a16z Podcast - a16z Podcast: The Hard Things about Security
Episode Date: June 6, 2018Here's the hard thing about security: the more authentication factors you have, the more secure things are... but in practice, people won't use too many factors, because they want ease of use. There's... clearly a tension between security and usability, not to mention between security and privacy (good security doesn't always come with great privacy -- what if you're a journalist or dissenter under a repressive regime??). And finally, there's a tension between the convenience and inconvenience of hardware given the expected convenience (but also dangerous connectivity) of software and mobile everywhere. So how to resolve all this? CEO and founder Stina Ehrensvärd found the answer to these paradoxes with her company Yubico, makers of the "ubi"quitous (ahem, no pun intended!) hardware authentication security key used by the top internet companies. They're also the pioneering contributor to the FIDO open authentication standards -- arguably as important as what the SSL protocol did back then between web servers and browsers, only now we're in a world where payments talk to browsers, and machines talk to machines. But how does open source fit into all this? How does one build trust as a newcomer? And how does one go from founder passion and founder-market fit to product-market fit, especially while straddling two cultures of innovation? Ehrensvärd shares hard-earned lessons learned on going from big vision to practical reality, from managing communication to design and more in this founder/maker story episode of the a16z Podcast (in conversation with general partner Martin Casado and Sonal Chokshi). It's not just luck, it's making your own luck... especially when it comes to seizing opportunities and help in unexpected ways and places.
Transcript
Discussion (0)
The content here is for informational purposes only, should not be taken as legal business, tax, or
investment advice, or be used to evaluate any investment or security and is not directed at any
investors or potential investors in any A16Z fund. For more details, please see A16Z.com slash
disclosures. Hi, everyone. Welcome to the A6NZ podcast. I'm Sonal. Today we have one of our founder
stories episodes. You can find others on our website under A6.Z.com slash founder maker stories.
our guest today is Tina Aronsward, CEO and co-founder of Security Company Ubiko, makers of the
hardware authenticator Ubiqui. In this conversation, co-hosted by General Partner Martine Casado,
we cover everything from the broader trends in security and authentication to the seemingly
eternal tension between usability and security to the role of open standards and open source in
trust and adoption. And finally, we discuss the challenges and realities of the long, hard,
slog startups face, with some advice for entrepreneurs shared in between.
But first, we talk about regional differences in innovation and how this company got started.
Jacob and I were working for a company doing clinical trials, and we asked them if we could
develop a new intelligent pharmaceutical packaging that would remind the patient, you know,
the compliance information directly on the package.
I think we did everything wrong there because we were trying to solve a super big problem.
of a pharmaceutical packaging
and the whole ecosystem
but it actually led to what we do today
because how do you then send the information
between the pharmaceutical packaging
to the computer in a secure way?
It's sort of indirectly led to what we did.
Isn't it funny how all those things make sense
in hindsight and retrospect?
Yeah, that's great.
Actually, it's something I've always wanted to ask you
is one of the biggest differences
being a Swedish entrepreneur in Silicon Valley.
Swedes are in generally more frugal
and more cautious.
There is this saying that a Swede think
that a million dollar is a lot of
money. I like what Sweden offers in terms of sort of social welfare. And, you know, we haven't had
war for 200 years. But here, there isn't any limit of how big a dream could be. Sweden actually has
proven to come up with a lot of great inventions. So I'm not saying, but the reaction I got when I
came here, oh, that sounds cool. How can I help? So I don't think there is an idea or a vision that
is too big for Silicon Valley.
The first time I connected with the internet, I fell in love.
I just thought, this is the most powerful thing mankind has ever invented.
I actually felt it was almost like a spiritual experience.
Here's this place we're all connected, where we all have this endless information that we
can tap into.
And then when I learned that it was vulnerable, that the security wasn't great.
I don't know, but there was this calling where I just felt.
I cannot let this fantastic invention fail.
It's just one of those things that someone need to be there to protect.
Like the bear mother is protecting her kids.
That's what I felt.
That's amazing.
And then the first time I logged in, I was registering to an online bank.
The bank told me that I would be safe with the username and my password
and the software that I downloaded on my computer.
But I happened to know a former white hat hacker who told me it would take him a day to write the code
who would empty my bank account.
