
Yubico bolsters APAC presence, touts device subscriptions

Yubico is hiring local teams in Singapore and pitching its subscription service to help enterprises secure employee access to corporate networks and applications

Swedish-American cyber security firm Yubico is expanding its footprint in the Asia-Pacific (APAC) region and touting its subscription service that makes it easier to deploy and manage phishing-resistant hardware devices used for securing user accounts.

The company, known for its YubiKey multifactor authentication (MFA) tokens used by tech giants such as Google and governments worldwide, is also building up its local presence, having established a four-person team in Singapore to serve as a hub for the region.

While APAC currently accounts for a small part of Yubico’s global revenue, its business in the region is growing faster than its overall growth rate, said Geoff Schomburgk, its vice-president for the region.

“The need for cyber security is the same in the APAC region as it is elsewhere,” Schomburgk said. “We will continue to invest and put Yubico people on the ground to support partners and enable them to do more to capitalise on the market’s potential.”

A key part of Yubico’s regional expansion effort is the YubiKey-as-a-service subscription model that bundles its hardware tokens with a suite of services, moving the purchase from a one-time capital expense to a recurring operational cost.

“We’ve historically just sold a YubiKey, and we don’t see you again because they don’t break, so we’re moving to more of a service model,” Schomburgk said, adding that the company has nabbed deals for the YubiKey-as-a-service model in Singapore, India, and Japan in the past 12 months.

Targeted at enterprises and government agencies with at least 200 users, the service includes benefits such as extended warranties, priority technical support and simplified pricing across different YubiKey models.

It also allows for factory-level customisations, such as enforcing minimum PIN lengths or disabling certain legacy functions to tighten security, as well as enterprise attestation, which ensures that a hardware token accessing the network is a genuine device from a trusted supplier.

More crucially, the service includes an annual replacement stock of up to 25% of a customer’s keys, enabling them to replace their devices at no extra cost when new firmware is released. This addresses a common issue for users who must buy new hardware to get the latest security features: a YubiKey’s firmware cannot be updated once programmed, a restriction intended to prevent it from being compromised by potential malware.

The demand for hardware security tokens is expected to increase across the region as organisations grapple with AI-powered phishing attacks and as regulators, including the Monetary Authority of Singapore, advocate for the use of hardware tokens for more secure banking.

However, Schomburgk acknowledged that past experiences with clunky, battery-powered hardware tokens have left some organisations hesitant.

“Internally, we use the term ‘PTSD’, or post-token stress disorder,” Schomburgk said. “There is a residual bad user experience with some tokens that we have to address.” He added that modern standards such as Fido (Fast Identity Online), which Yubico helped create, have addressed the trade-off between security and convenience, allowing for a simple tap-and-go experience.

While Yubico’s primary focus in the region is on enterprises, it will continue to rely on its network of resellers to reach small and medium-sized enterprises (SMEs) across the region. For consumers, the keys are available through trusted e-commerce partners such as Amazon and the company’s own website.

To alleviate concerns around hardware integrity, the company manufactures YubiKeys in secure facilities in Sweden and the US, producing up to a million devices per month. Asked if Yubico has had requests for local manufacturing, Schomburgk said the main customer concern is the integrity of the delivery process.

“The most common question we get is, ‘How do I know that when they are shipped, they won’t be tampered with?’” he said, adding that Yubico works closely with its logistics partners to secure its supply chain.

There’s also inherent trust in the Swedish brand and what Yubico has built, negating any questions that customers may have about the company’s supply chain and product integrity, Schomburgk noted.
