[Newsflash] “YubiKey Recalls Defective 2-FA Authentication Devices” as New Vulnerability Found
- A spokesperson for YubiKey has recently come forth and stated that a majority of his company’s “vulnerable devices” have either already been exchanged or are in the process of being replaced.
- At press time, there have been no reported cases of security breaches arising from the newly discovered security flaw.
As per a security report released by YubiKey recently, the firm’s FIPS Series devices (especially those running on firmware versions 4.4.2 and 4.4.4) are now more vulnerable to various security-related issues.
To be more specific, devices currently running firmware versions 4.4.2 and 4.4.4 can retain up to 80 predictable bits, with keys being as short as 256 bits. As a result, the ‘randomness quotient’ of the affected devices (YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS, and the YubiKey C Nano FIPS) has been reduced quite significantly.
With that being said, it is worth pointing out that even with these reduced security standards, it is still quite difficult for miscreants to “gain access to a device connected to the FIDO U2F device or leverage a TLS vulnerability”.
From a technical standpoint, to make use of the above-stated flaw, hackers will need to “capture several signed responses” from a machine that has been compromised. Following this, the nefarious agent will then have to recompute the coded framework, which in itself is an extremely arduous task.
Similar issues may also arise when dealing with OATH one-time passwords and OpenPGP-based authentication protocols.
Even though YubiKey’s devices aren't meant to serve as altcoin-wallets as such, owing to their use of 2-FA based authentication modules, many crypto holders seem to swear by the company’s products.
Bitfinex, Coinbase, and Gemini are a few of the premier crypto trading platforms that currently support FIDO U2F. Not only that, according to a number of independent reports, YubiKey devices are also being used by various government organizations across the globe right now.
A number of security experts are of the belief that this latest flaw affecting various YubiKey devices — especially those running firmware versions 4.4.2 and 4.4.4 — will compromise the existing security protocols that have been deployed by a number of big-name corporations and governments (that are making use of the company’s products).