Welcome, everyone, to Yubico's Investor Day. My name is Alexandra Bagnanski, and I'm the Investor Relations at Yubico, and I'll also be your moderator for the Q&A sessions later today. Just for some practicalities, this presentation is live-streamed, but it will be available afterwards on our Investor Relations website, as will the material. The presentation is largely split into three parts. We will have a Q&A session after each section, so if you have any questions for the speakers, please hold your questions until then. Now I'd like to welcome Mattias Danielsson up on stage to kick off the day and talk us through the agenda. Welcome, Mattias.
Thank you, Alexandra. Can you hear me all right? Great. Before diving into today's agenda, I'd like to make two observations. The first one is, you saw from the heading here that this is talking about building safe digital identities for future generations. We will take a very high-level look at the market, the product, the company, to explain what position we're in, and then we'll talk about some of the things that we're seeing happening in the market and how we want to position to make sure that we're relevant in that emerging new world. We will be high-level talking about our view of the market and our strategies. We are aware that we released the Q3 report last week, so we'll, of course, be happy to take questions on that too, but we'll focus primarily on long-term trends and strategies.
The other kind of obvious observation is that I'm trying to speak English. Yubico was started in Sweden, and we're proud of that, but the reason for speaking English is that we have a very diverse and international crowd and a very diverse and international company. I think you'll notice that with today's presenters, it's only Stina and I who grew up speaking Swedish. If you feel more comfortable asking questions in Swedish language, we'll be happy to take them in Swedish, translate them, and respond back in English as best we can. With that, I'll dive straight into the agenda. We will start by explaining how we see the market today and the position that we've built. Jerrod will start with that, talking about it from the product and technology perspective, and then Yubico CRO, Carl Helle, will take us through some customer journeys.
We're very excited and proud to have two fantastic representatives of major customers of ours who will be talking about their journey and where you can ask unfiltered questions, of course. That is the Q&A session. There will be a short break, and then we will do more of a deep dive into technology. Yubico's CPTO, Chief Product and Technology Officer Albert, will take us through that part. To kind of summarize the position we're in today, Snejana, Yubico CFO, will walk us through the numbers, how to interpret the business models that we have, how to map out that. We will not be sharing any new financial numbers, but we will hopefully provide some color and some detail for you to better analyze the position that we're in. That will actually also go for the more forward-looking sessions that we will then continue with.
We won't be sharing, sorry, we won't be sharing any new product news or any new targets today, but hopefully we'll be able to provide a little bit more color on where we're heading. We'll start with, I'll start that session with talking about our go-to-market, how we get from the position that we're in today, and how we can build on that foundation to reach new customers and solve new use cases. Of course, the foundation for all of that will be our product offering. Again, Jerrod will join me on stage to talk a little bit about what we're seeing happening in the market. Albert will follow up to see what's our response to that, what's our strategy to what we're seeing in the market.
We are then fortunate enough to have one of Yubico's co-founders, Stina, join us on stage to talk a little bit about the partnership we have with a new entity that she has set up, which is the Sirius Foundation. That is going to be exciting. We will end that session too with Q&A, and then we will wrap it up. So far, we are pretty much on time. With that, I would like to hand over to Jerrod, who has been my colleague for the last 12 or 13 years, and he will take us through the market.
Thank you so much, Mattias. Thank you. Today I'm going to give you a big overview on how we look at the cyber landscape. As Mattias mentioned, we are a global company. We see these trends not just in one country or one region, but we see this everywhere. The good news is that we see this everywhere. The not-so-good news is that it's the same problem that everyone has. This is a snapshot of news that you see all the time. This slide that we created was just the first two weeks of October this year. We say to customers, now how should we think about cybersecurity and attacks? There are two camps: a company that has been breached and are working to protect themselves, and a company that doesn't know they've been breached and will have to protect themselves.
It's an interesting fundamental change, which is you have to assume the organization is breached and what are you going to do about it. The number one way that companies get breached today, organizations get breached, is through an account takeover. The number one way that you do an account takeover is a phishing attack. We've seen this rapid acceleration over the last five years, but it has been happening steadily over the last decade. It's just going to be increasing because of new techniques and the thing we call AI. I wanted to walk through a little bit of what that means today with some of the techniques that we've seen. A little bit of audience participation. Two emails, one written by a human and one written by AI. Take a few seconds to read it.
How many think that the first one, example A, was written by a human? A few folks. How many think that example B was written by a human? Example A was written by a human. 30% got it right. Example B was written by AI. The fact that anyone even raised their hand for example B means AI is doing its job, right? Because all it takes is one person to compromise an organization. The lines are really getting very blurred. The phishing attacks that you see today are just the tip of the iceberg. We will go through a little bit about how advanced some of these things are going to be. It is clear asking a human to figure this out is an impossible task. There is no amount of training that will get you there. I want to take a step back a little bit.
What are all these phishing attacks all about? We've been using technologies to log into systems more than three decades now. The industry has used different techniques over time to try to prevent some of these attacks. Just let's take a quick look at what is happening behind the scenes. I've just mentioned AI can generate a lot of phishing emails with just a click of a button. What they typically do is to get you to click on a link and redirect you to a fake website, which looks exactly like the real website. Bank website, government website, your doctor's website. Anything that you do today in a legitimate way can be turned around and be used to attack you. You put in your login, username and password, which is the most common form of login authentication.
The AI agent, or in this case, the human, will just take those credentials. They will then use those same credentials and log into the real website. At this point, you say, well, what can I do about it? Over the last decades, there are many different types of additional authentication factors that people use. One of the most common is SMS. At this point, you say, aha, no worries, I gave my password, but you still did not get my OTP credentials or the SMS code that came into my phone. At this point, the system is expecting the SMS OTP code. It will send out the SMS OTP code to the user. The user says, okay, great, I have got my code now. Now you cannot get in still.
In this same situation, because you're on the fake website, you actually type in the real SMS code to the fake website. That's how the attackers get in. Because of the way this is set up, and you are already believing the fake website is a real website, you would do everything that you would normally do on a real website. That's how the attackers get you. This technique, when I first presented this scenario here, this was actually back in 2016, same diagram without the AI pictures, but 2016, I presented at one of the hacker conferences, Black Hat. Nothing has changed. Nothing has changed. The big thing that's changed is the scale, the speed, and the accuracy of these attacks.
I want to show you something really quick, not necessarily to scare you, but to just give you a sense of how the techniques have evolved rapidly over the last year and a half or two years with both generative AI, as well as soon you will see a lot more agentic AI in the picture. This is a tool that we actually found at the same conference, Black Hat conference this year. It is open source. Anybody can use it. People use it to test their readiness, but you can be assured that the attackers are using some version of this to actually do real attacks. We try to trick ourselves, Yubico. We try this too. We put in our company name, and it will check whether this is a real company. Yubico is a real company.
It checks online, various systems, who are the people working there, and we have our employees. We got permission from them to use their names. What it is doing today is, or this sequence is that it is grabbing their LinkedIn profile and everything to do with who they are online. This is all public information. The tool then parses out all the information about the individual, professional development, professional information. It creates two different types of email. One is generating feedback on maybe something that they care about, and the second one is to have another email to persuade them to share something. When we get this pretext email from the AI, it knows right away. It writes, Daniel, it is actually from Latin America. You can see Latin America there. He works with a lot of different companies there.
The AI just generates everything based on the LinkedIn profile so that it's relevant for Daniel. Patina, who works in channel marketing or channel sales, has something similar. David, who works in our customer advocacy program, has something relevant for what he wants to know. In the time I've used to explain this to all of you, the tool can generate millions of emails to employees, customers, suppliers, and so on and so forth, without us doing anything. They use the same techniques that we use for productivity. This tool actually used one of the top AI engines for free to generate these emails. As you look ahead, it's not a great scenario for what we call the defenders, right? A lot of us are in defending our organization, so helping our customers defend the organization. The good news is that there's actually a solution to this.
I'll change a little bit of the perspective on how we look at the market, because what we've identified in terms of these attacks actually has been solved. We've been working on this thing, and now we call it passkeys. I'll explain that a little bit. We're working on this technology that fundamentally changed this attacker and defender paradigm, which is to eliminate this industry problem. The origins of passkeys was the work that we've done with Google, almost now more than a decade ago. This case study is really remarkable because when Google wrote this case study, it's not just impressive stats that we realize. These are stats that are unheard of. The number that you want to key in on is zero.
Why is it that we have this technology for more than a decade, but yet we have still all these breaches? Maturity, right? Maturity of a technology takes time for people to understand and learn and then implement and adopt. This has been existing for more than a decade to solve all the things you just saw in terms of the attacks that Yubico actually co-created. What is this passkey conversation that a lot of you ask? It is the FIDO standard that Yubico co-created. It is the version two of the FIDO standard implementing passwordless authentication. Unfortunately, the industry did not do a great job trying to help educate all these names that the techies create, right? We had FIDO One, which was FIDO, we called it Universal Second Factor. We had Web Authentication. We had FIDO Two, and now we have passkeys.
We did not do a good job trying to educate. It is the same fundamental technologies that can eliminate phishing attacks and prevent account takeovers. Now, today passkeys exist in various devices. This is intentional. This is not because we said, okay, this is a way that this is to work, and it only has to work in one way. On the bottom left, the three basic types of devices that we all as users use to put passkeys. A purpose-built device like a YubiKey, purpose-built, which just all it does is security. A general purpose device like a laptop or a phone. The way you unlock using the passkey credential is something that you remember like a PIN or who you are like biometrics. This has been pretty well established in the market for many customers that have been using the technology this way.
Now, how does this actually prevent what we just talked about in terms of the attacks? Same phishing attack. You go to the fake login page. You put in a credential. They take your credential. Before they can actually move forward, this technology requires you to show that you have this device in your possession. There's no typing of codes. There's no codes involved. If you don't have this device, whether it's the YubiKey or the phone you have, you're not getting in. It essentially stops it at its tracks. The way this technology works as well is that it knows the difference between a real website and a fake website. There's no user training. It works out of the box. That's the whole point.
You don't want the users to think about which website to click and which website not to click. To go further, possession of this device requires a human presence. You can't ask an agentic AI agent to go and touch your device on your behalf. What we call human verification is part of this technology that we created or the protocol, what we call the standard we created. That was way before any AI agents ever existed. Today, the way that a lot of our customers use it is actually together. You actually need a very strong foundational piece of purpose-built device to anchor all the other devices. The reason we say that is if you don't have a password, how do you get back? How do you reset anything? There's nobody to call to reset anything. You just have a device.
You actually use the trusted device to then what we call bootstrap other devices. This is a very fundamental conversation, which is if you bought a house and you got a house key, you do not just have one. You have one that you can then use and then you have a backup one. It is very, very physical. We live in a physical world, and these concepts are very much the same when you apply these techniques to the logical world on the internet and when you try to apply it to login. One other area of maybe putting some color to what we do at Yubico is to drive an entire industry around this. As I have mentioned before, we co-created FIDO with Google. That was 2012.
You notice over this period of a decade, we actually had to have two other big technology giants as part of the standard. Why? If all of us are using devices that get internet to do something, there are only three big players in the whole world today that are the gateways to the internet: Google and all their Google Android phones, Microsoft and all their Microsoft operating system laptops and tablets, and Apple and all their devices. Actually in 2022, Apple made full support for FIDO within their ecosystem, which means the three big players implemented the technology that we co-created. This is intentional because they have to support everybody in the world.
Our goal at Yubico was to make sure that we could create the type of protection that can be applied for everyone on the internet, which is one of our missions, which is our mission to protect all users on the internet. It was not just that we got the standard and we got the three tech giants to embrace and use the technology. We had to push the entire ecosystem. Everybody else that used the systems and more services had to also implement the standard. This is just a glimpse that we have hundreds of thousands of services obviously implemented FIDO today. Obviously, all of them can leverage the operating systems and the devices that are already built in by Google, Microsoft, and Apple.
The other thing that we also did was to make sure that corporations and businesses understood the difference between the different types of category of using FIDO, but also that industry analysts accepted this technology that we created. This is a report from Gartner, one of the industry analysts, to talk about authentication and digital identities. You can see at the very, very far right, FIDO security keys, which is an industry term for YubiKeys, are the very highest type of authenticators to use. All the other types of FIDO authenticators on the phone or the software come before that. We work really very hard to make sure that the industry analysts recognize the standard that is out there. That is why you see a huge proliferation of the technology. It took a decade.
The last point I wanted to help shape some of the views of what Yubico does was it was not enough to build the standard, drive the ecosystem, convince the industry analysts. We also had to drive policy because many businesses will say, "This is a great technology. That's great. Until the government says I have to use it, I'm not going to use it. Or until the government says, okay, and I may get fined, then I'll do it." We have been driving policies and regulations in the entire world for FIDO to be accepted as a gold standard for authentication. Actually started back around the time I presented to Black Hat in 2016, where we talked to some of the individuals in the standards bodies in the U.S. Of course, that has grown significantly over the last, I would say, two years.
Huge uptick in the Asia-Pacific region, which is mandating FIDO, mandating phishing-resistant technology as part of just hygiene, right? Citizen hygiene. You see this word, which is good hygiene at home really helps create protections for corporations and, for that matter, nations. I will leave you with a video of how a YubiKey works because we have been talking a lot of things that Yubico is doing and a lot of things that we have helped shape the ecosystem. I wanted to share with you how it all works.
You are curious about the YubiKey. Great. Now, what is it and how does it work? In short, just like your house key secures your house and everything in it, the YubiKey secures your accounts with everything in them. This is a security key that ensures that you and only you are accessing your accounts. This is not weak SMS or mobile-based authentication.
YubiKeys work across all modern operating systems and mobile devices supported by all of your favorite applications. As an example, let's look at how a YubiKey would work with your Google account. Once you've registered your YubiKey, including a spare key, you can securely log in with ease from anywhere. Insert, tap, and done. There's a lot of magic happening here, but it's the same simple user experience regardless of the app or service you're logging into. Better yet, for most services, once you've logged in, your device can stay trusted, meaning you don't need to use your YubiKey every time you get in. If anyone was to get your credentials and try to log in, they wouldn't be able to because they don't have your physical hardware security key. YubiKey authentication provides phishing-resistant MFA, keeping your data secured and giving you peace of mind.
We all misplace things, so it's best practice to register multiple YubiKeys to your accounts, ensuring you have a spare key just like you do with your house key. Want to dig deeper? Great. We're here to help.
This is a quick overview for what we've been doing with industry and what we've been doing behind the scenes to drive the open standards. With that, I wanted to hand over to my colleague who is going to tell you a little bit about how we accelerate our go-to-market motions.
Thank you, Jerrod. I appreciate it and nice overview. Good afternoon to everyone in the room. I appreciate you all being here and to all those online. Welcome. My name is Carl Helle. I'm the CRO for Yubico, and I've been in this business over 25 years now. I know I don't look it, but believe me, I've been here a while. Today I'm going to talk to you a little bit about the economic impact of what's happening in the market. I think Jerrod did a really nice job painting the picture of how it happens. I'm going to talk to you a little bit about the economic impact, customers' challenges, why they would choose Yubico, and then we're going to take you down the customer journey. Let's get started. This slide just illustrates that bad actors are not letting up. Over the course of time, these numbers continue to rise. At this point, industry analysts say that it's over a $9.5 trillion problem across the world. That is massive. It's going up roughly 15%.
To combat that, of course, companies, organizations, government, you name it, have to continue to spend on technologies, applications, people. That is also rising at roughly 15%. This trend has been going on since I've been in the business. What is interesting is Proofpoint actually illustrates in their study that the CISOs, the top-level security person in the organization, and the board of directors, along with CEOs and CFOs, are now becoming more aligned to fight these issues. There are more conversations than ever before to understand what's happening and what the organization is doing about it. There is a lot of pressure on the individual security teams and their staff to answer the question of, "What are we doing to protect ourselves?" Breaches from stolen credentials are at an all-time high. When those breaches happen, believe me, the bad actor doesn't stop there.
They find their way in. Many times they'll rest for long periods of time, sometimes even months. They'll just watch the traffic move within the organization and then find their path to move laterally in that organization. They might breach a staff accountant that would not appear to be a critical spot in the organization. Because they breach that person, they move laterally into higher levels of the organization to systems and data centers and applications that host the most sensitive data within the organization. That is where the problems really begin. The increase of cyber attacks is going way, way up. The average impact in 2025 is over $5 million per breach. If you think about that, most medium to small businesses are unable to sustain even one attack. Studies report that six months after an attack, that small business is out of business.
The stakes are really high. It's important that you all can understand that. The bad actors, as you saw from Jerrod's presentation, they don't break in. There's nobody brute-forcing systems anymore. I mean, they might, but that's a very old technology or old way of breaking in. They just log in. They just simply steal your credentials and log in as you. When that happens, they're easily able to migrate to other areas of the organization. Companies are pouring billions of dollars into trying to stop these types of attacks. It's really time to rethink security and identity security. It's an imperative that companies try to protect these three elements. One is business continuity. For large organizations, a breach may only take down a portion of it. We see it in the news all the time. Jerrod showed you some articles there on that.
