Since synced passkeys are unlikely to be using cryptographic hardware
modules for random number generation, here is a new security risk that
could render users using them vulnerable (if using these variants of
AMD processors):
https://www.theregister.com/2025/11/05/amd_promises_to_fix_chips/

Resident keys using TPMs or other Secure Elements don't suffer from this
problem, because they usually rely on built-in random number generators
(RNG) instead of the CPU or software libraries for entropy (when
implemented appropriately).

Just another difference highlighting the risk of synced passkeys over
resident keys that have been supported by the FIDO Alliance since 2015, but
lately glossed over because of the challenge of educating users to deal
with managing Security Keys. The pity is, users have been used to
dealing with secure elements and cryptographic keys for 2+ decades with
bank/credit cards; all that was needed was to extend their prior
knowledge and experience with smartcards, to highlight local control
over Security Keys. A missed opportunity.

Arshad Noor
StrongKey