To be fair given some of the places and things YubiKeys protect, especially local government, finance, hospitals, and the like, this is one of the cases where a physical attack isn’t beyond the realm of possibility. I’m not cloning a Yubikey with specialized kit to break into a small business, but if it plus a password lets me log in as an accountant at an bank or investment firm on the target’s day off, well then it might be worth it for an attacker.
Yeah, I was thinking that when I wrote the comment, and aimed it at people working for a smaller company or using it in their personal life, I should have been clear on this.
To be fair given some of the places and things YubiKeys protect, especially local government, finance, hospitals, and the like, this is one of the cases where a physical attack isn’t beyond the realm of possibility. I’m not cloning a Yubikey with specialized kit to break into a small business, but if it plus a password lets me log in as an accountant at an bank or investment firm on the target’s day off, well then it might be worth it for an attacker.
Yeah, I was thinking that when I wrote the comment, and aimed it at people working for a smaller company or using it in their personal life, I should have been clear on this.
All they would have to do to mitigate the threat is buy new keys. The vulnerability doesn’t exist in their keys since May.