So I called up the customer service at the bank
and asked them what they wouldn't do about this
and they said, can you please tell your friend to not do that?
What I didn't tell the bank was that the former white hat hacker
who, by the way, never did anything criminal,
is also my husband.
And the father threw my three children.
And I needed to figure out something that he couldn't hack.
He knew that any software that's downloaded on a computer or on a phone
can sooner or later be hacked.
And that's the reality we're seeing.
So secretly your plan was to just see if you could beat him.
The only thing that was really secure
and it's still fairly secure with smart cards.
But they're just so difficult to deploy.
That doesn't work.
I mean, Google realized that.
And we knew it.
Jacob, my husband, was an electronic computer engineer
who built his first computer when he was 15.
We started dating when I went to college
and studied product design
and he built the working prototype
for one of my designs.
And when we knew we wanted to develop
a security solution that could scale and was not hackable.
My first question was, you know, these smart cards that needs drivers, why do I need a driver?
I can just plug in my keyboard and I don't need a driver.
And then Jacob, that simple question actually resulted in our first invention.
Which was?
Is a security key that generates one-time pass code through the keyboard interface.
It actually acts as it was a keyboard.
So when you touch it, it generates a long encrypted code through the keyboard.
key, but I don't have to retype. In fact, it's not unlike how Yubiki works right now. So just to
quickly explain for people what Yubiki, the hardware token, hardware authenticator,
obviously and give you my layperson's experience of it. I have like a little USB stick looking
thin, black little device, which has gold prongs. And by the way, because of that, I've
turned it into a bracelet charm because it's really annoying leaving my keys behind in my bag. So I actually
often wear it on my hands as a bracelet in order to log in. And where before, we still log in
through Octa, which is like our unified browser login for the firm. Now, instead of using
a text password or like a little app on my phone, I now insert my Ubiki into my USB port,
just stick a little button in it just instantly logs me in. It takes like less than,
not even a second. So security is top of mind and it's been top of mind, you know, certainly since
I've started computing, but especially now. I mean, you hear it all the time with all the account
takeovers. It used to be like, okay, there's some hacker that's going to kind of break into your
computer remotely, and more and more the type of threat really is something where I will become
so and I'll take over your Twitter for the purposes of, I'm going to post silly things to
taking over a bank account. I mean, like, if I can impersonate you and be you, I can have
access to those dollars. And we're seeing this more and more. I think this is the primary threat.
And so if you're in the security industry, two things come to mind. The first one is we're trying
to develop solutions for these. And there's only one that's kind of been really proven to work.
and these are harbor tokens and harbor roots of trust.
When I think of authentication, people talk about two-factor, three-factor, and two-factor
authentication is it something you have and something you know.
And oftentimes that something you have is like your cell phone and something you know is like your password or something.
And also you can have like a fingerprint sensor you and you can authenticate that way and that's like biometric or you can use your eyeballs or retinal scan.
And then I've also heard of things like three-factor and four-factor.
And how does this fit in that big picture?
So the more factors you have, the more likely it is to be secure.
Right.
But it also adds complexity to the user.
I believe that the PIN or a password or biometrics is about the same level of security.
In addition to that, something that you have or actually you know with something that you are, like a fingerprint or your eyes,
should ideally be combined with a hardware authenticator that's in your pocket that's not connected to the Internet.
and has a very small attack vector.
And why is that?
Because I would imagine that it's easier, bluntly, to steal a hardware authenticator like a little object
than it is to steal a password out of someone's head or their fingerprint.
What's the rationale for that?
Well, a fingerprint is something you can copy.
The best hardware authenticators, they generate new passcodes every time they're used.
Like old school VPN keys.
And the best one actually use public key crypto, that is the ultimate encryption method.
that is really, really difficult to hack.
So every time it's used, it's new compared to your fingerprint, which can be copied.
There's also privacy concerns with sending information about your fingerprint over the net.
Right.
But just sending strong, digital numbers over the net is the more secure way to do it.
Here's kind of the way that I think about this, which is there's many ways to try and do security, right?
One of them is pure software.
But the problem with pure software is it's kind of turtles all the way down.
What do you mean by turtles all the way down?
is like you've got software, protecting software,
if there's nothing that I can physically do to protect that.
