(Credit: Yubico)
T-Mobile is the latest company to adopt hardware-based security keys for its employees, buying over 200,000 of them from Yubico.
The carrier began adopting Yubikey security keys in late 2023, and has now rolled them out to all staff, vendors, and authorized retail partners, the company said on Tuesday.
“Once we had our YubiKeys in hand, we were able to get them up and running across the company in less than three months, and we’ve seen the positive results after just one year of having them,” says Jeff Simon, T-Mobile’s chief security officer.
The security keys address how digital-based passwords can be stolen, whether through malware infection, phishing emails, or even guessing the user’s login. To counter these threats, the cybersecurity industry developed hardware, often in the form of a USB drive, that taps public-key cryptography to authenticate the user’s logins.
The result will generate and store the private authentication key for a website or online service on the device, ensuring that the login credentials cannot be stolen or intercepted through phishing attacks. Security keys also usually start at around $20, making them an affordable solution for anyone looking to upgrade their online security. Sites including Google, Facebook, Apple, and Coinbase, among many others, support security keys.
(Credit: Yubico/T-Mobile)In 2017, Google bought security keys for all employees to stymie the phishing threat. Others, including Discord and Twitter/X, have also acquired security keys for all staffers.
In T-Mobile’s case, the company adopted the security keys after the carrier experienced several data breaches, including at least two that involved a phishing attack and stolen login credentials to access internal systems.
The company initially considered merely requiring multi-factor authentication (MFA) across all T-Mobile employee accounts as part of a deal to settle an FCC investigation into past data breaches. But in a Tuesday video, Henry Valentine, a T-Mobile senior manager for cybersecurity, said the company was still concerned about elite hackers finding ways to steal MFA codes from employees via their smartphones. So, the company opted for a hardware-based solution.
“With Yubico’s FIDO2 security keys, T-Mobile’s teams no longer have to change or remember their passwords, or type in OTP codes that could be intercepted by bad actors,” Yubico and T-Mobile said in the announcement. “They use their YubiKey to passwordlessly authenticate and verify their identity to gain access to the resources they need.”
That said, security keys can't stymie all hacking threats. T-Mobile has been among the US carriers that the Chinese hacking group "Salt Typhoon" has been targeting, apparently through existing software flaws. However, T-Mobile's defenses were able to stop the intrusion, which came through another carrier.