Yubico security advisory confirms 2FA bypass vulnerability.
Two-factor authentication has increasingly become a security essential over recent years, so when news of anything that can bypass those 2FA protections breaks, it is not something you can ignore, be that the perpetual hack attack facing Google users, malicious Chrome extensions, or the Rockstar bypass kit impacting Microsoft users. Now Yubico has thrown its hat into the 2FA bypass ring with a security advisory confirming a bypass vulnerability in a software module used to support authentication with a YubiKey. Here’s what you need to know.
Yubico 2FA Security Advisory YSA-2025-01
Yubico is most likely the first name that comes to mind when you think about two-factor authentication hardware keys and other secure authentication solutions. And for good reason: it has been leading the market in hardware keys for about as long as I can remember, and I’ve been in the cybersecurity business for multiple decades. So, when Yubico issues a security advisory, I tend to take notice, and if you are a Yubico customer, so should you.
Yubico security advisory reference YSA-2025-01 relates to a partial authentication bypass in the pam-u2f pluggable authentication module software package that can be deployed to support YubiKey on macOS or Linux platforms.
According to the advisory, pam-u2f packages prior to version 1.3.1 are susceptible to a vulnerability that can enable an authentication bypass in some configurations. “An attacker would require the ability to access the system as an unprivileged user,” Yubico explained, and, depending upon the configuration, “the attacker may also need to know the user’s password.”
Yubico Said No YubiKey Hardware Impacted By 2FA Bypass Issue
Yubico confirmed that no hardware is impacted by this vulnerability, meaning that the issue does not affect any “previous or current generation YubiKey Series, YubiKey FIPS Series, Security Key Series, YubiHSM or YubiHSM FIPS devices.”
Yubico CVE-2025-23013 Vulnerability Explained
The vulnerability in question, CVE-2025-23013, is classified as critical. It arises because, in certain scenarios when memory cannot be allocated or the module cannot change privileges, pam-u2f “does not contribute to the final authentication decision performed by PAM.” In practice this means that a second or primary authentication factor, depending on the specific use case, would no longer be verified. “A key differentiator between scenarios is the location of the authfile,” Yubico said.
Yubico recommends that affected customers upgrade to the latest version of pam-u2f either by directly downloading from GitHub or getting the latest update via Yubico PPA.
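The two things an administrator can act on from the advisory are the version threshold (1.3.1) and the fact that the authfile location decides which scenario a deployment falls into. The script below is an added audit helper written for this article, not Yubico's code: it compares a reported pam-u2f version string against 1.3.1 and lists every PAM `auth` line that loads `pam_u2f.so`, with its control flag and authfile, so the relevant configurations can be reviewed. The sample PAM lines and the version string are constructed; the classification of an unset authfile as per-user relies on pam-u2f defaulting to a key file under the user's home directory when no authfile is given.

```python
"""Audit helper for the pam-u2f advisory (YSA-2025-01 / CVE-2025-23013).

Added example, not Yubico's code.  Two defender-side checks:
  1. version check: is the reported pam-u2f at or above the fixed release 1.3.1?
  2. PAM stack review: which 'auth' lines load pam_u2f.so, with what control
     flag and which authfile?  The advisory names the authfile location as the
     key differentiator between scenarios, so these are the lines to review.
"""
import glob
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FIXED_VERSION = (1, 3, 1)  # first fixed pam-u2f release named in the advisory


def parse_version(text: str) -> tuple:
    """Extract the first dotted version, e.g. 'pam-u2f 1.3.0-2' -> (1, 3, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_fixed(version_text: str) -> bool:
    """True when the reported pam-u2f version is 1.3.1 or later."""
    return parse_version(version_text) >= FIXED_VERSION


@dataclass
class U2fEntry:
    source: str                      # PAM file the line came from
    control: str                     # required / sufficient / [bracketed ...]
    authfile: Optional[str]          # value of authfile=..., None if unset
    options: Dict[str, object] = field(default_factory=dict)

    def authfile_scope(self) -> str:
        """Classify where the key file lives.  With no authfile option pam-u2f
        falls back to a per-user file under the home directory, so 'unset'
        is reported as per-user (assumption based on pam-u2f's default)."""
        if self.authfile is None:
            return "per-user (default under the user's home)"
        if self.authfile.startswith(("/home/", "/Users/", "~", "$HOME")):
            return "per-user"
        return "central"


# PAM line grammar: type control module [options]; control may be [bracketed].
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_u2f_entries(config_text: str, source: str) -> List[U2fEntry]:
    """Return every 'auth' line in one PAM config that loads pam_u2f.so."""
    entries: List[U2fEntry] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        m = _PAM_LINE.match(line) if line else None
        if not m:
            continue
        mtype, control, module, rest = m.groups()
        if mtype != "auth" or os.path.basename(module) != "pam_u2f.so":
            continue
        opts: Dict[str, object] = {}
        for tok in rest.split():
            key, sep, val = tok.partition("=")
            opts[key] = val if sep else True       # bare flags such as 'cue' -> True
        entries.append(U2fEntry(source, control, opts.get("authfile"), opts))
    return entries


def audit(version_text: str, configs: Dict[str, str]) -> List[str]:
    """Produce review findings from a version string and {filename: contents}."""
    findings: List[str] = []
    if not is_fixed(version_text):
        findings.append(f"pam-u2f {parse_version(version_text)} is below 1.3.1: upgrade")
    for source, text in configs.items():
        for e in parse_pam_u2f_entries(text, source):
            findings.append(
                f"{source}: auth {e.control} pam_u2f.so, "
                f"authfile={e.authfile or '(unset)'} [{e.authfile_scope()}]"
            )
    return findings


# Constructed sample PAM stack (not taken from any real host) for an offline run.
SAMPLE_CONFIGS = {
    "/etc/pam.d/sudo": "auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys cue\n",
    "/etc/pam.d/login": "# second factor after the password\nauth sufficient pam_u2f.so\n",
}

if __name__ == "__main__":
    import sys
    # Usage: python audit_pam_u2f.py [/etc/pam.d] [version string from your package manager]
    configs = SAMPLE_CONFIGS
    if len(sys.argv) > 1:
        paths = [p for p in glob.glob(os.path.join(sys.argv[1], "*")) if os.path.isfile(p)]
        configs = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths}
    version = sys.argv[2] if len(sys.argv) > 2 else "pam-u2f 1.3.0"   # constructed
    for finding in audit(version, configs):
        print(finding)
```

Run without arguments it audits the constructed sample and reports the version shortfall plus both `pam_u2f.so` lines; pointed at a real `/etc/pam.d` and the version string from the package manager it reports the host's own entries. The script only lists control flags and authfile locations; deciding which of the advisory's scenarios applies is left to the reviewer, since that depends on the rest of the PAM stack.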
I have reached out to Yubico for a statement.