The dominant topic at Keyfactor's Tech Days conference earlier this week (March 4-5) in Miami Beach was post-quantum cryptography, with nearly half the talks we attended at the two-day event touching upon the issue.
We'll have a deeper dive into post-quantum cryptography in a follow-up piece. But for the moment, the salient points made by conference speakers were these:
"In some respects, we're already too late" in starting the post-quantum migration, said Russ Housley, founder of Vigil Security LLC, in a panel discussion Tuesday. Nevertheless, he and his fellow panelists urged organizations to begin planning the migration now.
To illustrate the lack of awareness of the issue, panelist Jaime Gomez-Garcia of Spain's Santander Bank said that in a recent survey of 100 important German companies, 30% of respondents said that they thought the post-quantum migration would not apply to them.
They're wrong. Any company that uses digital code signatures, public-key infrastructure, or asymmetric key exchanges will be affected. This includes everything from retail giants like Amazon to white-label manufacturers of IoT devices.
Industrial concerns, energy companies and healthcare organizations also must worry, as the software updates for their machines and medical devices, as well as their network communications, will be vulnerable to having their encryption cracked by quantum computers.
In a separate talk Tuesday, Kevin Ha, vice president of technical engineering at M&T Bank in Buffalo, said that your organization doesn't need to be the fastest in migrating to quantum-safe encryption.
As with campers being chased by a bear, what matters is that you're not the slowest, Ha said.
Who doesn't love AI?
Concerns over the post-quantum migration managed to push aside AI as the top issue, a rarity for a cybersecurity conference these days. But AI did come up in the opening keynote address Tuesday by Kay Firth-Butterfield, CEO of Good Tech Advisory and a recognized expert on AI in the UK.
"Do we have the right grammar to constrain what AI agents are up to?" Firth-Butterfield said, wondering whether we had yet developed tools to properly place guardrails around AI.
She found it interesting that despite the hype, actual AI usage is pretty small. In a recent survey, she said, nearly half of Americans and Britons said they had never heard of ChatGPT. Tiny percentages (7% and 2%, respectively) said they used it daily.
Those numbers are reflected in the Edelman trust barometer, Firth-Butterfield said, which found that trust in AI fell 22 points from 2024 to 2025. Comfort with the use of AI in business, she added, fell 21 points.
Firth-Butterfield had her own doubts about the general usefulness of artificial general intelligence (AGI), the point at which a machine can think as well as a human across a broad range of subjects and tasks. (Like quantum computing, AGI is eagerly anticipated but has not yet been achieved.)
"We just want to have usable AI to solve our problems," she said. "Do we really need the Swiss Army knife [of AGI]?"
Clearly, many people doubt whether AI is a good thing. Asked by an audience member how we can increase public trust in new technologies like AI, Firth-Butterfield responded that if people don't trust it, that will create a slowdown in the industry.
"The world agrees on what responsibility [with new technologies] is," she said, "but not on how to get there."
Verifying photos, gadgets and code
Firth-Butterfield's keynote was followed by a round of four "speed talks" in which presenters took about 10 minutes each.
First up was Jason Slack, director of product engineering of Truepic, a San Diego company that uses Keyfactor's EJBCA public-key infrastructure (PKI) to verify the authenticity of photos taken on smartphones running the Truepic mobile app. (Later that day, Keyfactor presented Slack with its Innovator Award for novel use of Keyfactor technology.)
Truepic's clients include insurance companies, banks and other lenders. Instead of sending out inspectors to verify damage claims or property valuations, clients can simply ask applicants or claim filers to take their own inspection photos using the Truepic app, or a client app running the Truepic SDK, on a smartphone.
Truepic has saved its insurance clients 10% by cutting down on fraudulent auto-damage claims, Slack said. He added that Keyfactor's PKI prevents AI-generated images from entering business processes and creates trusted documentation for conflict-reporting photos to make sure the images haven't been embellished or otherwise tampered with.
Echoing Firth-Butterfield's talk, Steve Hanna, Distinguished Engineer at Infineon, said that we're seeing more regulations and other compliance requirements because consumers don't trust new technologies, especially when it comes to IoT devices and connected systems.