Business continuity has a major impact because if one end of the business is down, it affects the overall business, sometimes the economy. Brand protection is super important. As we all know, some organizations have a bigger brand than they do with revenue. It is super important to them, and they want to protect that. Last, of course, as Jerrod mentioned, achieving compliance because there is a hesitation to spend more unless there is a result at the end. Sometimes those result in fines and other things that are requirements based on the industry that the organization might be in. How are the companies keeping up today? This is the arc of kind of how they have been trying to keep up. Way back in the day, we just logged in. We just put in our name and company, and we would log into our systems.
Passwords became really relevant. We all put little yellow sticky notes, put our password up there so we would not forget. Anyone in here ever do that? Over time, it became SMS codes and authentication devices, authentication apps, and now biometrics all become part of this. They do not work. As you saw with Jerrod's presentation, they can all be intercepted through the power of AI tools. All of those ways can be intercepted. Imagine if you run a 20,000-person company and you are counting on every person every day doing the right thing every time. It is a huge burden on your employees and your staff. There is just no way to combat it with that. As Jerrod said, all the training in the world will not solve that problem. It results in partial protection around some of the people some of the time.
There are compliance gaps throughout the organization of any size. There is a new world to think about how we do this and how we come to try to solve for these issues. It starts with unburdening the user. We have to have user-friendly security. Easy security gets used. Difficult security gets worked around. We need protection for all. We need compliance that is built in. We need purpose-built passwordless security, and we need proactive prevention. Those are the elements that must take place. That sets up Yubico to be a really great strategic partner. Based on what we have done for years and years, we have demonstrated market leadership. We have worldwide distribution, and we have scale in production and delivery.
It's evidenced by the number of customers we have and certainly by the thousands of proven technology alliances that we've created over the journey of Yubico. We've been delivering on that promise for years. It is time to rethink identity security and how to go about it. That is what we're doing every day at Yubico. It's too common to have these kinds of messages end up in your inbox. A few weeks ago, I traveled to London, and I got this message shortly after. It basically was from my airline that said, "Oh, hey, by the way, the Dublin airport may not have lost some of your data. They may or may not have some of your information on your flights." Of course, I think, "Well, what else do they have?" That happens all the time for individuals.
People and companies are sick and tired of being sick and tired. They're starting to do things proactively to put measures in place so these kinds of things don't happen. Every user is a privileged user. As I said, anybody can be, their credentials can be stolen, and they migrate. Seven to ten years ago, when we were building keys for companies that were very interested in our technology, it was a bit complex. Many of the keys were custom keys. What that results in today is we easily do custom keys because we had to back in the day. Today, with FIDO2, which is Fast Identity Online, that's what that stands for, that standard has boosted the standardizations within the industry so that others can follow the same standard. It's a rule book, if you will, of how the technology should and could work.
Back in the day, we sold individual use cases to organizations, talked to them about their particular needs in the organization, and built keys, many times custom-built keys, for that organization. Today, that's changed quite a bit. I'll get back to that in a little bit. There's really two scenarios that organizations purchase YubiKeys. There's the planned event, which is organizations, both small and large, know that they have a situation or they know they have a need, and we do the typical sales process. We do some discovery. We meet with the customer. We bring our teams in. We architect a solution with YubiKey and sometimes our alliance partners. Eventually, we have a purchase. For large customers, that can be anywhere from 18-36 months, sometimes even longer. For smaller customers, that's usually three to six months to go through that process.
In the unplanned scenario, it's a little bit different. The hair's on fire. There's indicators within their systems that say, "Hey, something's going on. Doesn't look right. Doesn't feel right. We may or may not have a breach." In those cases, there's an escalated approach to this. Everybody's online. It's very urgent. They really look at it from a damage control and environment analysis. What's going on? What's been affected? What can we do? Many times, Yubico gets a call in these situations, and we get asked for help. Through all of that, we've developed a rapid response program that we implement where we get keys to customers very, very quickly. In cases where it's a relatively small customer, a few thousand people, those keys are out in a few days.
In other cases, large customers, it even might take a few months before they really get their arms around what's happening. Either way, there's usually a purchase at the end. Let me give you a couple of examples of how this kind of unfolds. We have a very large financial institution that we worked with in the United States. You would know their name. They were very interested in an enhanced biometric solution. We have biometrics, but they wanted the advanced pieces, parts, and we had to work with a lot of alliance partners. Our teams went in, did all the planning things, did the discovery, worked with alliance partners, and with many of our own in-house product and engineering teams to build a custom key for them.
That process was a good process for both and all entities, and it turned into a $7 million purchase of keys for 150,000 employees. A great win on Yubico's statute. In another case, a financial institution, real estate company, started seeing those indicators through their Splunk environment and brought forth the request to secure some of their most critical assets. In this case, keys were out in nine days to solve for that problem, begin to secure the company, letting them go buy new computers so that they knew they had a secure environment to do some analysis. Both of these end up being very, very relevant in terms of how people purchase YubiKeys. Do not let me just tell you. I am going to turn it over to Brian Bell here. Brian is with T-Mobile, and he is going to share his story and his journey with Yubico.
Thanks, Carl. Appreciate it. Thanks, everybody. I have a story to tell, but I feel like you guys already told it for me, so this is going to be a lot of repeat information here. As Carl said, I am a Principal Cyber Security Architect at T-Mobile. I've been there for multiple years now, 25 years. Hopefully, I don't look it as well. We struggled with the same battle that everybody has been talking about here today. T-Mobile was seeing account takeovers at a climbing, climbing rate, 100+ a week. We were losing employee data, which resulted in customer impacts. SIM swaps were happening. Accounts were being taken over. This was at business scale as well as individual customers. It was a huge issue for us, one that we needed to solve quickly.
We decided to make a cultural change at that point, and that's really what it took. In 2023, we brought in a new CISO and decided that account takeovers had to go from the hundreds to zero, something we had to stop immediately. We went through the process of strategy around this and said, "What can we do?" We needed a phish-resistant solution. Our passwords weren't working. Our MFA standards that we had weren't working. We needed a partner to be able to get us there. We started looking, and we found Yubico. We decided that we needed to have something quickly. It wasn't something we could wait on. We did a little bit of an escalation on that. I wouldn't say we were in the hair-on-fire situation, but we wanted to do something quickly.
We started in May of 2023, or sorry, March of 2023, reviewing our processes, saying what is it we wanted to do. By May, we had orders in place. By July, we started our deployment. Within four months, we had 170,000 keys deployed to users, registered to users, clearing out all their authentication factors that they had and starting from scratch, rebuilding every single person up. By February of 2024, we completed our deployment to over 200,000 accounts and continue to do that today, refining as we go, making things stronger and better. It did not come easily, though. That was something, as I said, was a cultural change for us. The new CISO came in, and we made this a pillar of our standards for the year.
We said, "Hey, security has to come first. We can no longer be something that comes up as a hindrance or just a compliance piece. We need to be working together with all of our teams to build this out and to know that every employee knows that security comes first." That's really what it took. As we went through looking at what it was that was going to make Yubico the user or the provider for us, we said, "Hey, how can you get us there?" They delivered. That strategy that we had to deliver that many keys was going to take a provider that could be there for us, that could help us with deploying not only locally. We took to our corporate offices. We had 46 regional business offices. We had users out in the field in the U.S. and globally. We deployed every single one of them.
This is our full-time employees, our contractors to our organization, service partners. We made it part of our contracts to say, "Hey, you have to have this. Yubico will be your standard. You will buy these keys. They will be part of your agreement with us." Everybody's kind of taken it back, right? It's a new thing to say, "Hey, I'm changing the standard on you." It has made a leaps and bounds change, though, about how they are able to access, how it makes their experience better with us at this point in time now. Getting to a passwordless standard has not only simplified the business for us, but it simplified the business for them in the long run. It's something that culturally, once that took hold, made all the difference in the world. Sorry. See how my slide very mad here. That velocity was huge.
As I said, Yubico came to the table with us. They worked with our VARs. We had deployments of 15,000 keys to 50,000 at a time. They met every single goal for us coming through. That allowed us to meet that global distribution. When we say that we deployed in that strategy, it was also very short windows. We would give our groups a 24-hour notice and say, "Hey, your key's coming. Tomorrow, you need to register that key." That's the precision that we did this at and the precision that Yubico was able to deliver for us. This is the kind of partnership that we needed to be able to not only get that out, but then sustain long-term.
As more use cases came up and more items came to the table, Yubico's been there with us along the way to say, "Hey, how can we help solve this?" If it's a remote access piece, whatever it may be, they were there with us in the trenches, working through the technology details and making sure they can supply us what's needed. The form factor availability is also a big key for us, as we talked about, that we're accessing on every type of endpoint. There's your virtual systems. These are mobile devices, part of our business. These are going to be laptops, desktops, whatever it may be. Yubico had something that fit every single one of those for us and made sure that legacy systems that we had to handle had the right type of access and made sure all the new systems were there.
That standard is phones and devices, things that are involved. We've been able to evolve what products we're bringing in and making sure we have that up to speed as well. This resulted in us being able to do that elimination of account takeovers. T-Mobile is now in a zero account takeover status. It is not something we see anymore. It's not something that we worry about. We went from being the ones that were in the news for the bad things happening to us to the ones in the news saying, "Hey, bring it on. What do you got? We're not really afraid of you anymore." It's a weird place to be, but it's something that we pride ourselves on. That change, and it took a partnership like that to get us there. It also has made it better for our employees.
I talked a little about the user experience. Going passwordless has been huge. Internally, it cuts down our costs. Our service department costs for having to do password resets has dropped dramatically. That is a huge piece for both the employee as well as the end user, that is our person that is helping out on the technician side. Our ability to streamline how you log in is nice. I mean, you can go in there, and if you have never done this experience with a key, it is fantastic. You do not have to enter anything in. There is no email. There is no password. You just say, "I want to choose my identity," and you are off to the races and going. It makes things a lot smoother for that. The bootstrapping process has become more streamlined as well.
We've got endpoints from iPads and retail stores to those machines coming online, and we use the YubiKey as the first portion for that. Regardless of any other factors you may use along the way, Yubico is our standard for everyone. Our security key is the cornerstone of them setting up for everything. They can use that to bootstrap and bring other things online. If they want to use the passkey or Windows Hello for Business, they can. This is the piece we want everybody to have and know that it's going to be there and it's going to work every single time for every single use case that we have. This has also helped us with our business pieces. I talked a little about the account takeovers and the impacts that that had.
I look at our T-Mobile for Business as a portion of our organization that was really hesitant about this. They could say, "Hey, you know what? We can't have anything that's going to take us down, anything that's going to slow us down." By the time we started implementing this and getting through it, they were the first ones to come back to the table and say, "Hey, you know what? We've got this now. Our account takeover rates are going down. I can go out and sell to customers, these large-scale organizations that know that they can come to T-Mobile and no longer be afraid that they're going to see the news heading that T-Mobile's been breached, that their information's out there, that their account got taken over all of a sudden, and now millions of dollars are at risk." The benefits of that have been huge.
It allows our organization to grow. It allows us to be innovative and continue to move forward knowing we will always have security front of mind and we'll be good wherever we go to. I would say also that the acceleration of password—sorry. Lost my train of thought. Apologize. Long flight yesterday. The acceleration to this with passwordless verification is great for us to be able to move on in a—wow. I apologize, guys. I lost my wording. I'll just jump to the end here. Sorry. I will say that the partnership with Yubico is the strongest thing that we've had in moving forward with our enterprise standards. If you're a small business, enterprise-level company, having a partner in business is what's going to take you and go places. It's not something we can do by ourselves.
We know that Yubico is what's been able to help us deliver this new cultural change and help us move forward and know that we can be secure in a climate that's always out to get you and something that we value more than anything else we can say. We appreciate Yubico. I appreciate the opportunity to be here. Sorry, I stumbled a little bit there, but hopefully this is helpful and looking forward to the questions and kind of talking about our journey with you going forward. Yep.
You can see that customers count on Yubico. The reason they count on us is because they trust us. We've earned that right over the many years of work we've done in the industry and what we put forth as a company. Today, we continue to grow our relationships and our partnerships with both alliance partners and our end user customers in a really relevant, significant way. That will prove to be a winning proposition. We also know that there are a lot of other companies out there that trust our brand. This is just a small sampling of approved companies that allow us to put this up, but there are many, many more. You will notice a few of the key customers up here, others that are in identity security as well: Okta, Ping, Microsoft, all using YubiKeys as part of their solution to secure their environment. Those are significant mile markers where we partner with them, not to compete, but to partner for a better, safer internet.
We find that when we sell to a really relevant company or any company that has a good experience, that experience travels with them in their next location and their next job. Since I'm in charge of revenue, it's kind of important to have that as part of my go-to-market. Here's a customer that was not able to attend today, but I want to just share his experience.
The general cybersecurity landscape these days seems to be an increase in phishing attacks, targeted attacks through SMS. I first learned about YubiKeys when I joined Google in 2014. Google is doing an internal rollout of security keys throughout their employee workforce, moving from OTPs to security keys. Humans are prone to make mistakes. Humans get in a rush. They get emotional. Sometimes it's easy to trick a human, and you can't trick cryptographic algorithms.
In 2022, there was a targeted attack that was SMS-based. It was targeting employees based on the ability to create a page that looked exactly like our login page. The same thing for Twilio. There was a cloned page of their IDP login page. It then intercepted the username and password that was entered in real time. It attempted to also get the second factor. In our case, we had already made security keys or YubiKeys mandatory for every application. That was as far as they got. We had several employees that did fall prey to this, but that was basically the end. We had them rotate their credentials, and we were done. The main thing that blocked the attack was the fact that they did not have the second factors, which would be the YubiKey security key.
This prevented them from successfully logging in as the user and then compromising any applications. One of the benefits of the Yubi Enterprise Delivery that we found was our IT folks were not doing logistics anymore. We were having to do a lot of envelope stuffing and ensuring that we were shipping security keys to people on time when they were getting onboarded and things like that. One of the benefits of the Yubi Enterprise Delivery was not having to do that anymore. We were just putting in the dates and the addresses for when people needed to get the things, and they would just magically show up. I'm proud to work for a company that provides security for the internet because it's one of the things that I was looking for when I looked for jobs. I want to have an impact, and I want to have a sense of community in the company. I want to make sure that the efforts that I'm making are making a difference.
I think Derek illustrates it well how the technology moved with him from Google to now Cloudflare, one of the most significant internet providers for websites. I showed you this slide before because there are really seven use cases that kind of apply to all organizations that we talk to. What companies have transitioned to is instead of just protecting on a particular use case, many times it was the one on the far left, which was privileged access, the people that are in the most sensitive data in the data centers, accessing forms and information about employees. It has really moved to understanding that all their users are on the attack surface.
Because all users are on the attack surface, companies must protect all those users. It is changing very, very rapidly. Derek in the video kind of precursored this idea of what they are looking for in modern-day security requirements. They are looking for the protection for everyone in a simplified budgeting process with the highest level of identity security. That is a simplified order process and that the rollout goes quickly and efficiently for their organization. You heard from Brian how quickly they rolled out over 200,000 users within T-Mobile. As a company, we started to understand that not only is our security technology important because if someone buys a key, they have a product, but if they engage with Yubico and with our Yubico as a Service, it becomes a solution.
Wrapped around our technology and the good work that's been done for years and years, we have spent a massive amount of time, energy, and effort to make this rollout of YubiKeys that much easier. We provided organizations with a lower cost of entry, flexibility of choice of what form factor of key they would like to have for what type of computer, what type of phone. We've created a way for faster deployment through our Yubico Enterprise Delivery organization, and we're able to achieve that compliance company-wide much, much quicker. These are the kind of things that Yubico is developing. It's not only the technology, but it's the process, procedure, and the change management required by all of our organizations to roll keys out and deliver back to their end users that high-level protection. Once again, I'm going to step aside, and I'm going to let Joe talk a little bit about his journey with Yubico as a three-time CISO and former head of identity and access for Bank of New York. Joe?
Hi. Thank you all. I had the fortunate benefit of doing planned deployments across three times, right? Three different employers to go through and have planned, not fire burning episodes where we had phish-resistant MFA coming through. I've deployed YubiKey 4s, and that's usually the precursor to YubiKey 5 and the final standard that there's now, right? There's a transition of the ease of deployment has become easier and easier. Whereas before, we were doing U2F deployments and smart card authentication deployments. That meant deploying those is a little bit more technically challenging.
You had to bootstrap a lot of that with some of the YKMAN command prompt capabilities that Yubico provided as a community. As we started looking at this, I started looking at a line of business that I worked for at BNY. We started with a smaller deployment to prove that out. I was a CISO for their data analytics division. That is where we made our first purchase of YubiKeys, YubiKey 5 series for that line of business. We protected all the employees within that line of business and bootstrapped it to their identity platform, and everywhere was integrated. Some of the legacy systems that did not go through the IDP itself had deployment directly in the ecosystem that is supported by Yubico itself.
