Tech

Yubico replacing FIPS security keys used by feds

The company found a flaw in two versions of YubiKey FIPS Series devices that could affect cryptographic operations.

June 13, 2019

A try of YubiKeys, a popular form of multi-factor authentication. (Yubico)

Yubico says it will replace security keys used by federal civilian agencies and the contractors and vendors that work with them, after finding an issue in the devices’ cryptography.

The security hardware company discovered the problem in mid-March with versions 4.4.2 and 4.4.4 of its YubiKey FIPS Series devices — FIPS being the Federal Information Processing Standards published by the National Institute of Standards and Technology. Users insert the keys into USB slots in personal computers when logging in to a network or an app, providing an additional means of authentication.

After each power-up, the first set of random values used by YubiKey FIPS applications have “reduced randomness” that may impact cryptographic operations, according to a Yubico security advisory released Thursday. The issue “only affects certain use cases in certain scenarios,” the company said.

“We are not aware of any security breaches due to this issue and are committed to always improve how we help protect our customers and continuously invest in making our products even more secure,” reads the advisory.

Version 4.4.5 was certified on April 30 and fixes the flaw, while Yubico estimated “the majority” of affected keys have been or are in the process of being replaced with updated devices.

YubiKey FIPS devices are also used outside the government by organizations looking to employ the NIST-approved security standard to their own networks.

A replacement portal can be used to obtain an updated key.

Yubico replacing FIPS security keys used by feds

More Like This

ICE pursuing privacy approvals related to controversial phone location data

House Modernization panel advances bill to improve CRS’s data access in first-ever markup

Agency FedRAMP usage increased but challenges persist, watchdog finds

Top Stories

Generative AI could raise questions for federal records laws

Cybersecurity executive order requirements are nearly complete, GAO says

White House hopeful ‘more maturity’ of data collection will improve AI inventories

GSA administrator: Generative AI tools will be ‘a giant help’ for government services

State Department encouraging workers to use ChatGPT

Federal CIO calls on Congress to fund Technology Modernization Fund

Congressional panel outlines five guardrails for AI use in House

With 2023 tax season in the rearview, IRS commissioner eyes expansion of AI capabilities

More Scoops

New-era authentication key widens trusted access to federal resources

Program offering alternatives to CAC could be expanded, Army officials say

Will Yahoo breach finally get us past the password?

Farewell to the smart card? Yubico makes federal play

Latest Podcasts

Yubico replacing FIPS security keys used by feds

Los Angeles CIO discusses how AI and cloud technologies transform urban public services

GSA wants to be the leader in federal generative AI

AI Week 2024 has Come and Gone

Tech

Defense

Cyber

Acquisition