I see this as a non-issue since it requires physical access to the key and would require them to know your email or have access to your computer.
That list of people would already be able to access your key any time anyway so they wouldn’t need to clone it 🤷🏻♀️
Yeah I don’t see this being an issue at all. They have to physically have my key? Oh no. Then they already have my key. And I will have disabled the key on my accounts. Unless they what, steal the key from me, take it to the lab, clone it with 11k worth of equipment, then sneak it back into my purse before I notice it’s gone? That’s some nation state espionage stuff and that is not in my threat model.
It feels like this vulnerability isn’t notable for the majority of users who don’t typically include “Being compromised by a Nation-State-Level Actor.”
That being said, I do hope they get it fixed, and it looks like there are already mitigations in place, like protecting the authentication by another factor such as a PIN. That helps for people who do have the rare threat-model issue in play.
The complexity of the attack also seems clearly difficult to achieve in any time frame, and would likely require hundreds of man-hours of work to pull off.
If we assume they’re funded enough to park a van of specialty equipment close enough to you, steal your key and clone it, then return it before you notice… nothing you can do can defend against them.