Inside Yubikey Neo

I like how polite Yubi and Hexview are in this exchange; a breath of fresh air from an infosec company engaging with a security company! Makes me feel like there are grown-ups both places, and that the work will help Yubi in future iterations.

Off-topic, but I came across this tweet today.<p><a href="https:&#x2F;&#x2F;twitter.com&#x2F;flexlibris&#x2F;status&#x2F;660108123487789056" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;flexlibris&#x2F;status&#x2F;660108123487789056</a><p>&gt; TSA at Boston airport tried to take my Yubikeys away from me to a second location &quot;for a test&quot;. I refused &amp; they backed off but FYI people.<p>If you have your Yubikeys with you while traveling, you might want to be careful.

It seems that hardware breakdowns inevitably place a &#x27;raw materials&#x27; costing to ojects broken down, often (but less in this instance) - as a somewhat passive-agressive dig at the company: &quot;They sell it for $50, but it&#x27;s only got $10 worth of components in it!&quot;<p>Outside of the obvious external costs (development, transport, overheads, import, profit, etc), PCB + Tooling costs are often wildly underestimated.<p>For reference, a PCB of this size requires a setup + stencil template, which would run ~ 400 - 500 USD.<p>Tooling for the plastic injection mold for this piece would run around 5000 USD, and each subsequent piece would probably cost around 10 - 50c USD.<p>Tooling + PCBA done right have significant upfront costs that often seem to be forgotten.

I accidentally ran over my Yubikey with my Honda Accord, on a key ring with a fin key (1). I dusted it off and it works fine 6 months later. Seriously, if you&#x27;re in a position where you&#x27;re using a Yubikey, getting another Yubikey isn&#x27;t that big a deal for the organization. In fact, if you&#x27;re a solo practitioner using something like Yubikey, I recommend you get another one and just keep it in a lock box in the event you, say, run over the primary with your car :)<p>(1) <a href="http:&#x2F;&#x2F;www.amazon.com&#x2F;FCS-Moulded-Steel-Fin-Key&#x2F;dp&#x2F;B003JCQPXM" rel="nofollow">http:&#x2F;&#x2F;www.amazon.com&#x2F;FCS-Moulded-Steel-Fin-Key&#x2F;dp&#x2F;B003JCQPX...</a>

Nice article, would be interesting to build something that HexView did, in fact, find &quot;nearly indestructible&quot;. Full disclosure I&#x27;m a fan of the Yubikey, I think that something like it will be the future of operational security for networks. Requiring the key be present to answer challenges helps a lot.

Read a much more detailed security review of the Yubikey as it works in practice here:<p><a href="http:&#x2F;&#x2F;www.unrest.ca&#x2F;yubico-reinvents-the-yubikey" rel="nofollow">http:&#x2F;&#x2F;www.unrest.ca&#x2F;yubico-reinvents-the-yubikey</a>

That&#x27;s a lot of text to say nothing of interest. I really love how they question the trade offs made in the PCB design, as if these things didn&#x27;t occur to the designers.

While we&#x27;re at it .. are there any other tokens&#x2F;smartcards that could be used for signing messages (ECC preferable, RSA acceptable)? I only know of YubiKey and the KernelConcepts PGPcard.

Hard to take your article seriously with statements such as &quot;...Levels 1 and 2 of the FIPS140-2 certification are just a marketing gimmick&quot;. Even harder to believe Jakob took the time to respond.