So remember, when you connect to the internet,
every sociopath on the planet has access to your computer.
And if they have access to your software
and you have no physical recourse whatsoever,
then that's what I mean but turtles all the way down.
They can do anything they want because they own the software.
Interesting.
And that's why we've moved from software to hardware.
Now, a very common thing to do for two-factor authentication
is go to cell phones.
But even those aren't something that you can really protect because somebody could walk into a T-Mobile store in Idaho and they could show a fake ID from our team.
They could port my phone number to their phone and then they could use that to reset all of my passwords.
So a phone number is not something I can put in my pocket or put in a safe and protect.
But if someone steals my physical key, what do I do?
I get another key.
What if someone steals a biometric?
You only have one body.
You can't let get surgery.
Right.
So this is actually a really big deal.
It's actually seen from Minority Report.
by the way, where Tom Cruz replaces his eyeballs.
It's exactly right.
Remember the breach for OPM?
Office of Personal Management.
Yeah.
The government breach, right.
So that had a database of fingerprints.
And for those of us, like myself, I used to work for the government that had our credentials stolen, we can't even do global entry anymore.
I have no idea.
Of course, because we can't use our fingerprints anymore.
So the problem with biometrics is if that's you're using for your credentials and someone steals it, that's it.
That's it.
You're done.
Right.
Now, a harbor token that's independent of that, you can protect it.
And so I feel very strongly that the solution must be physical.
It must be independent of the physical body and something that you can put in a safe if you want to.
Historically, security and privacy has not been a good fit.
You know, good security has always come with not so great privacy.
We started giving away some of our keys to dissidents and journalists around the globe.
The most touching of all was a journalist from a non-democratic country who sent us an email with the email head.
Thank you for saving my life.
They needed a solution that was not tied to their real identity.
Right.
That's something that was them.
They were the same person coming in again.
They were the owner of the account that they had set up,
but they didn't disclose any personal information.
I love that you mentioned that security and privacy aren't the same thing
because I think a lot of lay people sometimes conflate those two terms.
Security is, I'm safe.
Privacy is I'm disclosing information about myself.
of private information about where I live, my phone number, my age,
and it could include health care records, things that really should not be public.
Well, security is basically a lock,
and it doesn't necessarily need to have anything about you.
It's just a good lock on a door.
The world is seeing an interesting war right now over the Internet.
Historically, we had cannons and tanks and machines to kill each other.
Now we only have to hack into each other's system.
on the government level, on a personal level,
to do damage that can be part bigger than what we're doing with.
Well, it can also be physical.
My friend Kim Zetter wrote a book on Stuxnet.
The idea that something digital can actually affect something physical,
like a nuclear factory, is insane to me.
That just goes to show there's a larger attack surface with software.
Well, the thing with software is if someone gets in the software at all,
any piece of it, then basically they control the laws of physics.
Google was struggling with fishing, not the old-school fishing, where you still use
and even password, but the more modern attacks that hijacks a session and tricks the user
to do stupid things.
And they were seeing quite a lot of problem with this.
It was growing.
And they realized there was no technologies out there that could solve this at scale.
And we approached Google with this idea of one single key to any number of services.
At the time, smart cars were the only technology that would solve the problem.
But smart cars are complicated.
They were designed 30 years ago.
They were not designed for the web.
They need readers, client software, drivers, and not for the phone.
It doesn't work for the phone.
So we said, what if we would combine the simplicity of the Ubiqui,
this was initially just a one-time password device,
with public crypto and NFC.
So we would work over mobile and then build in the client software and driver
directly into the browser.
So it unites the public key with the NFC, the near field communication, with essentially the hardware is all within the browser in a weird way because it's not requiring special hardware.
I would say the middleware or the client software that the smart card had been struggling with.
We would just put it in the browser.
You turned it into software.
And if you put it into the browser, it's much easier for the user.
You don't have to do anything.
And the risk of having to download something that may be a compromise is mitigated.
And that became FOTOF, and since Google deployed this for all staff and contractor, they had zero fishing attempts.
So I think it's fair to say over the last few years, Fido has become the standard for authentication, which is really significant.
I would love to hear how this came into being.
So it started just named U2F, which stands for universal second factor.
And then we contributed the code to Fido Alliance.
