user submits helpdesk ticket for new key, helpdesk doesn't revoke old one

They could actually make that type of attack much harder if they made the overmolding of these things in a nice swirly two-color process so each one is a bit different.

honestly 90% of super fancy attacks feel useless in comparison with basic stuff designed to exploit "assume the user and support folks will be confused by something not working and take little to no remedial action". it should be a hard rule that everyone assumes computers will break in weird ways and will easily accept random-ass failures as a fact of life.

This is why my (not yubi) FIDO key is decorated by me. Also because I like it better that way, but obviously an important security thing that totally justifies me spending too many hours carefully engraving in plastic casing and painting in the lines...

shit. Can you please stop getting to the point so fast?
At least add a few pages of not quite relevant, but obtusely related content before you get to the leed!

How can we get a Mission Impossible 9 if the ubikey isn't going to be cloned??
To steal it is too much MI2

@securingdev nobody will publish this research :)

Now you'll make me paranoid bc mine almost never works right!

I am reminded of this classic: https://xkcd.com/538

This. Social engineering and breaching physical security are the most likely attack vectors for most people! Keep your devices in your custody, and preferably, especially when in an environment that's easily accessible for hostiles (such as an office where I could just walk right in), keep the key on your body. I'd recommend a necklace or collar for that.
@tthbaltazar

That's why I write "MINE" on my keys with a permanent marker

exactly! With a blank or a defective one, and the user will just procure a new one assuming it died

That's because physical 2FA tokens combine the drawbacks of the 2FA process with the drawbacks of physical keys.

this featured in @riskybusiness ‘s podcast if you didn’t already know heh