Having a wide breadth of vendors supporting YubiKeys is great for me as a practitioner because I know that if it cannot centrally deploy using an IDP, there is a very good chance that the YubiKey will be used and integrated well within the tool of choice. Going forward in the corporate deployment across the whole workforce, we started to look at the flexibility of YubiKey as a Service. YubiKey as a Service was interesting for me because we had the opportunity to look at the whole workforce and not make a deployment straight out across all 70,000. We started to look at how we are going to ramp the deployment and which particular audiences we would want to achieve first.
With YubiKey as a Service, we're able to look at how do we do that ramp, how do we deploy, and then also cater to the different use cases that folks have. They mentioned privileged access, mobile users. All of those use cases have their preference as to which form factor. We also worked with our help desk teams to look at, you know, what computers are out in the fleet and where are they in the tech refresh cycles. We would be scheduling the YubiKey deployments with what tech refreshes we would have. If it's going to be a USB-C versus USB-A form factor versus a micro form factor with it, that all helped us out, and we were able to essentially schedule and track that within the portal itself.
When it comes to some of the challenges that we had, not necessarily with YubiKey and deployment of YubiKey, but more so about what prompted us to look at YubiKeys itself as well, it's compliance. The financial services market is highly regulated and global. You have all regions in the world deploying their own policies and standards. Luckily for us, NIST and the major standards bodies agree with the alliance and FIDO, and we moved forward with deploying based on that assertion, and it served us well. We've looked at opportunities where you continue to advance the technologies that you have in place. Two-factor authentication is great, and I think everybody should be using that already, and there's many form factors to do that: OTP, SMS. Now the standards are also deprecating some of those because the attackers continue to advance.
You will see that SMS is a deprecated standard for side channel pass of OTP. You just continue to future-proof yourself by using technologies like passkeys and YubiKeys in that instance, where in the end, as policies deprecate what used to be good solutions, now all of a sudden you will be ahead of the game. This also allowed us to move towards a passwordless capability across our workforce. This was one of the core pieces of technology that we provided across the workforce for passwordless authentication. We deployed biometrics with Windows Hello for Business and others, and we gave users a preference to look, but the gold standard was the YubiKey for authenticating into all of our systems.
Yeah, and I'm more than happy to discuss any technical implementation details as well, but the YubiKey as a Service platform and the flexibility it offered us was nice to have because you had a schedule that was fluctuating with time, and the audience of where you'd want to deploy was also fluctuating. That gave us the agility to carve a nice path to deploy within a given time frame. Thank you all.
Thank you. Again, just another testimonial to some of the work that's been done over the many years at Yubico, and I think it's really beginning to pay off for organizations of large and small. I'm going to leave you with these three key takeaways. Organizations must protect all their users. I think we've beat that to death. You're going to hear a lot more about Yubico as a Service in future presentations this afternoon, and you're going to hear a little bit more about where we're headed with all that. Customer speed and propensity to act is accelerating. With the standard being so well adopted now and other organizations coming alongside of that, we're seeing a lot of interest around the FIDO2 standard, again, Fast Identity Online standard. Yubico is absolutely focused on surpassing the expectations and the needs of our customers. We've built trust with our customers. We've built trust in the industry, and they look to us to fulfill that in the future and continue to grow as a company. Thank you very much. Appreciate it.
Thank you so much, Carl, and our speakers. This concludes actually the first session or the first part of the presentation. I'd like to welcome the speakers back up on stage, including Mattias, to open up for our first Q&A session. There should be a mic going around the room. If there are any questions in the room, just raise your hand, and the microphone will come to you. I have a couple of questions actually from the web as well. Maybe just to warm up the room, I should start with those. Carl, to start with you, how repeatable are deals like T-Mobile and Bank of New York? Are they outliers, or are they the rule, would you say?
We focus a lot on the Global 2000 accounts, and there's areas that we do not sell to the Global 2000s, but there's about 1,600 Global 2000 accounts that we put a lot of focus on. Each one of those accounts represents unbelievable opportunity for the company and for Yubico. I think getting to them all is never easy, but we certainly are pursuing that every day. Many of those companies have deployed some keys over the period of time, so we're always after expanding that footprint.
A follow-up question to that. How long does it typically take from initial engagement to a signed contract?
Yeah, it depends on the organization. There's the planned and the unplanned. In the case of the planned, for a large organization, it's anywhere from a year to three years. I mean, you can pick a time. It depends how developed their team is. It depends how far down the path they are. In a small organization, it can be three to six months. If it's unplanned, hairs on fire, you got to act quickly. Those time frames get reduced significantly.
Thank you, Carl. A question for Jerrod. Could you actually go back to the concept of passkeys and how that fits into Yubico's solution?
Yeah. I think, again, the industry did not do a good job explaining passkeys and its relevance overall and how does it fit to the overall ecosystem from what the previous work was. You can think of passkeys as a way to log in passwordless. You can do this with a YubiKey as well. You can log in passwordless with a YubiKey. You can also log in passwordless to something like an iPhone, right? It is not so much about the passwordless experience. It is the technology behind the passwordless standard.
For example, what we've known to be passwordless is what we call the magic link, where sometimes you go to a travel site, this is, you want to log in, go click the link. There are no passwords, right? It's just a link, and you just click and you get in. It matters more about the technology behind the passwordless authentication. The reason we say that is that this particular passwordless authentication, passkeys, FIDO, is a proven, mature standard that interoperates between different operating systems. You get a consistent experience using this particular form of passwordless authentication, which is really important. Why do we know that? Because we at Yubico created it. It's not just passwordless authentication. It's standardized passwordless authentication that has been deployed at scale.
A follow-up question. Why do customers pay for hardware when software passkeys are free?
When we always look at the word free, it comes with a whole set of expectations and assumptions. It's never free. You always pay for something. If you look at the technology behind passkeys, you're storing that credential, that element for you to log in somewhere. You have to think about more than just the hardware because the phone is also hardware. The question becomes, what happens when you get a new phone? What is your process? What is your backup strategy? What is your recovery strategy? Do you buy three phones to back each other up? I mean, some people can, but that's not a good expectation if you want to solve this at global scale. I think the way that we think about the technology isn't so much about YubiKeys or phone, and I've described this a bit earlier.
You kind of need both because anything with one is a problem because if you lost it, you broke it, you upgraded it, and it does not work anymore, it is a huge problem. What we bring to the table is a consistent experience using a YubiKey, right? Apple would have one way, Google would have another way, Microsoft another way. Using a YubiKey creates a consistent experience, but also it is a consistent security model. I think testament to some of the companies that have described it.
I can even give you user examples if you want how it has benefited us, right? In T-Mobile, I will give you two. Our retail organization, as I said earlier, uses iPads. That is our primary selling methodology. They are out on the floor. They are talking to customers face to face.
It looks very poor if the customer's there and all of a sudden the employee's pulling out their phone and trying to interact with that iPad. It may look like they're taking a picture of some sensitive information, something that seems unrealistic or something they shouldn't really be doing there. Having a key that's meant for that purpose takes away that whole conversation. It actually looks more secure to the customer. It makes everybody feel a little easier about the whole situation. Another piece would be call centers. We handle customer data in the call centers. They're global as well as United States-based. In those organizations, we don't allow cell phones on the sales floors for them just to make sure they can't have a way to take data out and make it unsafe for the customer. We have to have a key-based solution for them to be able to complete those logins where a passkey that's on a phone is just not viable.
Just from my experience, also for an enterprise deployment, software keys or syncable keys, you have to look at that key, that private material that usually sits on a hardware-bound device is now going to be living somewhere within an ecosystem of either Apple, Google, or Microsoft or IDP provider. Whereas if you have a hardware-bound device passkey, then that private key is stored locally on a device similar to the YubiKey itself. Syncable software passkey versus hardware, you actually know where the key material is. That is the root of the trust of that interchange.
We have a question in the room.
Okay. Question for Jerrod and from a customer perspective. How many customers get away with kind of a standard FIDO2 key? And how many customers leverage a particular proprietary feature on top of FIDO or some embedded software aspect to solve for an enterprise solution? Not talking about the company with 10 customers or 10 employees.
I can say from T-Mobile's experience, we did not go with anything customized. We are using it out of the box, not even the highest range five-series keys, and it works for the majority of our workforce. Certain use cases, we do have different keys that we use in areas depending on the form factor needed or other options that might be used for that user. I will say from an enterprise perspective, we deployed a standard NFC USB-C key, and it has worked for the majority of our use cases.
For me, I just added the example of YubiKey 4. We did smart card authentication. The YubiKey 5 has multiple protocols that could be deployed, FIDO, smart card. FIDO is the easier option of deployment across a wide broad use case. YubiKey 5s, for the most part, for our implementation, were FIDO-based that map back up to either an IDP that we had across our workforce. Smart card authentication is still available for YubiKey 5. We just did not deploy it.
Just to give some color, we talk a lot about FIDO on the YubiKey, but the YubiKey also supports other authentication protocols. There was definitely a time many years ago where FIDO was not so mature. Companies had to use other technologies on the YubiKey to log in. We have always provided the next generation authentication protocol. A lot of our customers, when they started the journey with us, evolved with that. When the FIDO technology became more mature with the systems that they use, applications they use, they start to migrate, which is really a fantastic way to look at. You do not have to—the keyword for enterprise is you do not have to rip and replace, right? Because it is a very expensive process to just change all the systems to work because I need to do FIDO. Companies can take this journey over a period of time, as Joe talked about, as they upgrade systems. It is the same YubiKey that supports many different systems over a period of many years. It really creates this great partnership of them working with us, changing the technology stack, but the user experience really remaining consistent and really a great experience.
Adoption has been easier to do with FIDO keys, whereas a smart card authentication, you typically have PKI infrastructure, public key infrastructure that has to be maintained within the environment for any organization enterprise that maintains it. By moving towards FIDO and the latest generation of YubiKey 5s, you lessen the burden on current infrastructure to shift and maintain and deploy with the PKI infrastructure.
We had a question here in the front. Do you want to take that?
Hi, gents. Ramil Koria, Danske Bank. I'll show my complete subpar understanding of the business here by asking you about sort of the app ecosystem surrounding the YubiKey. How much of that is sort of bilateral in a sense, and how much stems from you operating within the bounds of the various protocols that you do have? A follow-up to that, to the customers on stage. You said that it covers the majority of your use cases. How important is it that it extends the entirety of the use cases? What are the second standard deviation use cases? How important are they to be covered here?
Yeah, I could start off with just legacy systems like mainframes, right? z/OS, IBM mainframes, things that have not evolved along with the modern authentication flows for passwordless. YubiKey fits directly into those. There is a module specifically designed to have two-factor authentication into legacy systems with YubiKeys. It is fully supported.
Very good. We have time for one last question, and I will take it to—Oh, sorry. Do you want to take it from the room first?
Yes, please. Thank you. To you, gentlemen, do you feel like you got a lot of security for what you paid? Did you pay just right or a little too much? Because based on your customer cases, it sounds like you get a lot of value. How do you think of all these projects in relation to the costs?
Yeah, I can take that. I think the cost of not being in the news and not having a breach and what it means to our brand has far surpassed anything that we paid for for our keys and our deployments that went along with that. I mean, looking at it, there is a cost involved to it, and there will be for any business that goes into this. The peace of mind that we get out of it and what that has meant to us has paid for itself, leaps and bounds over.
I could speak from a CISO perspective, right? Running security programs in general, you tackle the biggest problem being the identity problem. Now you have all the other problems in the security space to deal with. At that point, you've already tackled a big elephant in the room by identity with a golden standard like YubiKeys to have your team now focused in on the threats that are in the ecosystem.
Maybe just a quick follow-up. I don't know if this is to Mattias or to Jerrod, but how often do you think that either T-Mobile or Bank of New York should replace these keys to keep this high security posture?
We'll cover a little bit of that in terms of the evolving landscape for what we call cryptography. I think a testament to the design of our device and the standards we create, we're looking at it from two angles. The first angle is that if you want to use the YubiKey with a system that has not changed, you should have the right to use that YubiKey. That should not change. We cannot break people's way of working when it works, right? The other angle as well is that there are things changing around the standards. What we mean, Albert is going to cover a little bit of that, is that there is a whole new cast of technology and advancement, just like AI. In the world of security, there is this word called post-quantum cryptography that changes the dynamics of how you need to create protections and products. Independent of Yubico's leadership, when things around, we are in cyber, cyber has a lot of technicalities. When that whole evolution changes as a market, Yubico needs to be number one in terms of leading that change. As all our customers say, you're only as good as the next big threat coming to the industry. Rest assured, attackers are not going to slow down. We at Yubico look for those signs of change and shifts in technologies, AI included, to make sure that we can protect our customers.
If I can add a little bit more, less technical card to it. One of the things driving why we think YubiKey as a Service and the service and subscription model that we offer is superior to both parties is that that really forms that partnership. We work with the customers on what's most important to them, what they're seeing in the threat landscape, and make sure that we're the partner there to protect them, whether it's new threats or new regulation coming up.
Even from an experience for me, going from YubiKey 4 to YubiKey 5, right? You had a technical evolution and innovation with YubiKey and Yubico's where they went and supported FIDO versus the U2F protocol, legacy protocol. You still had U2F and you had smart card authentication with YubiKey 4, and that was the golden standard and did the job at the time. It could have stayed there. What compelled to go to YubiKey 5 was the support and broad support for FIDO authentication going forward. The evolution in the product line forces customers or compels customers to go that way.
Now maybe to the last question to our customers. Would you say that your employees typically use a YubiKey to protect specific accounts, or is it wider systems?
I can say this. It's a one-to-one ratio, of course, where every user has their account tied to that. They're accessing a wide range of customer accounts and things of that nature. They're protecting everything at that point in time once they're logging into those systems. That is the foundational piece. If it's them getting into their system and logging into their computer or their iPad and then getting into the tools within, it's all done with their YubiKey.
It's not only for the workforce, right? You have the workforce supportability, but also now when it comes to authentication mechanisms for clients, right? There are opportunities to open up passkey support for client interactions and client portals to authenticate as well using YubiKeys or using other passkeys within the ecosystem as well. Call that bring your own passkey, right? At the end of the day, we're not supplying passkeys directly to clients as of today, but those are opportunities where now clients, because they're using it in their personal lives, they have a YubiKey or they have other hardware-bound passkeys, could easily bring to the platform and authenticate it to the platform with a passkey.
Thank you so much, to all the speakers. This concludes the first part of our presentation, and now we'll take a short break for about 10 minutes.
Thank you.
Thank you.
Thank you. Thank you.
Welcome back. We're going to start the second part of our presentation. Now I'd like to welcome Albert Biketi up on.
Thank you so much. I'm really glad to be in front of you today to share a little bit about Yubico's technology journey and leadership. I will try to make this as accessible as possible to a wide audience. If I take some of the concepts down a little bit, I will try to make it accessible to everyone. What I am going to try and cover is a couple of things. One is what it is that Yubico is building and why we care so much about the way we build it, the way we are building it, and a little bit about our journey on innovation. I will talk about what is currently being built and how it is built and why that matters. At the end of the discussion, hopefully, it starts to be clear to everyone the foundation that we have laid for all the future innovation that we do for our customers because we are building our customer base because we want to give them even more innovation.
We look at this as a very long-term journey that we're on. All right. By focusing on what it is we're building and why that hardware architecture is such a winning combination for high assurance identity, hopefully, you'll be able to see that trajectory. Bear in mind this is a long, long-term journey in terms of just understanding all the layers that build on top of each other. All right. If you remember anything from this slide, it's that Yubico doesn't just follow standards. We contributed substantially in writing those standards. Then we built and shipped the authenticators, the hardware that makes these standards real and at scale.
When we look at the landscape and see everything that is changing, we have an eye to what that standardization looks like also into the future because Yubico's uniqueness comes from this combination of a very strong innovation ethos combined with the standardization that creates the potential for mass adoption. We co-lead in FIDO, the Fast Identity Online, in OpenID, in W3C, all these groups that defined collectively this massive move away from passwords to passwordless. We are continuing to define that journey for continuous authentication. When you see something that says FIDO or WebAuthn compliant, you are actually looking at something or dealing with something that has a little bit of what we made possible and we made part of that invention possible. This is important because this is all open standards.
The folks who control a lot of how the web works, so think about Apple, Google, Microsoft, are all able to interoperate cleanly because of some of these standards that we set. The way to think about it is Yubico is actually this hub that allows you to abstract away from those platforms as well and own your identity and own the root material for your authentication inside a key that you possess. This will become important later because there's big trends in the world around decentralization, particularly here in Europe. You'd appreciate why it's important to actually own that piece of your identity. All right. I don't know if anybody here was born in May. Can I get a show of hands? May? Okay. We got a couple of folks.
If you're very interested in passwordless, the first Thursday of May used to be World Password Day. For safety reasons, they changed that to World Passkey Day. That is because this shift away from passwords is real. It is deep. It has a lot of things around it that are fundamentally important. If we just look at where we are today, if I was standing here 13, 14 years ago, I would be telling you there's going to be billions of people using passkeys. Except for the people who really, truly believed and understood the path that Yubico was paving at the time, people would say, "Well, I don't know what you're talking about." If there's going to be perspective that you're able to take about what it takes to build things that have massive, massive adoption, that's the journey and that's the vision.
