Original Ars Technica Story

This is, unfortunately, a big deal. Not just for the users of YubiKeys, but also for anything using Infineon crypto chips. Infineon makes the crypto chips in a ton of devices, including TPMs, smart cards, passports, credit cards, and SIM cards. I suspect there will be more fallout from this, as additional devices are found to be using the same cryptographic library.

There are two important mitigations:

Recently, eSentire published some interesting research on successfully phishing users even when they’ve configured phishing resistant MFA (like a FIDO2 Passkey or a smart card). For organizations deploying Phishing Resistant MFA (PR-MFA), like a FIDO2 Passkey, be it for internal user authentication or customer logon, there are some important takeaways.

Much of my public work has disapeared into the depths of the internet, but I found a few things still lurking around.

I was recently listening to Security Now!’s coverage of the EU’s QWAC proposal. There’s much debate regarding the EU’s role in the global PKI ecosystem, when it dawned on me there’s a far simpler solution that should (hopefully) address everyone’s concerns.

12 years ago I started paying for LastPass Premium. Today, I canceled my subscription, migrated my data to a different service, and deleted my account.