>The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low.
While this isn't great advertisement for Yubikey, it doesn't feel like the most practical of exploits. And as it's mostly(only?) used as second factor it's one of many hurdles most things don't warrant.
Of course if you're protecting a crazy full crypto account or deploy a massively popular or low-level github library you might want to check out swapping keys.
In a Passkeys world my org’s Yubico Security Keys are used with only a PIN to unlock; no password required. Shoulder surfing PIN entry is another hurdle for the attacker though.
reply