- What is YubiKey
- YubiKey Security Vulnerability
- Conclusions and Recommendations
One way to ensure the security of your crypto assets is by using YubiKey. However, a vulnerability has been discovered that users who purchased a lifetime YubiKey must learn to live with. Let’s first discuss why YubiKey is important for crypto asset security and then talk about its lifelong vulnerability.
What is YubiKey
FIDO Alliance developed this USB-sized device to assist with identity and password verifications. This authentication device, supporting 2-factor and FIDO2 authentication protocols, keeps your crypto wallets secure. It can work offline, allowing you to log in by simply touching the key instead of entering a password, without relying on a phone. This way, you don’t need to store your exchange passwords or other private keys on WhatsApp, email, or paper. You can also use it by tapping it on your phone thanks to the NFC feature. This device, compatible with applications like Lastpass and Google Password Manager, can be used not only for your crypto accounts and wallets but for all your accounts. For extra security, some users buy 2 YubiKeys, using one actively and keeping the other as a backup or recovery key.
YubiKey Security Vulnerability
Everything is perfect unless someone holds a gun to your head and takes your YubiKey. However, a significant security vulnerability that you need to get used to living with was recently discovered. Cybersecurity experts found a vulnerability in YubiKey two-factor authentication keys that allows the device to be cloned. This vulnerability was discovered in the Infineon crypto library used by almost all products, including the following series: YubiKey 5, YubiKey Bio, Security Key, YubiHSM 2. Yubico stated that this security vulnerability is of moderate severity and difficult to exploit. Experts mentioned the following details in their comments on what to watch out for: “An attacker would need to have physical possession of the YubiKey, Security Key, or YubiHSM, have knowledge about the accounts they want to target, and require special equipment to carry out the attack. Depending on the use case, the attacker might also need additional information such as username, PIN, account password, or authentication key.” Although it seems difficult, attackers who believe they can access a significant amount of assets might overcome this challenge.
Conclusions and Recommendations
Since YubiKey firmware cannot be updated, all YubiKey 5 devices before version 5.7 (or version 5.7.2 for the Bio series and version 2.4.0 for YubiHSM 2) will live with this vulnerability for a lifetime. However, later models are not affected by this vulnerability as they do not use the Infineon crypto library. In conclusion, users should be aware of existing vulnerabilities and take all possible measures to protect their assets.
In the end, YubiKey remains a powerful device for ensuring the security of crypto assets, although users should be aware of the existing vulnerabilities and take all possible precautions to safeguard their funds.
