Security researchers have detected a vulnerability in YubiKey two-factor authentication tokens that enables attackers to clone the device according to a new security advisory. The vulnerability was discovered within the Infineon cryptographic library used by most YubiKey products, including the YubiKey 5, Yubikey Bio, Security Key, and YubiHSM 2 series devices.
- Home
- Technology
- News
YubiKeys have an unfixable security flaw
Security researchers have detected a vulnerability in YubiKey two-factor authentication tokens that enables attackers to clone the device if they get their hands on it.


YubiKey manufacturer Yubico says the severity of the side-channel vulnerability is “moderate” but is difficult to exploit, partly because two-factor systems rely upon something the user has and something only they should know.
“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” the company said in its security advisory. “Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.” But those aren’t necessarily deterrents to a highly motivated individual or state-sponsored attack.
As YubiKey firmware can’t be updated, all YubiKey 5 devices before version 5.7 (or 5.7.2 for the Bio series and 2.4.0 for YubiHSM 2) will remain vulnerable forever. Later model versions aren’t affected as they no longer use the Infineon cryptolibrary. NinjaLab, the security firm that discovered the vulnerability, estimates that it's existed in Infineon’s top security chips for over 14 years. The researchers believe other devices using the Infineon cryptographic library or Infineon’s SLE78, Optiga Trust M, and Optiga TPM microcontrollers are also at risk.

Renowned Iranian singer Omid Jahan dies of heart attack during stage performance
- 5 گھنٹے قبل
Pakistan opens doors to global crypto firms with new licensing initiative
- 5 گھنٹے قبل
PDMA issues alert for 11th monsoon spell in Punjab
- 5 گھنٹے قبل

Family of three killed in GT Road crash near Gujar Khan
- 3 گھنٹے قبل

193 killed in two separate boat accidents in DR Congo
- 4 گھنٹے قبل
Resolution submitted in Punjab Assembly seeking ban on TikTok
- 4 گھنٹے قبل

Earthquake shocks Gilgit-Baltistan's Astore region
- 5 گھنٹے قبل

Rally Arcade Classics gets manual transmission option in latest update
- 13 گھنٹے قبل

Bottom 10: The spitting distance between Florida and Arizona State
- 13 گھنٹے قبل

Let’s be honest about Charlie Kirk’s life — and death
- 12 گھنٹے قبل

Is this the “sickest generation” in American history? Not even close.
- 3 گھنٹے قبل

Nova Launcher’s founder and sole developer has left
- 5 گھنٹے قبل