I wanna make more of myaccounts in the internet secure with two factor. I don’t know much about it, but found out about Fido 2 and so. The security key my webbrowser shows often is the one from Yubico (BTW, I would like to get one that works with Linux, with USB and for phone with NFC) I got concerned when I noticed that Yubico is from USA, (??) Because I think NSA and thibgs like five eyes and so. Is there actually a risk that the for example is made an backdoor in the key?

    • Telorand@reddthat.com
      link
      fedilink
      arrow-up
      5
      ·
      2 months ago

      That depends on your threat model. For most people, the attack is probably unlikely to affect them, but I would recommend reading about the flaw yourself. It’s not hard to understand.

      Also, this was not the fault of Yubico but a supplier, and instead of waiting for the supplier, Yubico patched the flaw themselves by providing a custom library.

      Whether you should replace your current Yubikey 5 is up to you.

    • dracs@programming.dev
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      The issue isn’t a big deal for the average user. The vulnerability required them to first get your username and password, physically steal your Yubikey, spend half a day using $10-15k worth of electronics equipment to repeatedly authenticate over and over, they then could potentially make a clone of the key.