Apex questions

I’ve been playing around with (and loving!) my apex for a few days now, and while almost everything is working amazingly, I have found a few oddities, so I figured I’d post them here and see if anyone else had run into them.

First up, Fidesmo no longer gives me options to remove/modify the NFC Share applet, which I seem to remember being able to do…


I think I may still be on the original applet before this one came out, not sure if that’s relevant:


Secondly, when trying to set it up as a passkey for the forum, it lets me scan it and seems to go well, but always returns this error:

Neither really matters to be honest, I don’t really have need to change the NFC Share applet, nor do I log into the forum all that terribly often, I just thought it was kind of weird/interesting

Thanks!

2 Likes

Thanks for the report, which app version of the Fidesmo app are you using? The current beta has a bug which causes the NDEF service buttons to disappear. Fidesmo is already informed and working on a fix.

3 Likes

It says v2.13.1

I don’t believe I’m on a beta

Good to know it isn’t just me though, thanks!

Hm. The latest release shown to me is v2.12.1.

Try to join the app beta via the Google Play store, update the app, then leave the beta and reinstall the app again. Make sure you are on 2.12.1, that version is known to behave well still.

Strange issue, this is the second instance where the Fidesmo app was updated to a beta version without user intention @amal .

2 Likes

NFC sharing app removal issue is on Fidesmo’s app. We have a ticket open for it.

2 Likes

Hmm, nope, still v2.13.1, regardless of whether I’m in the beta

I’ll mess around with it a bit, see if I can step down somehow

If you have a USB reader you can use the fdsm utility to remove the NFC sharing app.

You’d run something like;

fdsm --run 61b4b03d/destroy

2 Likes

The NFC Share management options are back in the Fidesmo app for me already, thanks everyone!


Does anyone here use their Apex as a passkey for the forum?

I can set mine up as a 2FA security key, but it doesn’t seem to work as a passkey here

I can use my android’s built-in passkey, just not the Apex

2 Likes

Yep

That’s all the answer you are getting, because that’s all you asked.

2 Likes






2 Likes

A most excellent answer, and pretty much exactly what I was looking for as a start :classic_tongue:

It does work with that method, and maybe I should play with it more, but I was hoping specifically to play with the passkey option:



I was hoping to play with the “login with passkey” option:



But I’m still learning what this whole security key thing is, so I’m not entirely sure what the different protocols are, and which of them the Apex even supports…

2 Likes





2 Likes

Password and Apex?

I suppose the questions I’m slowly heading towards are: What’s the difference between a security key and a passkey as it relates to Discourse, and does the Apex support whatever protocol Discourse wants for passkeys?

I’m not really trying to make my forum account more secure-ified, I’m really just looking for excuses to learn about and play with the Apex more :classic_tongue:

It’s U2F support not fido2/passkey

2 Likes

Is close to what I thought you were going to ask…
Here was my prediction I was typing as you were

Yes, that would be nice to be able to log in there

Here’s my answer, to the best of my knowledge, but I stand to be corrected by others more knowledgeable

Apex and FlexSecure store the authentication keys on the implant, and are used in conjunction with a password or biometric etc.

Passkeys can be stored on your phone or the cloud, and can be used standalone with no password required.
I don’t know why they can’t be stored on an implant (or maybe they can?)

1 Like

Prediction

Pilgrim, you are wrong and an idiot

1 Like

It sounds to me like the Apex supports the on-chip keys from what I’ve read around the forum. Example:

But, then I don’t know what the forum’s looking for as a PassKey that the Apex wouldn’t do, or why the Security Keys are different

I assume is about the Security Key portion?

Funny, I was thinking the same thing but with my username :classic_tongue:

1 Like

There is confusion because they are making it confusing.

Fido was originally a two-factor technology, which is why the first Fido protocol is called u2f… stands for universal 2-factor.

Fido2 came out and it was designed as a passwordless login technology. However, there are many extensions which some relying parties may or may not require. For example the use of a PIN code or user presence of some sort or hmac support… all of these are extensions and they are basically optional. Another optional extension is u2f fallback. This allows old relying parties to use new security keys with fido2 in a u2f capacity.

Because that is a big mess, the mobile phone industry, namely Google and Apple who want to own every aspect of your identity and security, basically carved out a term for themselves called the passkey and worked with the Fido alliance to effectively write a standard after the fact that lets them do this thing.

A passkey is nothing more than a fido2 resident key. That means a special key for a particular relying party is created and stored on the token. That token can be an Apex chip, a yubikey, my mobile phone, your laptop (with proper OS support) etc…

In order to use your Apex as a passwordless authentication token, the relying party needs to support fido2/passkeys, and not restrict the types of passkey devices it allows (yes a relying party can say it specifically does not want a USB security key or an NFC device as a security key). This usually isn’t a problem though. In addition to this, the entire connectivity chain from browser to operating system to hardware drivers also needs to basically be on the same page so that your operating system, when challenged for a Fido authentication, will present a contactless option or at least facilitate a contactless interaction.

So to clarify… u2f is designed as a two factor technology and has no pin code extension or standardized capacity to secure the u2f token. This is why you have to enter a username and password in addition to presenting your u2f token.

Fido2 / passkey passwordless authentication is designed to completely replace both the username and password, although the username is sometimes used to identify accounts. This is why relying parties require some sort of additional user authentication in addition to just having the token. This is typically done using a pin code which is set for the token itself not the relying party. It would be a catastrophe if someone was able to just steal your token and gain access to everything… so a pin code system is the most common method of ensuring the owner is the one wielding the token.

You can use a fido2 token for passwordless authentication without storing a resident key on the token. The public key is used and a challenge response saved by the relying party is checked during authentication. This allows an infinite number of websites to use the same security key without any storage impact on the token… but this is a non-resident key and it is not a passkey.

A passkey, or in fido2 parlance a resident key, is designed so that the relying party gets a unique key and doesn’t have to store anything because the token is storing the unique user data.

The advantage to a passkey of course is that this can be stored on a phone and synchronized with cloud services and used across multiple phones if you have multiple devices… in fact they just recently created an import-export portability standard for the private keys, although the standard is filled with Swiss cheese holes because again they are creating a standard behind the work already done by Google and Apple to allow this on their platforms. The one advantage for a token like Apex is that you get to see a list of relying parties because you can manage the stored keys (with proper software which is rare and typically not user friendly, but we’re working on something). The downside of course is that you will run out of space because each key takes up memory.

On the Apex, each key takes around 330 bytes give or take depending on memory segmentation. As you can imagine this allows for a good number of keys to be stored even on a chip like the Apex.

4 Likes
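
Added example, not part of any post in this thread: a sketch of how a relying party's WebAuthn registration options separate the "security key" (non-resident, second factor) case from the "passkey" (resident key plus user verification) case described above, and how an attachment restriction can exclude an NFC token. The option field names come from the WebAuthn specification; `forum.example`, the token profiles and the `tokenAccepted` helper are hypothetical and only model the checks a browser and token perform. Nothing here reflects the forum's actual settings.

```javascript
// Build WebAuthn creation options for the two registration modes in the thread.
function registrationOptions(mode, challenge, attachment) {
  const base = {
    rp: { id: "forum.example", name: "Example forum" },        // constructed values
    user: { id: new Uint8Array([1, 2, 3, 4]), name: "demo", displayName: "demo" },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],       // -7 = ES256
  };
  // Second factor: non-resident key, the site keeps the credential ID itself.
  // Passkey: resident (discoverable) key on the token, PIN/biometric required.
  const selection = mode === "second-factor"
    ? { residentKey: "discouraged", userVerification: "discouraged" }
    : { residentKey: "required", userVerification: "required" };
  // Optional restriction on device type: "platform" or "cross-platform".
  if (attachment) selection.authenticatorAttachment = attachment;
  return { ...base, authenticatorSelection: selection };
}

// Hypothetical helper: list the reasons a given token cannot satisfy the options.
function tokenAccepted(options, token) {
  const sel = options.authenticatorSelection || {};
  const reasons = [];
  if (sel.authenticatorAttachment && sel.authenticatorAttachment !== token.attachment)
    reasons.push("relying party restricts authenticators to " + sel.authenticatorAttachment);
  if (sel.residentKey === "required" && !token.residentKeys)
    reasons.push("token cannot store resident keys");
  if (sel.residentKey === "required" && token.residentKeys && token.freeSlots === 0)
    reasons.push("resident key storage on the token is full");
  if (sel.userVerification === "required" && !token.supportsPin)
    reasons.push("token has no PIN for user verification");
  return { ok: reasons.length === 0, reasons };
}

// Constructed token profiles for illustration, not measured from real hardware.
const nfcFido2Token = { attachment: "cross-platform", residentKeys: true, freeSlots: 10, supportsPin: true };
const u2fOnlyToken = { attachment: "cross-platform", residentKeys: false, freeSlots: 0, supportsPin: false };

const challenge = new Uint8Array(32); // a real site would send random bytes
console.log(tokenAccepted(registrationOptions("second-factor", challenge), u2fOnlyToken));
console.log(tokenAccepted(registrationOptions("passkey", challenge), u2fOnlyToken));
console.log(tokenAccepted(registrationOptions("passkey", challenge, "platform"), nfcFido2Token));
```
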

This is what happens when you use the Apex as a “Security Key” on the forum?

So when trying to use the Apex as a “passkey” on discourse, the problem might be that discourse just doesn’t support that particular passkey type?

2 Likes

Yeah

2 Likes