In early March 2022, a security expert found a way to strengthen Ukraine’s cybersecurity by replacing one of its weakest links, passwords, with security keys.
Hideez CEO Oleg Naumenko recognized the need for a better authentication system for government agencies and critical infrastructure organizations early in the war. He asked Yubico for help in deploying the security keys to the Ukrainian government.
“We needed to have a lot of keys to deploy, but we didn’t have that many keys in our warehouse,” he said. “When we asked for help, we got an answer from Stina the same day.”
Yubico has currently distributed 10,000 keys and plans to donate 10,000 more.
Stina Ehrensvard, CEO and founder of Yubico, said the partnership with Hideez and the Ukrainian government combined smart card technology with FIDO security keys to create a single point of access for all services.
“A smart card lets you sign in to PCs, but you can’t sign in to G Suite or Twitter or cloud services, so we added both functionality on the same key,” she says.
The Hideez authentication server now supports smart cards, FIDO authentication and YubiKeys. The keys are used by many organizations, including:
- SSSCIP, State Service for Special Communications and Information Protection of Ukraine
- Ministry of Digital Transformation, responsible for IT modernization and next-generation government e-services
- Publicly owned energy companies and power plants
- Ukraine’s .UA domain management organization Hostmaster.UA
A cybersecurity manager at a power plant in Ukraine said in a blog post on the Yubico site factory operators could not rely on legacy or mobile authentication due to the advanced types of phishing and man-in-the-middle attacks, as well as the total number of cyber attacks.
“A key aspect of the YubiKey is that it is built as a multi-function and multi-protocol device, allowing us to use the same authenticator for PC login, VPN access, cloud-based productivity, email systems, ERP system, and mobile requests,” said the director.
Factory workers changed their passwords daily as an added security measure and because of the stress of working in a war zone.
“The YubiKeys have significantly improved security and made access to many IT systems faster and easier, which is a huge relief for our employees,” said the CEO. “We believe YubiKeys are just as important to our cyber defense as the body armor that protects the soldiers and others on the front lines of the ground war.”
Ehrensvard said 2FA over SMS and authentication apps is not strong enough to withstand the current level of cyber-attacks.
“We started this work ten years ago and this is proof that we’ve developed something that works, is scalable and makes a difference,” she said.
Stolen credentials are the biggest internet security problem, and the same is true during a war, Ehrensvard said.
“Half of the war takes place in the physical world and the other half in the cyber world, and if heating systems and communications systems fail, a country will not function,” she said.
Deploying security keys in a war zone
Hideez is a cybersecurity company specializing in authentication and identity management. The Hideez Key is an all-in-one digital key for wireless authentication, password management and RFID locks. Naumenko started the company when his bank account details were stolen along with his savings. Hideez has offices in Virginia and a development office in Kiev.
Yuriy Ackermann, vice president of war efforts at Hideez, said Yubico engineers have worked closely with his company and Ukrainian officials.
“We are dealing with very stressed people and the Yubico key fits this context perfectly,” he said, especially given the legacy technology that government agencies are using.
Hideez worked with Ukraine’s State Department of Special Communications and Information Protection to certify the YubiKey 5 series for use in government agencies.
Oleksandr Potii, deputy head of SSSCIP, said in a blog post on Yubico’s site that his agency has expedited a normal certification process of six months and more to get the YubiKey 5 series validated for use by all Ukrainian government and military agencies and their employees. . The agency is also deploying 3,000 Yubikey for its staff to use in its electronic document management system.
The SIPCC had a security policy framework for ministries and government agencies that guided the deployment of the keys.
Ackermann said that implementing the keys requires some user training, especially for people who are used to using passwords. Hideez and Yubico’s engineers have streamlined the enrollment process to make it easy to roll out.
“The key uses a PIN code on the device and this is a huge advantage because users only need to remember the PIN code,” he said.
Ackermann said traditional cybersecurity measures can be very expensive, while the Yubico keys are not.
“The reality is that the defense for authentication is much more critical and it’s not such a huge expense,” he said. “This work will be a great example of how to develop great defenses.”
Ackermann said people are starting to realize that the current state of constant cybersecurity warfare around the world requires a better solution than passwords.
“As we assess future security policies, not only are passwords bad for security in general, but they will actually cause more problems because employees are under a lot more pressure,” he said.
Ackermann said the war in Ukraine has placed cybersecurity work in a very different context, while this expertise is vital to defend national security.
Oleg said life in Ukraine changed completely on February 24, 2022, when he was awakened by a loud explosion. Despite the loss of homes, jobs and even family members due to the war, Ukrainians are determined to defend and rebuild the country, he said.
“We have a huge goal to build a new life and a new country in Ukraine,” he said. “A lot of companies change their business model as they start thinking about how to build a new country.”