Apex u2f and mac

Hello. I have an acr122u connected to my mac. Can I use it to log in to websites with the u2f applet on my apex? It works fine on my phone.

Hey, this functionality is not currently possible on MacOS. This includes use of traditional security keys like the Yubikey 5C NFC via an NFC interface on mac.

According to About Security Keys for Apple ID - Apple Support, “Near-field communication (NFC) keys work only with iPhone.” This at least I can confirm, the FIDO2 applet works great with iPhone.

Support for NFC FIDO in Browsers which use the specified API (usually at least Chrome, Firefox and Edge) is currently only available on (as far as I have tested):

  • Windows (via Microsoft API, U2F and FIDO2)
  • Linux (via CTAP-bridge, FIDO2 only)
  • Android (via Google Play Services, U2F only)
  • Android (via microG GmsCore, U2F and FIDO2)
  • iPhone (via Apple API, FIDO2 only(?))

I suppose you could port the CTAP-Bridge to MacOS, however the MacOS Kernel is missing the USB Gadget module to easily emulate USB devices, so I guess we would have to hope for Apple to add PC/SC support to their FIDO stack on MacOS, similar to how Microsoft provides for Windows.

I am also toying with the idea of building a custom NFC USB reader, which can present as a USB FIDO device to the PC as well. However, that is not more than an idea currently. Edit: It might be as easy as deploying e.g. a Raspberry Pi with a PC/SC reader attached, and using CTAP-bridge to proxy NFCCTAP to CTAPUSB via a USB OTG driver.

2 Likes
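An added example, not part of the thread and not CTAP-bridge's own code: the framing step a USB-to-NFC proxy like the one described above has to perform, reassembling CTAPHID packets from the host and wrapping the CTAP2 message in an NFCCTAP_MSG APDU for the PC/SC reader. The function names and the sample packet are constructed for illustration; the AID, command bytes and packet layout are taken from the FIDO CTAP specification.

```python
import struct

FIDO_AID = bytes.fromhex("A0000006472F0001")  # FIDO applet AID on NFC
CTAPHID_CBOR = 0x10                            # CTAPHID command carrying a CTAP2 message
HID_PACKET = 64                                # fixed CTAPHID report size

def select_fido_apdu() -> bytes:
    """ISO 7816-4 SELECT by AID; the applet answers U2F_V2 or FIDO_2_0."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(FIDO_AID)]) + FIDO_AID + b"\x00"

def reassemble_ctaphid(packets):
    """Join an initialization packet and its continuations into (cid, cmd, payload)."""
    first = packets[0]
    if len(first) != HID_PACKET or not first[4] & 0x80:
        raise ValueError("first packet is not a CTAPHID initialization packet")
    cid, cmd = first[:4], first[4] & 0x7F
    (bcnt,) = struct.unpack(">H", first[5:7])
    payload = bytearray(first[7:])
    for seq, pkt in enumerate(packets[1:]):
        if len(pkt) != HID_PACKET or pkt[:4] != cid or pkt[4] != seq:
            raise ValueError("bad channel or sequence in continuation packet")
        payload += pkt[5:]
    if len(payload) < bcnt:
        raise ValueError("message truncated")
    return cid, cmd, bytes(payload[:bcnt])  # drop HID padding

def nfcctap_msg_apdu(ctap2_message: bytes) -> bytes:
    """Wrap a CTAP2 message in NFCCTAP_MSG (CLA 80, INS 10), short or extended length."""
    header = bytes([0x80, 0x10, 0x00, 0x00])
    n = len(ctap2_message)
    if not 0 < n <= 0xFFFF:
        raise ValueError("message length out of range")
    if n <= 255:
        return header + bytes([n]) + ctap2_message + b"\x00"
    return header + b"\x00" + struct.pack(">H", n) + ctap2_message + b"\x00\x00"

def usb_to_nfc(packets) -> bytes:
    """Translate one host-side CTAPHID_CBOR request into the APDU sent to the card."""
    _cid, cmd, payload = reassemble_ctaphid(packets)
    if cmd != CTAPHID_CBOR:
        raise ValueError("only CTAPHID_CBOR is handled in this example")
    return nfcctap_msg_apdu(payload)

# Constructed sample: authenticatorGetInfo (0x04) on channel 00000001.
GETINFO_PACKET = bytes.fromhex("00000001" "90" "0001" "04").ljust(HID_PACKET, b"\x00")
if __name__ == "__main__":
    print(select_fido_apdu().hex(), usb_to_nfc([GETINFO_PACKET]).hex())
```
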

This is epic f*ckery, pardon my French.
Previously I used my mac with a reader just for pgp. I got a new acs 1252 mk3 today, since my old one got um lost or should I say stolen.
Decided to finally play with the fido2 applet, the reader and the mac. So I am unhappy to report that the functionality is still missing from the mac os. I assume apple will write the code when they stick nfc readers in their macs, but I do not see this coming because of the aluminum unibody. On the other hand I have some spare raspberries. Might explore this rabbit hole if I feel adventurous.

P.S. there is a PC/SC driver for the acs 1252 mk3 for mac os, provided by the manufacturer

1 Like

I posted how I use some apps to do automated tasks with my Mac but not login.

3 Likes

I have actually built a prototype hardware FIDO CTAP to CCID proxy at FIDO2 Hardware: Part 1 – Transport Protocol Translation – CHRZ Engineering and FIDO2 Hardware: Part 2 – USB Host Circuit Boards – CHRZ Engineering. If someone wants to build this, I recommend the orange pi zero 2w instead, which has two native USB interfaces.

3 Likes

That’s a slick hat sir

2 Likes

Ehhhh kinda. It’s really bad support, but if you have the acr1252 connected and use Safari specifically, it should support contactless passkey / fido2 security key functions in Safari only. Firefox and Chrome etc. still do not support it though on macOS.

2 Likes

What I can report so far is, no matter what I do (after half a day pulling my facial hairs) - install ACS CCID PC/SC Driver, or install pcsc-lite from homebrew - safari and any other browser do not allow an external reader to be used for fido2/u2f.
My mac os version is 14.5 (23F79), safari version is 17.5 (19618.2.12.11.6)
Yet another perfect example how good mac os is for the general use case, but in case you need something more spicy you’re completely toasted.

1 Like

Pcsc-lite maaaay be messing with things… maybe.

Can you post screenshots of this? What do you mean exactly?

What I do is nothing out of the ordinary.
Logging in to gmail, when we reach the two step verification, I am choosing security key. Afterwards if I tap my apex nothing really is happening. If I insert my yubikey it works. Behaviour is exactly the same despite installing or uninstalling the pcsc-lite or acsccid. As StarGate01 mentioned, CTAP-Bridge can be made to run on mac, after all it’s python + a few shell scripts. The issue there is the mac os kernel itself. Anyways. Next step would be to try his project and find an orange pi. (like I have a few but they are big boards left over from a k3s project, and I prefer something smaller).
Sometimes I also wonder why I do not reinstall this mac with linux and just F it. For most of the cases mac os is great, but it can also push you to deepest despair, even more depressing than windows.

2 Likes

I think @BryanJacobs did a good amount of research into implementing a software bridge on MacOS. My bridge only runs on Linux, due to the mentioned kernel support requirements.

The hardware bridge is also a bit wonky. If it works it works, but I have stopped working on it as the most recent MacOS versions have native PCSC support, I think @amal actually had it working at some point.

2 Likes

If you have some code in mind, please share. I would be more than happy to compile it and give it a spin.
Edit: found it GitHub - BryanJacobs/FIDOk: Kotlin/Multiplatform FIDO Platform implementation suitable for use in many contexts

1 Like

Do you think your bridge will work with the Virtual Smart Card Driver? I got it set up on my work machine and was able to connect to it with the companion Android app. Hoping I can use that and your bridge to enable FIDO2 logins on my Linux box at work.

Yes, that will work, I use that exact constellation for debugging. The vsmartcard IFD handler presents just like any other PC/SC reader to the system.

1 Like