FIDO Alliance is an open standards consortium, including Microsoft and PayPal and Bank of America and Visa.
I mean, 200 companies are there.
There are now working, developing this sort of idea, concept, and innovation that we contributed with, not only for authentication, but for payments.
I'm absolutely convinced that this will have as big impact on Internet security as SSL have had in the past.
Before SSL, you didn't have secure identity.
So you didn't know who you were talking to and you didn't have encryption.
And so everything was in plain text.
And with SSL, you got both of those.
So, for example, if you go to Wells Fargo, you know, you're talking to Wells Fargo
because someone has, they have a signed certificate that says Wells Fargo that came from
a trusted authority like Veracine or whoever it is.
And so it provided both security and privacy.
What's happening now that is all leading browsers and platforms are engaged in this open
standards work.
So today I can use my key to log into Google.
the same key I can log into Facebook and Dropbox and GitHub.
By end of this year, I will be able to log in to several banks,
to US government services,
and none of these services share any information about how my keys used.
There isn't a centralized service provider who sits on the keys.
It's not owned and controlled by the government, not by Google, not by Ubicle, not by Microsoft.
And that's really what's the game changer is, because now we can set up distributed
trust models between individuals and companies and do things.
It's sort of in the same vision of blockchain.
You know, how do you secure things that are distributed and not centralized?
The top internet companies, the best security people I know, all are doing this,
but you have like a lot of legacy businesses that really haven't caught on.
How do you reconcile this discrepancy?
Are they just behind?
Things take time.
Standards work take time.
And changing people's behavior also take time.
I mean, we're so used to using them in passwords.
We're starting to get used to the SMS two-factor, but to introduce something else, it just takes time.
I am very optimistic that things are moving in the right direction.
Google published a report not long ago where they said that they were able to cut down support to 92% compared to a phone app.
After that, the other internet companies came on board.
So I feel like the world is getting educated.
These big banks don't have to have special hardware and special things they have to do.
You don't have to worry about that layer.
So now the challenge to overcome is simply time of adoption, cultural barriers, behavior, as you said.
But you've mentioned now a few times this sort of tension, I would argue, even though they're complementary between usability and security, because you make certain tradeoffs.
They tell you you you're not supposed to use the same password everywhere, but people are lazy, not even just lazy, they're human.
So tell me about how you went through that balance between great security and great usability.
So we started with that sort of just one touch user experience that didn't have the ultimate protocol.
because we needed native support in the browser.
And then, in order for this to work just everywhere, we need all browsers.
So Google was the first.
Mozilla is coming on board.
Microsoft is coming on board.
Brave.
I just got to say, it's totally my new favorite browser.
It's amazing.
So you had to go through the browsers first.
In order to make it really secure and really easy to use.
Yeah.
Another way, someone need to download a software, which add complexity and a security risk.
So I think that's this awesome.
And, you know, the reason why Google was able to cut.
down support was because they gave everyone two or three keys. I mean, if you have a login
technology through your phone or through a token or through a card, you will sooner or later
lose it, just like a car key. The reason why we have an extra car key or an extra house case,
it's good to have an extra. This technology allows you to set up multiple keys.
So where does this go as far as protecting more broadly computer systems?
The next evolution of the fighter protocol is to make it passwordless, where you can combine the
Ubiki with a fingerprint or biometrics or geolocation or something else because you always want
to have an extra factor just like your ATM card. You have that pin. So that's the good
evolution happening. In parallel, the same protocol is getting into payments, payment in the
browsers, into IOT, into encryption, user-owned identity. Okay, so this is an area near and dear to
my heart. I mean, we see drones that plant trees. We see autonomous vehicles. So how does our Roots of Trust
play into that environment.
Same authentication encryption protocol, but not between a user and a server, but between
devices, between servers and servers, between a phone and a service.
And there are, what is it, 75 million, 100 million servers out there.
So it's not only users who need to be protected.
There are other systems.
And today's quite costly and cumbersome to protect them.
So if we just move out the really sensitive parts, the login credentials, and some,
of the things we really want to encrypt, not everything, we have minimized attack vector and
we have significantly up the security.
You know, Google has made it public that they have a special purpose piece of hardware
on all of the servers called the Titan chip, a trend to using hardware on every server
to protect them as well.
