First up, as the research paper's abstract says:

The attack requires physical access to the secure element

So, straight off the bat, this reduces the likelihood of attack. Someone would need to actively target you. Of course, if you're the sort of person who secures all their secrets and cryptowallets with a FIDO token, you may be a juicy target!

Secondly, the attack relies on:

the adversary steal[ing] the login and password of a victim’s application account protected with FIDO

So, you need to lose your username, password, and token for this attack to be successful. Again, this is unlikely to happen as a "drive-by" attack.

Once the attacker gets your FIDO token, they need to analyse it using "expensive equipment". A cost of approximately $11,000 according to Ars.

That moves the attack away from the hands of casual criminals. It isn't an insurmountable barrier for organised crime or nation states.

Finally, Appendix A discusses how difficult it is to actually get the equipment close enough to the circuitry:

[…] capturing the EM signal with a small EM probe would not work if this probe is too far from the chip. We hence have to open the YubiKey plastic case to access its logic board. […] In both cases however, the device needs to be re-packaged if the adversary wants to give it back to legitimate user without him noticing. We did not study further this issue.

Here's what it looks like when that probe is placed next to the circuitry:

If you suddenly find your Yubikey smashed or cracked, then you may have been a victim of this attack!

A reasonable way to defend against this is to get some glittery nail polish. No, seriously! Put a blob of glitter polish on the seam of your device. Something like this:

Take a photo. If the baddies grab your YubiKey and crack it open, they won't easily be able to get the pattern correct when they re-seal it. Regularly compare your photo to your device.

The Real Issue With FIDO Tokens

Physical tokens require physical security. I've moved to a an Encrypter Ring. I literally wear my FIDO token. I am extremely likely to notice someone removing my ring (or my finger).

Is your token on your keyring? Where is your keyring right now? In your pocket or hanging up somewhere? Most people either leave their FIDO token laying around out of sight or have it permanently plugged in to their machine. I'm not sure which is worse.

The other major issue is that it is impossible to revoke a FIDO token from all your accounts at once!

You've used your token to register with a few dozen sites, you either lose your key or discover it has been tampered with. What do you do?

There is no way to tell which sites you have used a FIDO token with. You have to remember (or keep a list somewhere). You will need to manually go to each site and revoke the stolen token. If you've forgotten one, you can't revoke it from your key, which means attackers could have unfettered access to that account.

What should I do?

The discoverers of this vulnerability take great pains to say:

it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one.

I think they are correct. But there are still a few things you should do to secure yourself against this class of attack.

0. Ensure the physical security of your token. Either wear it as jewellery, implant it in your skin, or reduce the likelihood of it being taken.
1. Ensure the physical integrity of your token. Use nail-varnish or something similar to help you detect if it has been physically compromised.
2. Ensure that you know which sites have been secured with a Yubikey. Make a note of it in your password manager or other secure vault.
3. Ensure that you are less of a target. Don't brag about your security. Certainly don't post on the Internet about which security products you use and the countermeasures you take. Oh shit.

1. Get two YubiKeys
2. Associate them both with your accounts
3. Keep one off-site in a safe location

OK, done! My wife and I spend a very boring evening going through every single account we have which supports FIDO tokens with WebAuthN - about a dozen in total. We manually paired two keys each. We put our main key on our keyrings, then drove out to the woods and buried our spares in a a waterproof box in a top secret location⁰.

But what if I lost my keys?

Perhaps I could have been pickpocketed or just been careless and dropped them when getting my wallet out. Either way, I can buy new eurocylinders for my home's doors, replace the padlock on my shed, and grovel to work for a new locker key.

And then, of course, I would have to dig up my backup key and start the painful process of revoking the old one. But here's the snag...

I have no idea which services I've associated my WebAuthN token with!

Firstly, there is staggeringly little chance that the person who found / took my keys would also know my username and password for various services. But we use MFA because we're paranoid, right? So it makes sense to invalidate the lost token to prevent even the slimmest chance of it being used against me.

Secondly, obviously I know some of the major services that I associated the token with - Facebook, Google, and the Russian crypto exchange where I keep all my money¹. But what about the rest? Should I have made a list of each service I used? Should I have recorded it in my password manager?

Apparently a YubiKey can only hold 25 FIDO2 tokens, but unlimited FIDO U2F tokens. I'll be honest, I've no idea how many I have. And I don't think there's any way to query my key to see which services it was registered to.

It is probably a good thing that there's no big button which would universally revoke a key. That would be an extremely tempting target for abuse.

But I wish there were an easy way for a user to see where they had used their token. As it stands today, that's impossible.

It launched an entertaining discussion about the risks of taking a potentially fake FIDO token.

We all know the risks of taking a free USB drive and shoving it in our computer, right?

USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics!

So a USB Yubikey could do all those things - but could it do anything malicious as an MFA token?

And - at the risk of invoking Cunningham's law - I think the answer is a cautious "no".

Other than the risks inherent in any USB device, what's the worst that could happen? A cloned device might let an attacker have a duplicate key. But that's useless unless they also have your username and password.

A device with a built in transmitter might send an OTP to an attacker but, again, useless without the other authentication factors.

The devices could be set up to deliberately fail - or be revoked. That could work as a denial of service attack against users. But most services allow you to have a backup authentication method.

There may be some sites which only use a token for login - eschewing passwords - but that's rare, I would hope.