It was very, very clear that far back that passwordless adoption was going to grow to become this big. To give you an example, just from 2023 to 2024, the adoption of passkeys in online accounts doubled to 15 billion. It is probably going to grow at about that trend for a significant period of time. Now, what is changing underneath all of this that gives us confidence that this is happening? One of them is platform readiness. The second is top-site adoption. If I look at the top 100 sites today on the internet, about 20% of them support passkeys. If you look at the top 250, about 12% of them support it, including Apple, Google, Microsoft, Amazon, PayPal, TikTok, etc. There is massive adoption going on and a lot of conversion happening.
This is a fundamental mega trend, and it's important to understand it in that kind of context. Consumer awareness and use is also going up. Just looking at some of the statistics that we look at, something like about 40% in 2022 had awareness. It's now doubled to about 60%. That trend continues. We're also seeing the data that we see this in the proof of behavioral changes and other things that support it. The conclusion I hope you all draw is that this is very well supported in user behavior. It's not hard to intuit why. It's because it's easier and it's safer.
Those two things in combination are magical for security because every time you build security that is an obstacle to getting to what it is you want to do on the other side, people find lots of ways to bypass it, and it's magic for the hackers. Making security easier to adopt is one of the fundamental goals of the passwordless movement, and it's been something that has been very, very successful. All right. Jerrod talked a little bit about this earlier and the power of the developer ecosystem that you've been able to build around FIDO. It actually goes to a question that was addressed earlier, which is how much of this is one-to-one versus how much of this is because of the standard. If you're building with FIDO and FIDO compatibility, you're able to tap into a massive ecosystem.
This is kind of the logical approach. There is going to be always support for a lot of legacy complicated things in the technology. The fundamental goal here is to make security easy and widely adopted in ways that you have a challenge response that gives you a high assurance of secure authentication without phishing. U2F was the first web-scale protocol that actually let a single hardware key be used across hundreds of relying parties. Relying parties, you can think of them as the folks who have a website that is going to be the real website that you do not want a phishing attack to impersonate. This relationship between relying parties and the relying party infrastructure and the YubiKey is a fundamental one.
One of the things that's sort of a neat innovation about it is you're able to have this key that can connect with all these relying parties, and none of them have to know anything else about any other place you authenticate. This was a really key piece of innovation about the way we did this. When you combine this with a very simple API for developers to write to, that's what turns this into a key that unlocks so many different services. Again, really important to understand that this mega trend and massive multi-billion user adoption is inevitable, and it is driven by foundations that are extremely strong and well supported. All right. This is something Jerrod showed also a little bit earlier that I'd like to emphasize. I hope you can still hear me clearly. Okay, good, because the sound changed.
What this slide shows is an independent assessment by Gartner that shows where on the continuum from very, very low reliability from a security perspective to very, very high. I mean, just go back three, four, five years. For a lot of things, the password is so, so familiar that when we show this slide, people are surprised just how low it ranks in terms of giving people high assurance of security. What this slide should make people feel is the urgency to get away and move as high as possible. That journey is not linear, and it's not easy. There are a lot of things that Yubico is doing to make that journey and that transition easier.
When Brian and Joe stood up here and explained to you the journey, there are many organizations where over time we've found the missionaries who are interested in making this journey work. What the missionaries do is they open it up to more people in their enterprise. Our job really, and what I'll show you, is how we take that and convert it into a much more scalable service to help people through. That combines both the physical and the logical delivery of that value. What does it mean to be at the very high end of this? It means you either have a FIDO2 security key or that X.509 hardware token is basically the equivalent of, for example, what's used in the US federal government around kind of PKI-based credentials that are strongly linked to a physical device.
It would be called PIV/CAC in the federal government in the United States. Really, YubiKeys basically are able to give you this across a variety of environments. What we know is that in very, very high assurance and basically in any use case where you really, really care that you're going to be the right person doing the right thing, that YubiKeys are always going to be one of the solutions that is preferred for giving you that high assurance authentication. All right. I'm going to take you through the insides of the YubiKey for a bit. As I do that, I just want you to understand this magical device and how to think about it. This is a small device. I have one right here on my keychain.
The framing that I'd like you to have as you think about a YubiKey is that this is a piece of critical infrastructure. I say that again. It's a piece of critical infrastructure. Why do I say that? It's a piece of critical infrastructure because we are deployed in places where our customers are dealing with nation-state adversaries on a daily basis. In other words, somebody is trying to make sure that nothing works. This key sometimes sits in between that and the provision of normal services. It might be energy. It might be some other reliable thing that you need. Even in high conflict zones where people need cyber defense as part of defense, these keys are proving to be part of that high critical infrastructure. The reason why that's important is because we built them to behave like infrastructure.
If you look at the inside of the YubiKey, it has this single-chip design, and it's designed to be extremely resilient with a secure element that actually meets extremely high evaluation. Our supply chain is all based in Western countries with a supply chain that is very carefully selected with very secure manufacturing. We do write our own firmware. Everything on the YubiKey in terms of the firmware attestation chain is written by our internal engineering team. It's tested extremely well. You recall we mentioned that it has a touch sensor that makes sure that you can't impersonate touching it. It needs to be touched by a human in order for that authentication event to be complete. It has a whole host of certifications with it. It's built with a unique blend of glass and plastic around it so that it's tamper-evident.
It is actually sealed and has no moving parts or batteries. It does not actually need to have a power source built in it. It generates power from what it is connected to either over wireless or over a USB connection in order to work. That is fundamentally important because these things actually survive wash, rinse, dry cycles in dishwashers and washing machines, and people use them for years. They are highly, highly reliable devices. We have this variety of form factors. I will just mention the one right at the end. It is called the Nano. This is a typical YubiKey deployment that you would find attached to computers. It basically stays constantly plugged in. Every time you have an authentication event, you just touch it. Once I plug one in, I worked at Google before I joined Yubico. It is always plugged in. You just touch it.
That's part of the authentication chain. Now, we have our manufacturing and secure manufacturing here in Sweden, actually in Norrland and Småland. I've been to the factories, a couple of different factories, and kind of had a good look at what the capabilities look like. I'm going to play a short video. It's about a minute long for you to get a sense for what that manufacturing process looks like. Right. That just gives you a breakdown of why we built what we've built and why we care about it so much. We think about our mission every day as providing critical infrastructure because when people take over credentials, bad things can happen. In the spirit of talking about big things that change in the world, I'll shift and talk a little bit about what it means to go from classical to quantum-safe computing.
This can be a very dense and complicated topic. I was trying to think about a way to explain it that everybody understands. Today, we live in a world of classical computing. In classical computing, you have the concepts of bits and bytes, a one and a zero. In the quantum sense, you have this world where you have a superposition, where a bit or an object can be the zero or one simultaneously. That creates enormous power from a computing perspective, but it comes with a lot of problems. The best mathematical explanation I can give for why classical encryption algorithms break is because of a time architecture problem. The way classical encryption works involves factoring very, very large numbers and figuring out exactly what the solution is in them.
There just happens to be something called a quantum Fourier transform that can take even an extremely large number and figure out the mathematical pattern around exactly when you have peaks in certain ways that that number pattern forms. This makes the entire foundation of encryption we depend on vulnerable to basically breaking and being replaced by capabilities that quantum computers can do. We had to think about a way to actually create new encryption algorithms to replace this. Almost everything we know today in encryption will have to go through this transition to become quantum-safe. There are current attacks that you hear about, like, gather all the information now, store it somewhere, and then decrypt it later. It is kind of a big journey for people to go around in the next several years.
There's this term called Q-Day, which kind of talks about what that looks like. We're not waiting around for that. We are solving that in terms of what an authenticator needs to look like and operate in this post-quantum world. Actually, the leader of the team that built that post-quantum YubiKey is here. I don't know if Alessio is here. Just wave; everybody can see him. Yeah, there he is. I'm incredibly proud about the fact that a month ago at the FIDO Authenticate conference, we showed what we're doing in this area. You're just going to see a short video, but I'll explain something about what this technology does in order to kind of stay ahead of this quantum resistance. You basically have algorithms called module lattice algorithms that make it incredibly hard for quantum computers to break.
In the break or in a follow-up, I can kind of give you a simple explanation for how they work. You can think about it as making it impossible to guess how many things you could buy in a grocery store that has like 1,000 dimensions. That is the simplest explanation I can give. This is a big deal because all of computing is going to change because of it. Yubico is at the forefront of making this safer in terms of authentication. Here goes.
Being Yubico, when we say that we are on a YubiKey, can that even be achieved on a very, very constrained device like a YubiKey where 1,000 bytes is a lot? After spending quite a bit of time on this, I think we can confidently say that the answer is yes. I would like to show that to you. You see the device starts blinking in the bottom corner. Voilà, we get a successful login in the bottom left corner. If you know a little bit about FIDO, you know that you get a container with a signature here. Since this is an ML-DSA signature, the signature is very, very, very, very long. It keeps going. It exists today. It is here. It is real. Thank you so much for your time.
Earlier, two of our esteemed customers shared with you what this journey looks like. I will just touch on two parts of this journey. It is the user enrollment and delivery. Think about that as the logical and physical delivery. It is very, very important that the right YubiKey arrives in the right customer's hands.
Creating this life cycle is actually pretty difficult for a superhero or a missionary inside an enterprise because the typical person that you'll find will say, well, I'm running an identity and access management program. I want to move to passwordless. I have 5,000 employees in 33 locations. Am I going to attach this to the rollout of phones? What am I going to attach it to? What YubiKey as a Service is, is we created basically the capability to run this all in a way that feels seamless. You should think about the fact that we're doing physical and logical delivery as the first step in building a foundation for what comes next. What YubiKey as a Service then looks like is all of these capabilities, being able to deliver value over multiple years.
You can have provisioning for loss of keys and replacements of keys. You have a flexibility of form factors that you can procure. You have faster deployment. We work with you to understand exactly the challenges of what your deployment looks like. We will have a look to see that you are actually truly phishing resistant because there are many places that you can implement this that end up not being, you can leave open doors, and you can lock one door with a YubiKey and leave other places open. We want to help people do that so that they truly achieve compliance. This YubiKey as a Service serves as the foundation for us to be able to go out and serve a lot of our customers. I will let you watch a short video of what it looks like.
Defending against cybercriminals is demanding enough. The logistics of getting modern security should not have to be. Put YubiEnterprise Delivery to work instead. We will send YubiKeys directly to your users so you can focus on security. From global shipping and tracking to managing inventory, YubiEnterprise Delivery's turnkey approach handles it all. Manage everything in real time in our all-in-one YubiEnterprise console or integrate with your IT workflows for ultimate flexibility. It is the fastest, easiest way to protect your users and make them phishing resistant.
We do this in over 100 countries. That is the physical side. What this diagram shows, and I promise this is the most complicated thing I'm going to show, is how there's an interaction between the customer environment and the Yubico environment to either deliver a remotely pre-registered key so that's one touch it works, or a physically pre-enrolled key where the programming is done in the factory so that when the key arrives and the key is for Mattias Danielsson, it is the correct key and it works just for him. Being able to do that and deliver that reliably sets us up with an incredible foundation for what we're going to do next. Today, we're penetrated in about 30% of the global 2,000, about 5,000 enterprise customers, and continue to grow.
All of this actually sets us up because this is a user base that is increasingly moving to subscription because they see the value of what we're doing, and they want an ongoing relationship with us. They want to see that innovation come through. What this then sets us up to do is, once we start to eliminate these risks that our customers are facing and reduce that deployment friction and provide this turnkey solution, it ends up being the foundation for something really magical for our subscribing customers because we can come back and offer them what the future holds because passkeys are just the foundation. Passwordless is just the foundation for future innovation that we're going to show. Our customers are basically walking that journey with us. In order to explain how the magic works and how the financial model works around what we're doing, I'm happy to have Snejana, our CFO, come up.
Yeah, definitely, Albert deserves a lot of applause. Hi, great to be here. Let me try to give you some of the basics of how the business models actually work in our financials. Before that, I would actually like first to start with how we have developed since we went public financially. Taking a little bit of a longer-term perspective since 2022, and then we'll deep dive into the business models overview. We went public not that long time ago. We've had some fair challenges like in the Q3 now that we reported last week.
If we take a little bit of a longer term, we have seen actually quite good long-term growth both in order bookings and net sales. We do face some volatility quarter-over-quarter in our bookings, which is primarily driven by the timing of closing large orders. As Carl said, some of these large orders might take years to close from the start of the opportunity until we actually close it. We do have a very nicely accelerating YubiKey as a Service, both bookings and annual recurring revenue, which I will zoom in further. We have a very stable gross profit of about 80% over time. We see our operational expenses are growing as we are growing. We expect them to kind of scale going forward. Our EBIT has really improved since 2022.
We are challenged, as we reported, by a little bit of lower net sales growth in the latest quarters. Still, we are generating positive cash flow since in the last three years, and it's been going very well. Just again, to take a bit of a longer term, bookings are growing with 15% CAGR on average since 2022. What we see is that really the YAS bookings, the YubiKey as a Service, is growing in a very accelerated way with 27% CAGR. We have a bit of volatility quarter-over-quarter in the order bookings. Why is that? If we look into our actually the deal size breakdown, and I'll pause a little bit on that, you see that we have the large orders that are above $3 million. They take longer time to close.
There will be volatility quarter-over-quarter, whether we actually close some of these big orders or they kind of go into the next quarter. However, our small-sized deals or small, small, very kind of the majority of our deals being under the $1 million, they are fairly stable. They grow very nicely over time. It is really the volatility quarter-over-quarter is very much driven by the large orders. If we look into the long term for the net sales growth, it is also growing with 14% CAGR. Again, here we see a very, very good acceleration in the YubiKey as a Service sales. It is growing with 33% CAGR since 2022, and it now represents 16% of total net sales. As a reminder, our long-term net sales target or growth target is 25% over the next five years. Our gross profit margin is very stable.
It's about 80% over time. Again, going back to what Albert showed, we have long-term standing partners and vendors. We work very closely with them. They are in Europe and Sweden. It's been a stable gross profit over the last over the quarters. One thing to note is that since our partners are primarily in Europe or vendors are primarily in Europe and Sweden, while the majority of our revenue is in USD, we do have a bit of currently negative currency impact. When we look into the OpEx, or the operational expenses, the majority of our operational expenses is actually the cost of our teams. In 2024, when we had a very successful sales year, we see that the operational expenses are scaling. We do expect this scaling to continue forward as we grow going forward.
One thing to note as well is that we have two-thirds of our employees in the US. Currently, as the SEK is strengthening or has strengthened versus 2024, we do have some positive impact on the cost. If we compare year-on-year the cost, you could see that some of our employee cost is decreasing, but that's not because we are decreasing teams. It's more the currency impact. With that, basically to recap, the EBIT has improved really from 2022 from -3%. Now we have reached some quarters of 18%-19%. Currently, the LTM is 14%. It's really EBIT is impacted by our net sales number because gross profit is very stable. Our operational expenses are also very stable. We expect them to, again, scale forward looking forward as we grow further in our net sales, which will drive, of course, EBIT going up.
Lastly, just to kind of pause on the cash flow, we have generated positive cash flow since 2022 and really improved 2023 and onwards. If we look into our cash flow from operating activities, it is as well very, very positive. We have had some outlays or negative change in inventory. I just want to remind, though, why that is. In 2022, we had a capacity constraint of one of the major components of the secure element that, again, we showed in the previous videos. We had only 11% of inventory of the sales for the year. This was a very, very critical moment for us because it basically was a matter of business continuity and whether we would be able to deliver keys to our customers. At that time, we have actually secured capacity with our vendors for the next three years.
We are aiming to maintain inventory of about 12-15 months of sales. In Q3, as we have also discussed last week, we have received the last shipment of this capacity. We do have a little bit of higher inventory as of today. Going forward, we are having our secured vendors or our vendors that we work with. We will see some movement there. Still, our cash flow, basically net cash flow or both cash flow from operating activities and cash flow from net cash flow, is very positive. That is on our kind of long-term financial performance. Let's now deep dive into the business models that we have. We have two business models, the perpetual business model and the YubiKey as a Service business model.
These two business models differ in how we provide the product and how we provide the service, but also how we recognize the revenue and how our financials work in these two business models. The perpetual model is basically the customer orders keys, and more or less, they take care of the entire deployment with very limited support from our side. In the YubiKey as a Service model, Carl talked about it, Albert talked about it, but it's basically we provide, we are the technical and the solution partner to the customer in this model. The perpetual model was the original model that Yubico launched with in 2007. In 2020, we launched the YubiKey as a Service model. This was really driven by customer demand for having good support, technical support, service, and basically be with the customer throughout the journey.
