by jsiepkes 652 days ago
Well, since YubiKeys can't update their firmware, everything with a firmware below 5.7 is e-waste I guess?

>Well, since YubiKeys can't update their firmware, everything with a firmware below 5.7 is e-waste I guess?

You guess wrong (also "ewaste" is such a stupid term but whatever). As the article says, it's of moderate impact and depends on the user's threat model. The vast majority of us do not face advanced persistent individually targeted threats at all, let alone ones with a physical component (i.e., breaking into our houses or offices or the like). And we don't have any significant countermeasures already (how many of you would actually 100% of the time notice if a sophisticated team broke into a trusted space of yours and installed covert cameras aimed at various places you use your trusted computers, such that they could grab passwords and PINs, then steal keys?). Rather, the point of adding an HSM second factor, particularly one with an operator presence feature, is to help raise the difficulty of everything from phishing to security failures on the remote side (since unlike with passwords the remote side only has public info) to local malware.

This certainly isn't ideal, and some businesses will be paying attention, but any weakness that starts with "you must physically steal a specific item from somebody" already eliminates the overwhelming supermajority of threats most of us are concerned with.