The Molotov cocktail is a term coined by the Finns during the Winter War, as a generic name used for a variety of improvised incendiary weapons. During the Winter War, the Soviet air force made extensive use of incendiaries and cluster bombs against Finnish civilians, troops and fortifications. When Molotov claimed in radio broadcasts that they were not bombing but rather delivering food to the starving Finns, the Finns started to call the air bombs Molotov bread baskets. Soon they responded by attacking advancing tanks with “Molotov cocktails,” which were “a drink to go with the food”.
Occasionally someone on Hacker News or Reddit wonders whether or not a YubiKey (or other FIDO/U2F security key) could be duplicated in transit.
Never say never, but FIDO/U2F has specific mitigations designed to make it easy to quickly detect duplicate keys.
A U2F token must increase a counter each time it performs an authentication operation. This counter may be ‘global’ (i.e., the same counter is incremented regardless of the application parameter in the Authentication Request message), or per-application (i.e., one counter for each value of the application parameter in the Authentication Request message).
U2F token counters should start at 0.
The counter allows relying parties to detect token cloning in certain situations. Relying parties should implement their own remediation strategies if they suspect token cloning due to non-increasing counter values.
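The following is an added example of the relying-party side of that rule, not code from the original post or from Yubico. It parses the raw U2F authentication response (one user-presence byte, a 4-byte big-endian counter, then the signature), compares the counter with the last value stored for that key handle, and flags a clone when the counter fails to increase. The `CredentialRecord` store, the `check_counter` policy and the sample responses are constructed for illustration; a real deployment verifies the response signature against the registered public key before trusting the counter, and decides its own remediation (re-enrolment, alerting) when a clone is suspected.

```python
import struct
from dataclasses import dataclass


@dataclass
class CredentialRecord:
    """What a relying party stores per registered U2F key handle (hypothetical)."""
    key_handle: bytes
    last_counter: int = 0          # U2F token counters start at 0
    suspected_clone: bool = False


def parse_u2f_auth_response(data: bytes):
    """Split a raw U2F authentication response into
    (user_presence, counter, signature).

    Raw layout: byte 0 = user presence flag, bytes 1..4 = big-endian
    32-bit counter, remaining bytes = DER-encoded signature."""
    if len(data) < 5:
        raise ValueError("U2F authentication response too short")
    user_presence = data[0]
    (counter,) = struct.unpack(">I", data[1:5])
    return user_presence, counter, data[5:]


def check_counter(record: CredentialRecord, reported_counter: int) -> str:
    """Relying-party counter rule: the reported value must be strictly
    greater than the last one seen for this key handle.

    Only monotonicity is required, not +1: a token with a global counter
    will skip values when it is used at other sites. A non-increasing
    value means a second device is signing with the same key handle
    (or the original is being replayed), so the record is marked and the
    caller applies its own remediation."""
    if reported_counter > record.last_counter:
        record.last_counter = reported_counter
        return "ok"
    record.suspected_clone = True
    return "clone_suspected"


def build_response(counter: int) -> bytes:
    """Constructed sample response (signature bytes are a placeholder;
    in practice they are verified before the counter is trusted)."""
    return bytes([0x01]) + counter.to_bytes(4, "big") + b"<placeholder-sig>"


def run_demo():
    """Genuine token used three times (global counter jumps 2 -> 5 because
    it was used elsewhere), then a clone made earlier presents counter 3."""
    record = CredentialRecord(key_handle=b"constructed-key-handle")
    outcomes = []
    for counter in (1, 2, 5, 3):
        _up, reported, _sig = parse_u2f_auth_response(build_response(counter))
        outcomes.append(check_counter(record, reported))
    return outcomes


if __name__ == "__main__":
    for step, result in enumerate(run_demo(), start=1):
        print(f"authentication {step}: {result}")
```

The check only fires once the lagging device is used: a clone made before any authentication and then used more often than the original will look genuine until the original signs again, which is why the spec speaks of detecting cloning "in certain situations".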
Similarly, while it would be possible to build a fake YubiKey, genuine YubiKeys carry an attestation certificate issued under Yubico's attestation CA. The certificate chain presented by a given key can be checked to confirm it is genuine.
Yubico has an online YubiKey Verification site that will tell you whether a given YubiKey is genuine.