Hackers talk a lot of smack about their “leet”—that is, elite—skills, but no method of digital burglary is more tried and true than phishing. Tricking people into revealing a password is one of the easiest ways to access sensitive personal information. (Just ask former Clinton campaign chairman John Podesta.) In just over a year, email scammers fleeced $3.1 billion from U.S. companies, according to the FBI. In a recent report, email security firm Agari found that phishing attacks were either on the rise or keeping pace at 89% of more than 200 surveyed firms.
Yubico aims to eradicate the threat by fortifying passwords with a physical object—“one key for all the Internet,” says Stina Ehrensvärd, the company’s Swedish-American CEO. Founded in 2007 and backed by Salesforce chief Marc Benioff, Yubico develops a set of hardware devices that add an extra layer of security to online accounts. Dubbed YubiKeys, these tokens look like small USB sticks, fit easily on a key chain, and cost $40 (although simpler models sell for as little as $18). Individuals can use them to lock down their own Facebook and Google accounts, while businesses are able to safeguard entire fleets of laptops. Corporate customers range from Novartis (nvs), the Swiss pharma giant, to CERN, the European nuclear research organization, to the U.S. Department of Defense.
Here’s how YubiKeys work: When users try to log in to a secure email or social media account from an unfamiliar computer, a message asks them to insert the key into the computer and tap it. Since only the real account owner possesses the key, scammers working from afar can’t get into the account—even if they have the password.
Security pros regard Yubico’s crypto-processing as the best form of two-factor authentication available on the market. But there are limitations. Yubico’s technology doesn’t work with Apple mobile devices and only works in Chrome, Firefox, and Opera web browsers. Yubico also faces competition from companies including Nitrokey, Vasco, and Feitian.
Still, the embrace of two-factor tech is making life more difficult for scammers. Google (googl), Facebook (fb), Dropbox, and Salesforce (crm), as well as parts of the U.K. and U.S. governments, have adopted the standard that Yubico helped pioneer. Expect to see more companies and countries roll out compatibility in the coming months.
This article is part of “The Future of Startup Innovation” package that appears in the May 1, 2017 issue of Fortune magazine. Click here to read more from the series. We’ve included affiliate links in this article.