Another thing that people will talk about is like putting it in like a chip, like an Intel
chip, which is great.
One thing about security that I've learned over the years is you have to secure it every layer.
Like you need software security, and in software security, you need app security.
and OS security, you need hypervisor security, you need chip security, right?
But again, even if you're putting security controls within, for example, an Intel processor,
it's still on the same dye as all of the other functionality.
And then we see bugs that we had recently, like Meltdown.
So the idea is to have a separate chip, it's on a separate die,
whose 100% functionality is for security.
And now you have something that you know what it is.
You can trust it much smaller attack surface that you can use for whatever.
So you're basically arguing, if I understand this correctly, that there will be some kind of hyper-specialization around security at a hardware level.
Not only that, I'm saying Google has announced that they're doing this with a special-purpose chip.
So to have something that's a few hundred bucks that is part of the same model, I think is probably a disruption on the service side.
So on this whole discussion, we have to accept that we're not going to have a secure internet.
We will not be able to trust our software, will not be able to trust their networks, our Wi-Fi's, our devices, our devices.
either computers or phones.
So instead of trying to fix it,
we can just say,
okay, let's take out the really sensitive part
and move it from the Internet,
move it from the computers.
It's an unfortunate realization.
You know, in the perfect world,
we wouldn't have to,
but the way the Internet was designed,
going back to this beautiful invention,
it was designed for sharing.
It was not designed for security.
Instead of saying, oh, this is disaster,
we're going to see companies and systems that will very much challenge the large centralized trust models we have today.
Another one of the pretty remarkable things you've been able to accomplish is getting people to trust.
I mean, the security is so much about brand and trust, right?
The open standards, I think, is critical because then you're not hiding anything.
The future of security can't have this big black box hidden security.
Do you know what, just trust us?
We are strong.
We know it.
We actually share this is how it works, take it or leave it.
I want to ask the flip of that question then.
So what are the challenges to people getting on board with this?
I mean, besides some of the obvious things we talked about,
like they still use to a smart card world or they're still stuck on passwords.
Are there like other big things that are difficult or things that you have to overcome
to get people to more broadly adopt it?
I can answer part of that, which is some companies are much more interested in their image
than their customer's security.
and as a result, for them to adopt a solution that they didn't create is an acknowledgement
that they can't provide the security solution themselves.
And I think, like, for me, the crowning example of this is an Apple.
Any number of security vendors will tell you, like, when we try and provide a solution on top of Apple,
they don't want to admit that they're insecure, which is a shame because, I mean,
there was a big announcement of zero-day vulnerabilities in iOS.
So every company has insecurity.
and having a real security ecosystem around it makes a solution better.
One of the reasons that Ubikos has won the hearts and minds
and has been this kind of organic, you know, bottoms up phenomenon
is contributions of open source and so.
Well, that was a business plan that was set from a podcaster.
What?
I know, I want to go, especially if it's a podcaster, we're on a podcast and your document.
That's, like, really surprising.
I would like to have that influence on people.
Oh, okay.
This was a year after we had started Ubico, basically no investor.
I had a Swedish angel investor.
I had no customers.
I had very little money on the bank account.
It was another security company who invited me to a conference here in US at the RSA conference.
They wanted to license our technology.
They wanted to show our technology at this conference.
But they changed their mind just the day before we arrived.
And there I was.
You know, I had a handful of Ubikis with me.
I had a business card.
but I basically had no press release or no story to tell.
And it came to me that here I am at this big conference,
and there's probably a hundred journalists.
They're probably in the press room.
So where is the press room?
I walked up on an escalator.
And there I spotted my first journalist.
His name was Steve Gibson.
And I said, here's the UBKee.
I believe this is the key.
I can log into the cross-the-internet.
I just started this company.
This is how it works.
And he took the key, took my business card,
and two weeks later
this podcast went out where it said
it was a really bizarre thing
I was at this conference
and the last day of the show
I met this woman on the escalator
and she gave me a key
and he was the coolest new product on the show
and then
because it could have gone the other way
where he was like
who was this crazy person
who gave me this weird little black object
to stick into my laptop
and he had 100,000 listeners
and then he added
something that got me really confused
They said, and by the way, it's all open source.
And I had made it open source.
