A keycard on a lanyard is a pretty outdated security measure, but at GoFundMe, YubiKeys never go out of style for employees, thanks to their freshly minted role in the company’s zero-trust strategy.
John Downey, CISO of the fundraising platform, told IT Brew that his “CISO card” would be revoked if he didn’t have a zero-trust initiative in place at his company and that he began implementing the industry’s beloved framework as a strategy after he settled into the role in 2021. A 2024 Gartner report shows that almost two-thirds of companies (63%) around the world have either fully or partially rolled out a zero-trust strategy.
“I remember an engineer was like, ‘Did you know you had to be on the VPN to access our systems and deploy our production even when you’re in the office?’” Downey said. “I was like, ‘Yes, that’s actually by design. Let me talk to you and explain to you why we feel like that’s a better mechanism.’”
That’s the key! Four years later, the company has continued to invest in and tinker with its zero-trust strategy. In April of last year, the CISO gave YubiKeys a more official role in the strategy, alongside traditional multi-factor authentication (MFA), in response to an uptick in phishing attempts against the fundraising platform’s employees. While YubiKeys had always been handed to GoFundMe employees over the years, Downey told IT Brew that enforcement around use of the physical security device was loose.
“We were trying to do it when they started, but again, it’s your first day, right? You don’t even know where the bathroom is,” Downey said. “You’re given so much information and then we weren’t going back to the education. We weren’t re-hitting it.”
Challenges in enforcement were minimal, according to Downey. He estimated that, initially, 30% of staffers were losing, forgetting, or choosing not to use the security keys.
“We had a breakage rate that we had to go and solve, but now that…we’re past it, that big hump, it’s great,” he said.
In fact, these days, enforcement looks different for Downey.
“One of our bigger issues is we sometimes can’t get enough YubiKeys to [give] to new hires,” Downey said. “We have to keep a stock of them so that we [don’t] run out.”
Jason Meller, VP of product at 1Password, told IT Brew YubiKeys are the “gold standard” for security. However, he noted that the use of the device doesn’t always resonate with every company.
“If you are the type of company where you have the ability, logistically, to get folks replacements for lost YubiKeys…YubiKeys are a great choice,” Meller said. He added that it may be better to tap an alternative security method if an organization is unable to encourage a culture where employees actually use the physical security device or keep up with the logistical upkeep of the devices (e.g., replacing lost keys).
Zero to hero. The results thus far have been stellar for GoFundMe, which Downey says gets phished “all day, every day.” The company’s now-stronger identity controls ensure that even if an employee gets phished and an attacker attempts to use the compromised password, the attacker’s actions are restricted.
“That’s exactly what you want, in an MFA context,” Downey said.
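The mechanism Downey describes above, shown as an added illustration that is not GoFundMe’s or IT Brew’s code: a toy relying party that models the origin binding of a FIDO2/WebAuthn assertion from a hardware security key, so that a phished password alone no longer completes a login. The user, password, origins and challenges are constructed for the demo, and an HMAC secret shared with the relying party at registration stands in for the real per-credential public-key signature so the script needs only Python’s standard library.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example-fundraising.test"                          # constructed relying-party id
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login.example-fundraising-support.test"   # constructed look-alike site


class SecurityKey:
    """Stand-in for a YubiKey. A real key signs with a private key that never leaves it;
    here an HMAC secret handed to the relying party at registration plays the public key."""

    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, secret)

    def register(self, rp_id):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret

    def sign(self, rp_id, client_data_json):
        """WebAuthn-style assertion: the key answers only for an rp_id it was registered
        with and signs authenticatorData || SHA-256(clientDataJSON)."""
        for cred_id, (reg_rp, secret) in self._creds.items():
            if reg_rp == rp_id:
                auth_data = hashlib.sha256(rp_id.encode()).digest()   # simplified rpIdHash
                signed = auth_data + hashlib.sha256(client_data_json).digest()
                return cred_id, auth_data, hmac.new(secret, signed, "sha256").digest()
        raise PermissionError("no credential for this site")   # browser surfaces NotAllowedError


class Browser:
    """The browser, not the user, writes the page origin into clientData and derives the
    rp_id from it, so a look-alike page cannot ask the key for the real site's credential."""

    def __init__(self, origin, key):
        self.origin, self.key = origin, key

    def get_assertion(self, challenge):
        rp_id = self.origin.split("://", 1)[1]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": self.origin}, sort_keys=True).encode()
        cred_id, auth_data, sig = self.key.sign(rp_id, client_data)
        return {"credential_id": cred_id, "client_data": client_data,
                "auth_data": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self):
        self.passwords, self.credentials, self.pending = {}, {}, {}

    def enroll(self, user, password, key):
        self.passwords[user] = hashlib.sha256(password.encode()).hexdigest()  # demo only
        self.credentials[user] = key.register(RP_ID)

    def password_ok(self, user, password):
        return self.passwords.get(user) == hashlib.sha256(password.encode()).hexdigest()

    def new_challenge(self, user):
        self.pending[user] = secrets.token_urlsafe(32)   # single use
        return self.pending[user]

    def verify_assertion(self, user, assertion):
        """Every binding a phisher would have to break: one-time challenge, origin,
        rpIdHash, credential ownership and the signature over all of it."""
        challenge = self.pending.pop(user, None)
        cd = json.loads(assertion["client_data"])
        cred_id, secret = self.credentials[user]
        if challenge is None or cd.get("challenge") != challenge:
            return False, "challenge unknown or already used"
        if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
            return False, "origin mismatch: assertion was not made on our site"
        if assertion["credential_id"] != cred_id:
            return False, "credential not registered to this user"
        if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        if not hmac.compare_digest(hmac.new(secret, signed, "sha256").digest(), assertion["signature"]):
            return False, "bad signature"
        return True, "ok"

    def login(self, user, password, browser):
        """Password plus hardware key; the password alone never completes a login."""
        if not self.password_ok(user, password):
            return False, "bad password"
        try:
            assertion = browser.get_assertion(self.new_challenge(user))
        except PermissionError as exc:
            self.pending.pop(user, None)
            return False, str(exc)
        return self.verify_assertion(user, assertion)


def run_scenario():
    """Constructed scenario: the employee's password has already been phished."""
    rp, key = RelyingParty(), SecurityKey()
    rp.enroll("alice", "correct horse battery staple", key)
    stolen = "correct horse battery staple"
    results = {}
    # password-only policy: the stolen password is all the attacker needs
    results["password_only"] = rp.password_ok("alice", stolen)
    # key required: the look-alike site cannot obtain an assertion for the real rp_id
    results["phish_origin"] = rp.login("alice", stolen, Browser(PHISH_ORIGIN, key))
    # the genuine site still works for the legitimate user with the key present
    results["genuine"] = rp.login("alice", stolen, Browser(RP_ORIGIN, key))
    # an assertion captured in transit and replayed later fails: the challenge was single use
    captured = Browser(RP_ORIGIN, key).get_assertion(rp.new_challenge("alice"))
    rp.verify_assertion("alice", captured)
    results["replay"] = rp.verify_assertion("alice", captured)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:14} -> {outcome}")
```

Running the script prints one line per case: the password-only check passes for the attacker, the phishing origin is refused before any assertion exists, the genuine origin succeeds, and the replay is rejected. Three of the four rejections happen without the relying party ever seeing a usable credential, which is the property that keeps a phished password from turning into a session.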
Downey told IT Brew that the strategy remains a work in progress and that his next focus in the strategy will be around mobile and protecting the company’s software-as-a-service tools.
“We definitely have places that we can continue to improve it, but I would say we’re pretty happy with it.”