It looks like everyone's favourite FIDO token provider might have an unpatchable vulnerability! Much Sturm und Drang from the usual sources. But how bad is it really? Not so bad - but it does expose some weaknesses in the very idea of having physical tokens.
It also looks like the attacker will need:
- Physical access to the key
- Username & password tied to the account protected by the key
- $11,000 worth of equipment
So yes, it doesn’t seem to be an “easy” attack, but geez… it’s always something.