YubiKey FIPS devices recalled after security issue found

Yubico has issued a recall of YubiKey FIPS series devices after the company discovered a security issue.

The YubiKey is a hardware authentication device manufactured by Yubico. The devices are used for two-factor authentication (2FA), one-time passwords, public-key encryption and authentication.

Yubico found the security flaw in March 2019 and then followed up with a full investigation of the root cause, impact and fixes needed.

“The first set of random values used by YubiKey FIPS applications after each device power-up have reduced randomness. This may impact the very first set of cryptographic operations by a YubiKey FIPS device after device power-up,” Yubico announced in the security advisory last Thursday.

The issue impacts YubiKey FIPS Series devices, versions 4.4.2 and 4.4.4. However, the company said version 4.4.3 was not affected. In addition, the issue does not affect other (non-FIPS) YubiKeys, the Security Key Series or other Yubico products.

Yubico also provided technical details on how the issue affects RSA key generation, ECDSA signatures, ECC key generation and ECC encryption. The company also described how the issue affects different YubiKey FIPS applications and protocols.

Customers, IT managers or FIPS Crypto Officers who use or manage YubiKey FIPS Series devices should read the security advisory. In addition, customers who purchased directly from Yubico or a reseller should have already heard from the company about getting replacement devices sent out.