YubiKey NEO OpenPGP Security Bug

David Maples

David Maples

2 minute read

Yubico recently learned of a security issue with the OpenPGP Card applet project that is used in the YubiKey NEO. If you are not using OpenPGP, or have the OpenPGP applet version 1.0.10 or later, this vulnerability does not apply to you.

The OpenPGP Card applet defect was inherited from the open-source software project “javacardopenpgp.” The technical details are available in a security advisory posted on our website. This issue only affects the OpenPGP applet and does not impact the security of the YubiKey or its other functions.

While we continue to believe that the practical impact for the majority of users is not critical, Yubico aspires to exceed expectations related to security incident handling. Therefore, we have developed a policy on replacing affected YubiKey NEOs.

Note that moving usage of an OpenPGP key to a new YubiKey NEO requires that you have saved a backup copy of the private key on the card as there is no way to retrieve the private key from any YubiKey, including the YubiKey NEO. If you did not save a backup copy of the private key when you initially generated the key, you will need to revoke the existing key and create a new key. Therefore, we urge you to consider whether you are truly affected by the security issue before proceeding.

If you are using the YubiKey NEO with the OpenPGP Card applet and want to replace your YubiKey, go to yubi.co/support to log a support ticket. Include the output from ‘gpg –card-status’ on your YubiKey NEO (masking out personal information) together with your order number in the ticket you submit. We will give you a coupon code so you can order a replacement YubiKey NEO.

,
Talk to our teamTalk to our team

Share this article:
  • CEO Corner: Maintaining stable growth while navigating global uncertaintyAs we officially close out the first quarter of 2025,  I am pleased we saw a quarter with solid growth and profitability along with ongoing demand for phishing-resistant authentication. We continue to see new types of high-profile cyber attacks appearing regularly, and a major reason for the success of phishing attacks is stolen credentials. As […]Read moreCEOCEO CornerEarningsMattias Danielsson
  • Introducing the Yubico Academy: Enabling partners for a phishing-resistant futureAt Yubico, strong partnerships are fundamental to a more secure digital world. Our commitment goes beyond providing leading security keys; it’s about actively fostering the growth of our valued partners through impactful enablement programs. A cornerstone is the Yubico Academy, featuring our comprehensive certification program.  This program enables our partners’ teams to become Yubico experts, […]Read more
  • AI is booming — but proving you’re human matters more than everIf you walked the show floor at the RSA Conference this year, you probably noticed the same thing I did: Artificial Intelligence (AI) is everywhere. Agentic AI. AI in threat detection. AI in firewalls. AI in identity management. AI-generated demos. AI everything. The energy around AI was undeniable, and we’re seeing real innovation, efficiency gains […]Read moreAIArtificial IntelligencephishingRSAC
  • Ditching passwords for good: Celebrating the inaugural World Passkey DayHave you ever been stuck in a relationship with someone who constantly lets you down, exposes your secrets, and leaves you vulnerable? Odds are you cut your losses, packed up your things and moved on. Today is the day to do the same with your passwords: say goodbye forever! The reality is a majority of […]Read morepasskeyspasswordlessWorld Passkey Day