[TheNewsIsHere]

That seems really reactionary based on a single random report posted to HN. It’s worth actually verifying if this was intentional or accidental. They’re marketing the keys as having the new firmware. It would be really idiotic to do that and then intentionally ship old firmware. Anyone and everyone would be able to figure that out in an instant, and would severely damage their business.

[mrtx01]

I was in contact with a Sr. Customer Support Specialist from Yubico and I was not impressed by their denial of a problem.

The reason to get such a Hardware Token is, that the private key cannot be extracted, even if the users lose it.

They have plausible deniability for fraud with the broken devices.

Claiming that this would not be a problem and trying to explain why it is not a problem without considering their client could be right, is pure arrogance.

Only a complete exchange of the whole management of yubico could save them, when they want to be taken seriously ever again.

And of course the new management should immediately offer a cost free exchange program.

D'oh.

[MaKey]

The report can be verified by visiting the product page of the YubiKey 5 NFC FIPS: https://www.yubico.com/us/product/yubikey-5-fips-series/yubi...

It is listed with the vulnerable firmware 5.4.