YubiKeys have an unfixable security flaw — but it’s difficult to exploit

by Shivendra Singh · September 4, 2024

Someone using the YubiKey 5 NFC to access a laptop.

The flaw doesn’t impact newer YubiKey hardware that doesn’t use the Infineon cryptolibrary. | Image: Yubico

Security researchers have detected a vulnerability in YubiKey two-factor authentication tokens that enables attackers to clone the device according to a new security advisory. The vulnerability was discovered within the Infineon cryptographic library used by most YubiKey products, including the YubiKey 5, Yubikey Bio, Security Key, and YubiHSM 2 series devices.

YubiKey manufacturer Yubico says the severity of the side-channel vulnerability is “moderate” but is difficult to exploit, partly because two-factor systems rely upon something the user has and something only they should know.

“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized…