Thanks for watching!

They did! But they fixed that "feature" in the 5.7 firmware 😋

do you have a link?

@@arofhoof Can't really post links but the title of the article is YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel

Nothing burger. You have a better chance of winning the lottery than being affected by the so-called "issue."

The issues requires such extraordinary measures to exploit there is no concern (yet).

@@JK-mo2ovyeah, like 10 hours of access and the process pretty much destroys the key. It isn’t sneaky by any means. I think most of us are safe.

Sorry, I am out of town and don't have my computer with me. I ran out of time to do the timestamps (it's a manual process for me) before I left.

@@ShannonMorse Are you back in town now? It's been a while :))

@@ShannonMorse Still no time stamps

@@dgf7451 technically u can make em as well :P just in comments

What part of the video explains we need a new key? I missed that part

@@speedracer9132 Well it was what I understood by the mentioning of the new firmware on new keys, older ones were not mentioned at all.

@@VincentGroenewold The new firmware adds functionality to the keys. As I understand it the application works for all existing keys.

@@penultimatename6677 I did some googling and came up with this statement from Yubico's website: Yubico periodically updates the firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware and once programmed cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey. So the new firmware is only on new keys.

It would be really nice if Yubico would allow firmware updates to hardware. On their website they explain how they do not allow for firmware updates as a "security precaution" and I get it. But then they allow updates to their mobile and desktop apps...? So Yubico is afraid someone is going to physically steal my key and do something nefarious but my constantly connected Yubico Apps are less vulnerable? I'm not suggesting anything foul on their part, but it would be nice (and look a little more ethical) if they allowed refunds/trade-ins. Something like a $20 refund if they receive your old key within 30 days of purchase. Setting up your "Yubi-life" is tedious enough, having to re-do this after every firmware update is costly, unreasonable and for mid/large companies unscalable. I'm a long time user of YubiKey, but if I were to do it all over again I would probably go with the Google Titan Security Key (yes, their firmware is upgradable, and it's less expensive). Forgive my rant.

Hey could you let me know if you get the new firmware or old. I just got mine and it was the old firmware version.

@@OneZone4 Sorry for the wait. I got them and they are on firmware 5.7.1

My biggest is that I misplace my keys a lot... >_

Yes! And after paying for the new one they sent me the old firmware version. Kinna useless as that's the version I have.

I thought Yubikey are the best one for 2FA. Meanwhile I know they are not.

@@OneZone4 they are now writing the version they will send on the page.

Yeah, that is annoying but for a very good reason. They are supposed to be secure and allowing changes to firmware makes the thing inherently insecure.

Which is why you should store those QR codes (in a safe place) for later use.

@@JohnDoe-fk6id How do you store a QR code safely that's not on a digital device? There-in lays the issue

@@stultuses Print it out, and put it in a safe?

@@stultuses Instead of taking a picture of the QR code. Choose don’t have camera. Then you can type it into all the keys. As well as saving it in a password manager.

Oh my gosh! Small world haha 🤣

@marco31 This is how every major vulnerability starts and certainly isn't the end of the story. Sure, it requires an em probe, high speed acquisition gear, and detailed knowledge now... but it's not a stretch that this could be simplified and sold as a kit to script kiddies.

@@beaubellamy And the script kiddies will still need to have access to the physical key. I'll take my chances.

@@beaubellamy given that they also need a working login+password combination for a specific service, and the cloning only works for these credentials on the one service they aim for… Presumably, with enough time and working credentials, they could clone all of them, but still. Also, a decent service should be able to notice that their user is providing correct information but is brute forcing their 2fa, and slow down response time or something? I really don’t see how it could be automated further.

@@beaubellamy any future script kiddies will also need to take apart the physical yubikey *without damaging any internal components* for it to work.

It's literally Mission Impossible level of skill to pull it off, along with 10K worth of equipment and several other factors like already knowing where you log in and passwords for same. Unless you are a highly target individual like head of nation state, Coke secret recipe holder, reserve bank, etc kind of person, you don't need to change your existing keys!

