Obama campaign used security keys in 2012 election to prevent hacks

It's unclear the extent of how far the campaign used security keys, but Yubico's CEO said it had a presence.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read
Presdient Obama Participants in a Twitter Town Hall at the White House in Washington

Former President Barack Obama on a laptop at the White House.

Brooks Kraft LLC/Corbis via Getty Images

Political campaigns in the 2018 midterm elections might want to look back at Barack Obama's campaign team and what it figured out six years ago to fight off hackers.

President Obama's campaign in 2012 used Yubikeys, which are security keys for protecting logins, as a defense against hackers, according to Yubico CEO and founder Stina Ehrensvärd.

"The woman who tried after him did not, and you can see the results," Ehrensvärd said in an interview at Black Hat.

Harper Reed, the chief technology officer for Obama's 2012 campaign, said only a small handful of people within the organization used Yubikeys.

Yubico declined to comment on the extent of its involvement with the Obama campaign.

"We are not authorized to discuss specific use of YubiKeys within the campaign," Ashton Tupper, a Yubico spokeswoman, said in an email. 

The missing link in the cybersecurity chain could have cost Hillary Clinton the presidency. The thousands of leaked emails released by Russian hackers played a pivotal role during the 2016 election, and the resulting controversy contributed to her defeat by Donald Trump.  

The hackers gained access to prominent officials within Clinton's campaign, as well as the Democratic National Committee, through a process called spear-phishing, in which hackers use carefully crafted emails and websites that trick victims into giving up their passwords.

A security key is a useful tool if that happens, since potential hackers would need both your password and that physical key itself to log into your accounts. Google has boasted that since it adopted security keys, none of its employees have fallen victim to account takeovers.

Google plans to start offering a device it's built, the Titan Security Key, to the public sometime in the next few months.

"People who have a lot to lose, a lot at stake, those are the ones who are starting to adopt our products," Yubico's Ehrensvärd said. "High-profile individuals, people on Twitter who have a lot of followers, or YouTubers with millions of followers."

The extra security measure likely would have protected Clinton campaign manager John Podesta's email from being hacked.

Jeff Link, the regional IT director for Obama's campaign in 2008, said that they didn't use security keys at the time because it was too early. Ehrensvärd originally mentioned that both Obama's campaigns used the security keys, but the company later clarified that it didn't offer the tool in 2008.

Obama campaign managers from 2008 and 2012 and the Clinton Foundation didn't respond to a request for comment.

Watch this: Justice Department indicts 12 Russian cyberspies suspected in DNC hacking

This isn't just a problem of the past. Former Director of National Intelligence James Clapper warned Congress that Russian hackers would return in 2018 to attack the elections, as well as in 2020, and there's already been evidence of it happening.

Sen. Claire McCaskill, a Democrat from Missouri, said hackers attempted to access a staffer's emails through a phishing attack -- the same method that breached the DNC. On Wednesday, Rolling Stone reported that hackers gained access to a Congressional candidate's emails in California. And in July, Microsoft said it stopped Russian hackers from attacking three members of Congress.

Attacks against political candidates and elections have become a major concern, potentially undermining the legitimacy of the democratic process. These targeted attacks could also cause political chaos and sway elections in a preferred candidates' favor.

Ehrensvärd said security keys are crucial for protecting elections, as they make hacking highly targeted people much more difficult. Her company has been working with election campaigns around the world, saying that it recently protected a presidential election in another country but declining to state which one.

The DNC has now enables two-factor authentication, including security keys. 

The security company's CEO said that Yubico has been teaching political campaigns in the US during this year's race about why they need security keys. She declined to provide more specific information.

"The people who are in election campaigns right now," Ehrensvärd said, "may actually not want to disclose what they're using, even if they're using the best."

The story originally published on Aug. 16 at 11:07 a.m. PT. 

Update, Aug. 22 at 8:01 a.m. PT: To include a comment from Harper Reed, the chief technology officer of Obama's campaign. 
Correction Aug. 17 at 7:52 a.m. PT:  This story originally misstated which of the Obama campaigns used Yubikeys. Those security keys were used only during the 2012 campaign. 

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

As midterm elections approach...: US officials hope hackers at Defcon find more voting machine problems