Yubico has announced that it will soon replace hardware security keys from its YubiKey FIPS series due to a firmware flaw that reduces the randomness of cryptographic keys generated by the devices.
Unlike the company's consumer-focused products, the YubiKey FIPS Series are certified for use on US government networks and take their name from the US government's Federal Information Processing Standards (FIPS).
In a recent security advisory, Yubico explained that YubiKey FIPS Series devices running firmware versions 4.4.2 and 4.4.4 contain an issue where the first set of random values used by YubiKey FIPS applications after each device power-up has reduced randomness.
This means that these devices will generate keys that can be either partially or fully recovered depending on the cryptographic algorithm the key is using for a particular authentication operation.
Replacement security keys
Yubico discovered the issue internally in March and conducted a full investigation into the root cause, impact and how it could mitigate the issue for its customers. The company fixed the issue fully in YubiKey FIPS Series firmware version 4.4.5, but as a result of the firmware update, FIPS recertification was also required.
Yubico is also now advising owners of YubiKey FIPS Series devices to check the firmware version of their security key. Affected users can sign up for a new key on its replacement portal. The company said that its customers would receive new YubiKey FIPS Series keys with firmware version 4.4.5.
According to the security advisory, most of the affected devices have either been replaced or are in the process of being replaced:
“To safeguard the security of our customers, Yubico has been conducting an active key replacement program for affected FIPS devices (versions 4.4.2 and 4.4.4) since the issue was discovered and recertification was achieved. At the time of this advisory, we estimate that the majority of affected YubiKey FIPS Series devices have been replaced, or are in process of replacement with updated, fixed versions of the devices.”
Yubico also reassured customers by informing them that the company is not aware of any security breaches that have occurred as a result of the issue.