How does it work? Just illustrative example. Perpetual model is very straightforward. We get an order. We report the order value as we get it. Typically, we are able to ship the keys more or less within a very short time frame. We recognize the cost. We recognize the gross profit. Typically, our payment terms are within 30 days, so we collect the cash. From order to cash, it is very straightforward. Order, revenue, gross profit, cash. Of course, this is the illustrative and kind of the ideal example. Real life is a little bit more tricky. There are a lot of factors that impact when we recognize the revenue. When do you see the dropdown from order booking into revenue? For example, timing of the order. If the order comes on the 30th, we do not have time to ship it on the 30th.
We will report the order booking in the quarterly report, but the revenue will come in the next quarter. The deal size. Some of our deals that are especially the ones that are above $1 million, it involves a lot of keys to be shipped. It might involve a lot of addresses to be reached and a lot of countries. The larger the order typically means also a little bit more complex logistics. Since we recognize the revenue when we have actually delivered the key, the timing of delivery will determine when we recognize the revenue. Again, typically smaller orders, we are able to ship in quite quickly. Larger orders might have some complexities in terms of logistics. Not only that, some customers might want actually a phased approach and have different deployment choices.
Again, kind of the time of delivery will determine our revenue recognition. In general, as a concept, it's a very straightforward model. From order to cash, it's a linear sort of dropdown in a very logical way. When it comes to the YubiKey as a Service model, again, very illustrative example. Let's assume that we get a service order or an order for SEK 20 million or SEK 21 million for the simplicity of calculations' sake. This is an order for three years. This is a contract where for three years, we will support our customer both in terms of the deployment of the keys, but also in the entire lifetime of actually using the YubiKey during these three years. According to the IFRS, we recognize the revenue for this contract over the lifetime of the contract. Every year, SEK 7 million being recognized.
Typically, we will deliver the keys during the first year and recognize the direct cost of these keys during the first year, which means that the gross profit then is a little bit lower. Then the second and the third year, when the physical keys are already delivered, or the majority of them, the gross profit is much higher. From a cash collection point of view or from payment, typically the invoice is issued or is done one year in advance. From a cash collection point of view, it follows more or less the revenue recognition. Again, this is a very sort of illustrative and straightforward example. There are other factors that impact the timing. For example, there are ramp-ups.
Some clients or some customers will start with a pilot, will move into kind of next phase and third phase, and that will impact how we kind of plan or plan the revenue recognition. The contract duration typically is between one to five years. The majority is three years, but there are, of course, cases going up to five years. That will impact how we recognize the revenue. From customer delivery choices point of view as well, this impacts how we recognize the financials more so from a direct cost recognition rather than revenue. Typically, when we have activated users, even if the customer has different delivery choices, the revenue recognition starts from activating the users. That are the fundamentals of the two business models.
I would like to zoom in a little bit more into the subscription model or the YubiKey as a Service model and specifically on our annual recurring revenue. We have seen a very, very good growth of 23% in our annual recurring revenue since 2022. I would like just to pause a little bit here and read what is our definition of annual recurring revenue. This is the total contract value at the time of the reporting or the end of the reporting period of contracts that have started, and then we divide this total contract value by the remaining duration of the contract. By definition, this makes our annual recurring revenue actually a forward-looking metric and forward-looking metric for our next 12 months of subscription sales.
Actually, if you put together a chart of our annual recurring revenue, as we have reported it every quarter since 2022, and our next 12 months' subscription sales, you see almost one-to-one correlation. Of course, there are small differences here and there in the quarters. Primarily, it is from kind of changes that are coming into the ARR and some currency fluctuations. Since our base is quite large, basically ARR is a forward-looking metric for our next 12 months of sales. This might be very simple, but kind of just to set the scene, our growth driver in the annual recurring revenue is both growth of existing customers, but also adding new customers to the model. The growth of existing customers, you can break it down into renewals, expansions, so customers that have already a contract, but they expand their user base.
The negative part is if we do not manage to renew a contract, which is churn. The net retention rate would be, or the net retention then would be the sum of these, so the renewals plus the expansions minus the churn, and the rate would be the change period over period. The new growth is consisting of when we convert perpetual customers into subscription and, of course, of new customers or new orders. If we are looking to our 23% growth of ARR, we started with SEK 207 million. We have retained SEK 23 million of ARR, and the rest comes from new growth. There is one thing to kind of just be aware of, which is that net retained ARR is based on this base. Of course, within this new ARR, we retain this as well in between the periods.
On the left-hand side, yes, our net retention rate has been consistently over the years above 100%, which means that our customer stays with us and they renew and they expand. To recap, let's compare back, or let's go back to comparing the two business models, and especially the pricing models. The perpetual is a one-time purchase. Typically, we have a price per key. We do have some additional, or there could be services like shipping services and things like that. The model is a price per key. In the subscription model, it's price per user. We have services included in that, of course. It is everything from technical support, dedicated customer success manager, the enrollment suite for onboarding, and all of that. How does the same scope of protected users would look like?
If we take, again, the same scope and I'm taking at least pricing, how would it look like? When we get an order booking for perpetual, we recognize it or we report it immediately. For subscription or for a YAS, we will report the total contract value. It will be typically a little bit higher. If we take it over the three years, a perpetual customer typically has repurchases, expanding, or replacing keys, etc. Over the three years, typically what we see is that a subscription value in the orders is about 20% higher than for the same scope of a perpetual customer. The net sales, they follow through. Just the profile is different. In a perpetual, we would recognize the revenue immediately, more or less one-on-one as the order booking. For subscription, we will recognize the revenue over the contract term.
In this case, over the three years, it's one-third every year. From a direct cost perspective, so the cost of the keys, since in this example, I'm taking kind of the same scope, so same number of keys, the cost is the same, which means that as a % of revenue, since the pricing is higher in the YAS, the direct cost as % of revenue is lower, and then the gross profit is respectfully higher. That's not a coincidence, of course. We provide more value, more services, and that's natural that kind of from a pricing perspective as well, the subscription model generates more revenue and more profit over time. Now, we often get the question, how a transition to more subscription would impact our financials?
Especially if we take it in a bit of a longer term, how does it relate to our financial target, etc.? I've shown that the YAS model basically creates by definition higher revenue. It does so because the solution that we are providing has bigger value for the customer with all the technical support and all the services around it. If we continue to gradually increase our subscription share, which is the dark green scenario, we will see also that the sales growth will be kind of matching gradual growth. If we are a bit more aggressive with the subscription sales and we go more aggressively towards a higher share of subscriptions, we will see that the revenue growth will be lagging somewhat as compared to the order booking growth. That's natural because, again, we recognize the revenue over the period of the contracts.
Both directions will, as we grow kind of order bookings, we will get to the same place. It is just the time or the path will be somewhat different. With that, I would like to iterate that we are staying committed to our long-term financial targets, which are the 25% net sales growth and 20% EBIT margin, and that we are primarily reinvesting our cash flow into growing our teams and investing in all the great things that my colleagues are describing. Thank you.
Thank you so much, Snejana. I would like to welcome back Albert Biketi and Mattias on stage and open up for our second Q&A session. Welcome back. Again, maybe start with a question from the web so the room can get a little warmer. Albert, first question is for you. Is hardware a long-term strategy or a temporary bridge until software reaches parity?
Hardware is absolutely a long-term strategy. The reason it's a long-term strategy is because having a second factor for authentication that provides high assurance is fundamental. If you have a phone as the primary device that you're interfacing with to the external web or a computer, high assurance means that that phone can't touch itself. That phone can't prove that it is being controlled by a human. There is always going to be scenarios where you need a second factor. Second factor authentication is just fundamental. Yes, it is an absolute long-term. It's not a bridge. There is a place for software-backed keys. There is a place for convenience for cloud-syncable keys. If you want high assurance, you're always going to go with a strong second factor.
If that's the case, why hasn't security key adoption reached mass scale yet?
It hasn't reached mass scale yet because the journey there requires big transitions for people. People have gotten very, very used to passwords as a way to authenticate. This is just the way it is. Change is actually much more difficult than it sounds. We are now at the pace of change where we have enough of a community that people really see the value of this, and people can see that pioneers before them have done this. It's a magical place to be. In a lot of the conversations that I have with our customers, people who aren't yet ready to go on the journey are able to listen to other customers who've been on the journey and seen what that journey looks like, the mistakes, the challenges along the way.
If you put yourself in the position of a bank, for example, that has everybody on username and password, today, the scenario they face might be that they have a certain % of revenue that is being lost to fraud, account takeovers, and the like. They have to do this calculation where they look at that, and they look at what the complexity of change might look like. The fact that as they take people from passwords to passkeys and passkeys with a strong second factor authentication, the promised land is to get to a place where there is zero account takeovers. The middle ground is figuring out how to help people with transition. People do not have the same phones. They do not have this. They do not have that. That is the journey. It is always a bit of a complex journey to get there. The momentum, as I said earlier in my presentation, is unstoppable. The foundation for this has been set. The standards are reliable, highly scalable. I am just confident it is a matter of time.
A question for both you and Mattias. What is your biggest R&D focus right now, and what will you focus on over the next 18 months?
In terms of focus, I think Albert will share some of that in the next session, not to steal your thunder.
I will share some of that in the next session. I think the key takeaway that is a bridge from this session to that is we are establishing this base of subscription customers because there is more value to give them than the strong authenticator and the foundation that we already built. That is the way we should be thinking about the value of the customer base we have built and the value that we continue to give them. Our innovation focus is on the additional value that we can bring when you start to solve the basic authentication problem.
Now to Snejana. Do your financial targets still hold if subscription adoption accelerates faster?
As I have shown, they should hold. It is just the path would be a bit different from a net sales growth perspective.
Will you work with pricing to incentivize the different models?
Our pricing is set so that kind of reflects the value that we provide to the customers already. I think every customer case, of course, is different, and we take the value that we are bringing in creating the specific pricing quote for a customer.
What about volatility? How do you see that it will persist as the mix changes? Perhaps a question for both you and Mattias.
Yes. And to Carl as well. Volatility in the large orders in particular, it very much is driven by the time it takes for large organizations to take these decisions. I mean, large organizations do not take necessarily very quickly decisions to invest $3 million+.
The volatility, for those of you who had a chance to look real quickly at the chart that Snejana showed, three things really stand out there, if you ask me. One is the big volatility of the large orders in between quarters. You can see a seasonal pattern if you looked real closely, seeing that Q4 is typically a really strong quarter historically. Those two aside, if you look at the orders sub $1 million, there is a pretty consistent pattern there over time. That is what makes me more reassured about the fact that we are on the right trajectory and that even if you see the short-term swings, we remain committed to the financial targets that we have. As Snejana and I discussed this before, we had this day, and we decided to only focus on the numbers that we have made public since we went public, so in 2022 onwards. If you take an even longer perspective, I have been around quite a long time. If we take for the last five or seven years, the average annual growth rate has been about 40%. However, year by year, I think it has varied between -17% and +102%.
Of course, there are no guarantees for the future, but I've seen this volatility long enough. As long as I see that underlying trend of run rate business, nothing bad with that, but orders below $1 million, that makes me confident in the long-term viability of our sales growth.
Yeah. I think one more point. As we are growing our subscription customer base, our order intake will always have volatility, but our net sales will become more predictable because we have the annual recurring revenue. We have contracts. We work very diligently in renewals of our contracts. I think as the share of subscriptions is increasing, our net sales will become more predictable as well.
Just to be clear, our order intake, not order book. Yeah.
Order intake. Yeah.
We have a question in the room, so let's take that.
Yes. Colin Veltine, founder, a question for Albert. If you compare YubiKey to a competing vendor selling a plain FIDO2 key, do you have anything in the firmware or any features on top of FIDO that is important for enterprise customers?
Oh, yeah, a ton. I could spend the next seven minutes talking about it, but I'll keep it to one. One is the fact that we build our firmware and test it and have done that in a robust way over six generations is incredibly important. Many of our competitors are in the first or second generation of doing anything in this space and do not have the long history that we've had with extremely demanding enterprise customers holding our feet to the fire. The second thing is we are focused on delivering a life cycle of value around our enterprise relationships.
We're not comparing a key to another key. You're comparing a key with a bundle of value that comes around that, including a very robust way of delivering both the physical key and the logical credentials around it so that that whole process is phishing resistant. For a lot of our customers, the choices that they make are about having a strategic partner that can walk this journey with them and having a strategic partner that can think through the implications of doing this classic to hybrid to post-quantum transition as well. For us, we feel very comfortable that we are able to differentiate that value in the market.
Just to follow up on that, if you have a proprietary feature like a touch to sign, how do you decide if you want to add it to FIDO2 to make it easier to roll out or have it more proprietary secret sauce so you actually differentiate and build great and durability over time?
For us, there's always a trade-off between running with the standard and building extensions on top of it. The way FIDO is constructed actually allows us the latitude to do both of those things. I think for us, our heart is always going to be in the place where we want to make digital identity safer for everyone. There is a lot of focus in innovating in a way that is consistent with the standard because that's what will get you billions of users. For us, that's always been the North Star for how it is we can co-create, but always stay ahead of the innovation curve in terms of the ability to bring those features to our enterprise customers and our consumer base because we do serve both.
We have another question in the front.
Jay. Thank you. Erik Lindholm-Röjestål from SEB here. You mentioned having a replacement rate of about 25% in the perpetual business. Just two questions about this. Do you have any sense as to what share of revenues comes from sort of pure replacement business today? I also was wondering, we saw that smaller orders have grown over the last couple of years. Do you think this is an effect of a sort of larger replacement business base to stand on? Does that create lower volatility?
Real good questions. When we talk about 25% replacement rate, that's excluding expansion. Just to say kind of on an installed base, what would typically be the replacement? And that's primarily driven actually by employee attrition and, frankly, people losing their keys. So that's a typical customer. I would say it ranges between 15%-25%, but it's closer to 25% depending on type of customers. Interesting story there. Depending on the recovery methods, customers typically see very different replacement rates. If it's very cumbersome to recover if you lost your YubiKey, people hang on to them more tightly than if it's easier to recover back. That's a side note. I would agree that the fact that we have a larger installed base drives more run rate business. It's definitely part of that more predictability and that increasing number of smaller deals or run rate business.
Just to follow up, do you have any sense of what the installed base is today?
Yeah. I mean, again, with the exception of-
5,000 enterprise customers.
Yeah, but with the exception of the caveat here is that, and keep me real now, Albert, with the exception of those running OTP, a legacy authentication method on Yubi OTP is something that we host ourselves. We cannot track usage, actual usage of the keys. That is all based on estimates and working with customers. We have shipped and delivered some 40 million keys, quite a big chunk of those over the last five years. Rule of thumb, installed base being used currently probably in the 20 million range.
Another question in the room?
Yes. Thank you. Daniel Thorsson from ABG. A question to both Albert and Mattias. I guess that there are a fraction of the customer base that you only see adoption among the IT department still and not the full organizational rollout. On the tech and product side, is it anything you are working on on the future products to kind of accelerate the full organizational rollout? Also on the commercial side from Mattias, what can you do to see this pace accelerating? Also, what are the key triggers for organizations to go full rollout?
Yeah. I think that the adage in security is that you're only as strong as your weakest link. We see sometimes a pattern where people say, "Well, I'm only going to deploy this for my privileged users." We have big, powerful integrations with privileged access management, for example. My perspective is that organizations that begin there gradually start to expand their scope because they start to understand that you can't just have a phishing-resistant implementation that fits only a small bill. There is a security argument that is compelling for a lot of enterprises to start somewhere, learn the lessons, and then expand. We are very optimistic that that's something that will continue because it's just grounded in good security sense that you want to expand your phishing resistance until it covers 100% of your population.
I'll add to Albert's comment on one of the key features of YubiKey as a Service, reducing the thresholds, making it less difficult to do a broader rollout, whether it's enrollment or such a simple thing as getting it into 50 different locations in 30 different countries. There is a lot of groundwork being done there. What we do on the go-to-market side, I'll ask for a little patience, and we'll cover that in the next session. I'm happy to follow up after that.
Yeah, thank you. I have a financial question as well. When I looked at the first-year numbers you gave for the subscription business model, you showed around $7 million in sales and $5 million in gross profit over the first year in this illustrative example. Does it mean that the gross margin in the first quarter? Some of us in the room are quite short-sighted here. Does it mean that that could theoretically be 0% gross margin in the first quarter?
Theoretically, it could happen, yes, depending on when we ship the keys because we recognize the revenue, let's say, on a linear basis in the quarter, so one-twelfth of the order. If you assume that we ship all the keys in the same quarter, it could happen. Yes.
That is typically not the case.
That is typically not the case. It is kind of the worst case scenario.
Also, worth noting is that we have quite a substantial part of our subscription customers have actually converted, and they have already deployed perpetual keys. Despite that, they elect to go for our YubiKey as a Service.
Yeah. The flip side is that in the next quarters, we do not have direct cost, so then it becomes quite a high gross profit.
Another question?
Yeah. Thank you, guys. Just brief on you showed us the NRR bridge on subscription revenues per end of 2024 until today, 10% up, roughly speaking, ever since. Given this land and expand model that you just spoke about and the fact that you've gone from privileged access users to a broader spectrum of users internally, could you say anything about the flip side? What are you losing? What's the churn rate? Anything to add on the other side of that spectrum?
