Excellent writeup, thank you so much for this - what an awesome resource! You are of course invited to contribute to flexsecure-applets/docs at master · DangerousThings/flexsecure-applets · GitHub via PRs as well if you want to - especially the FIDO2 doc there needs work as it has not yet been updated for the new open source applet.
A few small additional tips:
Cybernetic apps cannot be installed on Vivokey-branded chips and vice-versa, as the apps are limited / scoped via the product families.
You can also use the yubikey-manager CLI (ykman, see yubikey-manager) to program and interface with the HMAC-SHA1 applet by specifying “otp chalresp” mode and using the -r flag to specify an external reader, see flexsecure-applets/scripts/test/flexsecure-ykhmac.bats at master · DangerousThings/flexsecure-applets · GitHub.
I am working on improving this as it annoys me as well, and I still maintain the PCSC driver in KeePassXC. (See e.g. Hardware keys: Fix PCSC daemon recovery on Linux by StarGate01 · Pull Request #11082 · keepassxreboot/keepassxc · GitHub)
TOTP can be interfaced using the Yubikey manager CLI as well, by using the “oath accounts” verb (see flexsecure-applets/scripts/test/apex-totp.bats at master · DangerousThings/flexsecure-applets · GitHub).
FIDO2 actually needs additional configuration to be set up “properly”. This concerns the attestation certificate, which is how the chip proves its authenticity to other parties. On the Apex deployments, we use an attestation certificate signed by Vivokey, on your own deployments (i.e. on the flexSecure), you need to generate and sign a certificate by yourself. It does not matter that the certificate is self signed and not listed anywhere, but it does matter that the chip actually has one.
Documentation on that process is lacking and that's on me really. You can find the basic instructions at GitHub - DangerousThings/fido-attestation-loader: Tool to generate and load U2F and FIDO2 attestation certificates to vk-u2f, u2f-javacard, or Fidesmo. You have to run the “show” and “upload” verbs in the new FIDO2 mode (-m), which is called “fido21”; that one is able to interface with the open-source FIDO2.1 applet we currently distribute. The other “fido2” mode was used to interface the previously used closed-source Vivokey FIDO2.0 applet.
You can ignore all the Fidesmo and Metadata service instructions in that repo, that's really only for our large scale deployments. However, the installation parameter emitted by the “show” verb contains the private key of the attestation certificate. That parameter has to be specified at GlobalPlatform install time using the “--params” flag. After applet installation, the public certificate must be loaded to the chip using the “upload” verb. If everything was done properly, the applet can now perform direct attestation and the certificate metadata (defined in settings.ini) will show up at e.g. the Yubico demo website in the details view.
Nice small trick to mass deploy TOTP secrets from a (cold stored) KeePassXC database to a chip: TOTP Code Backup - #6 by StarGate01
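A software reference for the two applets the post drives through ykman (HMAC-SHA1 challenge-response via “otp chalresp” / “otp calculate”, and TOTP via “oath accounts”), added here as an example and not code from the post or from the flexsecure-applets project. Comparing these values with what the chip answers is a quick way to confirm that a secret was programmed correctly; the reader name, slot number and the exact ykman output format in check_chip() are assumptions.

```python
"""Reference HMAC-SHA1 challenge-response and TOTP values for checking
a programmed applet against ykman output (added example; ykman command
shape and reader name are assumptions, adjust to your installation)."""
import base64
import hashlib
import hmac
import struct
import subprocess
import time


def hmac_sha1_response(key: bytes, challenge: bytes) -> str:
    """Expected reply of a YubiKey-style HMAC-SHA1 slot, as lowercase hex."""
    return hmac.new(key, challenge, hashlib.sha1).hexdigest()


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (SHA-1) for a base32 secret, as the OATH applet computes it."""
    pad = "=" * (-len(secret_b32) % 8)             # tolerate unpadded base32
    key = base64.b32decode(secret_b32.upper() + pad)
    counter = struct.pack(">Q", unix_time // step)   # 8-byte big-endian T value
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_chip(key: bytes, challenge: bytes, reader: str, slot: int = 2) -> bool:
    """Ask the chip for a response over PC/SC and compare with the software value.
    Assumption: 'ykman -r <reader> otp calculate <slot> <hex challenge>' prints
    the response as hex; check your ykman version if the format differs."""
    out = subprocess.run(
        ["ykman", "-r", reader, "otp", "calculate", str(slot), challenge.hex()],
        capture_output=True, text=True, check=True,
    ).stdout.strip().lower()
    return hmac.compare_digest(out, hmac_sha1_response(key, challenge))


if __name__ == "__main__":
    # Constructed demo values (RFC 2202 / RFC 6238 test vectors), not real secrets.
    print(hmac_sha1_response(b"\x0b" * 20, b"Hi There"))
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", int(time.time())))
```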