IF YOU BUY a government-grade security key, the one thing you really want from it is government-grade security. It's the very dictionary definition of "you had one job." That's why it's somewhat embarrassing that Yubico has put out a recall notice on its FIPS series of authentication keys which, it turns out, aren't completely secure.
A security advisory from the company states that devices running 4.4.2 and 4.4.4 of the firmware have a bug which puts in "some predictable content" within the randomly generated security keys.
"Predictable" isn't ideally a word you want to be used when it comes to passwords, but to be clear, it's not like the FIPS is popping out passwords like ‘123456' or even ‘1234567'. The RSA key generator, for example, would have "up to 80 predictable bits out of a minimum of 2048 bits." And while security keys with ECDSA signatures are comparatively open doors, they still only have 80 of the 256 bits generated by the key remaining static.
In other words, it would still take a very determined hacker to get anything out of the keys, given the need to first intercept the given authentication and then break the slightly compromised security key.
But then again, the people that use security keys for authentication do so because they're housing very sensitive material and are therefore hugely tempting targets. This isn't like managing to break into a random person's long-discarded Yahoo Mail account.
Despite this, any affected customers will get a replacement security key from the company instead. And if all this gives you a sense of deja vu, then it may be that you read of a similar thing happening to Google's Titan Security Keys less than a month ago. µ
Bad for shareholders, mildly good for the planet
YouTube on the Tube
Claims that it hasn't ever actually worked