AuthLite Advisory #7: YubiKey FIPS series replacement

Overview

On June 13, 2019, Yubico (the manufacturer of YubiKey tokens used with AuthLite) released security advisory YSA-2019-02 affecting the YubiKey FIPS token series.

AuthLite does not directly use any of the affected features of the token, so your AuthLite deployment is not directly affected.  However if you or your users use affected tokens for FIDO/U2F, smart-card, or OpenPGP, those other functions can be impacted.  Even tokens not presently using those features might still use them in the future, so they are considered vulnerable.

Affected YubiKeys

YubiKey FIPS Series with firmware 4.4.2 to 4.4.4 inclusive:

• YubiKey FIPS firmware 4.4.2 to 4.4.4
• YubiKey Nano FIPS firmware 4.4.2 to 4.4.4
• YubiKey C FIPS firmware 4.4.2 to 4.4.4
• YubiKey C Nano FIPS firmware 4.4.2 to 4.4.4

*Not* Affected Tokens

All other YubiKeys.  I.e.

• YubiKey standard, versions 1-2
• YubiKey Edge
• YubiKey NEO
• YubiKey version 4,  standard and Nano, A and C
• YubiKey version 5, standard and Nano, A and C

What Should I Do?

Although there is no direct security threat to AuthLite use cases, if you have affected tokens purchased through AuthLite, you should still contact support and obtain free replacement tokens.  We are also pro-actively reaching out to all customers who have purchased FIPS tokens from AuthLite.

1. Obtain replacement tokens at no charge
2. Program new AuthLite secrets onto the new tokens
3. Import token XML file into the token manager.
4. (Delete XML file after import! Very important!)
5. Assign tokens to your users in the usual manner, either administratively, or using the self-service portal.
6. Once users start using the new tokens, reclaim all the old tokens and discard them. Do not keep the tokens in reserve or keep using them for other purposes.  Their security should be considered compromised.

Common Questions and Answers

Does this affect the security of Active Directory logons?

AuthLite does not directly use any of the affected features of the token, so your AuthLite deployment is not directly affected.  However if you or your users ever use these tokens for FIDO/U2F, smart-card, or OpenPGP, those other functions can be impacted.

If I don't use affected protocols, can't I just ignore this?

Yubico has determined, in an abundance of caution, to replace all affected devices, even if they are not currently using the affected protocols.  This is because we can never be certain that the tokens won't be reconfigured one day.  In particular: web sites often prompt users to add 2-factor security.  Users could choose to use FIDO/U2F with their YubiKeys even without telling the enterprise AD administrator. And those secondary uses of the token would be less secure.

I need help with this, what should I do?

If you require further details, or assistance with installing the update, please open a Support Request from our Support page and reference Advisory #7 or FIPS token replacement.