    Security Advisory YSA-2020-04

    Security Advisory YSA-2020-04 – Access code not checked for NDEF updates

    Published date: 2020-07-08
    Tracking ID: YSA-2020-04
    CVE: CVE-2020-15001

    Summary

    The OTP application on the YubiKey 5 NFC allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. It was discovered that the access code is not checked when updating NFC-specific components of the OTP configurations. This may allow an attacker to access configured OTPs and passwords stored in slots that were not configured by the user to be read over NFC, despite a user having set an access code. Users who have not set an access code, or who have not configured the OTP slots, are not impacted by this issue.

    Affected devices

    YubiKey 5 NFC with firmware versions 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1.

    Not affected devices

    • YubiKey 5 Nano
    • YubiKey 5C
    • YubiKey 5C Nano
    • YubiKey 5Ci
    • YubiKey FIPS Series
    • Security Key Series
    • YubiKey NEO
    • YubiKey 4 Series

    How to tell if you are affected

    1. Identify your YubiKey. If you have a YubiKey 5 NFC continue to step 2. There are two ways to identify your key.

    a. Use the YubiKey Manager GUI to identify your key. The series and model of the key are listed in the upper left corner of the Home screen. In the following example, the YubiKey is a 5 NFC.

    [Image: YubiKey Manager Home screen showing "YubiKey 5 NFC"]

    b. Physically identify your key based on the logo on the key. The YubiKey 5 NFC will feature the letter ‘Y’ with a connectivity symbol above it inside of the gold circle on the front of the key, as pictured below.

    [Image: YubiKey 5 NFC]

    2. Identify whether you have configured an access code by following the steps below. Note: If your YubiKey was provided to you by an IT administrator or similar, contact your IT administrator for next steps.

    a. Use the YubiKey Manager command line interface (CLI) to attempt to swap OTP slots.
    $ ykman otp swap
    b. If you receive the following error, it’s likely you’ve configured an access code and you are affected by this issue.
    Error: Failed to write to the YubiKey. Make sure the device does not have restricted access.
    c. If the command was successful, swap your OTP slots back.
    $ ykman otp swap
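The same check, automated, as an added example (not Yubico's tooling): it shells out to YubiKey Manager's `ykman`, which is assumed to be on PATH, and assumes the installed ykman accepts `-f` to skip the swap confirmation prompt. It also narrows the result to the affected device type and firmware ranges listed above, which the manual steps leave to the reader.

```python
"""Automated form of the advisory's self-check (added example, not Yubico's
tooling). It shells out to YubiKey Manager's `ykman`, assumed to be on PATH,
and assumes the installed ykman accepts `-f` to skip the swap confirmation."""
import re
import subprocess
from typing import Callable, List, Tuple

# Error text the advisory says ykman prints when an access code blocks writes.
RESTRICTED_MSG = "Make sure the device does not have restricted access"
# Affected firmware ranges from the advisory, inclusive.
AFFECTED_RANGES = (((5, 0, 0), (5, 2, 6)), ((5, 3, 0), (5, 3, 1)))
Runner = Callable[[List[str]], Tuple[int, str, str]]  # (returncode, stdout, stderr)


def run_ykman(args: List[str]) -> Tuple[int, str, str]:
    p = subprocess.run(["ykman", *args], capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr


def firmware_in_affected_range(info_output: str) -> bool:
    """Parse 'Firmware version: x.y.z' from `ykman info` and compare."""
    m = re.search(r"Firmware version:\s*(\d+)\.(\d+)\.(\d+)", info_output)
    if not m:
        return False
    ver = tuple(int(x) for x in m.groups())
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)


def classify(runner: Runner = run_ykman) -> str:
    """Return 'affected', 'not-affected' or 'unknown'. The access-code test
    is the advisory's own: an `otp swap` that fails with the restricted-access
    error means a code is set; a successful swap is reversed at once."""
    rc, out, _ = runner(["info"])
    if rc != 0:
        return "unknown"  # no key connected, or ykman missing
    if "YubiKey 5 NFC" not in out or not firmware_in_affected_range(out):
        return "not-affected"
    rc, out, err = runner(["otp", "swap", "-f"])
    if rc != 0:
        return "affected" if RESTRICTED_MSG in out + err else "unknown"
    rc, _, err = runner(["otp", "swap", "-f"])  # restore the original order
    if rc != 0:
        raise RuntimeError("slots swapped but could not be restored: " + err)
    return "not-affected"


if __name__ == "__main__":
    print(classify())
```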

    Customer actions

    If you followed the steps above and have identified that you are affected by this issue, there are several mitigation strategies that are available to you.

    Mitigations

    Disable OTP over NFC

    If you use an access code and are not using OTP over NFC, disable the OTP application over NFC from the YubiKey Manager. This will still allow you to use the OTP application over USB and will still allow you to use other YubiKey applications such as FIDO2 and PIV (smart card) over NFC.

    1. In YubiKey Manager select Interfaces
    2. Uncheck OTP in the NFC section
    3. Click Save interfaces
    [Image: YubiKey Manager interface options for USB and NFC]

    Note: If you are using an access code, and you also use OTP over NFC, we recommend reaching out to our support team for further assistance.

    Rotate Static Password

    If you are using the static password capability, you can rotate your password using the YubiKey Manager and following the steps outlined below. You may also want to consider using your YubiKey to hold part of the password and combine it with a portion of the password you remember.

    1. In YubiKey Manager select Applications, then select OTP from the dropdown
    2. Select Configure from the slot with your static password (Slot 1 or Slot 2)
    3. Select Static password and click Next
    4. Click Generate to generate a new password or enter the password you would like to set and click Finish to save your new password

    Technical details

    Background

    The YubiKey OTP application provides two programmable slots that can each hold one credential of the following types: Yubico OTP, static password, HMAC-SHA1 challenge-response, or OATH-HOTP. The OTP application also allows users to set an access code to prevent unauthorized alteration of the OTP configuration. To clarify, the access code does not protect against unauthorized reading of the data in the slots; it only protects against unauthorized changes to your OTP configurations.

    YubiKey 5 NFC devices provide an NFC wireless interface in addition to USB. NFC Data Exchange Format (NDEF) messages are sent to the YubiKey via USB or NFC to update NDEF records.

    Issue

    The YubiKey 5 NFC, with firmware 5.0.0 – 5.2.6 and 5.3.0 – 5.3.1, allows the NDEF prefix, and the choice of which slot is presented over NFC, to be changed without an access code check.

    What parts of the OTP application can be altered using NDEF?

    • The prefix that precedes the data programmed in the slot. Typically, this is a URI that can be used by client applications to direct users to websites for authentication or information. This could potentially be altered so that an application would send the OTP to a malicious site.
    • Which slot is presented during an NFC read. By default, the OTP is configured in the first slot (often identified as the short-touch slot) and is presented over NFC. This can be altered so that the second slot is presented over NFC, even if a user has configured an access code.
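Because the prefix can be rewritten without the access code, a client application that reads the tag should treat the prefix as untrusted input and check it against the value it expects before acting on the OTP. The following added example (not Yubico's code) parses the single NFC Forum URI record a YubiKey presents over NFC and releases the OTP only when the prefix matches; the expected prefix value is an assumption for illustration, not taken from the advisory.

```python
"""Added example (not Yubico's code): a reading application's guard against a
tampered NDEF prefix. It parses the single URI record a YubiKey presents over
NFC and accepts the OTP only if the URI starts with an expected prefix. The
prefix value is an assumed example; use the one your deployment relies on."""

# NFC Forum URI record: the first payload byte abbreviates a common scheme.
URI_CODES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
             0x03: "http://", 0x04: "https://"}
MODHEX = frozenset("cbdefghijklnrtuv")
OTP_LEN = 44  # 12-char public id + 32-char ciphertext, both ModHex
EXPECTED_PREFIX = "https://my.yubico.com/yk/#"  # assumed, not from the advisory


def build_ndef_uri(uri: str) -> bytes:
    """Encode one short-record NDEF message carrying a URI (for the sample)."""
    code = 0x04 if uri.startswith("https://") else 0x00
    body = uri[len(URI_CODES[code]):].encode("ascii")
    # MB|ME|SR set, TNF=1 (well-known); type length 1, payload length, type 'U'
    return bytes([0xD1, 0x01, 1 + len(body)]) + b"U" + bytes([code]) + body


def parse_ndef_uri(msg: bytes) -> str:
    """Decode a short, well-known URI record; reject anything else."""
    hdr = msg[0]
    if hdr & 0x07 != 0x01 or not hdr & 0x10 or hdr & 0x08:
        raise ValueError("expected a short well-known record without ID")
    type_len, payload_len = msg[1], msg[2]
    if msg[3:3 + type_len] != b"U":
        raise ValueError("not a URI record")
    payload = msg[3 + type_len:3 + type_len + payload_len]
    if len(payload) != payload_len or payload[0] not in URI_CODES:
        raise ValueError("truncated payload or unknown URI code")
    return URI_CODES[payload[0]] + payload[1:].decode("ascii")


def extract_otp(msg: bytes, expected_prefix: str = EXPECTED_PREFIX) -> str:
    """Return the OTP only when the prefix is the expected one and the
    remainder looks like a Yubico OTP; otherwise raise, so the client never
    forwards an OTP to a host chosen by whoever rewrote the NDEF prefix."""
    uri = parse_ndef_uri(msg)
    if not uri.startswith(expected_prefix):
        raise ValueError("unexpected NDEF prefix: " + uri[:len(expected_prefix)])
    otp = uri[len(expected_prefix):]
    if len(otp) != OTP_LEN or not set(otp) <= MODHEX:
        raise ValueError("suffix is not a 44-character ModHex OTP")
    return otp
```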

    Aggregate severity rating

    Yubico has rated this issue as Moderate based on maximum security impact. The base CVSS score is 4.9.
