#yubico — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #yubico, aggregated by home.social.
-
I tested the YubiKey 5 NFC and 5C NFC for weeks, here's how it went
I tested the YubiKey 5 NFC and 5C NFC on Linux, Windows and Android: FIDO2 authentication, passkeys, TOTP codes, commit signing with OpenPGP, Yubico Authenticator and the practical limits of NFC.
https://yoota.it/ho-provato-per-settimane-le-yubikey-5-nfc-e-5c-nfc-ecco-come-andata/
-
OpenAI replaces passwords and recovery options for ChatGPT with hardware keys and passkeys.
Advanced Account Security completely disables e-mail and SMS recovery. Accounts at this level are excluded from the training of the AI models. For cybersecurity experts in the "Trusted Access for Cyber" program, FIDO-compatible hardware binding becomes mandatory by June 2026.
#ChatGPT #OpenAI #Yubico #FIDO #AIGeneratedImage
https://www.all-ai.de/news/news26/openai-sicherheit-passwort
-
Yubico and OpenAI are partnering on hardware-backed security keys for ChatGPT users.
Dawn Manley, senior vice president of product management at Yubico, told us that traditional security methods are no longer sufficient for AI-driven workflows involving sensitive data and automated actions.
“We are introducing a new model for phishing-resistant security at scale for the AI ecosystem.”
#AI #security #technology #innovation #openai #yubico #business
-
Yubico, in collaboration with OpenAI, launches tailor-made security keys for AI users. The initiative is part of OpenAI's advanced account security program and is aimed particularly at users with an elevated risk profile. https://borsposten.se/yubico-i-samarbete-med-openai-lanserar-skraddarsydda-sakerhetsnycklar-for-ai-anvandare/ #aktier #Yubico #OpenAI
-
what's the deal with the Yubikey pop-up when you use NFC? It's highly irritating and on iPhone it seems to interfere with other logins - instead of approving a login, I get the pop-up on the second tap.
Is there any way to deactivate the pop-up, short of replacing the Yubikey with a competitor?
#Yubikey #Yubikey5nfc #Yubico #iPhone #NFC #enshittification
-
🚨 New Video: One Key To Rule Them All - The OneKey Classic 1S Pure Review
Do you have to choose between a security key like a Yubikey for logins or a hardware wallet for your crypto? Today we are looking at the OneKey Classic 1S Pure, a battery-free, open-source device that aims to handle both without compromising on digital sovereignty. We dive into its repairability, FIDO2/U2F support, and why its raw, industrial philosophy might make it the ultimate tool for true self-custody.
Part 6 of the Sovereign Authentication series.
100% human made. #NoAI :NoAI:
▶️ YouTube: https://www.youtube.com/watch?v=25f1ywRyw3M
💬 Join our sovereign community on Stoat: https://stt.gg/GgB6HBTv
☕ Support the mission: https://liberapay.com/terminaltilt
🤝 Become a channel member: https://www.youtube.com/@TerminalTilt/join
#TerminalTilt #NoAI #Privacy #Security #HardwareWallet #CryptoWallet #BTC #Crypto #OneKey #Yubikey #Yubico #FOSS #OpenSource #Linux #Cybersecurity #DeGoogle #DigitalSovereignty #QueerCreator #DisabledCreator #HumanMade #TechEthics
-
How To Safely Eject And Remove A YubiKey Or Any USB Device On Windows https://youtu.be/R5dfnhQrsD8 #Websplaining #SafelyEject #RemoveYubiKeySafely #USB #UsbDevice #Windows #WindowsPC #SafelyEjectYubiKey #SafelyRemoveYubiKey #SecurityKey #Yubico #YubiKey #EjectYubiKey #OTP #FIDO #CCID
-
How To Reset Or Set FIDO2 Pin Using YubiKey Manager App On Windows https://youtu.be/OIe04k0szCE #Websplaining #ResetFIDO2PIN #FIDO2PIN #FIDO #PIN #ResetFIDO2 #SetFIDO2PIN #SetFIDO2 #YubiKeyManager #Yubikey #YubicoYubiKey #Yubico #Windows #WindowsPC #PC #SetNewFIDO2PIN #UsbSecurityKey
-
How To Test And Verify If your YubiKey Is Genuine And Functioning As Designed https://youtu.be/ai8Tmicojt8 #Websplaining #YubiKey #Yubico #YubicoYubiKey #SecurityKey #VerifyYubiKey #Genuine #TestYubiKey #VerifyDevice #2FA #MFA #Authentication #Auth #YubiKeyVerification #Verification
-
🚨 New Video: Protecting You From Yourself - The Token2 Review
We have looked at the industry standard (YubiKey) and the philosophical idealist (Nitrokey). Today, we’re looking at the aggressor: Token2.
The PIN+ Dual Release 3.3 and the Bio3 come in at nearly half the price of the competition, but there is a catch. This Swiss company doesn't care about convenience; they care about correctness. From hardware-enforced complex PINs to a literal war on legacy TOTP codes, Token2 assumes your ego is your biggest vulnerability.
Is this cynical, locked-down approach exactly what we need for true digital sovereignty, or is the clunky user experience a dealbreaker? Let's find out if this is the ultimate punk rock choice for your threat model.
Part 5 of the Sovereign Authentication series.
100% human made. #NoAI :NoAI:
▶️ YouTube: https://www.youtube.com/watch?v=lQlN84gEb9c
📺 PeerTube: https://gnulinux.tube/w/fZbyKea1b6QJVQoFE4oQso
💬 Join our sovereign community on Stoat: https://stt.gg/GgB6HBTv
☕ Support the mission: https://liberapay.com/terminaltilt
🤝 Become a channel member: https://www.youtube.com/@TerminalTilt/join
#TerminalTilt #NoAI #Privacy #Security #PasswordManager #Token2 #Nitrokey #Yubikey #Yubico #FOSS #OpenSource #Linux #Cybersecurity #SelfHosted #DeGoogle #DigitalSovereignty #QueerCreator #DisabledCreator #HumanMade #TechEthics
-
🚨 New Video: Virtue is Inconvenient - The Nitrokey 3 Review
In my last video, I crowned the YubiKey 5 as the "King of Keys" but it has a fatal flaw. It is proprietary. For those of us who believe in digital sovereignty and the right to audit our own hardware, blind trust is not an option.
Then there is Nitrokey 3A NFC. It promises open-source firmware, transparent design, and code written in memory safe Rust. But does "open" actually mean "good?" Today, we look at whether the moral high ground is worth the inconvenience, why the Android experience might be a deal breaker, and who should actually buy this device.
Part 4 of the Sovereign Authentication series.
100% human made. #NoAI :NoAI:
▶️ YouTube: https://www.youtube.com/watch?v=7I65RPlxqdY
📺 PeerTube: https://gnulinux.tube/w/gtTcaBH4GTEKMunR8CUiaX
Support the mission: ☕ https://liberapay.com/terminaltilt
#TerminalTilt #NoAI #Privacy #Security #PasswordManager #Nitrokey #Yubikey #Yubico #FOSS #OpenSource #Linux #Cybersecurity #SelfHosted #DeGoogle #DigitalSovereignty #QueerCreator #DisabledCreator #HumanMade #TechEthics
-
🚨 New Video: YubiKey 5 Review - Security Essential or Overpriced?
The "Industry Standard" is usually a warning sign.
In this video, we are looking at the YubiKey 5 NFC and 5C NFC. These are arguably the best engineered security keys on the planet. They are injection molded, "violence-proof," and they work with just about everything. But for those of us in the Linux and FOSS community, they present a problem.
Can you trust a security tool if you aren't allowed to see how it works?
Part 3 of the Sovereign Authentication series.
100% human made. #NoAI :NoAI:
▶️ YouTube: https://www.youtube.com/watch?v=G44zJm-UwJQ
📺 PeerTube: https://gnulinux.tube/w/s9B6sBsjwh8ro2sHpZi86f
Support the mission: ☕ https://ko-fi.com/terminaltilt | https://liberapay.com/terminaltilt
#TerminalTilt #NoAI #Privacy #Security #PasswordManager #Yubikey #Yubico #FOSS #OpenSource #Linux #Cybersecurity #SelfHosted #DeGoogle #DigitalSovereignty #QueerCreator #DisabledCreator #HumanMade #TechEthics
-
Is it 2026 or 2006? I just went to harden my PayPal account with my new review units.
Turns out, PayPal still only supports one physical security key. No backups allowed. If you want redundancy, they force you back to TOTP apps or (worse) SMS.
#CyberSecurity #FIDO2 #Yubico #Nitrokey #Privacy #Security #TerminalTilt #FinTechFail #Token2 #Banking #Money
-
UPDATE #2: The Trifecta is Complete!
I’m thrilled to announce that Token2 is joining the upcoming security series!
I am aligning the Token2 review with their core mission: The death of legacy TOTP.
While many users still rely on codes, Token2 is pushing for a 100% phishing resistant future. We will be focusing exclusively on their Open Source, publicly audited FIDO2 stack. This is a massive win for the #FOSS community. Hardware that is both auditable and explicitly designed to move us past insecure, legacy protocols.
The Comparison is now set:
Yubico: The Industry Giant (Closed Source).
Nitrokey: The Open Hardware Veteran.
Token2: The Audited Open FIDO2 Specialist.
Thank you for the boosts! :tux:
#FOSS #CyberSecurity #Token2 #Yubico #NitroKey #Linux #TechReview #Transparency #TerminalTilt
-
I am raising $50 to pick up a pair of open-source security keys (SoloKeys or Nitrokey). I'd love to do a review or series about these!
The Mission: Kill off SMS based 2FA and move to hardware backed FIDO2 for my desktop and Proxmox logins. It is time to move my security away from a SIM card and into my own hands.
Testing Password Managers: Moving on from KeePassXC + Syncthing (it has served me well but can be fickle) to try out Proton Pass, which also supports hardware keys. I also had good experiences from Bitwarden and VaultWarden.
Which do you prefer for Linux? :gnu: :tux:
I would greatly appreciate any support of the goal here: https://ko-fi.com/terminaltilt/goal?g=0
I also have a LibrePay (which is much more privacy respecting) here: https://liberapay.com/terminaltilt/donate
#Security #Privacy #GNULinux #GNU #Linux #SoloKeys #NitroKeys #YubiKey #Yubico #2FA #ProtonPass #KeePassXC #Syncthing #SelfHosting #Homelab #Bitwarden #Vaultwarden #MutualAid #MutualAidRequest #QueerMutualAid #DisabledMutualAid #DisabilityMutualAid #QueerAid #QueerTech #DisabledCreator
-
The Yubico Black Friday sale is on. 30% discount on the 5 NFC and 5C NFC. #Yubico #YubiKey #Passkeys
https://www.yubico.com/store/2025/black-friday-sale/
-
Black Friday 2025 cybersecurity deals to explore https://www.helpnetsecurity.com/2025/11/24/black-friday-2025-cybersecurity-offers/ #Don'tmiss #NordLayer #Hotstuff #NordPass #Passwork #Ledger #Yubico #News
-
Theo actually did it...
From https://www.openbsd.org/78.html
Do not attach YubiKeys as keyboards anymore in ukbd(4). This disables the OTP functionality, but makes it easier to use the FIDO function without the need to configure the YubiKeys correctly first.
#BSD #FIDO #keyboard #OpenBSD #OTP #Yubico #YubiKey
-
Old authentication habits die hard https://www.helpnetsecurity.com/2025/10/06/weak-authentication-risks-in-organizations/ #Artificialintelligence #authentication #cybersecurity #passkeys #report #Yubico #News #MFA
-
Phishing e-mails: many users can no longer reliably recognize scam e-mails
A new study shows: phishing e-mails are often so convincing that many people can no longer tell them apart from genuine messages. This makes such attacks for companies
https://www.apfeltalk.de/magazin/news/phishing-mails-viele-nutzerinnen-erkennen-betrugsmails-nicht-mehr-sicher/
#News #Sicherheit #Cybersicherheit #KI #MultiFaktorAuthentifizierung #Passkeys #Phishing #Sicherheitsschlssel #Yubico
-
The future of authentication: Why passwordless is the way forward https://www.helpnetsecurity.com/2025/04/16/passwordless-authentication-security/ #authentication #cybersecurity #FIDOAlliance #passwordless #Don'tmiss #passwords #Stytch #Yubico #News #CISO #Okta
-
Damn, I expect an #identityManagement company like #Yubico to know better than to give people bad, outdated advice to "rotate passwords."
If you are using random, unique passwords stored in a password manager and using MFA wherever it's available (which is pretty much all sensitive sites nowadays!), there's no reason to rotate passwords that haven't been compromised. Telling people to do so decreases security rather than increasing it.
#infosec #BeIdentitySmart
Ref: https://www.yubico.com/blog/5-fast-cybersecurity-tips-to-clean-up-your-digital-life/
-
New Privacy Guides article 🔑✨
by me:
If you are using a YubiKey, you might get into some situations where you need to reset your key to factory default, and/or set up a backup of it on a spare key.
This tutorial will guide you through each step to reset and back up your YubiKey successfully, with clear instructions and plenty of visual support.
I hope you find it helpful!
https://www.privacyguides.org/articles/2025/03/06/yubikey-reset-and-backup/
#PrivacyGuides #Privacy #Yubico #YubiKey #Security #OTP #OpenPGP #Encryption #MFA
-
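YubiKey is still clearing out stock of the problematic version
Seen in "YubiKey still selling old stock with vulnerable firmware": someone mentions that YubiKey is still selling the problematic version, and the blo mentioned there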
#Computer #Hardware #Murmuring #Security #Software #attack #channel #compliance #eucleak #fips #firmware #hardware #security #side #sidechannel #sidechannel #vulnerability #vulnerable #yubico #yubikey
-
Authentication with #FIDO2 and #Passkeys
https://karl-voit.at/FIDO2-vs-Passkeys/
Explanations, differences and my assessment of the topic, since there are often uncertainties or misunderstandings here.
Go ahead and give yourselves and your loved ones some proper FIDO2 hardware tokens!
#publicvoit #Sicherheit #Authentifikation #MFA #2FA #Yubico #Yubikey #IDAustria #Handysignatur #Google #Microsoft #Apple #Amazon #Cloud
-
@breadsmasher
Great question! "Need" probably isn't the right word. "Strongly desire" or "greatly prefer" would be more accurate.
The reason is that I have lots of different devices with different port types. Some of my newer devices only have USB-C ports, while my older devices only have USB-A ports, and I'd really like to have just "one key to rule them all," so to speak.
I know that I could buy a little USB-A/C adapter dongle and keep that on the same keychain with the MFA key, but that introduces a degree of fragility that I'd prefer to avoid if possible.
That being said, if I found a hardware MFA key with all of the features I listed except for USB-C, then I'd happily accept the dongle compromise, because most of my devices (even the old ones) support Bluetooth, so I'd still have that as a backup option in case the dongle fails.
#MFA #2FA #fido #fido2 #fido3 #NFC #USB #USBc #USBa #dongle #Biometric #Fingerprint #YubiCo #YubiKey #Bluetooth #CyberSecurity #InfoSec
-
My current hardware MFA key is no longer receiving security patches, so I'm in the market for a new one.
Here's a list of features I'd like my new hardware MFA key to have, in order of priority:
1. USB-A
2. NFC
3. USB-C
4. Biometric
5. Bluetooth
My current MFA key has features 1-3 and 5. Is there a Holy Grail MFA key somewhere out there with all 5 features?
I'm already pretty familiar with YubiCo's product lineup, and while I love their security rating and build quality, none of them have more than 2 of the features listed above, so that kinda bums me out.
Anyway, let's hear your hardware MFA key recommendations!
#MFA #2FA #fido #fido2 #fido3 #NFC #USB #USBc #USBa #Biometric #Fingerprint #YubiCo #YubiKey #Bluetooth #CyberSecurity #InfoSec
-
Password management habits you should unlearn https://www.helpnetsecurity.com/2024/10/01/weak-password-practices/ #SpecopsSoftware #cybersecurity #Bitwarden #passwords #Experian #SpyCloud #report #survey #Yubico #News
-
According to #Yubico, it took six months for a firmware vulnerability that allows cloning of #YubiKeys using #EllipticCurveCryptography to be resolved and responsibly revealed to the public. That's not the problem.
The real problem is there will always be another unpatched vulnerability just around the corner. That's why we need new ways of framing what #cybersecurity should look like in today's modern enterprise. Old-school #defenseindepth still has a place, but businesses must find new ways to reduce the amount of sensitive data that's at risk in a #databreach when all layers of defense are inevitably pierced.
https://www.yubico.com/support/security-advisories/ysa-2024-03/
-
Don't dismiss the #Yubico security advisory, but don't panic either. My hot take, pending further analysis of the full 88-page report, is that at present the problem is limited to ECC signing functions and doesn't provide a practical attack surface for keys that remain in your physical possession, use non-cached KDF for PINs, and aren't connected to untrusted hardware.
Read https://www.yubico.com/support/security-advisories/ysa-2024-03/ to learn more about what's wrong, and the full 88-page technical report available from https://ninjalab.io/eucleak/.
Stop here if you don't use the #FIDO2, #OpenPGP, or #PIV functions of the card.
If you do have an affected firmware version AND are using elliptic curves for signing, there are some mitigations you can take.
Run KDF setup if you haven't already, and then regenerate your PIN numbers for all affected protocols on vulnerable keys. NB: I couldn't find this in the advisory, but it makes sense if you stop and think about it.
Add a PIN to your FIDO2 authentication on affected firmware versions.
Disable the "touch cache" feature on the key to limit the potential window of exposure on untrusted hardware.
Switch all #ECDSA signing and attestation keys to use #RSA instead of an elliptic curve algorithm if possible. This is generally the default for most impacted functions, but may have been changed by advanced users or by organizational policy. NB: For OpenPGP, make sure you generate a revocation certificate for your signing key first before replacing the signature slot. This may impact other OpenPGP keys too if they were signed with the ECC key, so you might need to re-sign or regenerate your other keys as well.
If you rely on FIDO2, supplement your FIDO2 authentication with an additional factor if possible.
Revoke and replace keys that must use ECC algorithms for signing keys, use FIDO2 without an additional factor, are likely to be exposed to untrusted hardware, or that can't be used with a device PIN.
The only thing that really makes this vulnerability inconvenient is that the firmware of affected keys can't be replaced. I have seen no announcements about whether or not Yubico will be offering some kind of replacement program to affected customers, but users of RSA signature keys, the default Yubico attestation certificates, or the #YubiOTP protocol do not appear to be impacted at this time.
-
An interesting, but fortunately hard-to-carry-out, YubiKey cloning attack
Yubico, one of the popular makers of U2F keys, has reported an attack on some of its keys (list below). The problem also affects other manufacturers, because the bug was found in a cryptographic library that handles ECDSA keys.
Before we move on to describing this attack, let us stress right at the outset that it first requires a successful phishing attack on the victim, and then physical access to the victim's key for several minutes and destruction of its casing, as well as specialized equipment and knowledge. That is why experts judge it very unlikely that this attack technique will be used en masse and against ordinary users. So don't drill through your U2F keys just yet.
Although the attack really is ultra-hard to carry out, in our opinion Yubico should still burn with shame. As you will see in a moment, the analysis performed by the researchers and the bug they found are not exceptionally groundbreaking, so we would expect Yubico's engineers to run this kind of test themselves on the keys they produce. As standard.
The Eucleak attack
The bug was found in the Infineon 9 microcontroller, or more precisely in the cryptographic library serving it, which implements ECDSA support. This microcontroller, together with the library, is used in various devices from many manufacturers (more information on exactly where will probably appear in the coming days). As for Yubico, we know that the bug is present in the following YubiKey keys:
YubiKey 5 Series versions prior to 5.7
YubiKey 5 FIPS Series prior to 5.7
YubiKey 5 CSPN Series prior to 5.7
YubiKey Bio Series versions prior to 5.7.2
Security Key Series all versions prior to 5.7
YubiHSM 2 versions prior to 2.4.0
YubiHSM 2 FIPS versions [...]
#ECDSA #FIDO #FIDO2 #FIPS #HSM #Infineon9 #Kryptografia #Yubico #Yubikey
-
Vulnerability allows Yubico security keys to be cloned https://www.helpnetsecurity.com/2024/09/04/yubico-security-keys-vulnerability/ #InfineonTechnologies #securitykey #encryption #Don'tmiss #Hotstuff #hardware #research #Yubico #News #MFA
-
Do you know any hardware keys, with fingerprint sensor, that support PIV with support for ed25519 and X25519? Any recommendations?
I know #yubico announced the "YubiKey Bio Multi-protocol Edition". That sounds like what I want, but it appears to be only available as early access to enterprise customers.
-
Top 6 Passwordless Authentication Solutions for 2024 – Source: www.techrepublic.com https://ciso2ciso.com/top-6-passwordless-authentication-solutions-for-2024-source-www-techrepublic-com/ #rssfeedpostgeneratorecho #SecurityonTechRepublic #SecurityTechRepublic #CyberSecurityNews #CloudSecurity #PingIdentity #Security #Yubico #Okta #2FA #MFA
-
Recently added quite a few finger-sized gadgets!
- Kingston DataTraveler Exodia 64GB
- Orico USB-C female to USB-A male
- PortaPow Data Blocker Pure - Prevents juice jacking
- Sandisk Ultra Luxe 64GB
- Kingston Ironkey Locker+ 50 32GB
- Yubico Security Key USB C NFC
Really happy with the performance of each product so far.
#usbflashdrive #KingstonIronkeyLocker50 #IronKey #yubico #yubikeys #Orico #portapow #juicejacking #sandisk #flashdrives #securitykeys #datablocker #usbcondom #newtoys