Yubico replacing FIPS security keys used by feds
Yubico says it will replace security keys used by federal civilian agencies and the contractors and vendors that work with them, after finding an issue in the devices’ cryptography.
The security hardware company discovered the problem in mid-March with versions 4.4.2 and 4.4.4 of its YubiKey FIPS Series devices — FIPS being the Federal Information Processing Standards published by the National Institute of Standards and Technology. Users insert the keys into USB slots in personal computers when logging in to a network or an app, providing an additional means of authentication.
After each power-up, the first set of random values used by YubiKey FIPS applications has “reduced randomness” that may impact cryptographic operations, according to a Yubico security advisory released Thursday. The issue “only affects certain use cases in certain scenarios,” the company said.
“We are not aware of any security breaches due to this issue and are committed to always improve how we help protect our customers and continuously invest in making our products even more secure,” reads the advisory.
Version 4.4.5 was certified on April 30 and fixes the flaw, while Yubico estimated “the majority” of affected keys have been or are in the process of being replaced with updated devices.
YubiKey FIPS devices are also used outside the government by organizations looking to apply the NIST-approved security standard to their own networks.
A replacement portal can be used to obtain an updated key.