Apex Manager Update out!

I like the idea of providing applet update versions. We build and test all applets using CI anyway.


You mean for Fido creds?


Yes sir

I’m gonna say something that’s never been said on this site before…



For real though, we def have plans for this in the not too distant future.



Added configuration support for the HMAC SHA-1 applet

Thank you! And thanks for preserving this (and other functionality) for working with non-DT devices, such as the P71 test cards I use.

I was actually going to suggest that DT intern/implement their own HMAC-SHA1 configuration, since before this the only option that worked with both Apex and naked P71 chips was the 7-year-old yktool from a developer’s personal projects.

I started a guide for configuring and testing an Apex and FlexSecure/P71 to make use of all of the Yubikey style apps (fido, otp, and hmac). I’ll update it with the new capabilities of the Apex Manager and throw it up in the next week or so.

Super cool to see how all of this has progressed over the past couple of years. Updates to the Apex Manager, new applets, the KeePassXC PR, working LUKS setups, the plans for an Apex/DT cloud, etc. All of that is making the Apex become the security device I had hoped for when I first heard about RFID implants a decade ago.

As the barriers to using the chip for really useful things get lower, I think more and more people will want it. Now if only there was a mag-style automatic door handle that worked with it…

I do have a mild concern about some of the applets and companion applications being closed source. Totally understand the (I presume) business and branding reasons for it, but given just how high the potential stakes are for what an Apex can secure, knowing that all of the code behind it is open to being examined for vulnerabilities may be an important factor in the future. For now, having the source code available for most of the applets is enough, and I hope that trend continues.


Can’t wait to pore over your guide once you release it!


can this be built into the build process to basically output a file online like a public repo or something that the app can just query without us needing to host it on a deployment server?

WARNING: The question above was generated by an extremely confused and uninformed semi-conscious engram construct.


Yes, we will figure something out.


Will it… be figured out… Soon™ ?


We use Duo at work, and I was able to add my Apex to the web apps that use it, but I can only add a yubi key for “offline” windows logins. If I generate an HMAC, would I be able to add the Apex as an offline key? Has anyone had success using DUO and an APEX (other than web apps)? That works fine and amazes coworkers when I use it to log into the timesheet or hr sites!

I believe there are settings in your IdP (Duo and Entra ID from Microsoft) that basically let you control which types of security tokens are able to be used. They rely on the attestation cert of the security key. I believe you load the AAGUID to the list. The Fido app we use does have a cert loaded but it’s not “certified” by Fido.


Gotcha! Thanks!

See also: Duo Administration - Use YubiKeys with Duo | Duo Security. FIDO2 is supported by the Apex, the custom Yubico OTP API service is not.