The key message here is that the net retention rate is positive. We do have some churn, but it is lower than what we expand and renew. We are not right now kind of able or ready to share that. In the bridge that I showed in particular, by definition, the net retention is only on the base that we start with. In these two, three years that I showed from 2022-2025, even in the new customers there, when we add them, then we expand and we retain, etc. I think that's kind of how you should look at it. Year-over-year, it's above 100% net retention rate.
Isn't that partly a function of the average contract being three years as well? You haven't reached the tail end of a lot of the contracts signed ever since. The 2022 cohort is more representative.
I wouldn't say so.
I don't quite make the bridge there. Maybe it's me not being able to calculate it fast enough. Of course, it's only 2022 ones that would typically have expired and where you have a renewal, and then you can calculate net retention rates. You did the calculation here. I don't think that was the key factor.
No, I don't think so, if I understand your question correctly.
We'll take it offline. Thank you.
We're running out of time a little bit. Just last question. Would you consider changing the guidance framework?
The short-term guidance framework, you mean? Or the person?
The overall, I guess. The simple answer is it's above my pay grade. I mean, one of the benefits of issuing long-term guidance, one of the constraints there is you shouldn't change the structure too often. The guidance becomes meaningless. We have done, however, since we went public, made one alteration based on feedback that we got. We expressed the long-term growth target, 25% still, but we moved from order bookings to net sales because we wanted something that was more consumable for analysts and investors. Of course, that opens up for the question that Snejana got earlier. If there's a faster transition to subscription, doesn't that have a negative impact on revenue growth in the short term? That is correct, but it shouldn't have a major impact.
Not on the long term.
Very good. Now it is time for another break. We are going to take a 10-minute break and resume for the third and last session in 10 minutes. Thank you so much.
Thank you.
Thank you.
Welcome back once again. We are going to initiate our third and final part of the presentation, where we will go through.
Thank you, Alexandra. I will talk a little bit about our strategic direction when it comes to existing customers, the ones that have agreed to being public references for situations like this. It does not include all the other companies that feel more comfortable with sharing it in a one-to-one setting that they are using our technology. Even from this subset, you can see that some of the most attacked and security-conscious organizations in the world are trusting us. We have built what I feel is a unique position in terms of credibility of being that combination of the highest level of security with good usability. This is another illustration that some of you have come across before. We are very focused, and where we have seen success so far has been primarily working with the world's largest companies, largest companies and largest public organizations. We have seen a steady inflow of new customers, landing new customers. As Carl mentioned, there are certain markets that we do not serve, People's Republic of China being one of them. In spite of that, we are already at a point where we have some 30% or 29% of the back in 2024 of the Global 2000 companies as our customers.
However, in the vast majority of cases, we're only deployed within a subset of their employees, starting with privileged access users or one of the initial use cases that Carl referred back to. What's comforting or very nice to see is that this before we introduced the YubiKey as a Service model or our subscription model, we tried to keep a close eye on, okay, so what can we say about customer retention and repurchase rates? This statistic is based on the sample of customers that we had before we introduced YubiKey as a Service. If you took a look at our 25 biggest customers back in 2019, these were perpetual customers only. What did their average annual repurchase rate look like? Consistently, when we've done these measurements, it's landed above 100% per year.
Erik asked earlier about the typical renewal rates or repurchase rate on an installed base. It is probably 15-25% on average. If you get above 115%, if you get to 115%, it is not that people lose their YubiKeys left and right. It is that land and expand motion where our customers are loyal in the sense that they come back to us despite that they have not made any commitment to do so, but they come back to us as they deploy it to a larger user audience. We are able to be sticky with our customers. Finally, no secret, we started out with the high-tech companies because they were pretty much the only ones we could work with way back when because they had that pull to be able to use one way to authenticate across all of their systems before open standards were adopted.
They were also very happy to talk to us engineer to engineer before Carl and his team joined the company. The market we're in, the current market that we serve, is a subset of the identity access market. It's what's called advanced authentication. The best estimate that we've seen of that market is that it currently is about $5.2 billion a year. I think these are 2024 numbers, actually, and that it's expected to grow with, on average, 14% per year. We "only" have a 5% market share of that, give and take, about $250 million of sales, $5.2 billion being the total market. I think someone alluded to earlier, who are the biggest players in advanced authentication today? It's still the smart card vendors that have the biggest chunk of the market, even if it's not a growing technology today.
This is the final piece of statistics that I'll show about the current position that we have. If you look five years back, and it actually holds true even today, we were optimistic about the relevance of our technology because we saw that nine out of the ten biggest tech companies at that time, they were all American, were using our technology. They who really understood the threat landscape out there, they were using YubiKeys to protect themselves. Take a snapshot today. We did so recently and have a look at, okay, what about the largest AI companies? This time we looked at it and defined largest as in terms of market size, but sorry, in market cap. I think you can apply pretty much any definition.
What's interesting to note there is that 18 out of the 20 largest AI companies today rely on YubiKeys to protect their organizations. If anyone is aware of the types of attacks which will be scalable in the brave new AI world, my guess would be that it's probably these organizations who are very much aware of the need for hardware root of trust in a world where pretty much any type of attacks can scale massively because of AI. This is the position that the go-to-market team, Carl's team with sales and the great marketing team we have at Yubico, has put us in. We're recognized as a market leader and as a thought leader among those who really understand technology. How do we scale there? How do we scale to users that are perhaps not quite as techy advanced?
How do we get the message out there to a broader audience? The answer is, of course, by good execution on the go-to-market side. We'll talk a little bit about some of the activities that we got going in this space over the next couple of slides. This is a summary, and I'll deep dive on these different initiatives that we'll talk about as we expand our reach and as we go deeper with existing customers. It's pretty simple. It's about landing new customers and then expanding within those so we don't end up in just a subset of the relevant users using YubiKeys to authenticate. The five different motions that I like to talk about are increasing coverage, scaling through the reseller channel, or I should say reseller and disti channel, more traditional channel partners, leveraging the partner ecosystem.
Once we have our foot in the door, how can we be more efficient in expanding? There are two motions I'd like to talk about there: driving adoption and renewal and expanding beyond workforce. What do we mean by that? The footprint that we have. We started out pretty much in the US. We're now growing rapidly in Europe. As you may have noticed on the slide that Jerrod shows, there's a lot of activity going on when it comes to upleveling the security in Southeast Asia these days. To meet that demand and the fact that there's now regulation coming out in a lot of different Asian countries requiring strong MFA, as we announced in the Q3 report, we're shortly setting up an office in Singapore. It's not just a sales office.
It's a fully operational office where we'll be able to do the final steps of programming. We can even invite customers in. We'll even be able to invite customers in Singapore, much like we've done in Santa Clara and Stockholm if you're really paranoid about security, to program their own keys. It's really setting up that functional model that we have running in Santa Clara and Stockholm to service the local market. It's important for a number of reasons. One is that we want to, of course, be in touch with the customers, but it's also important for credibility. We are facing a situation today where European customers are concerned about moving all of their assets to a non-European company and vice versa in the US. We're also seeing some of that in Asia. It's important for us to be local in the markets.
I think this opens up a huge opportunity for us because the need is definitely there, and the market readiness is there. Broadening industry coverage. You still see a lot of our business coming from high-tech companies, from financial services and public sector. The need is much broader than that. We'll be investing in making sure that our technology is out there and being tested and then easy to scale within a broader set of sections. I've highlighted this before, but one of the favorites there is really the healthcare industry, especially healthcare providers, because they're sitting on so much sensitive data, and we read about breaches pretty much every day. We want to be part of putting that industry at the forefront of modern technology rather than at the forefront of hacker attacks.
More to come there, but it's really important that we can get to a broader set of customers, even within the geographies that we currently serve. Channel partners, distis and resellers. To this point, we've been very reliant on a one-to-one sales model where our account executives work directly with the largest companies and public organizations in the world to generate demand. We want to make sure that we enable channel better. We have a representative for that effort in the room, Bettina. I'm sure she'll be happy to talk to you later. It's really about getting that global reach. We can't be local in all the different geographies where we serve customers. We need distis and resellers to do the work there. We want to make sure that we get more channel-generated sales.
We work with channel partners to a very large extent today when it comes to servicing all of the existing customers, making sure that delivery happens, making sure that they get service locally in the right language. When it comes to demand generation, there's lots that can be done. One of the important parts that we have there is that it is about training the trainers, i.e., training our channel partners so that they understand our technology, what benefits it brings compared to other technologies, what are the typical reservations that you meet from customers, and perhaps even more importantly, how do you make sure that you support the customer to successful implementation? That part is critical, not just for customer success, but also for the kind of channel partners that to a large extent have their business based on working in a service model with these end customers.
It's not rocket science, but it's a long-term effort building the credibility so that channel partners trust you, that you won't take the business that they've generated in a direct motion or switch to another channel partner. I think we're building an important basis there that will serve us long-term, seeing more channel-generated sales. Even if consumer is not a big part of our business, especially for really security-conscious consumers, there's already some buying online our keys either from our store or our Amazon presence. We've also started working with consumer distribution partners. One of the first ones that we started working with was Best Buy, a large US retailer. They saw a lot of demand actually on their homepage for our products. It's primarily two types of users: cryptocurrency enthusiasts and people that use password managers and want to protect their vault.
That's what we see in every survey that we make out of these consumers. It is not really something for everyone yet. We hope to get there. For these two markets, that in itself is something which is interesting in generating demand. Together with Best Buy, we have now taken the step of moving into the brick-and-mortar stores with a new set of packaging and some simple instructions for how to use it. This is the new packaging reason for that. I think you may be even able to order something afterwards. We will get back to that. This is one illustration of how we can make our technology more accessible to a wider audience working through partners, even if this is not a big part of our business today.
Finally, when it comes to the land motion, it actually works in expand too, but we're seeing it primarily as a land motion, is strategic alliances. I'd highlight two strategic alliance types. One is global system integrators or GSIs, where we today have started working with a few of the leading GSIs on a more tactical basis, where we're essentially running large projects together with them. We're hopeful or optimistic that we'll be able to announce a more formalized partnership with at least one of the largest GSIs shortly. That will be important in getting into the board conversations, executive-level conversations. We always have our biggest friends and supporters in the basement, so to speak, the ones who are really techy. To uplevel our conversations within the organization, GSIs or global system integrators could play a really big part.
On the technology alliances, one thing that we've talked a little bit about as an example is the partnership that we have with Okta. It's not a coincidence that we run Okta internally because they have a great identity access management platform and a very nice integration with YubiKeys. They do the very same within their organization. That's kind of eating your own dog food and then taking it out to the customers. So far, we've launched it for a very limited set of users, but it provides a really good user experience. We're optimistic that with Okta and other technology partners, we can reach audiences that are already captured on those platforms. Turning over to expand, and this is an area where we perhaps haven't spent enough resources and attention in the past.
One critical step that we made there was that as we introduced YubiKey as a Service, we said that, well, it's one thing to drop ship keys at someone's loading bay. It's a whole different thing to make sure that they have a successful implementation. We probably want to dedicate customer success managers to all of our largest YubiKey as a Service customers. Honestly, that shouldn't be limited to YubiKey as a Service. 80% of our business is still perpetual business, and we see a very high repurchase rate there. We are now also introducing customer success managers for our largest perpetual accounts. What does that mean? It means that we support the customer. We work with them in assessing their needs, provide manuals for how successful deployments can work that are relevant to them in their industries, in their geographies.
We are with them as they plan the rollout. Then we assist them as they deploy, whether it's with practical questions or user adoption, or whether it's with technical questions. Okay, this wasn't implemented right in that system, so we need to go through this process. We've seen this before. Again, train the trainers within the customers. There is that ongoing engagement with the customer. As we get more data points, we're better able to predict how we can best support our customers. We can be more proactive. Okay, you've protected these types of users. Do you know that a customer in a similar situation then went through these next steps? This is the experience that they've had.
Monitor their data and support them with relevant experience so that they can be more quick and more successful as they deploy it to the wider organization. Finally, making sure that we have the right incentives for people to continuously upsell within the organization, i.e., identifying new use cases and making sure that renewals or repurchases happen. This is a relatively new function within our company, but I'm really excited about this because this is frankly the fastest way to grow in revenue for us. It's great, and we need to add new customers, but upselling and renewing on existing accounts is a much quicker way to revenue. Finally, and this is really tied to a lot of the things that Jerrod and Albert will talk about as we talk about the product roadmap. This is about extending security beyond use within a large enterprise or public organization.
We have seen successful deployments in the past, but they have all been based on bespoke development, where we work with specific banks to protect a subset of their customers to make sure that they do not experience account takeovers, or where we work with a large manufacturing company to make sure that their supply chain is protected. With some of the initiatives that we are now preparing within product, this will be then we do not need to reinvent the wheel every time. It can scale more quickly beyond the limits of the organization without us having to find out the right solution for every customer one by one. I am really excited about that.
That opens up a whole new set of users for us without us being at the forefront in generating that demand because, as we mentioned, our biggest customers serve billions of users that need protection. In short, what has formed this foundation for our success to date is primarily a direct sales motion to the largest companies and public organizations in the world. Of course, we need to continue doing that, and we need to excel at expanding within that type of customers. However, we are now investing in a number of initiatives when it comes to Land & Expand, which will permit us to reach new customer segments. We will be able to work more closely with the customer and therefore deepen the relationship with them. If we're smart about working with tech partners and GSI, we can leverage their vast sales resources and reach within other organizations. With that, I'd like to hand over to Jerrod, who will talk about some of the things that will put him in a position to scale better in the future.
Thank you. Thank you, Mattias. I wanted to step back a little bit to give everyone a view of the mission that we've been on. Stina's actually here, so kudos to her. The reason I joined Yubico and the reason I'm still here really relates to this mission. The mission was to make a safer place for everyone. One of the things that we've done is to make secure login easy. We talk about the FIDO technology. We talked about passkeys. If you look into the future, it's not just about the authentication.
It is the user interacting with this digital wall. When I first joined Yubico, I had the opportunity to train a group of journalists, and I was raving about all the great things they can do with the YubiKey, being so naive to know actually what they do. I start to emphasize on things they can protect, their social accounts, their banks, and their governments. They say, "Hold on, Jerrod, you do not understand. If my digital identity is compromised, you will not see me tomorrow." I take this mission very seriously. I take the way that we orchestrate our company to build the products, to make an impact to the world. I do believe a lot of our customers believe in this as well, and they are with us in this journey.
What is happening today is that we've established a very good baseline, the foundation of authentication. What's happening is the attackers are kind of going around authentication now. We hear this straight from our customers. They just said, "I've lost all my authentication devices, whether it's a phone, a laptop, or a YubiKey. Please let me in." People generally say, "How do I know it's you?" There are so many ways that people create fake documents. Now, with, again, generative AI, it's so much easier to create fake documents, fake voice, fake pictures, you name it. Whoever it is that helps this individual lets them back in. Who cares about passkeys? This is a huge problem. The users don't have control of their digital identity.
They may have control of the authentication, but they don't have control with this digital identity that they've now put themselves out there. We saw the headlines with attacks. We're starting to see the actual problems of digital identities now. The attackers are kind of moving around and evolving the attacks. There's this huge paradigm shift in digital identities. It's actually happening at the center of the change that's actually happening in Europe. There are so many activities and so much regulations coming and standardization coming. How do we create national IDs? How do we create all these citizen IDs? All this great innovation is happening right in front of us. I'll take a little step back. This also pertains to the growing market that the analysts believe is the next big thing.
If you look at authentication, you look at identity access management, but digital identity is a huge, huge, bigger type of opportunity in the market. Today it is very fragmented. A lot of companies trying to solve this problem, no standardization, everybody doing their own thing, the proprietary thing again, right? That is just a snapshot of 2024. We anticipate this space to expand and accelerate at rates of close to doubling their size in the next five years. For the reasons I just told you why, it is a big problem. I want to take a step back to say, what is the difference? You have solved authentication. You are the best, and we will continue to invest in that space. Absolutely, we will. A lot of people do not use strong authentication today.
It actually is in parallel where it needs to coexist in terms of digital identities because you issue a strong authentication to the digital identity that you've just proven. Here's the difference between the two. The authentication you are trying to authenticate to that one service, right? The log on to your Google is Google. You set a password, and you set up a FIDO security key for Google, and then you log into Google. The same entity. In digital identity, it is different. Slightly different in terms of the way that things are orchestrated, but it's vastly different in the way that who gives you the digital identity and how you use it. The government gives you a passport, but you use the passport to enter security and get to your airline. They're two different entities. That complexity alone requires coordination at scale.
Today it's not coordinated at scale. That's the challenge. That's why you have so many companies trying to solve this problem, and no one has solved it at scale. I'll take a quick example, and both Stina and Albert will give you a little bit of a glimpse of what we're actually trying to do. I'll set some baselines. This is a national ID from Finland. Physical card, smart. It has a chip in it. Today you can create a digital version of that from a physical card. Seen it today, you can be on an app, you can be on a web application. What you want to do is that you want to prove certain aspects of yourself to the service that you're trying to do an activity. Certain sites require to be of a certain age to do something.
