by mrtx01 586 days ago
Thank you so much!

My client was in the final stage of selecting security tokens.

They have contracts with administration and their tokens need to be secure.

I was strongly for YubiKeys; now they will no longer be an option.

It is not so much about the flaw as about their handling of the broken security tokens, still claiming them to be somehow secure-ish.

Even if they offered us the new tokens, that wouldn't make a difference. Their claim of making the internet more secure for all contradicts their attitude.

That is really disappointing.


That seems really reactionary based on a single random report posted to HN. It’s worth actually verifying if this was intentional or accidental. They’re marketing the keys as having the new firmware. It would be really idiotic to do that and then intentionally ship old firmware. Anyone and everyone would be able to figure that out in an instant, and would severely damage their business.
I was in contact with a Sr. Customer Support Specialist from Yubico and I was not impressed by their denial of a problem.

The reason to get such a hardware token is that the private key cannot be extracted, even if the user loses it.

They have plausible deniability for fraud with the broken devices.

Claiming that this would not be a problem, and trying to explain why it is not a problem without considering that their client could be right, is pure arrogance.

Only a complete exchange of the whole management of Yubico could save them, if they want to be taken seriously ever again.

And of course the new management should immediately offer a cost free exchange program.

D'oh.

The report can be verified by visiting the product page of the YubiKey 5 NFC FIPS: https://www.yubico.com/us/product/yubikey-5-fips-series/yubi...

It is listed with the vulnerable firmware 5.4.
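The practical follow-up to the exchange above is to read the firmware version off the key you actually received rather than trusting the product page. The script below is an added example and not code from the thread or from Yubico; it assumes the `ykman info` output format ("Firmware version: X.Y.Z"), takes the minimum acceptable version as a caller-supplied parameter (the thread only says 5.4 is vulnerable, so no fixed version is asserted here), and the sample output it parses is constructed.

```python
"""Check the firmware version a YubiKey reports via `ykman info`.

Added example, not from the thread. Assumptions: the `ykman info` label
"Firmware version:" and the caller-supplied minimum version. The sample
output below is constructed (made-up serial number).
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Constructed sample of `ykman info` output for a 5.4-series key (assumed format).
SAMPLE_YKMAN_INFO = """\
Device type: YubiKey 5 NFC FIPS
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
"""

_VERSION_RE = re.compile(r"^Firmware version:\s*(\d+)\.(\d+)\.(\d+)\s*$", re.M)


def parse_firmware_version(info_text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `ykman info` text, or None if absent."""
    m = _VERSION_RE.search(info_text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_at_least(version: Tuple[int, int, int], minimum: Tuple[int, int, int]) -> bool:
    """Numeric tuple comparison, so 5.10.0 ranks above 5.4.3 (a string compare would not)."""
    return tuple(version) >= tuple(minimum)


def assess(info_text: str, minimum: Tuple[int, int, int]) -> dict:
    """Classify a device from its `ykman info` output against `minimum`.

    `minimum` is whatever version the caller considers acceptable; it is an
    input, not a claim about which firmware fixes the flaw discussed above.
    """
    version = parse_firmware_version(info_text)
    if version is None:
        return {"version": None, "acceptable": False, "reason": "no firmware version found"}
    ok = version_is_at_least(version, minimum)
    min_str = ".".join(map(str, minimum))
    return {
        "version": ".".join(map(str, version)),
        "acceptable": ok,
        "reason": "meets minimum %s" % min_str if ok else "below minimum %s" % min_str,
    }


def check_attached_key(minimum: Tuple[int, int, int]) -> Optional[dict]:
    """Run `ykman info` against a physically attached key, if ykman is installed."""
    if shutil.which("ykman") is None:
        return None
    out = subprocess.run(["ykman", "info"], capture_output=True, text=True, check=False)
    return assess(out.stdout, minimum)


if __name__ == "__main__":
    # Illustrative minimum only: anything newer than the 5.4 line named in the
    # thread. Substitute the version your own policy requires.
    print(assess(SAMPLE_YKMAN_INFO, (5, 5, 0)))
    live = check_attached_key((5, 5, 0))
    print(live if live is not None else "ykman not installed; skipped live check")
```

Run it with a key plugged in and `ykman` on PATH to compare the reported version against your policy; without either it still evaluates the constructed sample, which reports 5.4.3 and is flagged as below the illustrative minimum.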