Apex Flex FIDO Setup - Going Passwordless

Decomas · October 22, 2023, 5:24pm

Hello,

I’ve had the Apex Flex for a few months now and it’s neat. I’ve successfully setup a FIDO key for 2FA logins and could only get them to work with Facebook and Google, which is cool. I’m interested in going passwordless, is that only with FIDO2, if so, do you configure it the same way as I did with 2FA on these sites? I understand that FIDO2 is still in Beta on the flex, but I wanna start playing around.

Also, I saw that you can use your Vivokey to authenticate to log into the forum here within browser, but it flashes red when I scan my Apex. Does this not work with that specific implant and only on the old Spark Vivokey?

Thanks! This is my first post here and I look forward to all the awesomeness

Pilgrimsmaster · October 22, 2023, 6:02pm

So when you installed Fido you chose Fido2?

It sounds like you are all over this.
Im sure you read the following

Vivokey offers two FIDO Security deployment
options to enable your VivoKey Apex implant or
vearable as a FIDO2 or FIDO U2F authenticatior
token. Our FIDO2 app is still in BETA and should
not be used for anything but testing purposes
Installation of a FIDO app and the VivoKey
attestation certificate will take a considerable
amount of time.

But if you havent seen these, they might be of interest to you

First one has some good info
(Ignore the fact that it says FlexSecure, Its basically the same chip as the ApexFlex, but untethered.)

https://forum.dangerousthings.com/t/applets-universal-two-factor-authentication-using-fido/15952

And especially this one as you seem interested in testing and capable of doing so

Mine is setup for my Spark, I have not tried with my Apex

There is some development/revamp in the Spark area, I dont have the full details, but I BELIEVE The Sparks will benefit from the Apex and be more functional, but it will be limited, as there are limitations with the Spark chip itself, but I GUESS the Apex will get some backward compatibility also.

Of course, I could just be talking through a hole in my arse, so basically, if you cant get it to work just now, I would suggest you wait and see what comes of tge Spark revamp…

Decomas · October 22, 2023, 6:17pm

Thanks for the response. That link you dropped says it doesn’t exist when I click on it.
https://forum.dangerousthings.com/t/applets-universal-two-factor-authentication-using-fido/15952

Yeah, I’m running FIDO not FIDO2, cuz I shied away from the beta, but maybe I should experiment with it some.

Do you know what’s the difference between the Apex and FlexSecure? What do you mean by untethered?

amal · October 22, 2023, 6:38pm

Works for me? Try again?

When it comes to Fido and passwordless authentication, it can get a little confusing.

First there was U2F or universal two factor. It allowed a security token to be used along with a password to authenticate.

Next came fido2 which enabled passwordless authentication, but can also support U2F fall back if that feature is implemented in the security key. Our application for Apex supports fallback.

Many sites that have implemented Fido still only support U2F for two factor. Some supported fido2 properly, but only very few.

Then came passkeys, and the implementation of them has started a race to completely own your identity by the big tech firms. What was designed to give you autonomous security is being corraled. Besides a confusing change of terms (fido2 vs passkeys) and complicated support for security keys vs phone based passkey authentication, there is evidence that companies that want your passkey stored on their platform are actually purposely making it much more difficult to use a traditional security key for fido2.

Case in point, if you want to register a security key for your Google account, it is now hidden under other options. Passkey is now being heavily promoted over token solutions.

Pilgrimsmaster · October 22, 2023, 6:40pm

Apologies, Thats my bad.

Only visible to the Admins and the author

Its a locked thread, as it may be a work in progress.

It might still be getting worked on, and I’m sure will be made public when it is completed, as a lot of work has gone into it

move-along-nothing-to-see-here (1)

amal · October 22, 2023, 6:48pm

Oh yeah I think the content is actually moved to the GitHub repo instead. Seems appropriate the documentation stay with the code.

Pilgrimsmaster · October 22, 2023, 6:55pm

Here you go

github.com

DangerousThings/flexsecure-applets/blob/master/docs/applets/6-fido2.md

# Universal Two-Factor Authentication using FIDO2

**FIDO2 CTAP2** (Client to Authenticator Protocol) is an extension and improvement over FIDO U2F.

The FIDO2 applet is still in development, and not completely finished. For example, Windows Hello is not supported yet. Stay tuned. It is also not officially certified.

You can however already test the FIDO2 applet via the Vivokey Apex on Fidesmo.

