Recommend Always UV setting for Yubikey

In the light of EUCLEAK - YubiKey 5 can be cloned in a matter of minutes

I noticed we do not yet recommend the always require user vector setting on Yubikeys. This partly mitigates the vulnerability discovered and generally seems good practice.

Can be set like:

ykman fido config toggle-always-uv

Or with settings in the apps.

5 Likes

Yubico themselves also recommends this as mitigation: https://support.yubico.com/hc/en-us/articles/15705749884444-Infineon-ECDSA-Private-Key-Recovery-Customer-Resources

1 Like

What important and relevant information. You are very good!

1 Like

I had already configured this and I mostly use Yubikey Bio series. But just checked and saw it wasn’t recommended as a default yet and we should really encourage using this.

Haven’t looked yet, but we should also double-check whether this is possible on the Yubico Security Key series, and on Nitrokeys for the sake of completeness.

1 Like

I just checked and I can confirm that this option is not supported even on Yubico 5 series with firmware versions older than 5.7. Considering that they released YubiKey 5 series with the updated firmware 5.7 on May 21, 2024, any YubiKey 5 series that was purchased before that date comes with an older firmware version (like 5.4.x). So all YubiKeys (except for BIO) that do not have the latest firmware are vulnerable to this.

edit: clarification

Shit, seems you are right. That’s a pity. I am now even more glad with my bio ones.

Configure alwaysUv? · Issue #499 · Yubico/yubikey-manager · GitHub says 5.5 and later, so there may be a 5.5-5.7 range of devices which could benefit from this setting.

Edit: Mine is 5.4.3 so I can’t confirm :upside_down_face:

Edit 2: Oh, 5.5 and 5.6 were Bio only, I see lol

Yeah, the firmware matrix confirms that YubiKey 5 series never had 5.5.x firmware versions.

1 Like

This seems like a sensible thing to suggest.