Polhem Prize awarded to Yubico – The Hackers’ Worst Enemy

Jakob and Stina Ehrensvärd, founders of the cybersecurity company Yubico, have been awarded this year’s Polhem Prize by Engineers of Sweden. Their YubiKey, designed to protect against data breaches, is now used by the largest tech companies in the U.S., large corporations and governments around the world and helps to secure critical infrastructure.

Yubico was founded by the Ehrensvärds in 2007. Two years later, they managed to bring their idea from a kitchen table in Täby, Sweden, to Silicon Valley.

The idea for their invention, the YubiKey, was planted when Stina opened an online banking account in 2005. She quickly realized that password and card reader logins were not secure enough, prompting her to contact the bank’s customer service.

“I told them that a friend had said it would take him less than a day to write code to hack my account. The bank’s response was to tell my friend not to do that,” Stina laughs.

The friend she referred to was her husband, Jakob Ehrensvärd, a skilled electronics and computer engineer who had been working in IT security for years, including designing the security system for the Forsmark nuclear plant.

Stina, an industrial designer passionate about innovation, recognized a problem without a solid solution from that conversation with the bank. Hacker attacks on banks and companies were increasing rapidly, and 80 percent of these attacks stemmed from stolen identities. Available solutions were either ineffective or too cumbersome for the average user.

Discussions about secure login continued at their kitchen table, with Stina posing question after question to Jakob. She wanted to know the weaknesses of existing login systems and how smartcards, a secure yet complicated solution, functioned. These exchanges gradually shaped their idea.

Pitching a Journalist on an Escalator

A few years later, the first prototype of their YubiKey was ready – a physical security key inserted into a USB port. The device generates encrypted one-time codes, exchanged between the YubiKey and the service where you log in, such as a bank, making the login secure and protected against phishing and other threats.

A good idea is said to sell itself, but this wasn’t the case. Swedish banks showed little interest.

“My bank asked us to return once we’d tested it on 50,000 other customers. This was a challenging period, particularly financially,” Stina Ehrensvärd recalls.

The turning point came when she received an invitation to the world’s largest internet conference in the U.S. With a YubiKey and her business card in a small box, she entered the venue, aiming to reach the over 100 journalists in attendance.

“I stopped the first journalist I saw on the escalator, introduced myself, handed over the little box, and explained our security solution. Two weeks later, Steve Gibson’s podcast, Security Now, with 100,000 listeners, praised our YubiKey.”

Suddenly, orders started pouring in, and YubiKeys were packed in their kitchen in Täby and shipped worldwide. One of the orders came from a security engineer at Google.

In 2010, an email from Google arrived, requesting 20,000 keys. Jakob and Stina decided to go to the U.S. to arrange a meeting with Google.

Mediating Between Tech Giants

Google had recently experienced a significant data breach from China, with code stolen, and the company was shaken. They were determined to prevent this from happening again and urgently needed a new security solution.

“Google became our first big client, and the deal was our breakthrough. I often say that it was due to the combination of a good product and luck,” says Jakob Ehrensvärd.

Not only did Google want to purchase the keys, but they also wanted to work with Yubico to develop the technology into an open standard that would allow YubiKey to work for logging in across all online services. This prompted Jakob and Stina to move to the U.S. They rented out their home in Täby and, in 2011, relocated to California.

Over the following years, Yubico secured clients from tech giants like Microsoft, Facebook, Amazon, and dozens more. Eventually, they even persuaded Apple to support the security standard, now known as FIDO and Passkeys.

Jakob realized that Yubico, a small Swedish company, had certain advantages.

“The big tech companies were competitors, but we were independent and posed no threat. Sometimes we even acted as intermediaries.”

He recalls one instance where Apple needed to ask Microsoft a question but found it sensitive.

“Can’t you ask Microsoft for us?” Apple said.

Developing the secure login standard in partnership with the major tech companies presented one of the biggest technical challenges, and much work remains to make it simpler for internet users. Jakob also reflects on the challenging journey from prototype to industrial manufacturing.

“Many companies underestimate what it takes to mass-produce a product. Northvolt is a recent example of these challenges. It took Yubico 15 years to scale production, fully automated, with low costs and high quality. To maintain control, we chose to manufacture our YubiKeys in Sweden, over a million each month. I’m probably most proud of that.”

Today, over a thousand services support YubiKey and the FIDO Passkeys standard, opening up the market to private users.

A Women in Tech

In Yubico, the division of roles between Stina and Jakob has always been clear. Stina describes Jakob as the brilliant engineer, while she sees herself as the eternal optimist. While Jakob oversees technical development, Stina has taken on the roles of CEO, head of design, salesperson, and marketer.

Being a woman in the tech industry has been an advantage, she believes, and Jakob agrees.

“It’s a very dry, male-dominated industry. Stina has been like a breath of fresh air, bringing a different approach, and sometimes breaking down walls. It’s been successful.”

“Happy Happy to avoid spending time on Quarterly Reports”

Two years ago, the Ehrensvärds moved back to Sweden, and in spring 2023, Yubico was listed on the Stockholm Stock Exchange with a market value of around SEK 24 billion. Shortly afterward, Stina stepped down as CEO to focus on other projects.

“I’m passionate about innovation and glad not to spend time on quarterly reports.”

One of her current projects is the EU Digital Identity Wallet, a European project for linking secure login with identity. Stina describes it as a hybrid between Apple Wallet and BankID to combat fake identities.

“Millions of bots and fake identities spread conspiracy theories and work against democracy globally. Combined with stolen identities, this is today’s biggest cybersecurity threat,” Stina Ehrensvärd says.

Another initiative she’s involved in is Yubico’s Security It Forward program, which provides security keys to dissidents and journalists working for democracy and human rights.

Both Jakob and Stina feel honored to receive the Polhem Prize.

“We thank all our employees at Yubico, and together we will continue developing innovations to secure people’s digital identities. We will donate the prize money to the World Wildlife Fund, helping us protect land, water, and ecosystems, which are essential for our long-term security,” says Stina Ehrensvärd.