YubiKey to Release New Firmware, But Existing Keys Won't Be Supported
Yubico, a leading manufacturer of FIDO-based hardware security keys, is set to release new versions of its YubiKey 5, Security Key, and Security Key Enterprise Edition series of authentication hardware.
The new YubiKey devices, equipped with the latest firmware, will be available by the end of May, offering enhanced security features such as expanded key storage and mandatory PIN complexity.
Unfortunately, Yubico has revealed that, for security reasons, existing YubiKey devices cannot be updated to the new 5.7 firmware, which means users will need to purchase a new YubiKey to access these advanced security features.
The new YubiKey devices will provide enterprise-grade identity proofing (with customizable programming), FIDO2-compliant PIN length restrictions, and storage capacity for up to 100 keys, 24 PIV certificates, 64 OATH seeds, and 2 OTP seeds.
As of today, Yubico Authenticator 7 has received a major update that supports the new features described above, including PIV's new public key algorithm and advanced management capabilities. The update is currently only available for Android devices, with an iOS update expected to follow later.
Why can't existing YubiKey devices be updated? Simply put, Yubico's design philosophy has always been to prevent firmware modifications or updates, because allowing such changes could introduce security vulnerabilities. One example is a supply chain attack, in which attackers purchase YubiKey devices, modify the firmware, and redistribute them.
As a result, no YubiKey device is allowed to receive firmware updates once released, which is why the new 5.7 firmware is only available on new products. If users want to access these new features, they will need to purchase a new key.