In this case, in a digital identity form, you can actually only control and share what you want to share. "I'm over 13. Please let me use this site." You can present in a way that you selectively disclose, which is great. You want to control, right? You want to control. You do not want to say, "Now I'm over a certain age. You have my address. You know where I'm born." You know all these other things that you should not need to know most of the time. When we look at the digital identity ecosystem, it becomes complicated because there is an issuer, like I said, like a government issues you a digital credential, and then you have a verifier, which may not be the same person that issues it.
The holder is holding these really important attributes of themselves, their age, their birth date, sometimes even family members. There are things that you do, professional credentials. You work for a company. In that case, the user, in our term for the digital ecosystem, we call this user holding a wallet. The wallet has different things that you hold in it. Because of this complexity, there are a lot of players in the mix. In this new world, the standardization is much more complicated than just trying to standardize authentication like FIDO or passkeys. If we get this right, if we get this right, you actually protect the user.
A quick example on how this actually works is some of the early works that we've done with our teams, with other organizations, including the organization that Stina founded, Sirius Foundation, to give a glimpse of what is possible. This is the same ID, but now we're trying to present this credential to a service to prove an age. We want to show this site that this individual is over a certain age only, and we don't want to reveal anything else. We don't want to reveal the name. We don't want to reveal where they live, anything else. In this case, the way to unlock that sharing is with a YubiKey. Without using the YubiKey, the user is not releasing anything about themselves to the service, which means the identity of the individual is locked to this hardware that you can control.
You can decide which service is allowed to see what attribute of yourself. This is not just a video. We actually have a working prototype, which we also actually showed at the same FIDO Authenticate conference that we showed our post-quantum cryptographic YubiKey. With that, I want to introduce back and bring back Albert back on stage to tell you a little bit about what Yubico is going to do with these great scenarios.
Thanks, Jerrod. I'll ask you all to wish me luck that my glasses don't fall down in the middle of this. All right. In explaining what this means, I think it's just important to go back to something that I said, and a couple of folks have said. It's subtle, but it's really important. We have a very long-term perspective. There was a time long before I joined Yubico that somebody stood on a stage and said, "Passkeys are going to be adopted by billions of users." It's true today. That same long-term perspective actually has been applied to lots of other things that we really need to think about as a society. I'll talk a little bit about what this means in this context because it'll then give you a sense for what we're investing in and why. Hopefully, that gets some people grounded. What does it mean for AI to be in the mix? I mean, two, three, four years ago, people were working on artificial intelligence for a long time.
There was a long AI winter, and there were other companies that were really grinding at the mill because they knew that this was going to become something big and great, and this is the moment. If you look at what identity means in the age of AI, it's actually a perilous question. When computers are able to impersonate so well, it just opens up a lot of big questions. Without creating a lot of parade of horrors, I want to focus on the way we're thinking about it as AI is actually a new supply chain input. What does that mean? It means you have labor. You now have this boundless intelligence that you can insert into lots of different things, and you have to trust it.
Especially when AI is going to be acting on behalf of a human in terms of verifying something or authorizing something, you're going to need verifiable inputs at the heart of what it is that you're presenting in order for people to feel some trust that the telemetry that's coming from that or the software bill of materials that you're signing or all the other things that enterprises are now beginning to do with artificial intelligence can be trusted. You are going to need roots of trust that come back to humans. Fundamentally, that's going to be something that as systems start to work and act on our behalf, we have to have that trusted.
Almost every device you have in your hand is going to be infused with intelligence, and there will be times when you need to separate what that device is doing from the human who authorized it. That is a key role that we will continue to play. I want you to look at this chart because what this shows you is a 20-year journey from where we were with 99% of any kind of authentication coming from passwords to passkeys, which now have a multi-billion user and multi-billion account adoption trajectory that is very, very strong, built on open standards and foundations that give us this ability to have adoption at scale. You ask then, what does that journey look like?
I mentioned earlier that some of the necessary innovation we have to have will require that this foundation of encryption we have has to be rebuilt on quantum-safe capabilities. In the United States and around the world, there have been competitions and contests to establish the correct white-box cryptography that will be allowed for post-quantum cryptography. We have incorporated the algorithms that have been chosen by NIST as finalists. NIST is the National Institute of Standards and Technology. It plays a big role in determining which encryption technologies will be the correct foundations for what we do because all of these things have to be interoperable. That is a very necessary bridge.
I'll tie this back to what Jerrod just talked about, which is verified credentials, meaning something that you own that you tie to your identity that you might need to prove to somebody else. The interesting thing about verified credentials is that they are as powerful for what you allow them to do for you as what you can disallow. Meaning you can actually create a privacy container and a security container around a piece of information, an attribute about yourself, and enforce that it may or may not be shared depending on what you, the owner of that identity, decide. This is a big deal because this is a complete flip of the privacy model we've lived under for the last however many years.
What I'm really excited about is the fact that, again, Yubico and its founders have been visionary about thinking about what this future holds. I'm incredibly excited to have Stina, our co-founder, come up on stage and talk about what this means.
Thank you, Albert. Wow. One of the biggest challenges on the planet. Every second, three fake identities are created on LinkedIn. Today, there are more fake identities and bots on the internet than real humans. We have a solution. This is about two and a half years ago, about the same time I stepped aside as the CEO for Yubico. We were approached by a research organization here in Europe who invited us to be part of a very cool, bold vision that the European Union had set up.
You have heard Jerrod and Albert sort of talk about this in other terms, but it is actually a vision for EU. I think EU is, for the first time, I think EU is much cooler than Silicon Valley. Yes, credentials, user information is transferred from your passport, digital identity app to this identity wallet that is controlled by the user. You share whatever information is needed for the service that you want to share. This is the coolest part. You can be verified but anonymous, which means that you can share that you are a real person and not a bot. Do you understand what this means for the world's democracy and free speech and peace and human rights? It is a revolution. Of course, we wanted to be part of this. We did not only engage with the first research organization.
We engaged with two others, Greece, Holland, and Sweden. We created an open-source, open-standard prototype research project that is actually the one that Jerrod shared. The challenge is it was sort of a shared ownership. It was an open-source project on GitHub. There was no real leadership. It was just like, "Hey, we, we as a group want these things to happen." You know what we did? We actually solved the fundamental problems with universal digital identity. I am absolutely sure that we are now building a new next-generation secure internet on these pieces. By routing it as a web-based application and not a centralized solution that is owned and controlled by an identity provider where you tie to a phone or a smart card, we have a solution that is web-based. You can share it. You can use computers. You can use phones.
You can delegate to others. Families can have a shared computer. I mean, there are families who may have even a shared phone to access the system. You can even delegate to a legal person. No one has solved this before us. It is the highest level of security because all the reasons we have talked about today, passkeys, security keys, and YubiKeys is the best. It's smarter and more secure than your Swedish hard bank ID or bank authentication tokens or name it. Because it's not a centralized service and it doesn't collect data, and we delegated security to users, and these users do not just share everything about everything, but actually the only thing that they need to share, there's no oversharing. There's less data that will be hacked, and it's the highest level of privacy.
Because there was no ownership of this amazing project, I knew now it was time for me to step into a leadership position again. I created the nonprofit as a partner to Yubico. I am now the executive director and founder of this little sister to Yubico. We are on a good path into making this into a global standard. Here are the things we started. We are the most tested, most interoperable of all the European Union digital identity wallet projects today. We won a German competition, an innovation competition that Germany put out and said, "Hey, innovators, tech giants, anyone, help us create the next-generation identity system for Germany." Our solution kicked out both Google and Samsung because we are cooler and more privacy-preserving.
After that, when Germany said, "Hey, we like this," Canada and France said, "We also want to be part of this." Canada is not even part of Europe, but they like Europe now a little more than a year ago. Now we're starting a pilot there. This is a project we're doing with Sweden, actually showing that you have legal ID wallets, and there may actually be some kind of press release out there where this idea of business ID wallets is coming where you can delegate, for example, Mattias can delegate the authorization of signing documents to other members of the Yubico team. You can't do that with your phone, but you can do that with the YubiKey. Singapore also wanted to be part of Europe, or at least this initiative. We're making a pilot between Sweden and Singapore.
This is the coolest part. There is this group of investigative journalists. We all were very touched when Jerrod named the importance of protecting free press and the people who protect us. If there is no free press, there is no security. There is this group of investigative journalists who are developing a new digital press pass for the internet. They said and asked us at Sirius Foundation if they can route that in this digital identity standard. We have already started the first phase of that, sending them all YubiKeys. There is an international research organization, and the list goes on. Every week, there is someone new, a new country, a new government agency, a new company that wants part of this global initiative. People have asked me, "Why could not Yubico lead this? Why did I have to create a nonprofit?"
It is because we now need to engage with governments and policymakers and nonprofits and have a neutral platform. Just like Ericsson, when they created GSM and wanted that to be a global standard, they could not. It had to be the GSM consortium that sort of took the pieces of GSM and moved it forward. Of course, Ericsson had a very vital and important voice in the room. That is sort of the relationship between the little sister Sirius Foundation. We are just a dozen people. I funded it with money that I was grateful to receive when Yubico went public. It is my way of giving back. Now we are also being encouraged to get funding from other resources. We partner with Yubico because Yubico is the established credible player, is the leading inventor behind passkeys.
It is actually a really good synergy between us. We meet up every week, and we sort of conquer and divide where can Sirius be of use and where and what does Yubico need to do to make this into one global digital identity standard for all on our same mission, making the internet safer for everyone. Thank you.
This is exciting. Hopefully, you start to see a glimpse of something that we will talk about more and more. As elegant as this sounds, there is a lot of, there is a saying in the U.S., there is a lot of wood to chop. There is an incredible amount of cryptography and coordination and mad science that you have to get right for this to work really well. That is the job that our customers are going to trust us with. That's the job that we are going to work in a way that has been consistent with where Yubico has always worked before, which is a pairing of standards and standards-based innovation together with excellence and building that foundation of trust. I want you all to look at this slide and kind of recognize what these layers tell us. This is a very simplified diagram that shows kind of what the relationship looks like across the layers. You can think about Yubico as being this root of trust, well-established. Global passkey adoption is a great foundation.
In addition to that, we have this enormous base of thousands of enterprise customers, at least one-third of the fortune of the Global 2000 that we're already working with, that give us this amazing innovation factory to go back and think about what it means to have this new sense of identity start to go. We have this interoperability layer that starts to bring the right kind of open standards that you'll need in order to drive billion user adoption eventually. You have the kind of engagement that you need at the user experience layer that's a sophisticated interplay of both the open standards and the root of trust. We need to obviously have a way of making this measurable because if you're not making this measurable, you can't transmit the proofs that people need in order to trust the ecosystem.
We're thinking about all of these problems. I'm really, really excited about the investments that we're making here. There'll be more to come over time. Just to give you a couple of examples of what this could look like, I'll tell you a little bit of a story here. Initially, we had an example that kind of lived in the healthcare field, but that's one of the places where the United States and Europe are highly, highly contrasted because in the United States, if you give a healthcare example, you're giving a private sector example. In Europe, when you give a healthcare example, you're mostly giving a public sector example. We wanted to give something that was a little bit more distinct.
I'll just give one of the examples that we had, which is it does take a while for a doctor who works for one hospital system to sometimes just transfer to work in a different hospital system or to work in the same hospital system in a different jurisdiction in the United States. If that takes six weeks, that's six weeks in which somebody can't make an appointment with, I don't know, a doctor who looks after people who have complications from diabetes and they have a leg that is suffering, and so they wait six weeks longer to get something. If you could have a system where you're verifying those credentials nearly instantaneously, that is real value add in a way that cascades into things that people feel viscerally. It's about how well you can get quicker because you get better care.
That's just one example that kind of links back to the medical side. There is this whole web of things that you can do all the way from how people do background checks effectively in the workforce, how people do loyalty programs, what it is that you can do to prove that you have certain qualifications in order to take on a task, how quickly you can onboard if you're a consultant working in one company and then being deployed to another. There are just so many things that you can do once trust becomes a programmable artifact that the sky is really the limit. We are very, very confident that this is a race that we are going to run really hard at because the world needs this.
If you think about what I've talked about, there's a possibility of actually bringing identity back into the control of the user. User-controlled identity with verified credentials, which are as powerful for what it is that they allow you to do as what they allow you to prevent from happening. You start to have identity that travels with privacy attributes that work as a container that you control cryptographically with your YubiKey. Secondly, you have all these great use cases that you can start to show to industry, starting with our 5,000 enterprise customers and growing beyond. Third, if we do this the way we are, we are committed to doing this in a way that's really about open standards. It means that the value of this actually increases with greater adoption.
We are doing this with the context that has been set with widespread passkey adoption. This is not a cold start problem where you are going to have to create the logic that then allows people to do this. You could never do this without first trying to solve authentication. What that tells you is that this company has an incredibly long-term vision about how the world will change for the better. We are committed to doing this in a way that is very much about open standards, and we are really excited about what the future holds. These are the two takeaways that I want you to have about what our innovation path looks like and why we are investing the way we are. What passkey adoption is doing is it is setting the foundation for digital identity that protects users beyond login.
I think we've painted that picture really clearly, and you're beginning to see how it comes together. Yubico will sit at that decentralized root of trust for what this next generation is going to be. I think that brings us to Q&A. I'll call up Mattias, I think, to wrap.
I think we can welcome back all speakers from the last session, Jerrod, Mattias, Stina, and Albert. This concludes the third and final session, and this will be the third and final Q&A. Let me start with the first question. The first question is for Mattias. Which factors do you believe are most crucial for Yubico's success, and how do you ensure the whole organization focuses on them?
It comes in two different parts. Fundamentally, we need to stay ahead of not just competition, but also the hackers in terms of providing that secure hardware root of trust. The work that Albert and his team are doing in both making sure that our core stays ahead of the game and then expanding to what our customers are looking to solve in terms of problems when it comes to digital identities are both critical for our success long-term. If you look more short-term, the quickest way to make sure that we meet our financial targets is about that expansion within the existing customer base. That does not mean that we can let go of the land ambitions that we have and look at more ways to add new customers and get more leverage in our sales model. It is a combination of the two. Of course, if we don't have the leading product, it doesn't matter if we have the best go-to-market in the world. That's kind of a short-sighted approach.
To Albert and Jerrod, can you elaborate on the focus for digital identity, and do you view it as diluting focus?
It doesn't dilute focus because it's actually building on the foundation that we have. The customers that get the value out of the YubiKey today are the ones who are setting themselves up for that future. We see this very much as what that evolution will need to be.
I'll just add to one practical scenario at a company. Albert talked a lot about delivery of YubiKeys and enabling them to be onboarded really quickly. One of the key challenges today that customers have is the recovery. How do I know it's you before I give you the YubiKey? Just that statement alone, we have to solve the identity part of the equation. It's not just authentication. In some ways, whatever we have envisioned for the future of Yubico, it's also solving a real problem that the customers have today, particularly as companies employ and have users everywhere globally and growing, and not just employees, but their customers and their suppliers. How do I actually know that you should be getting a YubiKey? Because I don't really know who you are. We need to solve that problem to solve the bigger ecosystem challenges.
Following that, how do you see the revenue model for identity verification?
I'll take that one. This, to me, is one of the reasons why I'm so happy that we introduced the service and subscription model some time ago. For most applications, at least enterprise applications, the logical way to sell this service is in a subscription mode. Of course, we're going to have customers who would want to separate the two, and we're not going to stop that. I think this is one of the accelerators that we're seeing for customers, making sure that we have that long-term partnership and a commitment, which the YubiKey as a Service framework provides.
To now both Stina and Mattias, can you just elaborate a little on the collaboration between the Sirius Foundation and Yubico? Is there a scenario where the solutions are competing with each other?
I think I made it fairly clear. Sirius is like the Linux for online identities, and Yubico is the Red Hat that builds value-added commercial service on top of the same platform, top of the same code. Yubico will develop more advanced service, while we at Sirius will continue to drive the open-source project, oversee it, ensure that it's certified, ensure that it goes to every country on the planet, and ensure that we actually engage with the Linux foundations of the world to put it into the central pieces of the internet. For that, you need to be a nonprofit, long-term, sort of neutral player. We at Sirius, because I represent both, I am a major shareholder in Yubico. I own 10% of this company. I'm the co-founder, and I'm on the board. I, of course, have literally only one hat today, but I have two hats. My hats are to ensure that Yubico is successful and Sirius is successful.
At Sirius, we realized that when all these governments want to come and try this open-source platform, we set up a, that we're going to launch shortly, just a reference wallet platform where people, like the test bed. We say, hey, this is for free. If you want to do something more advanced, we will charge some very minimum just to not start losing too much money. It's basically that. That is sort of the revenue model.
I only wear one hat, even though I'm not wearing it today. I'll add to Stina's description there by saying we're actually very happy to be working with one of the leaders now, Sirius, in this space, because this is actually a center of expertise and knowledge, and we learn a lot about getting our heads around this interesting market and defining our product offering where we can make money with this emerging technology.