A Yubikey can be hacked to send arbitrary keystrokes - but that's of limited usefulness. I guess an attacker could force open a browser window to download malicious software, but that would be fairly obvious to a user.

So, go on then, prove me wrong. What's the worst thing that can be done with a compromised Yubikey?

I use a USB thumb-drive sized hardware token and they're nifty - but a little impractical.

Since the great working from home experiment, I don't have my keys on me at all times. This means my Yubico Neo sits on a keychain, in a pocket of a coat which is rarely worn. So every time I need to use U2F to authenticate with a service, I have to trek around the house trying to remember where I last saw my keyring.

Wouldn't it be great if I could wear my Yubikey? Some high-tech jewellery would be fab!

To be clear, this isn't an original idea:

Joanna Rutkowska

@rootkovska

Anyone could recommend a U2F-compatible NFC ring (as in: jewellery)?

(Additional requirements: not bulky, women sizes; silver, not gold pls :)

---

And some people do wear their keys as pendants.

There are also Yubikey earrings:

*:･ﾟ✧ Samantha ✧･ﾟ:*

@samantha_gold

Working late in the labs on these yubikey earrings! eeee! pic.x.com/fdto5ksdwz

---

So why not a ring? A ring doesn't take up much space on the body, they're rarely taken off, and they're socially acceptable jewellery for most people.

A basic NFC ring costs less than two pounds! But it doesn't have the necessary processing power for U2F.

The OMNI ring is £70 and looks like it has the right hardware. But, sadly, they appear to be incompatible with the FIDO specification.

The cheapest FIDO2 U2F NFC key is about £30. So it shouldn't be impossible to put the hardware into a more aesthetically pleasing form factor.

Token were planning to release a WebAuthn ring "soon" - but with no price nor predicted availability. Their social media hasn't been updated in two years. Similarly, Motiv were planing on releasing a WebAuthn ring - but they got bought by a company called Proxy - who have since fallen into a Web3 hole never to be heard of again.

So - this is my version of Cunningham's Law. If I blog saying something doesn't exist - some smartarse will immediately post a link to some Shenzhen store selling them for a quid each!

There are no WebAuthn rings - or other jewellery-like form factors. And that sucks.

Tess Rinearson

@_tessr

Is this a phishing attempt? Goes to "githubverification.com" and asks for username and pw

(if so, it nearly got me!)

/cc @github pic.x.com/jgt4oNvjF2

---

In the replies, you’ll see lots of techbros saying “this is why you should switch on 2FA people!!!”

Except, and I hate to bring accuracy to a technical discussion, that’s not how 2FA works!

A second factor allows a site to better authenticate you. It does not help you identify the site.

If you log on to fake-bank.com, the scammers will immediately take your username and password and send it to real-bank.com – the fake bank will then ask you for your 2FA token. That could come via SMS, email, an authenticator app, or even post. Then the fake site uses your real token and logs in as you.

Game Over.

There is almost nothing you can do to authenticate that a site is legitimate.

• Any information that you can request from the real site can be proxied to the fake site.
• The green SSL padlock means nothing for validity. Anyone can get one.
• The top result on Google is invariably an advert for a scam site.

Realistically the only thing you can do is look for “out of band” verification. What’s the URL stamped on your credit card? What’s written on the welcome letter sent by snail mail?

None of these are infallible – and they can all be manipulated by a suitably determined attacker.

The best defence is to use a password manager. I recommend the open source Bit Warden.

A password manager stores your passwords. But it also stores the web address of site’s login page. If you visit githud, the password manager won’t prompt you to use the login details for github.

Defence in depth. Use 2FA to prevent attackers masquerading as you. And use a password manager to prevent fake sites masquerading as real sites.

What About YubiKeys?

No. I'm not a big fan of YubiKeys. In theory, a hardware token can help with this. You register the token with the device and it spits out a code only to the correct site.

But it has significant downsides.

• Cost. The average YubiKey is £50. There are a few around the £30 price point. That’s a huge expense given the small number of sites that support them.
• Usability. Buy a device, register it, install the app, configure it, find the setting in the website, enable it, hope your machine has the right sort of USB ports, press the button at the right time. Take 10 minutes to watch a normal user try to set one up - then tell me if you think this is a good solution.
• Convenience. My YubiKey is on my keyring. My keys are in my coat. My laptop is not near my coat. Given how often I need to log into things, it means adopting a significant change of habit. Or leaving my YubiKey plugged in all the time. Which leads to…
• Risk. YubiKeys have no password lock of their own. At least my crumby Android has a fingerprint lock to prevent people getting my 2FA tokens. But if you’ve stolen my laptop and the YubiKey is plugged in, then you’ve got the keys to my kingdom.
• Support. WebAuthn is a great standard – but only a few sites support it. While it is good at protecting a handful of sites, I encounter it so infrequently that I regularly forget how it works.

While a WebAuthn request can't be proxied - there's nothing stopping a fake site from asking for your token, then rejecting it and asking for a separate factor.

If fake-github.com said "Hmmm we're having problems with our WebAuthn backend - please use a one-time code from your authenticator app for added security" would you be fooled?

WebAuthn and hardware tokens are probably the future. And they’re probably the best way we have to verify site legitimacy. But they’re also currently a poorly supported usability disaster.

Stay safe out there.