Yubico to replace compromised authentication hardware

Yubico announced that it will soon replace its FIPS YubiKey series of hardware security keys due to a firmware flaw that reduces the randomness of device-generated cryptographic keys. Unlike the company's flagship products, the YubiKey FIPS series is certified for use on US government networks and is named after the US Government's Federal Information Processing Standards (FIPS). In a recent security advisory, Yubico explained that on YubiKey FIPS series devices running firmware versions 4.4.2 and 4.4.4, the first set of random values used by the YubiKey FIPS applications after each device power-up has reduced randomness. This means that these devices will generate keys that can be partially or fully recovered, depending on the cryptographic algorithm used by the key for a particular authentication operation.

Replacement of security keys.

Yubico discovered the issue internally in March and conducted a thorough investigation into the root cause, the impact, and how it could alleviate the issue for its customers. The company fully fixed the issue in version 4.4.5 of the YubiKey FIPS series firmware, but after the firmware update, a FIPS recertification was also required. Yubico now also advises YubiKey FIPS series device owners to check the firmware version of their security key; affected users can register for a new key on the company's replacement portal. The company has announced that its customers will receive new YubiKey FIPS series keys with firmware version 4.4.5. According to the security advisory, most of the affected devices have been replaced or are in the process of being replaced: "To ensure the security of our customers, Yubico conducts an active key replacement program for relevant FIPS devices (versions 4.4.2 and 4.4.4) since problem discovery and recertification. At the time of this notice, we believe that most of the affected FIPS-series of YubiKey devices have been replaced or are being replaced with updated and fixed versions of the devices." Yubico also assured customers that the company was not aware of any security breaches that occurred as a result of this issue.

Via ZDNet