Hold on - doesn't having this live permanently in the USB port reduce the security possible with a 2FA device? If the user has to get the key from their pocket and plug it in, it will at least prevent an attacker from accessing the user's account in a remote-desktop scenario. Certainly the requirement to press the button will mitigate this risk to a degree, but might there be exploits that can trigger this button-press event using a carefully crafted USB signal?
I understand the security vs usability thing, just beware of the risks of something like this (perhaps bluetooth-type keys like this are more usable as you don't need to bother plugging them in, assuming bluetooth decides to play nicely)
My assumption is that if Google (which deploys the Yubikey Nano across their employees) is willing to make the leap that there'd be no way to trigger the button press via USB, then assuming Tomu has done their due diligence, it's impossible to do so on here.
I'd say it depends on the security model. I have a yubikey nano permanently in my mac, I use it for example for vpn. Of course, I don't use it to unlock my mac, and I have a pretty long passphrase for that (and an apple watch to make it easier).
For 2fa in my own gmail/facebook, I use external keys, similarly as you're saying. But I could be comfortable using this yubikey, it's just that one is personal, the other is work in this case.
The button press is shorting two contacts on the device, there’s no way to fake it. If you’re thinking that there might be a bug you can trigger to execute the “print code” routine, the good news is that ARM microcode is simple and small enough that you can audit and verify it (and the USB stack).
I admire your diligent concern, but I thought the same thing for a split second and dismissed it.
I can't imagine even a corporate churn machine with the most reckless abandon designing a device like this and missing the most basic obvious attack vector.
It might be possible if you find a hardware or software bug in the USB interface on the chip, but the Yubikey uses a chip designed specifically for security applications. Those sorts of chips, designed and tested explicitly for security applications, are tested for all sorts of attacks and exploits, both physical and in software. I doubt it's even physically possible to craft a USB packet that is able to interfere with the ADC on the chip enough to look like a touch event, but even if it was it'd be exceedingly difficult due to the nature of how USB signaling works. You don't have much direct control at the electrical level of what actually goes down the wire.