6

I am a proud owner of a YubiKey 5 NFC and have been using it for quite some time now. I want to replace it with another YubiKey 5 NFC running a slightly newer firmware. I have utilized almost all features the YubiKey offers including Yubico OTP, PIV (X.509 certificates), OpenPGP, FIDO2, U2F and configured a static password for the "long touch slot".

Let's assume that I want to sell my YubiKey to a stranger. Is the factory reset procedure that Yubico describes in their official documentation safe and secure enough such that it is not possible to

  • log in to any of my accounts (FIDO2, U2F and Yubico OTP) where I forgot to disable the used YubiKey,
  • use or recover any of the RSA private keys stored on the device,
  • use or recover the static password I had configured on the YubiKey.

I also used the NFC functionality to authenticate against RFID-protected door locks at work. Am I right that there is no way of changing the UID of the YubiKey permanently?

jnsp

1 Answer

4

Unfortunately, there is no way to tell for sure. Although the documentation is expected to be accurate, there is always a possibility that some hardware or software bugs may be discovered in the future (with any product).

Thus, you should estimate the value of your data and the risks involved.

The rule of thumb is: do not sell the YubiKey if the potential losses/harm will be higher than the amount of money you will get from selling it.

simon