are many ways to get hurt in financial markets in the absence of scams even if you're intelligent and do your homework.

              You mention index trackers, but they are no silver bullet. Their mechanism is basically to buy more of stocks that go up, and to sell those stocks that stumble badly. The more people rely on index trackers (exchange traded or not) the more volatile they'll become, and because index funds use such a simple trading strategy it's easy to front-run or otherwise exploit them. Furthermore, index trackers depend on active investors for price discovery, and the fewer active investors you have the worse index funds will perform. Relying on a vanguard ETF might continue to work, but to assume that it will is hopelessly naïve. It's no coincidence that ETFs got so popular with interest rates at 0 and a fed that made stonks go up.

              • michaelt 3 years ago

                > Sophisticated investors don't invest in obvious scams. That's tautologically true. Does that mean we should just watch and do nothing while people get scammed?

                Imagine I buy a chainsaw which is clearly labelled as something that can cut your hands off, it's widely known and obvious to everyone that chainsaws can cut your hands off very easily, not just in the specialist financial press but also on comedy shows and from TV news pundits and loads of other sources - I'm a mentally competent adult, I'm informed about the substantial risks, I want the chainsaw anyway so I can chop down lots of trees fast. Then I chop my own hand off by mistake.

                Was it society's responsibility to protect me from my own mistakes, even when I was fully informed of the risks?

                • gizmo 3 years ago

                  40% of the US workforce has a 401k

                  It's like giving 40% of the adult population a chainsaw that they have to use if they want to retire at a reasonable age. The outcome is predictable and they would be wise to invest in a prosthetics company.

              • twic 3 years ago

                Does it help if we re-frame SPACs as a mechanism for transferring wealth from rich idiots to startup founders?

              • fallingknife 3 years ago

                You can buy a 2x levered daily vix ETF. You can buy 0dte options. You can buy options on the aforementioned ETF. You can go to a casino and put all your money on the roulette wheel. What is so risky about spacs that they need special attention?

                • gizmo 3 years ago

                    Should publicly listed companies publish their financial results every quarter? Do they have to use GAAP or can they make up their own financial metrics? What do you think would happen if we removed the regulations surrounding financial disclosure for public companies?

                  The questions are rhetorical. Companies will rob their shareholders blind if you let them. You can't just be "lol caveat emptor".

                  (Casinos also cheated players shamelessly in the good old days before regulatory oversight.)

                  • fallingknife 3 years ago

                    Yeah I can just like I am about all those other great ways to lose money that I just posted.

                    But, I'm really not getting your point here. SPACs have to report financial results just like any other public company. They aren't allowed to commit fraud any more than any other company.

                    • gizmo 3 years ago

                      SPACs are basically an incorporated bag of money, so yes, while they technically have the same disclosure requirements as any other public company the disclosures won't tell you anything. There is no Form S-1 for SPAC acquisition targets.

                      A conventional IPO has a number of roadblocks for fraudsters. First they have to convince a reputable investment bank (like Goldman Sachs) to take them on as a client. Then the CEO and CFO of the company have to go on a grueling road show where they talk to groups of sophisticated investors, present their business prospects, and answer difficult questions. The IPO doesn't happen if those investors aren't willing to pay up, or if the investment bank feels like management is not transparent about their realistic business prospects.

                      With a SPAC you have none of that. You can have a slide deck and a webcast and make outrageous claims and nobody will call you out on it. The company and SPAC sponsor can dump their shares on retail investors who think they are investing alongside the executives and SPAC sponsor, when in reality they are their exit liquidity.

                      • fallingknife 3 years ago

                        Do you have an example of a SPAC where the target was a scam? I'm not aware of any, and I follow this stuff more closely than most people.

                        • gizmo 3 years ago

                          Nikola Motor went from a 34bn market cap to near bankruptcy in 2 years. Their tech was a sham and the founder got prosecuted and convicted for defrauding investors.

                          Lordstown Motors. Faked their order book. Blatant securities fraud.

                          There are many others.

            • tivert 3 years ago

              >> Instead we saw popular podcasts push their SPACs on gullible retail investors, based on fuzzy concepts like disruption and TAM. Subsequently these SPACs lost 90% of their value and the insiders made bank. I hope to see jail sentences for the more shameless SPAC pump and dump players.

              > Index ETFs have been around for 15+ years now, and the advice is widely known that if you are an uneducated investor without inside information or some type of edge, you should stick to sub 0.15% expense ratio index funds....

              > If people want to gamble, then that is their problem.

              So what? It's also well known that the IRS doesn't take payment in iTunes gift cards. So do you think if people get scammed, it is their problem for not knowing better? Should we just repeal all the laws against fraud and scams, because caveat emptor?

              The behavior described in the GP post is unacceptable, and the fact that someone theoretically should have known better doesn't excuse it.

        • lordnacho 3 years ago

          I don't think you can avoid the conclusion that this is a legal loophole. It's "easy" to get listed as an empty shell because there's nothing there to check. Then you buy an actual business and everything is just dandy? Seems fishy to me.

        • fnordpiglet 3 years ago

          “Faster and cheaper” isn’t really the goal when selling stock to retirees and pension funds. Going public is supposed to be a rigorous process of assuring your grandparents that this company meets a minimum bar of compliance and financial quality. Finding a back door to avoid scrutiny is a flaw, not a feature. I get that we all want to avoid the paperwork and red tape in life, but there are certain things that we have seen burn too many people too many times that we as a society demand you slow down and dot your i’s and cross your t’s for very good reasons.

          • lotsofpulp 3 years ago

            No one is forcing, or even recommending, retirees and pension funds to invest in SPACs.

        • tivert 3 years ago

          >> The fact this is not only legal, but common practice baffles me ...

          > It's faster and cheaper, those are things that are generally considered valuable.

          For the company. It's also faster and cheaper for the company to just ignore all regulatory requirements (financial reporting, product safety, pollution, labor, etc.), but that's usually illegal for good reason.

          It seems pretty dysfunctional that companies would be allowed to do an end-run around pre-IPO scrutiny like this.

      • aidenn0 3 years ago

        I mean a few years back I was told by my accountant that I made too much money to contribute to a Roth IRA, but it was 100% kosher to open a traditional IRA and immediately convert it to a Roth IRA. The fact that this was legal also baffles me.

        • c22 3 years ago

          When you convert your traditional IRA to a Roth you immediately owe taxes on the amount. Then, presumably, due to your income, you can no longer contribute to it. Makes sense to me.

          • aidenn0 3 years ago

            It was a while ago, but IIRC you only owe taxes on the pre-tax contributions (which, in this case was $0). But I couldn't make a post-tax contribution directly to a Roth, just a post-tax contribution to a traditional, then convert...

            [edit]

            Some googling[1] implies my memory was mostly correct.

            1: https://www.investopedia.com/roth-ira-conversion-rules-47704... See particularly the part about "backdoor

          • adrianmonk 3 years ago

            The point is that there are income limits for this process:

            1. Take N dollars of post-tax money.

            2. Put it in a Roth IRA.

            But the same limits don't apply to this process:

            1. Take N dollars of post-tax money.

            2. Put it in a traditional IRA.

            3. The next day, convert the traditional IRA to a Roth IRA.

            When you do the conversion, you only owe taxes on any additional earnings (not your post-tax contribution) during the one day that it was a traditional IRA. So the second procedure accomplishes almost exactly the same thing as the first one, but it legally gets around the limit designed to prevent rich people from getting Roth IRA tax breaks.

      • Analemma_ 3 years ago

        It's probably going to be made illegal, or at least a lot more heavily regulated, any day now. The SEC has indicated that they're not happy with how SPACs are being used to skirt IPO disclosures.

      • yellow_lead 3 years ago

        Although it's not illegal, I thought exchanges used to delist companies for this. At least NYSE. Maybe someone has more insight

      • rekttrader 3 years ago

        It’s more transparent and less predatory than venture capital.

        • pavlov 3 years ago

          Is it? VCs don’t raise money from “mom and pop and Reddit” retail investors, but SPACs have enabled insiders to sell stock at $10 that often ends up being worth less than $1 or even bankrupt just a year or two later. These often included a social media pump like the SPACs promoted by “SPAC king” Chamath Palihapitiya.

          However the companies that go public via SPAC are mostly VC-funded, so in that sense you’re right that they’re also profiting from the SPAC con by being able to dump their holdings in these companies that were not actually ready to go public.

    • JohnFen 3 years ago

      That's even worse.

    • simplotek 3 years ago

      > This is not really a merger because the other company is a “blank check” holding company (a.k.a. SPAC).

      This reads like a non sequitur. The corporate structure is irrelevant if there is a radical change affecting how strategic decisions are made regarding their products and their userbase.

  • tivert 3 years ago

    > I have an irrational concern about using security products from a company post-merger or acquisition. It has never ended well for me as an anecdotal user. Going public is taking that worry even further.

    I wouldn't call that an irrational concern, since it's in fact pretty rational. Stock market investors demonstrably do not value computer security over financial performance, and once they control a company, its focus will shift to their priorities.

    • amanj41 3 years ago

      I mostly agree with your point but I would say the exception is when the success of the company is closely tied to their security practices or their security features are their business. Okta being a good example, when it took a 10% drop after the breach last year.

      • tivert 3 years ago

        > I mostly agree with your point but I would say the exception is when the success of the company is closely tied to their security practices or their security features are their business.

        The problem is bad security practices don't become clear until it's too late for the customers. A company can coast on reputation for a long time, while its stuff fails to keep up in non-obvious ways.

  • adql 3 years ago

    I don't think it's irrational, it rarely improves the service

  • duped 3 years ago

    > Make keys, sell keys. The end. What's there to raise funding for? Build yet another password vault?

    Liquidity for employees who exercised their options and investors who funded them before they had significant revenue, presumably.

  • aidenn0 3 years ago

    Besides raising funding, a reason to go public is to give the investors a pay-day. Inasmuch as some of the investors are also founders/key people, them "cashing out" can involve them being less involved.

  • hayst4ck 3 years ago

    I agree with this as well. Capitalist influence creates a powerful conflict of interest.

    When it cuts down to it, which master will yubico serve? The customers or their shareholders?

    Now Yubico has a fiduciary responsibility to their shareholders.

    I frankly can't think of very many companies that are able to resist this core capitalist corruption. Even Costco is implementing shareholder over customer policies. 1Password? Google's "do no evil." Are there good examples of companies that stay customer first after going public?

    • red_admiral 3 years ago

      This is not a matter of going public, but I note that when MS bought Github, there was a lot of concern over whether that would degrade the service's customer-friendliness. So far, that doesn't seem to have happened? You don't need a MS365 identity to set up a github account, for example.

      Also not going public, but Fastmail was bought by Opera in 2009 I think but then bought themselves back out again, and they've continued to offer excellent customer service (including yubikey support of which they were an early adopter) all the time.

      So I'd say there's precedent for companies staying customer-focused under capitalism if the stars align: it has to be a place where (1) staying customer-focused is a clear net positive for the domain they're working in, even from a revenue perspective and (2) the people running the company understand this.

      I imagine this is much more the case for companies where the customers are specialists / power users (think: developers) or other businesses, rather than the general public. I hope that means yubico of all places is lower risk. Although I consider them one of the best if not the best in the market, were they to go under, there are alternatives (google's own titan keys are ok replacements for the end user, though obviously they don't have the yubico back-end infrastructure). FIDO/U2F etc. are standards and come with certifications, so I'd hope there's only limited room for maneuver for any new yubico owners to mess up, and a sufficient threat of losing their business that they are not incentivised to try anything too shady.
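On the point above that FIDO/U2F are standards with certifications: the relying party's side of that constraint is that a server can refuse registrations from authenticator models it does not trust (by AAGUID, the 16-byte model identifier carried in attested credential data) and can detect a cloned key through the signature counter. The Python below is an added example, not code from this thread or from Yubico, showing how a server parses WebAuthn authenticatorData and applies such a policy. The rp_id, the AAGUID allowlist and the sample bytes are constructed placeholders (a real allowlist is derived from the attestation and the FIDO Metadata Service), and the block checks only authenticatorData; a real registration flow must additionally verify the attestation statement's signature and certificate chain.

```python
"""Added example: parse WebAuthn authenticatorData and enforce relying-party
policy (AAGUID allowlist, user presence/verification flags, signature counter).
Assumptions: rp_id and AAGUID values below are constructed placeholders; the
attestation statement signature and certificate chain are NOT verified here."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits of the authenticatorData flags byte, as defined by WebAuthn.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data present
FLAG_ED = 0x80  # extension data present


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]          # 16-byte authenticator model id
    credential_id: Optional[bytes]
    rest: bytes                      # COSE public key and extensions, left unparsed


def parse_auth_data(data: bytes) -> AuthData:
    """Split authenticatorData into its fixed-layout fields, with bounds checks."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    rest = data[37:]
    if flags & FLAG_AT:
        if len(rest) < 18:
            raise ValueError("truncated attested credential data")
        aaguid = rest[:16]
        (cred_len,) = struct.unpack(">H", rest[16:18])
        if len(rest) < 18 + cred_len:
            raise ValueError("truncated credential id")
        credential_id = rest[18:18 + cred_len]
        rest = rest[18 + cred_len:]
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id, rest)


def check_registration(data: bytes, rp_id: str, allowed_aaguids, require_uv: bool = True) -> AuthData:
    """Accept a registration only from an allowlisted authenticator model."""
    ad = parse_auth_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not ad.flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not ad.flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    if ad.aaguid is None or ad.credential_id is None:
        raise ValueError("registration lacks attested credential data")
    if ad.aaguid not in allowed_aaguids:
        raise ValueError("authenticator model %s is not allowed" % ad.aaguid.hex())
    return ad


def check_assertion_counter(stored_count: int, data: bytes) -> int:
    """Return the counter value to store. If either side reports a counter and
    the new value did not increase, treat it as the WebAuthn clone signal."""
    ad = parse_auth_data(data)
    if (ad.sign_count or stored_count) and ad.sign_count <= stored_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return ad.sign_count


def build_auth_data(rp_id: str, flags: int, sign_count: int,
                    aaguid: Optional[bytes] = None, credential_id: bytes = b"",
                    cose_key: bytes = b"") -> bytes:
    """Builds constructed test vectors; a server never needs this."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if aaguid is not None:
        out += aaguid + struct.pack(">H", len(credential_id)) + credential_id + cose_key
    return out


# Constructed placeholders: a real allowlist comes from the authenticator's
# attestation and the FIDO Metadata Service, not from a hard-coded value.
RP_ID = "example.com"
PLACEHOLDER_AAGUID = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
ALLOWED_AAGUIDS = {PLACEHOLDER_AAGUID}

if __name__ == "__main__":
    reg = build_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, 1, PLACEHOLDER_AAGUID, b"cred-1")
    ad = check_registration(reg, RP_ID, ALLOWED_AAGUIDS)
    print("registered credential", ad.credential_id, "counter", ad.sign_count)
    nxt = check_assertion_counter(ad.sign_count, build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 2))
    print("next counter", nxt)
```

The counter check follows the WebAuthn rule that a counter of zero on both sides means the authenticator does not implement one, while a non-increasing counter when either side is non-zero is a signal that the credential's private key may have been copied to a second device.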

      • belter 3 years ago

        "Has GitHub Been Down More Since Its Acquisition by Microsoft?" - https://statusgator.com/blog/has-github-been-down-more-since...

        "...What does the data tell us? In the two years since the acquisition announcement, GitHub has reported a 41% increase in status page incidents. Furthermore, there has been a 97% increase in incident minutes, compared to the two years prior to the announcement..."

        • nine_k 3 years ago

          This may mean active internal changes, especially in the infrastructure. These may enable something great, or remove some internal source of pain.

          The stats are not enjoyable though.

      • xenophonf 3 years ago

        > You don't need a MS365 identity to set up a github account, for example.

        Slow AIs ^W ^W Corporations work on a different scale than people. For example, you _do_ need a MS365 identity to play Java Minecraft now, nine years after Microsoft bought Mojang.

      • adql 3 years ago

        Those look very much like an exception to the rule

  • neilv 3 years ago

    For personal use, I just tried to buy a few pre-SPAC units, just in case. But they seem to no longer sell any plain non-NFC USB-A keychain models.

    • nine_k 3 years ago

      Unless you're price-sensitive and want to avoid the NFC for that reason, I don't see how the NFC version is worse. If you don't want NFC at all, a bit of foil or even wire should physically block it.

    • gertrunde 3 years ago

      It is possible to disable the NFC function, if that would be satisfactory?

    • panny 3 years ago

      >pre-SPAC

      ?

      • INTPenis 3 years ago

        Referring to the yubikey merger with a SPAC company called ACQ.

      • neilv 3 years ago

        Before this ACQ Bure deal, in case quality, features, trustworthiness, or pricing change.

        • panny 3 years ago

          Okay, but the YK5 was available before this acquisition and is still the same key after. Not sure how the NFC part factors into your assessment. I assumed SPAC meant something technical about the key.

  • gonesilent 3 years ago

    building a legal team to fight shareholder lawsuits!

snorremd 3 years ago

I really hope this does not affect their current mode of operation. The reason I bought my Yubikeys in the first place were the one off purchase cost and the promise that the keys would do their job without me having to interact with Yubico from that point onwards. This has worked great so far!

Now with shareholders in the mix I fear they will try to find recurring income models to increase profits. I guess we'll just have to see.

  • belter 3 years ago

    As somebody who just bought some keys last week for the same exact reasons, I share the same exact concerns. Why this need to always make more and more money?

    Do one thing, do it right, keep your customers happy, get your money, enjoy your life...

    • flandish 3 years ago

      This “why” is the ever expanding nature of capitalism.

    • fra 3 years ago

      Don't you expect to make more and more money throughout your life as well?

      • bcrosby95 3 years ago

        In real terms, I make enough money. The only reason I want to make "more and more" is to cover inflation.

        If you asked me to choose between that while remaining customer focused, vs 3x what I make while screwing over my customers, the choice is easy. Other than providing for me and my family, I like creating things that make other people's lives easier over buying fancy cars and vacation homes.

      • callalex 3 years ago

        My goal is to do less work for enough money. Letting yubico chug along without growth would accomplish that for me if I was the owner.

        • selectodude 3 years ago

          Yubico is pretty well owned by VC firms that want their money back. By taking outside money, you're beholden to outside influence. Yubico can't buy out their investors, so they have to raise money some other way in order to do so. In this case, public markets.

      • myself248 3 years ago

        I expect to continue working as I continue making money, though.

        It's not like I put out a thing and expect it to support me forever with some magical recurring stream of milking whomever.

      • belter 3 years ago

        Of course. But additional compensation sometimes brings forced compromises in the form of increased risk, or trampling the core values that made you start in the first place.

    • lotsofpulp 3 years ago

      Do you expect your retirement savings to earn a minimum of x% per year? What is that x%?

      • belter 3 years ago

        I expect a company to turn and stay profitable, by doing their core business, prioritizing product quality, customer service and sustainable development. Not to end up as an over leveraged financial construct riding on extracting more and more of their customers. Optimize the business quality not the shareholders returns.

        • lotsofpulp 3 years ago

          Would you (or do you) invest in that company over a different one whose share prices appreciate by a greater amount?

          Would you accept less compensation if your employer cannot keep up with competitors?

          • nly 3 years ago

            This is a strange argument. A profitable company that isn't growing (selling more stuff, hiring more people, etc) can have a stable (low) P/E and still pay a nice dividend.

            • lotsofpulp 3 years ago

              The point is that when you go to invest your money for your retirement, you are going to pick whichever business’s shares give you the highest ROI.

              You, as a shareholder, are not optimizing for

              > keep your customers happy, get your money, enjoy your life...

              So why would you expect businesses to behave in a way other than maximizing ROI?

              • yjftsjthsd-h 3 years ago

                > So why would you expect businesses to behave in a way other than maximizing ROI?

                If I had invested in a company, I would prefer them to maximize my return over a span of decades, not over the next quarter by inevitably undercutting their long-term performance. For some reason, the market currently favors short-term gains in a way that inevitably compromises long-term results.

              • belter 3 years ago

                Because maximizing ROI hurts their business long term? Only CEOs on a short stint of 2-3 years, with compensation based on stock market valuations, go for maximizing ROI...

                Reducing R&D investment is maximizing ROI in a way...

              • JohnFen 3 years ago

                Plenty of people, myself included, don't pick investments based solely on what has the highest ROI. Some even pick investments based in part on whether or not they agree with the way the company is run.

              • tomatocracy 3 years ago

                This is true but all the same is true for privately owned (eg VC backed) companies; maximising return (within whatever risk parameters shareholders are happy to accept) leaves plenty of room for disagreement about what the right way to do that is.

                But often a change in ownership can also mean a change in risk tolerance, investment horizon and potentially in management incentives or management team. Some of these changes could align negatively with some customer interests and therefore caution from customers (especially those who worry they might not be seen as future core customers) is understandable when what has changed is unclear.

              • unethical_ban 3 years ago

                An excellent teardown of modern capitalism.

          • belter 3 years ago

            I comment on the decisions of the company management/ownership, not on the investment criteria of users of the stock market.

            Yubico is free to do what they want with their business model. As an existing Yubico customer, I will be taking my business somewhere else, if they deviate from my priorities. They had a nice thing going on, and I am suggesting they consider their next steps. I know I will now keep them under increased scrutiny.

            • lotsofpulp 3 years ago

              > I comment on the decisions of the company management/ownership, not on the investment criteria of users of the stock market.

              The purpose of my questioning is to shine light on the fact that these two things are related, which answers your original question of

              > Why this need to always make more and more money?

              I am sure Yubico’s owners and employees also want to maximize their compensation, but the fact that there are many investors in the public market pretty much only looking at ROI is what enables the business model of milking users.

          • rolandog 3 years ago

            I would stop buying from a company that "decides to go public" (for me, it's just code for "we're now OK with whittling our product's quality to make profits for some people that have found a captive market").

            • JohnFen 3 years ago

              Yes, I tend to do this as well, for the same reason. Also, equivalently, when companies get purchased by public companies, holding companies, investment companies, etc.

  • red_admiral 3 years ago

    How would that model work considering the key is a piece of hardware, built to implement an open standard (at least for the U2F mode)? There's no "key phone home" phase in U2F.

    Also, though I would miss yubikeys if they went under like this, in practice I could switch to google titan or something else and it wouldn't be the end of the world.

    • snorremd 3 years ago

      The current keys will of course work as before. It is more that their new offerings might change this model altogether by tying authentication of the key into some cloud service requiring non-standard drivers. Probably unfounded fears, as this would make the keys less attractive to their user base.

      Yes, there are competitors. But I really don't want to be reliant on Google as a company. I guess Solo Keys and Nitro Keys could be good alternatives, but I really feel Yubico has a great reputation as far as hardware token companies go.

      • JohnFen 3 years ago

        > I really feel Yubico has a great reputation as far as hardware token companies go.

        They do. Or did. With this move, though, the "reputation score" has to reset and be considered neutral until we see what the new behavior will be.

    • ckdarby 3 years ago

      Cross key syncing service.

      You plug both yubikeys in. Authenticate on both keys using the tool and then you're able to transfer/backup.

      Corporate management offerings around Yubikeys, inventories, call back home to renew an expiry if the yubikey itself when touched should give out the information.

      Trust me, if Yubikey hires me and goes IPO it is all downhill but the company will make a boatload more money.

      Every company I have worked for I've found significant ways of increasing margins and EBITDA.

      • labcomputer 3 years ago

        > Cross key syncing service.

        Can’t work with FIDO/U2F, I’m afraid.

        The protocol works a little differently than most people expect, which is what allows the hardware token to “store” an unlimited number of auth credentials.

        What really happens at auth time is that the server (the one you are trying to authenticate to) sends a crypto package including the challenge and a key used to sign the challenge to the token. (That signing key was generated at enrollment time and encrypted using the token’s private key). The token then uses its internal private key to decrypt the signing key sent by the server, sign the challenge and send back the signed challenge.

        So there is no way to transfer credentials because the credentials literally aren’t in the token (they’re stored—in encrypted form—on the servers you log in to). The only way that transfer could maybe work is by copying the token’s private key… but that kind of defeats the purpose of a security token.
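The credential-wrapping idea in the comment above, as an added example written for this page (not Yubico's code and not from the thread): a Go model in which the token holds one device secret, wraps a freshly generated per-site P-256 private key into a key handle that the relying party stores, and at login unwraps it, signs the challenge and forgets it again. The wrap uses symmetric AES-GCM under the device secret with the site identity as associated data; that choice, the `Token` and `Credential` names and the sample challenge are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Token models the authenticator; wrapKey is set at manufacture and never exported.
// Constructed model for illustration, not Yubico firmware.
type Token struct {
	wrapKey []byte
}

// Credential is what the relying party (RP) stores: key handle plus public key.
type Credential struct {
	KeyHandle []byte
	PubKey    *ecdsa.PublicKey
}

func NewToken() (*Token, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Token{wrapKey: k}, nil
}

func (t *Token) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(t.wrapKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Register creates a fresh P-256 key pair for one RP, wraps the private key under
// the device secret and returns the handle plus public key. The RP identity is
// bound as AEAD additional data, so a handle issued for one site does not unwrap for another.
func (t *Token) Register(appID string) (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return Credential{}, err
	}
	gcm, err := t.aead()
	if err != nil {
		return Credential{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Credential{}, err
	}
	handle := gcm.Seal(nonce, nonce, der, []byte(appID)) // nonce || ciphertext || tag
	return Credential{KeyHandle: handle, PubKey: &priv.PublicKey}, nil
}

// Authenticate unwraps the per-site key, signs the RP's challenge and drops the
// key again: nothing about this RP stays on the token between calls.
func (t *Token) Authenticate(appID string, keyHandle, challenge []byte) ([]byte, error) {
	gcm, err := t.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(keyHandle) < ns {
		return nil, fmt.Errorf("key handle too short")
	}
	der, err := gcm.Open(nil, keyHandle[:ns], keyHandle[ns:], []byte(appID))
	if err != nil {
		return nil, fmt.Errorf("key handle rejected: other device or other site")
	}
	priv, err := x509.ParseECPrivateKey(der)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the RP side: check the signed challenge against the stored public key.
func Verify(cred Credential, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(cred.PubKey, digest[:], sig)
}

func main() {
	tok, _ := NewToken()
	cred, _ := tok.Register("https://example.com")
	challenge := []byte("constructed challenge 0001") // constructed sample input
	sig, _ := tok.Authenticate("https://example.com", cred.KeyHandle, challenge)
	fmt.Println("valid:", Verify(cred, challenge, sig))
}
```

The two failure cases a relying party should expect are both covered: a handle replayed to a different site, or presented to a different token, fails to unwrap, which is what lets the token serve an unbounded number of credentials without any of them living on the device.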

        • saltcured 3 years ago

          I've read about how some folks are using FIDO apps on devices like the Ledger Nano, designed to be crypto currency wallets. These allow the (FIDO) device identity to be exported and later restored onto a new device from the same product line. As I understand it, the experience would be a bit more like restoring a passkey on a new phone, but using a locally secured backup rather than a cloud vendor.

          Since reading about that, I've wondered if the relying party in FIDO could or should know the difference. Would this entire product line get flagged in some FIDO registry as having exportable keys? If you really cared, it seems you would need to consider this a static property of the authenticator, whether or not a particular user has decided to make use of the export feature on their device.

          Worse, as a software-defined feature, do you get any guarantees at all? Do they do some kind of secure-boot chain so that the FIDO app gets access to a manufacturer key and some other lower quality app cannot be installed to spoof the same authenticator solution?

          On the other hand, those devices could be more secure in some practical sense than a Yubikey. They have a display and can show context during an authentication challenge, to reduce the chance that a user is confused about which relying party is asking for the next button press. There is also potential for secure entry of a PIN factor without trusting the host computer to relay this information.

          • labcomputer 3 years ago

            > Since reading about that, I've wondered if the relying party in FIDO could or should know the difference. Would this entire product line get flagged in some FIDO registry as having exportable keys?

            The standard actually anticipates you might want to do that, so the token’s manufacturer can sign the token so that a relying party can whitelist (or, presumably, blacklist) certain tokens.

          • JohnFen 3 years ago

            I wouldn't trust any authentication key that allowed private keys to leave the device.

        • j16sdiz 3 years ago

          The protocol doesn't allow that.

          But we are talking about the manufacturer: they can add a backdoor and sell the backdoor as a feature for subscribed users.

          That is what gp is talking about.

          • labcomputer 3 years ago

            Well, sure, but that completely defeats the purpose of a security token. The whole point is that you can’t extract the crypto secret, even if you ask nicely.

            In fact, the sales literature brags about how the secret never leaves the device!

        • ridgered4 3 years ago

          Does anything prevent copying the token's private key to another token right now?

          • zahllos 3 years ago

            Yes, the token itself most likely won't allow the key to be extracted. There isn't really a reason to allow it: safer to generate the key at manufacturing time.

            In general, CMVP-compatible modules do sometimes allow keys to be exported, but only if wrapped, i.e. encrypted to prevent unauthorized disclosure. However, this is also explicitly forbidden in other standards, such as qualified signing in Europe (etsi-...): keys are generated on device and never leave.

            What do you do if you lose the token? Ideally you enroll two or three and just use another.

          • ikiris 3 years ago

            Only the entire design of the product and the standards around it, specifically so it can do its job.

0xbadc0de5 3 years ago

And how have SPAC mergers historically performed?

<quick search>

Yikes! I didn't realize Yubico was in such bad shape financially that this was their best (only) option.

  • super256 3 years ago

    > Yikes! I didn't realize Yubico was in such bad shape financially that this was their best (only) option.

    Some early employees could want to cash out. Going public is a great way to do that.

everdrive 3 years ago

Honestly, do any companies improve in the long term when going public? It seems like the business model is always to make short-term profits and then slowly (or in some cases quickly) die out.

  • echelon 3 years ago

    Lots of companies found greater success post-IPO.

    Apple, Google, Facebook, Microsoft (especially recently), Nintendo, Tesla, etc.

    The IPO is a statement to investors that the company believes it will grow bigger and seeks public market funds to accelerate growth. That doesn't always happen.

    Some companies and investors see the IPO as merely a liquidity event, which is the wrong perspective to take. SPACs were clearly being abused for this.

    • adql 3 years ago

      Not talking about company being more successful but better to the actual customers. Google isn't exactly a good example here

      Also Microsoft went public almost 4 decades ago, Apple went public over 4 decades ago; the landscape looked a bit different then.

    • everdrive 3 years ago

      As the other commenter noted, I’m talking about value to the customer rather than value to the company. WRT your list, I would only claim Apple as a clear success in this regard. (I don’t particularly like Apple myself, but Apple does seem to be giving customers more of what they actually want.)

      Microsoft - Ruining Windows to extract more value from customers.

      Facebook - hardly anything even needs to be said here.

      Google - slowly getting worse and rotting away.

      Tesla - I’m a bit neutral here. Tesla has its problems, but it’s not clear that they used it be amazing and now are just trying to extract money from users.

      • whoopdedo 3 years ago

        You give Apple too much credit. The original Apple I and Apple II were a hacker's delight. They went public in 1980 and the Apple /// was a failure. Then came the closed architecture of the Macintosh. Ever since Apple has been known as the company least friendly to hackers.

        • JohnFen 3 years ago

          I still feel butthurt and betrayed by Apple because of the Mac.

          But in fairness to Apple, the Mac marked a point where they overtly wanted to ditch their (then) current customer demographic and switch to an entirely different customer demographic. Which they successfully pulled off. And they do seem to be giving those people what they want, they just don't want the likes of us.

          But, back to the topic, I consider Apple to be an example of a company going public and having an excellent product ruined as a result.

    • frunns 3 years ago

      Facebook is my main argument why IPOs suck. Facebook used to be a decent platform, post-IPO it's awful. Might be unrelated to the IPO, might not. But yeah, financially it might be "better", as they're more heavily exploiting their users' attention.

account-5 3 years ago

Seems like another reason not to use yubikeys, especially with the push for Fido. The cynical part of me assumes going public means they'll need to generate more income for investors. Fancy a subscription service to keep your yubikeys working?

  • tonyarkles 3 years ago

    So maybe I’m too much of an optimist, but I’ve been thinking about Tailscale a lot recently because of how much of a game changer their product has been for us. I shudder to imagine what our VPN setup would look like at work if I hadn’t discovered Tailscale a month or two before the COVID craziness all started.

    Maybe Yubikey could do to PKI what Tailscale did for VPNs: make the whole process dramatically simpler and easy to use. Still sell Yubikeys, please, but set up a funnel to capture corporate recurring revenue by solving this problem better than the alternatives.

  • JohnFen 3 years ago

    I don't think there's anything Yubico can do that affects the operation of the keys they've already sold. Any adverse product effects will be with new keys they will sell.

toastal 3 years ago

Open hardware security keys exist. Software should not lock itself into proprietary hardware for security any more than goobers locking themselves into Symantec's wrapper or only-our-app for basic TOTP, which could be platform agnostic.

MaKey 3 years ago

Possible Open Source alternatives are Nitrokey (https://www.nitrokey.com/) and Solokeys (https://solokeys.com/).

algesten 3 years ago

"Caroline af Ugglas, on behalf of ACQ board of directors commented: …"

This is weirdly enough a Swedish singer who had Eurovision Song Contest ambitions. https://www.youtube.com/watch?v=HE1Vy5lKuzw

She's part of the Swedish upper class – the Swedish Wikipedia page lists her as "baroness" (friherrinna), further accentuated by her name ("af" is the Swedish variant of the German "von").

jmclnx 3 years ago

Well nice knowing you as a Company that cared for its user base.

Soon you will be beholden to Wall Street. That means at the slightest controversy there will be calls to enable a back door to your product(s).

tptacek 3 years ago

ACQ Bure is a SPAC, so really what Yubico is doing here is simply "going public"; a SPAC is just a vehicle for doing that, as is an underwritten IPO or a direct listing.

  • JohnFen 3 years ago

    A SPAC is not "just a vehicle" for doing that. It's an intentional dodge to let companies avoid scrutiny but still go public. The use of a SPAC to do this automatically casts a bit of shade over the company.

    But even ignoring that, going public itself doesn't bode well for the product regardless.

nikanj 3 years ago

Time to crank the monetizing tap, add a mandatory monthly subscription to everything and deprecate well-working gear

  • cinntaile 3 years ago

    You could buy a programmable open source security key instead, they recently opened their shop. https://tillitis.se/ Some of the people behind Mullvad VPN are associated with it.

    • adql 3 years ago

      That site is fucking garbage, and there doesn't even seem to be a doc on what it supports.

      Like, programmable key is cool as an idea but I need smartcard support and a button on it to confirm transaction to replace YK usage...

      • dathinab 3 years ago

        > and there doesn't even seem to be a doc on what it supports.

        There is, at the bottom of the get started page.

        Currently, besides validating the key itself, only SSH and Git signing by SSH key are supported by them.

        Also directly from the main page the first noticeable thing:

        > TKey’s design encourages developers to experiment with new security key applications and models in a way that makes adoption easier and less risky for end-users.

        I.e. it's mainly for developers, not end users (for now).

        There is a "button" on it. (Which yes isn't mentioned anywhere, outside of some article you can navigate to by following multiple links).

        Most important (and they could be more clear about it): it doesn't have (writable) persistent memory. Which has some great benefits but can also have some major inconveniences. And depending on how/for what you use smartcard support, I'm not sure it might ever support it.

        Anyway the shop opened around 16 days ago so it's still very early days for TKeys (and their website, and documentation, etc.).

        I'm looking forward to what it will enable.

        But AFAIK it's already a great choice for certain kinds of companies for their employees.

      • JoachimS 3 years ago

        There is a touch sensor that detects touch events. The signer application (used by the SSH agent and other things) for example detects user presence by waiting for a touch event before performing the signing operation.

    • dathinab 3 years ago

      Tillitis TKeys are very interesting but not yet a full replacement for Yubi in multiple aspects:

      - they don't (yet) have all the features, or at least I couldn't find out how to do some of them without implementing them myself. Though due to the design of the TKey this can be added later without needing a new key or anything like that; you could even implement it yourself

      - their design approach is a bit different from a Yubikey or similar; mainly, it doesn't have any persistent (writable) memory. This has some drawbacks and some benefits. Benefits include that you can add applications later on, have endlessly many of them, and upgrade applications. E.g. a company handing this key out to 1000 employees that needs to switch to post-quantum cryptography doesn't need to buy 1000 new keys; they just deploy an update and the users have to re-enroll their existing keys. Drawbacks include that you can't store anything on the key (TOTP, moving an OpenPGP key onto a Yubikey, etc.), so for some appliances you need to have some metadata on the device you want to use the key with (could be encrypted using the TKey, might just be a seed or similar to derive the right data using the TKey, etc.). Not a problem for typical enterprise use-cases, but a problem/inconvenience for your typical "private" user (which can be negated with support software).

      Anyway I think I want to buy one.

    • lhoff 3 years ago

      They are not just associated with it. It’s a spin-off and is owned by the same company. From their FAQ:

      > Tillitis is wholly owned by Amagicom AB and is a spin-off from the sister company Mullvad VPN

aborsy 3 years ago

Anyone has insights into how trustworthy is Yubico?

Their firmware is opaque, not shared outside the company, so is their hardware (important for RNGs etc).

  • bberrry 3 years ago

    Very. They are a tiny Swedish company that pays for top talent and is quite active and hands-on in the netsec community. It's not a faceless corporation with a Chinese PO Box.

    • JoachimS 3 years ago

      If you are looking for a tiny Swedish company working in a similar area as Yubico, there is Tillitis AB. Tillitis is a spin-off from the Swedish VPN provider Mullvad. In contrast to Yubikeys, the Tillitis TKey, as well as the tools, device verification, etc., is 100% open source.

      https://tillitis.se/

      https://github.com/tillitis

      https://mullvad.net/en

      (Full disclosure: I work for Tillitis.)

      • jtvjan 3 years ago

        The key costs 880 SEK. That's about 78 euros or 85 dollars. It's designed to be future proof, with applications being uploaded to the device by the host.

        The website feels a bit cramped with all the large text on desktop, like it was only tested on phones

      • neilalexander 3 years ago

        Good grief, the text on tillitis.se is obnoxiously large and the information density extremely low.

      • noman-land 3 years ago

        Interesting product, thanks for sharing.

        Can it hold gpg keys and interface with gpg-agent? I couldn't find that information.

        • JoachimS 3 years ago

          No and yes. ;-)

          The TKey does not have any persistent memory available for applications to store things. The idea is that we measure (calculate a keyed digest using BLAKE2s) the application during loading. The keyed digest (called CDI) is used as a base secret, random value by the application to derive the secrets the application needs. The Ed25519 signer, for example, derives its keypair based on the CDI.

          A PGP application could use this to deterministically derive a keypair.

          The FW application loader will also accept a User Supplied Secret (USS), which is also used during the calculation of the CDI. This means that the keypair derived will be based on the specific TKey device, the integrity of the device application and the USS. One way to use the USS is to control which keypair to derive. For example, for SSH, different USSs can derive keys used for different servers.

          Also, a device application may use the CDI to derive wrapping keys, and then use authenticated encryption to protect a cookie that can be stored on the TKey client machine between usage.

          We are working on providing libraries and examples for app developers to do this.

          And to the yes part of the answer: Yes, a TKey could talk to a PGP agent and be called upon when needed. This is similar to how a SSH agent can talk to TKey today.
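The CDI derivation described in this reply, as an added example (code written for this page, not Tillitis firmware): a Go model where the UDS is a random per-device secret, the application image is measured, and a keyed digest over the measurement and the USS becomes the seed of the Ed25519 signer's key pair. HMAC-SHA256 replaces the BLAKE2s the TKey uses so the block stays within Go's standard library; the `Device` type, the length-prefixed USS encoding and the constructed app image and USS strings are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device models one TKey. Its only secret is the Unique Device Secret (UDS),
// set at manufacture; nothing else survives a power cycle.
// Constructed model for illustration, not Tillitis firmware.
type Device struct {
	uds [32]byte
}

func NewDevice() (*Device, error) {
	var d Device
	if _, err := rand.Read(d.uds[:]); err != nil {
		return nil, err
	}
	return &d, nil
}

// Measure is the loader's digest of the application image about to run.
func Measure(app []byte) [32]byte {
	return sha256.Sum256(app)
}

// DeriveCDI computes the Compound Device Identifier: a keyed digest under the
// UDS of the app measurement and the User Supplied Secret (USS). The real
// firmware uses BLAKE2s; HMAC-SHA256 stands in here (assumption) to stay within
// the standard library. Same device, app and USS give the same CDI; changing
// any one of them gives an unrelated CDI. USS is assumed shorter than 256 bytes.
func (d *Device) DeriveCDI(app, uss []byte) []byte {
	m := Measure(app)
	mac := hmac.New(sha256.New, d.uds[:])
	mac.Write(m[:])
	mac.Write([]byte{byte(len(uss))}) // length prefix keeps (app, USS) unambiguous
	mac.Write(uss)
	return mac.Sum(nil) // 32 bytes, exactly an Ed25519 seed
}

// SignerKey is what an Ed25519 signer app does with its CDI: use it as the
// seed, so the key pair exists only while this app runs on this device.
func SignerKey(cdi []byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(cdi[:ed25519.SeedSize])
}

// PublicKey is the only key material the host ever sees.
func PublicKey(cdi []byte) ed25519.PublicKey {
	return SignerKey(cdi).Public().(ed25519.PublicKey)
}

// Sign runs inside the device app; the private key never reaches the host.
func Sign(cdi, msg []byte) []byte {
	return ed25519.Sign(SignerKey(cdi), msg)
}

// VerifySig is what a server (or the host's SSH agent) does with the public key.
func VerifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	dev, _ := NewDevice()
	app := []byte("constructed signer app image v1") // stands in for a real binary
	for _, uss := range []string{"work-laptop", "home-server"} {
		cdi := dev.DeriveCDI(app, []byte(uss))
		fmt.Printf("USS %-12s -> pubkey %x\n", uss, PublicKey(cdi))
	}
	// Same app and USS on another device yield a different identity.
	dev2, _ := NewDevice()
	fmt.Printf("other device    -> pubkey %x\n", PublicKey(dev2.DeriveCDI(app, []byte("work-laptop"))))
}
```

Running it shows the property the reply relies on: the same device, app and USS always reproduce the same public key, while altering any one of them (including a single bit of the app image) yields an unrelated key, which is why an upgraded or tampered application cannot impersonate the one enrolled before it.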

      • FeistySkink 3 years ago

        Is the TKey tamper-proof?

        • JoachimS 3 years ago

          No, not yet. Physical attacks are out of scope for the TKey1, even if we have some mechanisms in play which try to extend the time and effort required to perform a successful evil maid attack extracting the Unique Device Secret (UDS). See the threat model for the release:

          https://github.com/tillitis/tillitis-key1/blob/main/doc/thre...

          The current casing is fairly tamper evident (it will break), but we do not yet use real, tamper evident sealing. We are looking at tamper sealing for future versions. And ways to further protect against physical attacks.

          • belter 3 years ago

            When you do, please think about a special price for existing customers ;-)

    • JoachimS 3 years ago

      Tiny is a bit misleading. The turnover is about 100 MUSD. The company has about 300 employees, with offices in all regions of the world and a lot of R&D in the USA.

    • aborsy 3 years ago

      Thanks for the info!

      The construction quality of Yubikeys has been good in my experience.

      I was just worried about the closed source proprietary firmware in a security product (including the random number generators, where issues were discovered in the past).

      But Yubikeys are used in various companies and apparently in some branches of governments too, thus must have been vetted by their security teams (though there could be different lines of firmware or products for different clients. People say there is not much benefit to purchasing FIPS-compliant Yubikeys. Neglecting the approved algorithms and features, is the firmware the same as that in non-FIPS security keys?)

    • gonesilent 3 years ago

      US government had a nice little swedish cryptography company there for a bit too...

    • steve1977 3 years ago

      They were a tiny Swedish company…

    • Namidairo 3 years ago

      > It's not a faceless corporation with a Chinese PO Box.

      On this note, are Feitian still the OEM for the Google Titan keys?

  • INTPenis 3 years ago

    Today there are more trustworthy alternatives. Yubikey is great for a very limited set of uses. But it lacks programmability and openness.

    Something the Tillitis key has. TKeys have a steeper learning curve because they're programmable, but they're also 100% open source software and hardware.

    • panny 3 years ago

      >But it lacks programmability

      For a lot of us, that's a feature, not a bug.

      • INTPenis 3 years ago

        Sure, I mean there will always be two main groups of clients on the market. Those who trust in openness and those who don't care, or even distrust it. So there will always be a place for Yubikey.

        But afaik there is nothing else out there right now like the tillitis key, programmable, 100% open, and already shipping.

        • panny 3 years ago

          If you have a key that can't be reflashed, source code is irrelevant. It may as well be hardwired circuits. Even Richard Stallman agrees on this point. I don't want a field-programmable key, because it expands the attack surface. If you like weakened security, that's fine.

    • palata 3 years ago

      I always wonder: isn't programmability a security risk? What if a malware puts a backdoor in my programmable key?

philip1209 3 years ago

I'm curious how Apple Passkeys will affect the Yubico business. Competition for U2F products may increase drastically as consumers begin adopting it. This may be prescient timing to go public for Yubico.

  • kylehotchkiss 3 years ago

    Passkeys already work with Secure Enclave and across multiple devices. Yubikeys require a purchase and potentially multiple keys.

    Passkeys will win the war for the everyday user, and Yubikeys will remain a niche IT item. Their focus on FIPS audiences is good though as that should provide a longer-term reliable source of sales.

    I hope Yubikey survives long term because I like their tech implementation (a key must be present AND physically touched to activate). I travel much more confidently with Yubikey locked accounts. I know where my Yubikeys are at home and I don't generally take them out with me.

    The war for better securing online accounts benefits us all though. haveibeenpwned hasn't gotten any smaller over the years :/

  • TacticalCoder 3 years ago

    > I'm curious how Apple Passkeys

    Wait... Passkeys are from the FIDO alliance, and Google, Apple and Microsoft have all pledged to implement passkeys for auth, no?

    I don't think it's "Apple passkeys" any more than they're "Google passkeys" or "Microsoft passkeys".

    Which is why it's so scary... It's going to steamroll all other kind of auth with these three juggernauts behind it.

    • WorldMaker 3 years ago

      Apple got first mover advantage on marketing Passkeys under that name, so a lot of consumers are going to call it an Apple thing just by Apple getting that jump on describing it to consumers.

  • labcomputer 3 years ago

    Probably not at all? Yubico is one of two brands that Apple recommends for securing your iCloud account.

    • ec109685 3 years ago

      The keys in our phone and our computers are going to handle a majority of the use cases that currently rely on yubico.

      We use them at work, but they aren't fundamentally more secure than what's built into the computer.

      • labcomputer 3 years ago

        Right, but you still “need” a pair of Yubikeys to secure the iCloud account that holds your Passkey credentials. So you’d use the Yubikeys less in day-to-day auth situations, but you still need to buy them.

        • ec109685 3 years ago

          That or another iCloud device. If you have a couple, that can be your security backup (afaik).

          I do think the calculus changes for yubikey. Without built in security keys, every knowledge worker on earth should have a yubikey like thing, so their market is huge. With built in device security, then the keys might not be deployed at the same rate.

          It's a good point though. I also think companies (at least mine) like having full control over the yubikey experience whereas the way apple manages the secure enclave is more obtuse.

paxys 3 years ago

I like Yubico but to me going public via a SPAC is a huge red flag.

dboreham 3 years ago

Time for an open source u2f token.

  • craftkiller 3 years ago

    Well an interesting new approach to security tokens just launched: the tillitis tkey[1]. It has open source hardware and software. Unlike other security tokens that are based around storing your key where it can't be read, the tillitis tkey doesn't have any persistent storage and instead calculates your private key by hashing the program you've loaded onto the key, a user-supplied secret, and a per-device random secret. I'm excited to see what people will do with it. I don't think a u2f application exists for it yet, just an ed25519 ssh agent so far, but it just launched this week.

    [1] https://www.tillitis.se/tkey/

    Otherwise, in a more traditional yubikey-replacement design, I've had my eye on the onlykey, but their GitHub has very little activity, which makes me worried it's a dead project.

    • tadfisher 3 years ago

      I like the idea, but I'm worried about the FPGA being programmed to exfiltrate the secrets and re-flashed to the original program. With the Yubikey, it's mostly guaranteed that the device key remains on the device. Are there safeguards against this?

      • JoachimS 3 years ago

        Due to the way the configuration state machine in the Lattice iCE40 UP device operates, we can't block a warm-boot attack, even though the FPGA bitstream is stored and locked into the on-die non-volatile configuration memory. However, we can, and try to, make it really hard to successfully perform an evil maid attack.

        First: all registers and logic (LUTs) will always be cleared during the reset phase of the FPGA configuration. So any secrets stored there will be secure. We store the Unique Device Secret (UDS - the primary asset) in registers. Registers that can also only be read once between power cycling. The block RAMs (EBRs) however can be cleared or retain data based on the configuration <-- these are the ones to worry about.

        Right now we have to touch the FW-RAM (implemented using EBRs) with the UDS for a few tens of cycles. After being used, it is wiped from memory. So a successful exfiltration must trigger the warm-boot reconfiguration during that window of time. In order to make this harder (i.e. more time consuming) we do a few things:

        1. We randomize when the UDS is moved to the FW-RAM and thus when the window to hit is. And we should not leak any indication when that is.

        2. We use ASLR to randomize where and in which order the UDS is stored in the FW-RAM.

        3. We use randomized data scrambling of the contents in the FW-RAM. And yes we do fill the memory with randomized, ASLRed data first.

        The randomization control values are all stored in registers, and will be lost as part of the reset phase of the attack. So an exfiltration must:

        1. Hit the window of time.

        2. Extract the contents of the FW-RAM.

        3. Be able to distinguish the random data words that make up the UDS from the other contents of the FW-RAM.

        4. Descramble the UDS words and place them in the right order.

        It is not an impossible attack, but it should take a long time. And it should not scale easily from one device to all others. One could automate it of course, but the work should be the same (multiple exfiltrations) for each device.

        But we still think that the attack IS possible, and it is therefore out of scope of attacks that we mitigate for this version of the TKey. The next version will hopefully be able to keep the UDS in registers only. When we have that working, the threat model will be updated to reflect that.
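A small simulation of the FW-RAM protections JoachimS describes above (random fill, randomized placement and order, per-word scrambling, wipe after use, controls held only in registers), written as an added illustration for this thread; it is not TKey code and not from Tillitis. The memory sizes, the 32-bit word width, the XOR scrambler, and the cycle-count window are all assumptions made here so the model runs stand-alone; the page does not describe the actual scrambling function.

```python
"""Model of the randomized FW-RAM handling of the UDS (constructed example).

The "controls" dict stands in for the FPGA registers that hold the
randomization values: they exist only for one boot and are gone after the
reconfiguration an evil maid would trigger. Everything else is a list of
32-bit words standing in for the EBR-backed FW-RAM.
"""
import random

UDS_WORDS = 8        # assumption: 256-bit UDS held as eight 32-bit words
FWRAM_WORDS = 512    # assumption: FW-RAM size in 32-bit words
MASK32 = 0xFFFFFFFF


def make_controls(rng):
    """Register-resident randomization values for one boot (assumed layout)."""
    return {
        # FW-RAM slot that holds UDS word i. A random sample without
        # replacement randomizes both where the words go and in which order.
        "slots": rng.sample(range(FWRAM_WORDS), UDS_WORDS),
        # per-word scramble key; XOR is an assumption, the real scrambler
        # is not described in the comment
        "key": [rng.getrandbits(32) for _ in range(UDS_WORDS)],
        # cycle at which the UDS is copied into FW-RAM; randomized so the
        # attacker does not know when the window opens
        "copy_cycle": rng.randrange(1, 1000),
        "hold_cycles": 30,   # "a few tens of cycles"
    }


def fill_random(rng):
    """FW-RAM is filled with random words before the UDS is written."""
    return [rng.getrandbits(32) for _ in range(FWRAM_WORDS)]


def write_uds(ram, uds, ctl):
    """Scramble each UDS word and drop it into its randomized slot."""
    ram = list(ram)
    for i, word in enumerate(uds):
        ram[ctl["slots"][i]] = (word ^ ctl["key"][i]) & MASK32
    return ram


def read_uds(ram, ctl):
    """Firmware that still has the controls reorders and descrambles exactly."""
    return [(ram[ctl["slots"][i]] ^ ctl["key"][i]) & MASK32
            for i in range(UDS_WORDS)]


def wipe_uds(ram, ctl, rng):
    """After use the UDS slots are overwritten with fresh random words."""
    ram = list(ram)
    for s in ctl["slots"]:
        ram[s] = rng.getrandbits(32)
    return ram


def hit_window(cycle, ctl):
    """Would a reconfiguration at `cycle` capture FW-RAM while the UDS is in it?"""
    start = ctl["copy_cycle"]
    return start <= cycle < start + ctl["hold_cycles"]


def leaks_plaintext(ram, uds):
    """Does any UDS word appear verbatim in a captured dump?"""
    return any(w in ram for w in uds)


def boot(uds, seed):
    """One boot with fresh controls. Returns the controls and the FW-RAM
    contents an attacker would capture before, during and after the window."""
    rng = random.Random(seed)          # seeded only so runs are reproducible
    ctl = make_controls(rng)
    before = fill_random(rng)
    during = write_uds(before, uds, ctl)
    after = wipe_uds(during, ctl, rng)
    return ctl, before, during, after


if __name__ == "__main__":
    uds = [0x11111111, 0x22222222, 0x33333333, 0x44444444,
           0x55555555, 0x66666666, 0x77777777, 0x88888888]   # constructed
    ctl, before, during, after = boot(uds, seed=1)
    print("recovered with controls:", read_uds(during, ctl) == uds)
    print("plaintext visible during window:", leaks_plaintext(during, uds))
    ctl2, _, during2, _ = boot(uds, seed=2)
    print("old controls useful on next boot:", read_uds(during2, ctl) == uds)
```

The four checks the comment lists map onto the model directly: `hit_window` is the timing problem, the dump itself is step 2, `leaks_plaintext` shows that the scrambled words are indistinguishable from the random fill (step 3), and `read_uds` with the wrong controls shows that descrambling and reordering (step 4) needs values that reconfiguration has already erased. Running `boot` twice with different seeds shows why one successful capture does not carry over to another device or even another boot.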

    • voltagex_ 3 years ago

      > Currently we ship to EU/EEA countries, Norway, Switzerland, UK, USA and Canada

  • no_time 3 years ago

    The idea of authenticator hardware is inherently hostile to DIY and open source because you cannot produce or extract a keypair to generate valid attestation statements. Unless you are part of the cartel of course.

    https://w3c.github.io/webauthn/#attestation-statement

    • woodruffw 3 years ago

      WebAuthn doesn’t require the RP to enforce any particular hardware attestation, and many sites (the overwhelming majority?) allow anonymous attestation, self-attestation, or simply no attestation at all.

      Having hard-to-extract device keys isn’t “DIY hostile”; it’s critical to the attestation security model. If you want to build your own WebAuthn authenticator, then you can either form your attestation root (there’s no “blessed” vendor list that I know of) or simply ignore that part of the spec.

      • no_time 3 years ago

        I am aware how attestation works and what problem it addresses. But I strongly believe the power imbalance it creates outweighs the benefits.

        Especially with bullshit like CF using it as a captcha substitute. https://blog.cloudflare.com/introducing-cryptographic-attest...

        • woodruffw 3 years ago

          I happen to agree that this is a bad use of attestation (as well as a pointless one, since it’s cheaper and easier for a click farm to do attestation with a bunch of yubikeys than to contract out CAPTCHA solves).

          However, I don’t really think it’s an indictment of either WebAuthn or attestation more generally: as pointed out, most public services do not (and probably will never) require attestation. The winds are against it more generally: non-attestation flows are easier to implement, and WebAuthn adoption is increasingly driven by authenticators that don’t necessarily offer useful attestations (e.g. on-device and virtual tokens). Most future users of WebAuthn won’t have physical keys of the sort that Cloudflare’s scheme will require.

        • adql 3 years ago

          This fucking article.

          CF, WHICH IS THE FUCKING SOURCE OF THIS PROBLEM, complains about the problem

      • mooreds 3 years ago

        The FIDO alliance offers up a JWT with attestation data: https://fidoalliance.org/metadata/

        But I agree, I don't think there's any enforcement mechanism beyond whatever the RP decide.

    • mindslight 3 years ago

      Attestation isn't a necessary requirement of an authentication token, and is inherently hostile to user freedom.

      If some knobsite wants to insist on me using a "hardware authentication key" (similar to how many currently insist on using email/SMS codes), but I want to set it up so that secret is stored in my browser because that site isn't so important to me, setting my own security policy that directly contradicts their wishes should be my right. Their control shouldn't extend onto my own computer(s), with the demarcation point being the Internet itself.

    • JohnFen 3 years ago

      > The idea of authenticator hardware is inherently hostile to DIY and open source

      The authenticator hardware that I use every day is a device I built myself.

    • robertlagrant 3 years ago

      > The idea of authenticator hardware is inherently hostile to DIY and open source

      Isn't this the same with all hardware?

  • rootio 3 years ago

    Like SoloKeys? The Solo 2 has a firmware written in Rust: https://solokeys.com

    • jrib 3 years ago

      I purchased a few Solo Key 2s but have ended up pretty disappointed. Keys ended up being delivered with bent USB connectors, which worries me that they will break prematurely.

      And the documentation, at least when I received the keys, felt incomplete and hard to find; it did not give me confidence in the product.

      I still use them as a backup key, but I decided to just buy two Yubikeys as my main keys.

    • faust201 3 years ago

      Really like the SoloKeys... but once you go at the level of small or large MNC they do business with people like Yubico etc. only. Never with tiny shops. (Sad)

    • xarope 3 years ago

      Anybody have a solokey, or have some feedback? I wanted to buy some, but the comments about bent connectors put me off, as well as the supply issues for usb-c

      • zyberzero 3 years ago

        I backed their crowdfunding campaign back in the day. Due to $REASON I didn't test all of them when I got them, but when I got around to it two out of four were broken (the broken ones had USB-C). Their support didn't help at all (why should they? but they could have offered me keys for a better price...)

        With that said, I had a Yubikey Neo die for me as well (NFC still worked, USB totally dead) - Yubikey offered me a new key for a discount.

      • rootio 3 years ago

        Solo 2 fixed the bent connectors issue. Solo 2 USB-C has supply issues, you'll probably have to wait a couple of months to get one.

      • ptman 3 years ago

        solokeys2 is physically better than solokeys1, but firmware is buggier

  • mkj 3 years ago

    https://github.com/google/OpenSK works, it runs on something like this $15 board. Could do with a case though.

    https://www.nordicsemi.com/About-us/BuyOnline?search_token=n...

  • post-factum 3 years ago

    Nitrokey, Solokey, OnlyKey.

rmccue 3 years ago

(ACQ Bure is a SPAC.)

  • VMG 3 years ago

    > A special purpose acquisition company (SPAC; /spæk/), also known as a "blank check company", is a shell corporation listed on a stock exchange with the purpose of acquiring a private company, thus making it public without going through the traditional initial public offering process and the associated regulations thereof.

    https://en.wikipedia.org/wiki/Special-purpose_acquisition_co...

    • Sander_Marechal 3 years ago

      Why is that even legal?

      • mongol 3 years ago

        Why should it not be legal? Exactly what is wrong with it, and what would legislation that forbids it but allows other M&A activities look like? I don't see a problem.

      • drexlspivey 3 years ago

        If “Hacker” News was assigned as a regulator nothing would be legal

  • munchbunny 3 years ago

    Interesting that Yubico is choosing to go public via SPAC. It’s lower scrutiny, it became more popular over the last few years, and then lost some popularity because of high profile duds. Why go with a SPAC in that environment if the business is healthy and profitable?

    • red_admiral 3 years ago

      Because, as far as I know, the business is not hugely profitable and there's not much scope to change that. Yubico makes a product that is high quality, does exactly what it says on the tin, does not come with any integrated ads/AI or anything else like that, but in the grand scheme of things is fairly niche (I wonder how many people outside of the tech and perhaps gov sectors would even recognise the company name).

      There's simply no way they can line up the "here's how we get to 1B users and then mine all their personal data" business plan that some other tech companies can do.

JohnFen 3 years ago

Congratulations to the Yubico team! It was nice while it lasted.

ChancyChance 3 years ago

I was a big fan of Yubikey (I have 3) until fewer and fewer services supported them, instead switching to authenticator apps. Now I have zero hard tokens, but still four authenticator apps: Google + 3 for banking services that use their own.

The biggest killer was the fact that Yubikey NFC is so awful. I worked with tech support repeatedly, even bought two new keys, and it almost never worked right.

  • tpmx 3 years ago

    I think it makes a lot of sense for things like AWS developer/devops access.

    With AWS IAM Identity Center (successor to AWS Single Sign-On) - that's actually the official name, hopefully temporary - it seems well supported via WebAuthn. You can "even" have multiple keys assigned to your account...

  • Arnavion 3 years ago

    Services support Yubikeys through U2F / WebAuthn, not anything Yubikey-specific, right? If you're using services that don't support that, I take it the apps you do use are using TOTP?

    • nine_k 3 years ago

      This works with desktop / laptop where you can attach the key over USB.

      On mobile, if it works at all, it should be NFC.

    • ChancyChance 3 years ago

      All three of my banks do not support Yubikey according to their tech support.

1letterunixname 3 years ago

And this, ladies and gents, is why you never take investment money unless your business absolutely needs a capital infusion to build whatever it is immediately.

Equity is where the gold is, and each investor is an extra marriage partner who must be satisficed and can potentially upend everything.

Build a stable business, not an instant payday.

Havoc 3 years ago

I swear if I need to drink a verification can to unlock my mail…

Just kidding. Hopefully this has no security or usability impact.

mattanimation 3 years ago

I literally just bought a Yubikey 5 yesterday... great.

armatav 3 years ago

Finally
