There's no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. But while Yubikey manufacturer Yubico describes its product as " unphishable," a pair of researchers has proven the company wrong, with a technique that allows clever phishers to sidestep even Yubico's last bastion of login protection.

Two weeks ago, in a little-noticed presentation at the Offensive Con security conference in Berlin, security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google's Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo, one of the most popular of the so-called Universal Two-Factor, or U2F, tokens that security experts recommend as the strongest form of protection against phishing attacks.

With a sufficiently convincing phishing site and a feature in Chrome known as WebUSB, a hacker could both trick a victim into typing in their username and password—as with all phishing schemes—and then also send a query directly from their malicious website to the victim's Yubikey, using the response it provides to unlock that person's account. (A disclaimer: WIRED partners with Yubico to give free Yubikeys to subscribers. According to Vervier and Orrù, the model WIRED offers is not susceptible to their attack.)

Vervier and Orrù, who work for the security consultancy X41, are careful to note that their technique doesn't demonstrate a flaw in Yubico's products so much as a very unintended byproduct of Chrome's WebUSB feature, which the browser added just last year. "U2F is technically not broken, but it’s still phishable, which many people thought was impossible," says Vervier. "It’s a great example of how new interfaces allow ways to attack technology that were believed to be unbreakable."

When WIRED reached out to Google, security product manager Christian Brand responded that the company became aware of the researchers' attack after their Offensive Con presentation. While Google considers the attack an edge case, the company is working with U2F standards body the FIDO Alliance to fix the problem. "We are always appreciative of researchers’ work to help protect our users," Brand wrote in a statement. "We will have a short term mitigation in place in the upcoming version of Chrome, and we're working closely with the FIDO Alliance to develop a longer-term solution as well. We aren’t aware of any evidence that the vulnerability has been exploited."

Beware WebUSB

Let's be clear: Vervier and Orrù's findings don't change the fact that adding two-factor authentication remains one of the most basic and crucial steps to protecting your sensitive accounts, and a U2F token like a Yubikey is the most secure form of that protection you can use. Even two-factor authentication methods like text messages or Google Authenticator still rely on temporary codes that the user enters when they log in; a convincing phishing site can simply trick you into handing over those codes along with your username and password. A U2F token like the Yubikey instead performs an authentication handshake with a website that not only proves to a website that it's your unique key, but requires that the website prove its identity too, preventing lookalike sites from stealing credentials.

'They put in another feature that subverts all the security they'd put in place.' Joern Schneeweisz, Recurity Labs

But a crack in those safeguards may have appeared last year when Chrome added WebUSB, a feature that allows websites to directly connect to USB devices, from VR headsets to 3-D printers. Vervier and Orrù found that they could code a website to connect to the Yubikey Neo with that WebUSB feature, instead of with the usual Chrome API for U2F that it's designed to use. In doing so, they could circumvent the checks that the browser performs before querying the Yubikey—the checks that confirm that websites are the ones they claimed to be.