Apex Flex won't work as U2F device

I added the U2F applet to my Apex Flex, went to the Yubico demo website to test it out, installed the Yubico Authenticator on my mobile, logged in and pressed the ‘Add Application’ button under ‘Authenticator Application’, the website gave me the QR, I scanned it with my phone. When I touched the ‘Save’ button and put my implant against the back of my phone it vibrated, which means it was detected, but it did nothing. I did this a few times to make sure I’m doing it right, but nothing. When I went back to the main screen of the authenticator it gave the error message:
“Application not supported”
Anyhow it detects my implant as a YubiKey NEO.

What am I doing wrong, what causes this?

Have you tried using the Vivokey Authenticator instead of the Yubikey Authenticator? As far as I know they are not necessarily compatible with each other as Yubikeys use different IDs of some sort (application IDs? not sure.)

Yubico Authenticator support is not a development priority currently, it might work for some features but is broken for others. Anyway the U2F applet is standard conforming, but does not implement proprietary Yubico functionality. You should be able to use it with any services which would require a FIDO device.

The U2F app works with GitHub, at least. Most of the Yubico stuff seems to require touch.

1 Like

This has been my experience also, but some websites use U2F and some use FIDO, so you need both installed for it to work almost everywhere.

To be clear, U2F is a FIDO protocol, and FIDO2 is a new set of FIDO protocols that supersedes U2F. You cannot have both U2F and FIDO2 installed at the same time, because they are mutually exclusive. They both use the same AID when selecting the application on chip, so you simply cannot have both installed at the same time.

When it comes to OTP, we must understand that “OTP” is a heavily abused term that means different things in different contexts. In general it means One Time Password, but when we say OTP we typically mean TOTP.

OATH-TOTP / OATH-HOTP

OATH-TOTP = Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) that uses the current time as a source of uniqueness. As an extension of the HMAC-based one-time password algorithm (HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.

OATH-HOTP = HMAC-based one-time password (HOTP) is a one-time password (OTP) algorithm based on HMAC adopted as Internet Engineering Task Force (IETF) standard RFC 4226.

The key generates a 6 or 8 character OTP (or one-time password) for logging into any service that supports either TOTP or HOTP.

The difference between TOTP and HOTP is the former is time based, meaning a new password is generated at a set time interval, typically every 30 seconds. The latter is counter based, meaning a new one-time password is generated for each event.

YubiKeys

Yubico is a slightly different beast. Yubico has different USB interfaces, and each one of them supports one or multiple modes/protocols.

  1. FIDO: This interface only supports the U2F or FIDO2 protocol.
  2. OTP: This interface has 2 slots (short-press and long-press). Each one of them can be configured and used as: OATH-HOTP, Yubico OTP, Challenge-Response or Static password. By default, Yubico OTP is preconfigured in the first slot.
  3. CCID: This is the interface allowing the key to act as a Smart Card. It supports up to 32 OATH-TOTP/OATH-HOTP codes, PIV and OpenPGP.

Yubico OTP

This is a proprietary protocol created by YubiKey. As part of the process of manufacturing every YubiKey, a Yubico OTP credential is programmed into slot 1, and its information is also transferred to YubiCloud. Yubico OTP generates a long rotating password which is only possible to validate online using YubiCloud (Yubico’s validation service), or by implementing a locally hosted validation server via YubicoLabs. This is the weird string you will get if you touch your YubiKey when focused on a text input.

VivoKey HMAC-SHA1

The Yubico OTP password output is based on HMAC key hashing RFC 2104. The VivoKey HMAC-SHA1 applet supports this type of key hash output, and has two separate key slots available. However, the HMAC-SHA1 applet is not necessarily directly compatible with Yubico OTP.

If you want to test U2F with Yubico’s demo site, you need to use the following demo site which supports U2F:

https://demo.yubico.com/webauthn-technical/registration

Thanks for making sure of this. I guess then next month I’ll buy an NFC reader that I can connect to my laptop.

Ah yes!

Apologies for muddying the water, I have the FIDO applet installed and it seems to be working well with sites such as Github.

The FIDO2 applet will eventually include a U2F fallback mode which will deprecate the standalone U2F applet.

2 Likes