Yubico launches an SDK that lets iOS devs add support for its NFC keys

Discussion in 'privacy technology' started by guest, May 22, 2018.

  1. guest

    guest Guest

    Yubico launches an SDK that lets iOS devs add support for its NFC keys
    May 22, 2018
    https://techcrunch.com/2018/05/22/y...t-lets-ios-devs-add-support-for-its-nfc-keys/
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Good, this was the big gaping hole in the line-up, and this brings it on par with Android.

    The problem for both platforms of course is that authentication is biometric.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Does anyone know "experientially" if Yubikey NEO will allow U2F on an NFC connection? Either Android or iOS. Simple to use the authenticator function but full U2F over NFC?
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I'm not aware of any apps that do so experientially, although Yubico claim that it supports the standard for U2F over NFC (for NEOs after 2015).

    https://support.yubico.com/support/...6448-using-u2f-over-nfc-with-your-yubikey-neo

    Google's Advanced Protection for Android relies on U2F over BLE (with the Feitian MultiPass dongle rather than NEO+NFC). I assume that BLE is better protected than NFC, but that's only surmise.

    It's a royal pain.
     
  5. guest

    guest Guest

    iOS 12 will reportedly include new NFC features, enable iPhones to become secure hotel room keys
    May 25, 2018
    https://9to5mac.com/2018/05/25/apple-will-reportedly-open-up-nfc-in-ios-12/
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I have a newer model NEO on the way. When I get it I'll let you know how it goes. I hope I see the day when almost all my sites use U2F. Once used you will never go back!
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    As promised earlier in this thread, I am back to report my experiential findings. I can confirm that my brand new NEO from Yubico does in fact perform well using NFC with my Android Pixel XL. I am only using the U2F functions on this chip at this point. My other chips have also been programmed in slots for TOTP, etc.

    Authentication goes like this using NEO and U2F via NFC. Example: to log into Bitwarden (password manager) I click on the Bitwarden app and a screen pops up asking for my login credentials (user and password). If entered correctly, the next screen that comes up looks for my U2F credential. I simply tap the NEO against the back of my phone, it authenticates, and I am in. Very simple. I have registered multiple chips with them and have stored paper backup codes. The ONLY access is designated chips or the backup codes. Quite secure. I have the same thing set up on all my Google accounts, and others. Interestingly, many major companies like eBay and PayPal don't offer ANY protection beyond SMS for 2FA. Not even TOTP. Amazingly short-sighted.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @Palancar - thanks for the report, excellent news that there is a modestly decent solution, almost surprising!

    PayPal's situation is absurd; they rely on inertia and lack of effective competition in their space.
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    A little bit of a follow-up since it's security related. I have found it necessary (for my user temperament) to kill the OTP function on my Yubi 4 nano chip. I only use that chip for strict U2F and not for TOTP at all. My nano sits 100% of the time inserted in one of my family machines for my real-name stuff. It is virtually invisible and only protrudes just enough for me to touch it when needed. However, accidents do happen, and therein lies a small security risk. Many users are not aware of the unique operation. When the key is touched (with non-U2F functions enabled) it sends a really long code, which varies depending upon who it is answering. However, the first 6 (12 hex) characters are the same. It comes from the factory with a serial number which is those numbers. You can edit the numbers, but either way the numbers sent will always be the same 6 (12 hex) numbers after configuring it. Always. That can produce a risk of being tracked should a website decide to record those first 6 (12 hex) numbers. Even worse, should several large companies decide to combine their stored information, creating in effect a database unique to YOUR 6 (12 hex) numbers. In candor, many assume this is a small risk, but if I only need U2F my take is I'll eliminate that risk by easily turning off the unneeded functions. For those using YubiKeys, go ahead and use the top link below and you'll see what I mean. It's immediate and revealing.

    YubiKey serial in the background, you can try it out if you have a YubiKey: https://ssg.github.io/yubitell


    The link below is a general "paranoid's" perspective on my follow up. Just decide for yourself.

    https://hackernoon.com/avoid-leaking-your-identity-with-yubikey-92539b6608a

    Disclaimer: this does NOT cause any concerns for a "bad guy" compromising entrance into any site protected by the key, only for the ability to track a key's user if a site wanted to. You decide.
     
    Last edited: Jun 23, 2018
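As an added illustration of the tracking concern raised in the post above (this is example code, not from the thread, from Yubico or from the linked sites): every Yubico OTP a key emits starts with the same 12-character ModHex public ID, so anything that logs raw OTPs can link presses back to one key. It assumes Yubico's ModHex alphabet and the default 44-character OTP layout (12 characters of public ID plus 32 of encrypted token); the OTP strings are constructed for the demo and are not real key output.

```python
MODHEX = "cbdefghijklnrtuv"   # Yubico ModHex: digit i (0..15) is written as MODHEX[i]
OTP_LEN = 44                  # default Yubico OTP length in ModHex characters
PUBLIC_ID_LEN = 12            # 6-byte public ID: the prefix that never changes


def modhex_decode(text: str) -> bytes:
    """Decode a ModHex string to bytes; rejects odd length or non-ModHex characters."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError(f"not ModHex: {text!r}")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def looks_like_yubico_otp(text: str) -> bool:
    """True if a submitted field value has the shape of a Yubico OTP (e.g. an accidental press)."""
    return len(text) == OTP_LEN and all(ch in MODHEX for ch in text)


def split_otp(otp: str) -> tuple[str, str]:
    """Return (public_id, encrypted_token); only the public ID is stable across presses."""
    if not looks_like_yubico_otp(otp):
        raise ValueError("not a 44-character ModHex OTP")
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def link_by_public_id(otps: list[str]) -> dict[str, list[str]]:
    """Group OTPs by public ID: what a site keeping raw OTPs could do to correlate a key's user."""
    groups: dict[str, list[str]] = {}
    for otp in otps:
        public_id, _ = split_otp(otp)
        groups.setdefault(public_id, []).append(otp)
    return groups


# Constructed sample presses (not real key output): two from "key A", one from "key B".
KEY_A_PRESS_1 = "cccccchijkln" + "bdefghijklnrtuvcbdefghijklnrtuvc"
KEY_A_PRESS_2 = "cccccchijkln" + "vutrnlkjihgfedbcvutrnlkjihgfedbc"
KEY_B_PRESS_1 = "ccccccnrtuvb" + "cbdefghijklnrtuvcbdefghijklnrtuv"

if __name__ == "__main__":
    presses = [KEY_A_PRESS_1, KEY_A_PRESS_2, KEY_B_PRESS_1]
    for public_id, group in link_by_public_id(presses).items():
        # the 32-character tail differs on every press; the 6-byte prefix never does
        print(public_id, modhex_decode(public_id).hex(), len(group), "press(es)")
```

Disabling the OTP slot, as the post describes, is what removes this prefix from ever being typed; U2F assertions carry no such key-wide constant.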
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @Palancar - indeed, it's true that the serial number is obviously identifying (in being unique) and subject to inadvertent disclosure. There is an argument to get two keys, one with only U2F because that's cheap and single-functioned. I think the Swiss-army features of the YubiKey are great, but also prone to over-complexity/side channels. The other aspect is whether or not to have it require a key-press when requesting HMAC. If using it for LUKS-with-YubiKey, that would be needed.

    Naturally, we have to worry about the many other unique identifiers floating around, quite apart from machine-id, MAC and NFC; pfSense also has one now (which you can disable). Another reason for strict compartmentalisation and opsec.
     