by jrochkind1 2889 days ago
Uh, so was that last article about how these keys prevented phishing attempts at Google just marketing for this product?

What exactly would warrant such 'marketing'? You think Google is going to make mad money selling little USB doodads to uber-nerds?
Cost.

This tech should be bread-and-butter security for enterprises and consumers alike, just like TLS is today. The main reason why it's not is the crazy device cost.

And like the early CAs with SSL in the 90s, Yubico is charging way more for entry than the underlying cost would justify. Based on the teardowns, it looks like they have a 10x or higher markup above standard "profitable" hardware patterns on these devices. Like 90s Verisign charging more for key length, Yubico is selling the security delta. They're free to set their own prices, of course, but that pattern makes real security a luxury rather than an expectation.

What eventually made SSL more than just an enterprise luxury was competition, driving the price down to only $100/cert initially, and eventually lower as volume became a factor.

If Google can bootstrap adoption by bootstrapping price competition, that will encourage more manufacturers to build U2F devices, driving prices lower still. Eventually this tech will become an expectation rather than a luxury.

It's a little frustrating to read analyses like these, which sort of seem like they're premised on the COGS cost of the parts they sell.

In fact, the marginal cost of one U2F token has probably not much to do with the price Yubikey assigns to its tokens. Yubi has to pay not just for the hardware, but for their engineering team and for the cost of educating the market about using these things, which remain super-niche products that we're barely even able to get Congressional campaigns to adopt, let alone a significant fraction of the Github user base.

Also, I don't know what teardown you're looking at, but it sounds like you're saying you can buy an NXP MCU that can do ECC operations for under $2, which sounds... low... to me. The one-off BOM cost for the NXP MCUs they apparently use for the Neos looks to be something like $40.

They could market it not because they want money, but because they want to make everybody secure.
I think that's what most of us think they're trying to do.
The article makes the product look to be directed at Google Cloud customers, thus increasing its unique selling proposition over AWS and Azure.
AWS and Azure should provide direct support for U2F, too. It's an open standard; nothing stops either provider from doing that.
Sure. But the message I get is, "Now I can use Google's phishing-resistant 2FA device to protect my Google Cloud account". It's like accessing Gmail via Chrome: you know that it's the "official way".
Yep, clearly.