Depends on which authentication "app" ur using

@ well no. A browser extension and a password manager does NOT protect against MiM attacks if using OTP codes that are entered or autofilled by the password manager. If you use passkeys in the password manager as credentials on the other hand, then just like with security keys authentication won’t happen if the URL is wrong. That’s what phishing resistant credentials means and it can also conveniently be passwordless! I hope more and more sites give you the ability to remove your password from their services so they no longer can be leaked, Mike Microsoft did with personal Microsoft accounts

Exactly. I'm not upgrading unless it's USB c

If we're not including all the ones I use for my demo videos, yes, I am. It's a small price to pay for a product with no subscription fees and fw 5.7 has lots of worthy upgrades. I consider this like upgrading my phone. It's a cost, but also an investment in my own personal security.

@@ShannonMorse thank you, that makes sense to me. The “old” ones are still good for a backup? Or do you destroy them?

They work great as backups! Otherwise I'll remove them from my online accounts and gift my old ones to friends. I try not to throw away electronics if they still work

Some people are complaining that after purchasing the yubico keys 🔑 the are getting the old keys. Surly, Yubico should remove their old keys ?. It would be totally frustrating, buying a new key, only to receive the old key version in the post.

Yes, it will work with all keys.

@@ElmoFuntz Thanks

Because the OTP codes are stored on the key, not on your computer, which is somewhat safer

@@VincentGroenewold Are the OTP codes stored directly on the YubiKey, or are they stored in the app but protected by the key for access? If I understand correctly, this would function similarly to using Bitwarden to manage OTP codes while securing access to the vault with a YubiKey. @ShannonMorse what are your thought on this ?

@@francoislefebvre2469 No the codes are stored on the key, downside is that for the older keys I can only store about 32.

@@francoislefebvre2469😮😊 great question! Looking forward to the ands too 😂

@@francoislefebvre2469 They are stored on the Yubikey.

You would have to log into the account and remove the multi factor authentication layer in order for her to login.

@@ShannonMorse Thank you, that is better than nothing.

It does not affect keys with 5.7 firmware and you need expensive specialized hardware to do it. So unless you are careless and leave your device out where anyone can get to it, it's not really an issue.

@@ryokaix So short answer, mostly fixed. Never underestimate the carelessness of people.

The exploit requires to physically have access to the key. The equivalent to stealing the key. Be more concerned with the possibility of it being stolen.

@@pagefault404 Short answer, no, it's a hardware bug that they've mitigated by releasing a new V5 yubikey with new firmware. All pre 5.7 will alway be vulnrable now.

Absolutely! Use them as long as they work!!

​@ShannonMorse Thanks... I thought that would ve the case, BUT when you have access to someone who knows what they are talking about, that is when you ask those questions that sit in the back of your mind. I'm retired now but I used to be both an UNIX Systems Administrator & a Custom Software Developer back in the 80s & 90s. My programming skills didn't survive the millennium. I'm older than the Internet! The Internet will outlive me, but It will take a few decades for it to be as old as me!

I got 100+ tokens. KeePassXC's TOTP function FTW (of course separate database)

Yes to your last point, unfortunately

Especially when there is a vulnerability discovered that could be fixed with a firmware update

@@bluzytrix Don't tell that to Google, the Titan Security Key firmware is upgradeable. In fact, all security devices should be able to patch/update. Requiring users to purchase new hardware after every firmware update is ridiculous IMO. This business practice just encourages people to not use Yubico products or more likely, continue using outdated/vulnerable Yubico products.

@@bluzytrix makes total sence. How often are they being updated ?

You don't add a 2nd key directly to gmail. You do what she explained, take a screenshot of the QR code and add it manually to both keys. It's not a difficult process and if you have a way to safely store those QR codes offline I would do that as well as it gives a 3rd backup.

@@ElmoFuntz Ok thanks for that I will have to do some further investigation as at the time I was following instruction from a video on the Yubico channel "Secure your Google account with a YubiKey" which seemed to be saying once you have connected one you just repeat the process with the other and bobs your uncle, however there was no voice over just the video, this was two years ago. Could be things now are different.

Yes

Hahaha well, she was named after battlestar Galactica, not the coffee brand

Thank you for the support!! I appreciate you so much!! 💖🥰

Nope

This is not true. They have been shipping 5.7 keys since the end of May. We just ordered several and all were the new firmware.

No need to panic, it's a very theoretical attack and using the older keys is still miles better than not using hardware keys.

So is RSA and ECC, beware of the quantum computers!!!! No OnE iS sAfE LOL