I had told him that we're working to figure it out.
To be very honest, this was in the early days.
I didn't have any marketing department.
It was probably flaky and not so well written.
So he made his own interpretation.
And I had to make a decision really quickly because on my email, I now had 100 people who was listening to his podcast.
Yeah.
Sort of, oh, where can I download the open source software?
where can I build things?
And I talked to Jacob
and the little group around
there was Ubiqui at the time
and said we have a decision we need to make.
We can make it open source
or we'll have to go back
and correct this podcast
that has gone out to 100,000 people.
And I thought about this for some time
and said, let you know what,
I actually think this is a really good business plan.
We started with a lot of internet security,
open source geeks around the world.
They were our first.
They're the first adopters
for all the good stuff.
Yes.
Bluntly.
They see the future before anybody else does.
One of them worked for Google.
And that's how we got to Google.
All startups will sooner or later face challenges.
Well, some of your challenges will turn out to be your biggest blessings if you're there to
cease the opportunity.
I love that story.
So in addition to product market fit, you've clearly found founder market fit.
I am so passionate about this.
I really, really love my.
work. And then the other thing, that is quite amazing, I get help. There is a saying that if
you're bold and kind, mighty forces will come to your help. You know, once I got the opportunity
to meet President Obama. I was invited to be here at the Security Conference at Stanford. I was in a
panel in the afternoon talking about these standards. I got a message on my phone, says the
president wants to meet you. I got three minutes to pitch. And I was thinking, what does he care?
So I went in and said, we're working on new open identity standards that will help to protect 300 million Americans from being hacked.
And he smiled, his beautiful big smile, and he responded, I know, that's why you're here.
And then a few weeks later, I was invited to the White House to meet with his security advisors.
And I completely bummed that you need to go through an ID verification process to get into the White House.
So two hours before the meeting, I got a message saying, you can't come in.
But by the way, we can meet you outside at the local Starbucks.
When I was picturing myself in this Starbucks, like this is almost like a feel-good movie.
You know, all these crazy, fantastic, unexpected things happen.
To be an entrepreneur, you sort of need to have an extra battery of confidence because you're always challenged.
Some would even argue delusion in a good way.
Yes.
I do think I have a slightly warped self-confidence.
It came through my father.
I was born here in U.S. by Swedish parents,
and then the family moved back to Sweden.
And my father often presented me in front of friends of the family
as here is my daughter, Stina.
She's the only one in the family who can be the president of the United States.
It's actually even funnier because you actually met the president in the United States.
But bringing in the president was one of many options.
I was a little girl.
I climbed up in the highest tree possible, and my parents were never afraid I would fall.
They said, how is the view up there, Steena?
That gave me the self-confidence to take risks.
When I started the company, it was not easy for me to raise money because this was not a...
I'm going to secure the internet.
So I had to focus on getting customers and I had to focus on being profitable.
And I think this is a really good advice for any entrepreneur.
Once you have really great customers and you have a profitable business, the right investor will find you.
What Ben always says is this line that you control your own destiny.
you're in charge of deciding who belongs in your company.
And when you actually don't need investors, that's when they will come to you.
Everyone said no to me when I landed here because we weren't proven.
But I continued and eventually I got introduced to Ram Shiram, who sits in the board of Google.
And he had this Silicon Valley mindset.
After 40 minutes, he said, how can I help?
Is there a cultural difference between working with the U.S. and Sweden?
Do you have to like D Silicon Valley people or do you have to Silicon Valley eyes people in Sweden?
You have an R&D team in Sweden still.
In Sweden, there is a more flat hierarchy.
Every time I come to Sweden and meet the engineers,
we have 30 engineers in Sweden right now.
They are very open and frank to me.
They always question me.
They talk to you like a teammate, not their boss.
There is a slightly hierarchy here.
Yeah.
I think people often pretend like there is no hierarchy,
and I think that's actually very disingenuous.
There's clearly, there's a hierarchy.
There's a hierarchy.
Let's just admit that.
