
Important note on the use of Yubikeys with ID Austria / xIDENTITY

Montage: A person sits in front of a laptop; triangular warning symbols with an exclamation mark hover in front of it.

For security reasons, FIDO tokens from the manufacturer Yubico can no longer be re-linked with the QES from A-Trust (e.g. ID Austria or xIDENTITY). The reason is a recently discovered possibility to manipulate the identification of a FIDO token during re-linking with ID Austria or xIDENTITY, so that the token presents itself as an authorized device; as a result, tokens that are not authorized for this purpose could be linked to the certificate. Detailed information can be found in the following paper, and the manufacturer's statement can be found here.

As a precautionary measure, A-Trust has responded by adjusting the linking option so that Yubikeys can no longer be linked to A-Trust certificates. Suitable FIDO tokens from other manufacturers can still be linked to ID Austria or xIDENTITY as usual. The manufacturer Yubico has already announced a new firmware; further information on this is not yet known.

No significant risk when initiating signatures

In order to exploit this problem at all when initiating signatures, attackers would not only have to have gained possession of the device, but would also need all other secret user data (the signature password as well as the secret PIN or biometric feature of the FIDO token). According to current knowledge, there is therefore no significant security risk.

All important steps to mitigate the risk of such potential vulnerabilities have already been taken by A-Trust in advance:

  • Verification of the user name or telephone number and the signature password before the FIDO token is accessed and a signature is triggered by ID Austria/xIDENTITY
  • Mandatory PIN or biometric feature when the FIDO token is used as an additional factor
  • Verification of the signature counter, which makes manipulation recognizable
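To illustrate the third measure, the following is an added example (not A-Trust's or Yubico's code) of how a relying party checks the signature counter carried in WebAuthn authenticator data. The counter sits at bytes 33 to 36 of the authenticator data, after the 32-byte RP ID hash and the flags byte; a counter that fails to advance between assertions is the signal that a second copy of the key may have signed. The sample authenticator data, the stored credential and the sequence of counter values are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class StoredCredential:
    """What the relying party keeps per registered FIDO token (constructed)."""
    credential_id: bytes
    sign_count: int  # last counter value the relying party has seen


def parse_sign_count(authenticator_data: bytes) -> int:
    """Extract the 32-bit big-endian signature counter from WebAuthn authenticator data.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | extensions/attested data...
    """
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short to contain a signature counter")
    return struct.unpack(">I", authenticator_data[33:37])[0]


def verify_sign_count(stored: StoredCredential, received: int) -> bool:
    """Relying-party counter check as specified by WebAuthn for the assertion ceremony.

    Returns True and records the new counter when the assertion is acceptable.
    Returns False without updating the record when the counter did not advance,
    which indicates a cloned or replayed authenticator and should be treated as a
    failed authentication and logged for investigation.
    """
    if received != 0 or stored.sign_count != 0:
        if received <= stored.sign_count:
            # Counter did not move forward: another device holding the same
            # private key may have produced an assertion in the meantime.
            return False
    # Both zero: the authenticator does not implement a counter, so there is
    # nothing to compare; the check passes and the stored value stays at zero.
    stored.sign_count = received
    return True


def build_auth_data(sign_count: int) -> bytes:
    """Constructed authenticator data: placeholder RP ID hash, UP|UV flags, given counter."""
    rp_id_hash = b"\x00" * 32          # placeholder, not a real SHA-256 of an RP ID
    flags = bytes([0x01 | 0x04])       # UP (user present) and UV (user verified)
    return rp_id_hash + flags + struct.pack(">I", sign_count)


def simulate() -> List[bool]:
    """Run a constructed sequence of assertions against one stored credential."""
    cred = StoredCredential(credential_id=b"demo-credential", sign_count=10)
    counters = [11, 12, 12, 5]  # two honest steps, then a repeat and a rollback
    return [verify_sign_count(cred, parse_sign_count(build_auth_data(c))) for c in counters]


if __name__ == "__main__":
    # Expected: [True, True, False, False]
    print(simulate())
```

The two rejected assertions at the end of `simulate()` are exactly the case the counter check exists for: the relying party cannot tell which of two devices holding the same key is the legitimate one, but it can tell that more than one has been signing, and it should refuse the assertion and alert rather than silently accept it.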

Based on current knowledge, there is therefore no significant security risk. We are monitoring the situation closely and will keep you informed of any changes.

Important reminder on the use of FIDO tokens

In view of the current situation, we would like to remind users of FIDO tokens of important security precautions:

  • Do not hand your FIDO token to anyone, and keep it in a safe place.
  • Keep your signature password and the PIN of your FIDO token secret, and protect them from prying eyes or any other unauthorized access.