Ukrainian army relies on YubiKeys to prevent Russian hacks

The Ukrainian armed forces have been relying on Yubico’s passkeys to secure access to its key battle-management system Delta, according to reports.

The hardware authentication security keys, known as YubiKeys, were donated to the Ukrainian government several months after Russia’s invasion in 2022. The devices were distributed with the help of cybersecurity company Hideez, which offers passwordless authentication and MFA solutions. The donation included 30,000 physical security keys, including those from the YubiKey 5 series that supports FIDO2.

The donation of the final free passkeys was completed last week. Among them 22,000 are used by the military to access Delta, Bloomberg reports.

YubiKeys are being used as an extra layer of protection for accessing devices. Delta is used across all levels of Ukraine’s military, including its drone management system, and is frequently under attack from Russian hacks and infiltration. The system is used not just for collecting and exchanging vital information but also for planning operations and combat missions.

“It solves a lot of problems,” says Hideez CEO and Co-founder Oleg Naumenko, adding that a physical key instead of a typed password eliminates the risk of phishing attacks.

The war in Ukraine has put YubiKeys under the ultimate stress test. The military has found that using the USB stick version of the passkey tends to break laptop ports in the field, while physical keys tend to get lost.

The force has responded by issuing backups and introducing a newer wireless version of the Yubike with Near Field Communication (NFC) technology. Soldiers carry a software version on their smartphones.

The system also limits access for frontline troops, providing only the functions they need. If a fighter is captured, its fingerprints, passkey and other credentials could be used to access Delta by enemy forces. To prevent this, an AI system flags anomalous usage for field commanders who can shut down access for specific personnel.

Aside from the Ukrainian forces, the passkeys are used by the Ministry of Digital Transformation, the National Police, government-owned energy companies and power plants and other agencies. In addition to Hideez, Yubico has given devices to Polish cybersecurity firm ePrinus, who is helping to distribute keys for military tactics to support Ukraine.

The company also continues to serve private clients, including telecommunications giant T-Mobile, which decided to eliminate passwords altogether after a string of major cybersecurity incidents between 2018 and 2023.

Mark Clancy, T-Mobile’s senior vice president of Cybersecurity, recently told media that equipping all employees with YubiKey devices has not only increased security but also productivity.

Yubico showcases post-quantum cryptography passkey prototype

Although it is still uncertain how long the Russia-Ukraine war will last, Yubico seems to be preparing for a future where widely used cryptography could be broken by powerful quantum computers. The company has unveiled new passkey prototypes equipped with post-quantum cryptography (PQC) at the Authenticate Conference this week.

Yubico stresses that the prototype is not a finished product and that the demonstration is only meant to show its feasibility. In reality, standards for post-quantum products are yet to be defined, while the company will also need to design larger hardware, as PQ algorithms have bigger footprints.

“Adopting PQC across protocols and products will take time, but that’s a strength, not a weakness. Rushing crypto transitions has never ended well in security history,” says Christopher Harrell, Yubico’s chief technology officer.

The company also presented a new capability that enables credential signing flows from a YubiKey inside a standards-based digital wallet.

Article Topics

biometric authentication  |  biometric security key  |  biometrics  |  cybersecurity  |  passkeys  |  passwordless authentication  |  post-quantum cryptography  |  Russia  |  Ukraine  |  Yubico