So I don't think there is any country in the way.
world that has the higher sort of, if you go out and measure, where you're allowed to question
your boss as Sweden. So you have to sort of build authority and trust from sort of going from
the bottom. You can't just go and say, you do this. Because you have to build authority from the
bottoms up, you have to earn it. It's not bestowed. You have to work for every scrap of your credibility
with your team and the people you're working with. Yes. And that's also why Swedes are some of the
best software developers on the planet because they have the ability to work together,
but also question each other. And they will not take a crappy direction from a boss and just
go and do it. They will actually say, you know, I don't think this is a good idea. I think we should
do this instead. And so there is a interesting mix of daring to speak out and also collaboration.
It's a sort of social Democrat country where we're all sort of trained to work together.
By the way, what you just described is not just Sweden, but if you read any of the book,
and have experienced like a place like Bell Labs or any famous R&D center,
that's the secret formula of how they interact,
this collaborative environment in the combination of very healthy disagreement.
It is a healthy disagreement.
What Silicon Valley brings is sort of this bold, you know, everything is possible.
Let's go and do it.
And also being brave and strong about how to position yourself,
sometimes little too cautious about sort of positioning.
So I think with having part of the table,
team in Sweden and part of the team in Silicon Valley, I have the best of two worlds.
I have to ask, though, what about when it doesn't work? And that's a big part of building
a startup or any company is you also have a lot of friction and things that don't work.
I've noticed that when it doesn't work, it's when there's a lack of communication in some way.
So all the mistakes I have done, I think I can point them to me or someone else not communicating
clearly. There's a saying that the biggest mistake in communication is
the assumption that it has happened. It's so easy to believe that because you have figured it
all out and you know it in your head that other people will understand it too. What's obvious to
you may not at all be obvious to others. So as an entrepreneur to learn to communicate clearly,
especially when there is an issue, to your team, to your family, to your investors, to your
partners, to your customers. If you learn those skills and refine them, it's going to be so much
easier. One last question for you. We did not talk about design. I mean, the reality is, if you look
at it, it's not a fantastic design, but it's a lot of thinking, how do you make it flat, waterproof,
crust safe? You can fit it into an envelope so you don't have to ship it with anything more than a standard
letter. How can you produce this at the lowest cost possible with only robots? If you want
something that is really at mass scale and small and affordable, you have to, it's a lot of,
it wasn't easy to come up with the design. It looks super easy, but there is a lot of thinking
behind it. I do want to make a point of how unusual this is. Security has typically been
something that you sell to the enterprise, right? And maybe antivirus and PCs or something like
that, but certainly security hardware. They didn't really think about usability. The way that they
proliferated was through direct sales. You'd have a sales team and they sell it. And now design is
really important because you're attracting the users to these kind of great products. It's actually
very different. Security has always been this kind of like nerdy back office thing and they really
turned this into this like very consumer design exercise. I wanted these keys to work everywhere.
Yeah. To be everywhere. And to solve a global universal problem. The name origins from the word
ubiquitous. Well, you know, the phrase ubiquitous in the context of ubiquitous computing came from
Mark Weiser who wrote a seminal paper about it. And I think it was a early night.
90s, late 80s, I think it's early 90s. And he had a lot of interesting ideas, but some of them
included this notion that computing should be so ubiquitous and everywhere that if you left a
conference room and you left your pencil behind, you don't feel like, oh, man, I left my pencil
behind. Now, it's actually kind of interesting because the way it came about was through mobile
phones, where if we left it behind, we're actually more attached to them. But the concept of it being
pervasive and everywhere was a very much a strong idea. He actually said that the most powerful
technologies are those that disappear.
Yes.
So computing is now ubiquitous, and security also have to be ubiquitous and sort of disappear
too.
I'll tell you what I want.
I want a hardware root of trust on any computing device that I have.
Heck, man, I actually rely on my own, like, you know, I rely on my driver's license.
I rely on my credit cards and et cetera.
So we will put Ubiqui functionality into credit cards, and it's basically because it's a
small chip.
It's basically like a chip and the software on the chip.
It's not big.
You know, that can be integrated into a lot of different.
things. We will see it in the future. It was more than 10 years ago since we launched this
first product and I was at a conference not long ago or a guy came up to him and said, oh, I'm reading
about you because I just learned about your company and now I'm reading about it again. What an
overnight success. And I smiled and thanked him and said, yes, after 10 years, we are an overnight
success. Well, thank you for joining the A6 and Z podcast. Thank you. Thank you so much.