But, Hanna added, consumers say they're much more likely to buy an IoT device if it has a security certification label.
As a result, we've recently seen the introduction of the Singapore Cybersecurity Labelling Scheme, the UK Product Security and Telecommunications Infrastructure, the EU Radio Equipment Directive, the U.S. Cyber Trust Mark and of course the EU Cyber Resilience Act.
Most of these are optional standards, Hanna said, and many are cross-compliant. They are creating a global approach to IoT security certification, which helps consumers and trustworthy manufacturers overall.
Eric Mizell, Field CTO and VP of solution engineering at Keyfactor, explained how the company's Signum code-signing platform lets clients secure their software supply chains and streamline their DevSecOps operations.
"It's amazing how many companies I work with that don't actually sign code," confessed Mizell.
Ellen Boehm, SVP of IoT strategies & operations at Keyfactor, addressed both Hanna's and Mizell's concerns. She presented a process by which IoT, OT (operational technology) and IIoT (industrial Internet of things) devices can have their supply chains secured.
IoT devices are being used more and more as an attack vector, she noted, and neither their makers nor their users know how to secure the devices, even as the IoT market grows 10% year-over-year.
Meanwhile, Boehm said, embedded devices in heavy industry and OT are designed to last decades. There's clearly a need to verify firmware updates for IoT, OT and IIoT devices. Fortunately, she said, Keyfactor's SignServer and Signum make it easy.
Let's hear it for our hosts
It wouldn't be a company-run conference without a little cheerleading for the company in question, and Keyfactor CEO Jordan Rackie kicked off Day One by proclaiming that Keyfactor's EJBCA PKI has, in fact, become critical infrastructure.
Given the importance of PKI to modern digital communications, commerce and software development, it's hard to argue against that assertion.
Rackie also noted that Keyfactor currently had about 3,000 customers, and that one in three customers were using more than one of Keyfactor's main products. (In addition to Signum, SignServer and the EJBCA PKI, the company offers Keyfactor Command to manage certificates and identities on servers, endpoints and IoT devices.)
Sticking to the conference's car-racing theme, Rackie said that "Keyfactor is committed to your success through every turn and every straightaway."
Two security engineers from Zoom, Hitesh Patel and Bryce Newbold, discussed in a small session on Tuesday how Keyfactor's EJBCA let them build an in-house PKI system, and even more significantly, deploy independent EJBCA clusters in different regions around the world.
"EJBCA met all the selection criteria," said Patel. "The alternative" — which he did not name — "was lower-cost but not sustainable."
The speedway ahead
Wednesday, March 5, began with a presentation laying out Keyfactor's product vision and development roadmap.
Chief Technology Officer Ted Shorter and Chief PKI Officer Tomas Gustavsson noted the expanding role of PKI in all aspects of technology, Apple's and Google's proposals to shorten the lifespan of TLS certificates from 398 days to as few as 47 days, increasing regulatory and compliance requirements, AI and machine learning and, of course, post-quantum cryptography.
Keyfactor will help its customers handle all of these factors, Shorter said, but the key to managing it all is automation — especially since the first few years of the post-quantum migration will likely be taking place during the same time frame (2025-2027) as the gradual reduction of TLS certificate lifespans.
Shorter added that Keyfactor Command & EJBCA Enterprise will use both proprietary and standards-based automation to tackle these issues, and will have new enrollment patterns that are easier to use and understand than previous iterations. Also, a ServiceNow app for Command will launch later this spring.
On March 3, the day before the conference, Keyfactor announced a new feature for Command, called Command Risk Intelligence, that discovers, scans and analyzes all of an organization's encryption algorithms and certificates and produces a risk-based score with suggestions for improving outmoded or vulnerable assets.
Building such a function was possible, Shorter said, because "we've come to the realization that our products gather an awful lot of data."
He and Gustavsson noted that Keyfactor still offered platform flexibility, with its products available to be deployed as containers, as on-prem hardware or software, or as SaaS applications available in marketplaces like AWS's or ServiceNow's.
"It's not easy for us to offer this many form factors," said Shorter, "but we know it's important."