• Alphane Moon@lemmy.worldM
    link
    fedilink
    English
    arrow-up
    29
    ·
    3 months ago

    “The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.”

    • lemmyng@lemmy.ca
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      2
      ·
      3 months ago

      On the contrary. China for example is known for accessing traveler electronics both during customs/immigration checks and in their hotels. Unless the victim carries their key on their person at all times without fault it can be cloned without them knowing.

    • eyeon@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      3 months ago

      i have physical access to my own yubikey and can’t make a backup copy. someone else who only temporarily has access to it being able to do so is definitely a vulnerability.

  • WolvenSpectre@lemmy.ca
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    3 months ago

    Its not much of a vulnerability, like locks, its not if it can be picked, it is how difficult it is to be picked, but the difference here is that the vulnerability is that a nation state actor, or a high capability actor can compromise it, and “it” being the thing that keeps your accounts safe.

    So this is like the lock that protects all your accounts can be shimmed if it ever gets out of your control type of an issue, so not to stop using them, but to keep them secured or on your person at all times.

    I hope YubiKey offers a fair upgrade program for their next series of keys and maybe a new FIDO Standard.