Supported features (if installed via Fidesmo):
 - Normal, chained and extended APDU support
 - Server and resident credentials
 - Credential types:
   - ECDSA P-256 + SHA-256 (ES2569)
   - RSASSA-PKCS1-v1_5 2048 + SHA-256 (RS256)
   - RSASSA-PSS 2048 + SHA-256 (PS256)
 - HMAC secret extension
 - Basic direct attestation using a fleet certificate
   - Signed by the VivoKey certificate authority
 - User verification types:
   - Client PIN protocol version 1

This file has been truncated. show original

StarGate01 · October 24, 2023, 12:31pm

The FIDO2 applets includes all the old U2F functionality and supersedes the U2F applet. It is backwards-compatible to services using the U2F standard. I recommend going with the FIDO2 applet, this gives you the maximum compatibility.

Decomas · October 25, 2023, 11:40pm

Awesome! I went ahead and upgraded to FIDO2, but I was out of room so I had to delete a few things. When I did I noticed there wasn’t an option to reinstall the BIP32 Wallet. I don’t use it, but it’s just strange that it’s no longer an option. Any ideas what might be going on? It’s not a big deal, I’m more curious.

Thanks for your input with FIDO2!

amal · October 26, 2023, 1:52am

Fidesmo is adjusting a lot of the recipes for applet deployment so I’ll resubmit to ensure it’s an option again soon.

amal · October 26, 2023, 10:01pm

It appears that Fidesmo is going through some unexpected issues with their platform which is blocking deployment of some applets. They have been made aware and they are working on it.

Pilgrimsmaster · October 27, 2023, 12:55am

Is manual deployment still possible?
Using the codes you posted (quoted below)

Fidesmo app bug for Apex on iOS / iPhone

Services

Here is a list of app IDs and service IDs for each;

30c2ea30 - VivoKey SmartPGP

install - installs the applet

destroy - removes the applet (ALONG WITH KEYS!)

e819c674 - VivoKey Tesla Keycard

install - installs the applet

destroy - removes the applet (ALONG WITH CAR REGISTRATION!)

cc68e88c - VivoKey FIDO (U2F/FIDO2)

install_u2f - installs the U2F applet

install_fido2 - installs the BETA of the FIDO2 applet

destroy - removes the fido applet (removes applet ALONG WITH KEYS!)

61b4b03d - VivoKey NDEF Container

ndef1k - installs the 1kB size container

ndef2k - installs the 2kB size container

ndef4k - installs the 4kB size container

ndef8k - installs the 8kB size container

ndef16k - installs the 16kB size container

destroy - removes the applet (and data!)

61fc54d5 - VivoKey OTP Authenticator

install - installs the applet

destroy - removes the applet (AND KEYS!)

2f2e363b - VivoKey HMAC-SHA1

install - install the applet

destroy - removes the applet (AND KEY!)

Xandie · November 9, 2023, 5:14pm

So I started playing with my implant since the swelling went down and it’s not hurting. I was testing out the applets installs again and still can’t install fido2…it at least tries now but still failes saying not enough space even when nothing is installed. Since on iPhone and don’t have apex manager app yet I started playing with the yubikey Authenticator which works great for otp codes. Any other substitute apps that I can play with for now? I also have a flipper can that be used to write to these in anyway?

amal · November 9, 2023, 5:17pm

I’ll test on my shiny new used iPhone SE purchase and contact Fidesmo with log data

Xandie · November 9, 2023, 5:30pm

I have the log data from mine if that will help too. Copied it so I could look at it as I’m the curious type lol

amal · November 9, 2023, 6:02pm

Cool could you post it? It should contain nothing of concern with regard to privacy. If you’d rather though, you can DM me with it.

Pilgrimsmaster · November 11, 2023, 5:55pm

those super long posts are not fun to scroll past; im going to collapse them for you using this

amal · November 11, 2023, 6:12pm

Actually I’ve asked them to just post the data as a text file upload.

Xandie · November 12, 2023, 1:42am

I deleted the posts and sent the text file. Sorry bout that guys wasn’t thinking earlier

b42 · November 20, 2023, 9:36pm

How many FIDO2 residential keys can Apex Flex hold? Is the number different for FlexSecure? Can the RKs just fill the available storage or is there some kind of per-applet allocation going on?

With the push towards passkeys these implants are looking more and more interesting to me.

Some context: Firstyear's blog-a-log