Hacker News
by AustinLin 2422 days ago
If you assume state actors can compromise the supply chain with impunity, your Yubikey is the least of your concerns, I would think. Why wouldn't they just place a hardware implant in your computer :).
1 comments

There is no potentially detectable 'implant' required in these cases; it can be sufficient to capture a factory-initialized private key.

The width of the supply chain of computers is enormous, and only a tiny fraction of computers available are interesting to compromise. This would make it astronomically expensive to compromise a significant fraction of all computers that are useful to compromise, and the risk of detection would be fairly high. The market of security keys is relatively small and a significant portion are worth compromising; compromises there are much more effective.

If state actors do not completely compromise the manufacture of these keys then they are extremely incompetent and derelict in their duties.

Put another way, if the {pick your boogeyman state} government started issuing hardware cryptokeys and suggesting you use them as single-factor access to your servers, what would you think of that?

Would your opinion be improved if they just didn't announce that they were the boogeyman state and instead did business under a cover company?

Do you have any realistic means of determining that this isn't happening?

"I let someone else generate my secret keys for me" is a failure at the most basic level of security, and that failure isn't removed by them also putting the secret keys in a potted, opaque, and unauditable hardware device.

Yubikey as a second factor is a fantastic improvement-- it's a quite strong protection against attackers who couldn't compromise the keys.

Yubikey as a single factor is simply key escrow with extra steps.

Claiming that trusting the device's own 'fingerprint permission' is two-factor is deceptive, since an attacker which has compromised the device's construction, design, or confidentiality of its state only faces one-factor security.