Open Source Done Right: Interview With Yubico’s Fredrik Thulin


Choosing The Right License

The Powerbase: For the low-level libraries it looks like you’ve chosen to release them exclusively under the BSD licence. What was the advantage of going with BSD rather than the GPLv2 or even the GPLv3?

Fredrik: I do know of companies refusing to integrate any open source component with a less permissive license than BSD. They may be right, they may be wrong – it doesn’t matter.

The (2/3 clause) BSD license is short, easy to understand and permissive. I believe it makes people confident in using the code since they can easily grasp their future obligations in doing so. I’m happy to have these BSD licensed.

The Powerbase: Do you believe that licensing under BSD has helped get the YubiKey into applications and institutions that may have had trouble implementing it if the API had been under a more restrictive license like the GPLv3?

Fredrik: Hard to say, but probably. I do believe that freedom sells more tokens, and I can’t see the reverse being true (that the use of GPLv3 would actively result in more use than BSD).

Implementing The YubiKey

The Powerbase: In a pre-YubiKey world, what would a developer have to do if they wanted to add secure two-factor authentication to their application or service? How has the YubiKey changed that?

Fredrik: Although I’m utterly impressed with the number of open source drivers and interfaces there are based on more or less reverse-engineered products and interfaces, I think in the end the drivers that are most likely to work well are the open (!) ones officially backed by hardware vendors. Look at how well the open sourced Linux network drivers backed by some vendors work, compared to the “mostly working but you’d better not depend on it” binary drivers for some graphics adapters, for example.

I think the real difference for a developer with the YubiKey is actually this difference in open, transparent, supported interfaces for everything regarding the YubiKey – both what we call personalization (configuring your token) and validation. To me, that is always assuring and I believe it is what will work best in the long run. There are a couple of other important differences as well that deserve mentioning, even though they are not necessarily relevant for the developer/integrator.

First, there is the cost. We optionally offer a free cloud based validation service with every YubiKey bought. You pay once, when you buy a token, and never again.

Secondly, and in one way most importantly, it is the security. If someone opts not to use our cloud service, the setup can easily be replicated (since we’ve naturally open sourced all the software comprising the cloud service), and the AES keys inside the tokens can actually be re-programmed so that it is guaranteed that no one else knows the secrets in the YubiKeys.

The Powerbase: What does it take to implement secure two-factor YubiKey authentication in an application, open source or otherwise?

Fredrik: Most of the time, very little. To get started, it is easiest to use our cloud based validation service.

If there is a web API client available for the programming language in question, integration is easily done in a matter of a few hours. My brother works for Flattr and I recently helped them implement a PoC for YubiKey authentication. It was done in about two hours, and that involved a fair amount of database model and GUI work, not really related to the one time password validation.

If there is no web API client available, the protocol is documented and I look forward to hearing about any new implementations in new languages.
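The validation flow Fredrik describes above, as an added example that is not part of the original interview and not Yubico’s own client code. It follows the publicly documented YubiCloud validation protocol (version 2.0): the client sends its client id, the OTP and a fresh nonce, and both request and response are authenticated with an HMAC-SHA1 over the alphabetically sorted `key=value` pairs (every field except `h`), keyed with the base64-decoded API key. The client id, API key, OTP and the server response are all constructed so the example runs offline; the HTTPS call itself is left out, and the server side is simulated by a helper that signs a response the same way the real service (or a self-hosted copy of the open source validation server) would.

```python
"""Minimal offline YubiCloud OTP validation client (added example).

Not Yubico's own code. Follows the documented validation protocol v2.0
signing scheme: base64(HMAC-SHA1(api_key, sorted "k=v" pairs minus h)).
CLIENT_ID, API_KEY, the OTP and the server response are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # modhex digits for 0..f
VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"

# Constructed credentials; real ones are issued when you register a client.
CLIENT_ID = "12345"
API_KEY = base64.b64encode(b"constructed example api key!").decode()


def check_otp_syntax(otp: str) -> str:
    """Syntactic check of a Yubico OTP; returns its public id prefix.

    A Yubico OTP is 32..48 modhex characters: an optional public id of up
    to 16 characters followed by the 32-character encrypted block.
    """
    if not 32 <= len(otp) <= 48:
        raise ValueError("otp length must be 32..48 characters")
    if any(ch not in MODHEX_ALPHABET for ch in otp):
        raise ValueError("otp contains non-modhex characters")
    return otp[:-32]


def sign(params: dict, api_key_b64: str = API_KEY) -> str:
    """HMAC-SHA1 over alphabetically sorted k=v pairs, excluding h."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_verify_request(otp: str, nonce: str, client_id: str = CLIENT_ID,
                         api_key_b64: str = API_KEY) -> str:
    """Return the signed verify URL the client would GET over HTTPS."""
    check_otp_syntax(otp)
    if not (16 <= len(nonce) <= 40 and nonce.isalnum()):
        raise ValueError("nonce must be 16..40 alphanumeric characters")
    params = {"id": client_id, "otp": otp, "nonce": nonce, "timestamp": "1"}
    params["h"] = sign(params, api_key_b64)
    return VERIFY_URL + "?" + urlencode(params)


def parse_response(text: str) -> dict:
    """Parse the key=value lines of a validation response."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def verify_response(text: str, expected_otp: str, expected_nonce: str,
                    api_key_b64: str = API_KEY) -> tuple:
    """Authenticate the response and bind it to the request we sent."""
    fields = parse_response(text)
    if "h" not in fields:
        return False, "response is unsigned"
    if not hmac.compare_digest(fields["h"], sign(fields, api_key_b64)):
        return False, "bad response signature"
    if fields.get("otp") != expected_otp:
        return False, "otp does not match request"
    if fields.get("nonce") != expected_nonce:
        return False, "nonce does not match request (possible replay)"
    if fields.get("status") != "OK":
        return False, f"validation failed: {fields.get('status')}"
    return True, "OK"


def simulated_server_response(otp: str, nonce: str, status: str = "OK",
                              api_key_b64: str = API_KEY) -> str:
    """Constructed stand-in for the validation server, for offline runs."""
    fields = {"t": "2012-03-01T12:00:00Z0000", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = sign(fields, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


if __name__ == "__main__":
    # Constructed OTP: 12-char public id + 32-char block, all modhex.
    otp = "ccccccbcgujh" + "ingjrdejhgfnuetrgigvejhhgbkugded"
    nonce = secrets.token_hex(16)
    print("GET", build_verify_request(otp, nonce))
    print(verify_response(simulated_server_response(otp, nonce), otp, nonce))
```

The checks that matter for security are the ones after the signature: the `otp` and `nonce` in the reply must match what this client sent, otherwise a captured “status=OK” response for some other OTP could be replayed against your application. A production client also sends the request over HTTPS to the real endpoint and should follow the protocol documentation for the `sl` (sync level) and timeout parameters.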

Looking Forward

The Powerbase: What does the future look like for Yubico? Any new advancements or products on the horizon that you’re able to speak on?

Fredrik: I won’t go into future products besides stating that we’re set to continue innovating, but I’ll happily share that what we’re working on right now is expanding into the smart phone market.

With the rise of smart phones, the Universal Serial Bus stopped being universal, but with the NFC standard allowing contactless interaction with NFC-capable smart phones, we finally found an interface that would allow us to develop a YubiKey that lived up to our own high demands of simplicity while still being secure.

About a month ago, we launched the YubiKey NEO that features both a USB and an NFC interface. It is currently available as pre-production units intended for pioneers and developers, and we’re working on finalizing both the firmware and all the supporting software including already published code to use the NEO with the Android NFC stack (also available as an app in Google Play).

Hopefully we’ve got the timing right so that NFC will become commonplace starting about now in both smart phones and perhaps also in laptops.

The Powerbase: By offering the software and service for free and only making money on hardware sales, Yubico is a textbook open source success story. What advice could you give other entrepreneurs or companies who are looking to make a successful business out of open source?

Fredrik:  Right. For me, it is easy to see that open source makes great sense for a hardware vendor such as Yubico. Not everyone sees it that way though. Some people seem to think it is a liability to release code to the public, because you have to maintain it or something. I must admit that I don’t really get that.

If you do closed source, you know you will have to either reject or implement 100% of your customers’ change requests. If you do open source, there is at least a possibility that the number won’t be 100%. There’s even a possibility someone might contribute a great feature that you would not have been able to implement yourself at all.

For people that do not sell hardware, I would recommend really examining whether the value you provide your customers is in the source code, or in your knowledge around the source code and how it might be used. If there’s a chance someone will suddenly start offering something solving the same problem as your code does, but for free (you can’t compete with free), I would recommend turning the ship to selling services instead of compiled code.

As a final piece of advice, study other open source projects to see what it is that motivates contributors. That’s something you will want to pick up.

Many thanks to Fredrik Thulin for taking the time to provide such enlightening answers, as well as the entire Yubico team. Between our experience with their unique hardware and time spent with the people behind the scenes, it’s clear to everyone here at The Powerbase that Yubico is a company strongly devoted to its mission and the open source community.

About Tom Nardi

Tom is a Network Engineer with focus on GNU/Linux and open source software. He is a frequent submitter to "2600", and maintains a personal site of his projects and areas of research at: .
  • Techni Myoko

    “We want to sell billions (10^9) of tokens”

    Shouldn’t the theoretical maximum be 7 billion? People don’t need more than 1.

    What I’d like to see is one of those keyfobs with a combination lock on it as well, or even a biometric scanner.

    • Dean Howell

      That’s a good observation, though you have to consider that some of us have several devices to secure.

I mentioned the Yubico at work. If my company buys a Yubico for my desk computer, my laptop, and I buy 3 for personal use… You see where I’m going… :)