Initially, I thought it would be mainly YubiKeys, but there are more commercial services tied to the YubiKeys that Yubico can make.
Now, question to Mattias. Can you talk more about the new office opening in Singapore? Why Singapore? When will we see material revenue coming from that region?
Today, the Asia-Pacific region represents about 10% of our revenue, but it's growing quite rapidly. As we talked about earlier, it used to be that most of our revenue from that region actually came from American and European companies operating in the region. That is now changing. We are seeing locally generated demand. We have a sales team in place, and we are seeing a lot of activity on both the government side and on the private side recognizing the need for strong MFA. It is definitely a rapidly growing market. As I mentioned, it is critical for us to be local as we do business. We literally have customers who would not take delivery of the product unless they know that it is programmed in a location that they feel confident about. Even if those are really the really large and very security conscious companies, having that local base is important. Why we chose Singapore is because it is a great place to do business. I'm not going to lie about that. It provides a very stable framework and a long-term perspective, and we're getting great support locally for our ambitions there. Fundamentally, it's driven by customer demand, but we're seeing this hub as a natural place to expand our footprint in the region.
A question for you, Albert. You talked a little bit about how Yubico is preparing for the era of quantum computing. When do you anticipate that quantum-resistant authentication will be required?
We think that for some use cases, quantum-resistant or quantum-safe authentication will be required as early as the end of the coming year. We think that that's only going to grow. Where we are right now is in an intense testing phase with partners. We have really opened up at the Authenticate Conference an invitation to folks to work with us on that because these are not small projects. Essentially, what you have to do to get your organization ready for a quantum-safe transition involves doing a cryptography audit of every dependency that you might have in your environment and then going on from there. From the date you start, you're starting off on a multi-year project. A lot of enterprises, a lot of the CISOs and identity folks we speak to are beginning to kind of bring that into view, are setting up post-quantum working groups. The time for the engagement is right now.
What cadence of product releases is Yubico aiming for?
Is that in the post-quantum context?
Both.
We have kind of two cadences for our product releases. The simplest answer I can give is our services are releasing monthly or something on a much more frequent cadence, and that will continue. On the hardware where you have firmware trains, customers typically do not want to consume too much change. They want kind of stability around that because these keys are deployed for a long time. The cadences there are a lot longer, where we will take some time, get something out, and then kind of move from there. Those are the two cadences we have. In order to support our subscription businesses and the services that we continue to offer that add value, we will continue to intensify the release trains there accordingly.
Thank you. We have a question in the room.
Yes. Thank you, Daniel, from ABG. You showed that you had 9 out of 10 tech companies in 2020, 18 out of 20 AI companies today. Is that just because these companies in the forefront are much more aware of cybersecurity and they buy protections from many, many more providers and does it really say that much about your solutions against your head-to-head competitors? Or do you see better proof in the other sectors, like healthcare, financials, that you are more an exclusive provider?
No. Sorry, as I understand the question, when we looked at those statistics, we also took a closer look. What is the level of deployment that we have within those customers? It turns out that for our broad set of customers, our average penetration rate, if you compare the number of keys deployed with the total number of employees, is in the 10% range. In this subset, AI companies, we find that more than half of them have rolled out YubiKeys to their entire workforce. They're at the bleeding edge of understanding the threat levels, and they're very tech-savvy, of course. I think that's an indication that they're a little ahead of the curve, but I think the rest will catch up before too long.
I think a little comment to it. For a long time, we were perceived as a Silicon Valley company. We were in the heart of Silicon Valley. Google, Microsoft, Apple were our main partners. These AI companies have thrived mainly from Silicon Valley, and these tech giants are US West Coast based. It was like we were never like the biggest cybersecurity on the planet, but we were the biggest strong authentication organization company in Silicon Valley.
Yeah. I think that the color from Joe earlier, which is a lot of these AI companies have been using this technology for more than a decade. That is the fact. When you, it's not just a technology that they're buying into. I think an earlier question, why should they buy another device? People do not buy devices. They want to trust Yubico. That is a big difference.
One thing maybe also to add, I'll just refer back to the video we saw earlier. Cloudflare, for example, is a very classic example of one of the things that we see, which is somebody who used the technology and saw the difference that it made in one job, then moves to a different job and says, I would like to sponsor this to get this rolled out everywhere. We also have that as something that's almost like a perpetual fountain of people who experience the product, see the value in it, taking the experience from one organization and going to another one and doing a company-wide rollout.
In the early days, we had someone from Google who went to Facebook. They deployed YubiKeys. Then someone from Facebook went to Uber, and they deployed YubiKeys. Someone from Uber went to Salesforce, and they deployed YubiKeys. Exactly what you pointed out.
Yeah. Go ahead.
Another question from the room.
Excellent. Erik from SEB here. Just to follow up on the identity product to Stina and Mattias, perhaps, or all of you. I mean, just so I understand, do you foresee that this is something that governments would deploy and they would send out YubiKeys to the users?
It will be a combination. Some will just deploy digital identity cards that are similar to the identity cards that you get today and that you can put on your phone, and it will transfer the information. You can also, through a card reader, transfer information to a computer. You will have YubiKey as an add-on for high security, high privacy, shared delegation, shared computers, phone-restricted rooms, backup. I mean, there are all these scenarios where the first card will not be enough. There may be, and we have those conversations in Sirius now in countries to say, hey, could we replace that card and just have a YubiKey because it's more convenient? It works on all computers, all phones. You can put it on the keychain. I mean, a card doesn't work with your computer unless you have a card reader.
It is sort of a little, we do not know yet, to be very honest. We know that there will be enough use cases. As I would say, how big can this market of digital identity be? Let's say we get 10%. 10% of 5 billion internet users is 500 million. To date, we only sold 45 million keys. I am not going to sort of commit to that number in X number of years, saying like, oh, in two years, we will be there. It is sort of the opportunity that is growing because before Yubico was enterprise and some consumers, and now we can be part of national ID systems. That is the big opportunity where we need Sirius and Yubico to work hand in hand in driving that effort.
It is definitely expanding the addressable market. We're not betting the farm on governments sponsoring YubiKeys for everyone, but it's a nice idea. It's more about making sure that we're part of that platform which is being provided, which is being developed right now.
I'll put 500 million keys in the model then. Just to follow up, if I may, I mean, you said there's a lot of wood to chop before this is fully deployed and functional. If you were to give a rough timeline, when does this become relevant for Yubico and a big driver for Yubico, do you think?
I think it's going to go fast. Much like time sort of comparison, we took 10 years before starting with Google, getting Microsoft, getting Apple to adopt passkeys. This will go faster. I think in five years, there will be hundreds of millions of citizens that use this kind of digital identity system. How much of this share will Yubico get? That's up to us. We need to continue to innovate. We need to not only with the keys, but with the services surrounding the system. Just like an Ericsson or the guys preventing when there's a standard for Wi-Fi or USB or whatever, whatever standard that is created, the innovators need to be on top of it because there is competition.
I believe it's the last Q&A session, so I'll just take the opportunity to first off, thank you all for the great presentations throughout the day. I just wanted to, you mentioned that I do not want to run ahead of ourselves here, but you mentioned that there are several adjacent services that could be added by Yubico in the future in this initiative. Could you elaborate a little bit on.
I think you heard it better at that.
Yeah. I gave a glimpse of it a little bit on that earlier. Albert, obviously, can share more. If you think about the identity lifecycle, there are things that you need to do to verify the identity of the user. This is just one example, right? It is not like the YubiKey cannot do that. There are things that you can offer to help prove that the user is who they say they are. You can also think of a service where you are providing the user with the trust that they work for someone, right? We may not be a government, but we could provide a service for corporations. I think we talked a bit about the delegated scenario here, right? Mattias delegates to someone else to sign the paperwork. But what gives him the right to delegate?
And who is he supposed to trust in the digital world? We can offer such scenarios where professional credentials can be issued by Yubico, and then they can take an action to then present it. There are a lot of corporate scenarios, business scenarios, independent of citizen government scenarios. That is really our focus, to really find trusted customers in this journey. The good news, we have like 5,000 of them. I think that is the difference which both actually Stina and Albert talked about, which are not starting from zero. I mean, if you start like the cold start problem, which is like no customers, no market, it's really hard. We have a strong foundation to build upon.
Yeah. Two things to add. One is just being transparent, I can't stand here and tell you the things that we're going to run fastest on because that would not be wise.
A security company can never run too fast. Do not ask us to run too fast because we cannot make mistakes.
We are excited about where we're going to run fastest because we know that there's already a lot of customer value we can create. That's one thing. The second thing is it's just coming back to the fact that amongst our 5,000 customers in the enterprise and our many thousands more prospects, we have conversations every day that illuminate for us just how much need there is for what it is, the direction we're going. All the way from people who want to flip their privacy model to people who want kind of easy verification for really hard things to do today because they're just inconvenient processes. We are just going to be very methodical about how we create value for our customers. This is not going to be rooted in things that divert from the focus that the company has always had, which is providing that strong authentication root of trust, a hardware-backed phishing-resistant MFA as the foundation. Because if you do not lock that door, then you do not have identities that you can trust to do anything else. You have to think about this as sort of laying that foundation has taken a while. This is a fantastic base on which to build. When we build on that base, we are going to be rooted in real customer problems, and they are just too numerous to solve. Actually, what we spend a lot of time thinking about is what we are not going to do.
Every existing customer struggles with this. How do I onboard people? How do I secure the identity of the user? How do I manage the lifecycle of the product? Every customer today pretty much has a different approach to it. I think it is safe to say you used to work there. Google had a very generous approach and said everyone should get at least three YubiKeys and make sure that that's always the root of trust. I spoke with a German customer only a couple of weeks ago. They have a lot of discipline when it comes to someone losing their YubiKey and how they get back online or how they get access again. They literally demand the delinquent to show up on site and then to have two of their managers on location verifying that person's identity using their YubiKeys, and then new credentials can be issued. That's an example of a customer with a very low attrition rate, let's put it that way, because you do not want to go through that process. We want to make sure that we find the right balance between security and convenience/scalability there. I think we come from a unique position with the background that we have.
Next question.
Yeah. You kind of touched upon it a little bit now, but I'm thinking of maybe you don't know the answer to this, but if you consider other cybersecurity companies like Cloudflare has been mentioned or CrowdStrike or Palo Alto Networks, when they roll out their services, those are also typically quite long implementations, and they're painful. The implementation time for you guys compared to, I don't know if you can say an average of other large complex implementations, but based on what you just told us, it is this kind of recovery onboarding that is really the big pain point for you. How do you stack up versus other companies, and are they quicker at deploying? I know it's software, but it kind of ties in.
I think the question is, if you took a lifecycle of hardware versus a software, there are fast things and slow things in each category of technology. You might be, for example, let's just talk about software. You could be fast to deploy, but really struggle for maintaining the level of security. What you do not see behind the scenes of software is you actually have to maintain the patches of that phone. Do you want to take control of how frequently we patch phones and operating systems and Windows and Google and Apple? There is a huge cost to that. Some things are fast and some things are longer. Hardware is a little bit the reverse. It takes a longer time to establish that deployment, but then you have a very consistent flow because we are not changing anything on the hardware like the YubiKey when you get it.
There are all these measurements that we see from the reality of customers deploying. Long-term perspective, independent of whether software or hardware, customers choose companies that go for the marathon, not the sprint. That is really the difference because you have to really work through the pain in some ways. It is nothing to do with Yubico or the technology. Every company has complexity because I call this every large company, large is relative, has a computer history museum of stuff. You cannot run fast in some of these things, even if you wanted to, right? Obviously, T-Mobile had a very strong leader that pushed all the way through, but that sometimes works, sometimes does not work because the technology does not have it. The stack did not mature enough.
I think that a few combinations that I can't give you a straight answer whether it's faster than a Palo Alto network-based software thing or a YubiKey thing. I think enterprise is complicated, then let alone if you think about deploying to government systems, you have even more complexity. What we believe, though, is that the innovation that we provide accelerates the adoption. And it's two things. It's definitely about the standardization so that it works out of the box. We spend a lot of time making sure things work out of the box. The second part of it is Yubico has to do its part. It's got to innovate on those open standards to accelerate the adoption.
One quick thing to add. First of all, I think we've got two customers here who have been so kind with their time. They can give you unvarnished samples of how quickly they saw time to value. Because oftentimes, this is just a time to value question. Like, how quickly can I see value from deploying this? Value is often very, very quick. Because there are situations where when Carl talked about unplanned deployments, an unplanned deployment is usually because some kind of catastrophic compromise occurred. Credentials were stolen. People show up and they say, well, we need to reestablish connections to our environment that we can trust again. There will be people in our facilities working until 2:00 A.M. to get keys to them. It happens. If that's an indication of what time to value means for YubiKey deployments, that's the best evidence I can give you that this is something that has very rapid time to value.
Everything between a few couple of weeks to seven years. I mean, we've seen some customers like seven years ago, like, oh, we started this little thing. And then, oh, as you said, the reason why they then take action is the two major reasons are either compliance, that there's a new regulation that they need to comply with that needs this kind of high-level security, or they've had a breach, or they got a new CISO that had a YubiKey in his previous job.
We're running out of time.
Can I ask a quick follow-up on that? Is there a service you could provide where you promise a certain delivery time, or would you just, based on what the IT stack looks like in the various customers, but where you actually, even further than you did with T-Mobile, et cetera, just we do the implementation for you and then charge for it?
Most environments are Microsoft environments in enterprise. The parts of the environment that we control the delivery of, often identity is such a complex stack. There are going to be many things that you're getting right in order for the YubiKey to fit in correctly and deliver the value. You could deliver and deploy YubiKeys in a day. However, if you did that and you have vulnerability to what are called downgrade attacks, downgrade attacks are all the other places where you do not actually have true phishing resistance in your architecture, but you have ostensibly deployed something phishing resistant on the front door, but you have got an open window here. We can deploy YubiKeys extremely quickly and deliver perceived time to value quickly. All identity and access management professionals and CISOs will tell you that you have to make sure that you are doing it in a way that gives you the protection you are trying to buy.
The best we can get to today, I think, is working with a professional organization like T-Mobile saying, okay, we are going to get this done. We are going to make sure that we do not have the back door open or open windows. We're committing then to, yes, we'll support you in that journey. The physical access to YubiKeys at this point will not be the limitation. As we scale, yeah, that's doable. I think it's more of an implementation partner opportunity than a Yubico opportunity.
I think we're going to work with a lot more. I think Mattias talked about some of the global system integrators because a lot of it is not even technology-related. It's all change management. The majority of these projects, besides going through unplanned, they're massive change management. Some of it is digital transformation as well. We certainly don't have the expertise to do large-scale change management. That's why one of the leveraged sales plays that we have is to work with the global system integrators, MSSPs. That's our plan to really help accelerate the adoption because those are the folks that know how to do change management and be professional about the cadence and the planning.
We have one last question.
My name is Joran Altius. And I would like to ask you if you see company acquisition as a way to expand and how would that be?
Yeah. Just some background though. We've never made an acquisition. It's all been organic growth in the past. However, as we expand in the digital identity space when it comes to lifecycle credentials management, when it comes to IDV, those are two areas where there could be value in, quote-unquote, not reinventing the wheel, but identifying specific product features or specific competencies that would be quicker time to market and a good return on investment to instead of making acquisition. We're not quite there yet, but it's not something that will.
It's not off the table.
No.
Okay. Thank you.
Thank you to all the speakers. I'll leave it for Mattias to-
Close it out?
Close things out.
Thanks, everybody. Hopefully, this was digestible. At times, I need to think really hard to follow along when Albert and Jerrod talk about things. It takes some time to get your head around it. We're recording everything. If there are parts that you want to revisit, there's a good chance to do so. Also, all the presentation material will be available online. I'd like to wrap it up by talking about what I mentioned initially. I'm really happy about the questions that we got here. This is about how we leverage the position that we build so we can protect and create safe digital identities for generations.
Why are we so confident about our ability to deliver on that? It comes from a few different levers. We already have established a market leadership position in a rapidly growing market, which is the foundation for managing digital identities. We created the passkeys protocol, co-created it, and we have built a position where we are being recognized as the world leader when it comes to hardware-based MFA. We have also established a business model which lends itself to working with some of the largest players in this market to leverage the position we built with them within the current use case with YubiKey as a Service and with emerging digital identity solutions. We have the strongest innovating team in this market that you can find.
I think some of the examples that were shown today are testaments to the fact that we'll continue innovating and lead at the market within strong MFA and beyond. We have a solid financial position. We have had three quarters with lower sales growth than the long-term target, taking a longer perspective. We've had 40% growth since we went public, about 15% growth. We have a stable gross margin. We have consistently had positive cash flow, and we have a very strong balance sheet. We are in a position where we can invest in building the next big thing. With that, I'd like to thank everybody for your interest in Yubico. We'll hand it over to Alexandra to wrap things up for those that are here. For those of you that have joined online, thank you so much. We look forward to hosting similar events in the future. Thanks.