Best Implant for Recovery Code Storage?

I apologize in advance if formatting is off, I’m typing this on my phone.

I’ve been looking into getting an implant to store my TOTP secret keys and account backup codes so I always have them on me. It would really only be used as ‘warm storage’. I may need to write data to it every now and then.

I also want to be able to set a pin or password on it. I’d prefer having it so that no data is sent without the correct pin, but I’d be okay with just having an encrypted file that gets transferred and decrypted on my phone. I’d feel more secure with the first option though as I feel like I wouldn’t need to create and remember a super long password for it.

I only have an iPhone right now so I’d need to be able to decrypt it off there.

I would only be storing:

• Around 10 TOTP secret keys.

• Master passwords to password managers

• And recovery codes for my accounts.

I don’t know how much space it would take in total but I can’t imagine it being over 2500 characters long.

I’m not sure which implant would be best:

xDF2 - This one seems like the best option for me as it has the largest storage size, but from looking through the forums it seems like the process of encrypting, storing, and decrypting the data after is a pain. It also doesn’t seem to support unlocking with a pin.

xNT - I thought of buying this one and just using it to store the password to an encrypted KeePassXC vault that holds my backups, but I saw the note saying the password protection isn’t very secure.

I’d only get the xNT if I can lock it so that there’s no data transfer without the correct pin. Having to memorize a long password would defeat the purpose for me as at that point I could just memorize the password to the KeePass vault

I also just feel more comfortable having all of my codes implanted as I’d literally never be able to lose them.

VivoKey Apex Flex - This one is out of my price range and it’s overkill for what I’m trying to do.

I probably won’t be able to get one soon (next 1-2 months maybe) so I’d be happy to hear about any that may be coming out in the near future.

Also, I noticed there’s flexible implants along with stiff implants. Is one type more durable than the other?

Sorry for the long post, I realize I’m kind of asking to be spoon fed here I’m just completely new to this and really don’t want to mess it up.

Thank you in advance, any advice or info is appreciated.

EDIT: I’m thinking about buying an android phone in the future, if that opens up any possibilities.

EDIT2: Also wondering what the average lifespan of the implants are. Are there any steps I would need to take if I want them to last 5+ years?

Hey Buddy, Quite a lot to unpack there, But I think most of it should be easy to answer

In fact, I think I can answer it pretty easily. with only 1 implant (2 options)

I actually think this is your best option, and not overkill

I think you could get SOME things to work with other options, but if you want it all to work, just save up the money.
Do it once and do it properly

( the only alternative that would do everything you want is the FlexSecure, effectively the same, but it is not built around Fidesmo, and there are pros and cons to that )

Easy,I have around that, if not more on my ApexFlex

I use KeePass in conjunction with my ApexFlex

You could easily do that in the NDEF records ( upto 16kb i think ) and you could encrypt / decrypt this using 3rd party PGP

Here’s some explanation

No problem whatsoever

VivoKey Apex Flex and FlexSecure can do this

So we generally refer to the glass capsules as xSeries, they come preloaded in a syringe.
They are similar to, but safer than a pet implant chip
heres more info

The Flex come in a range of shapes and sizes, but, the term flex actually refers to the encapsulation material, the implants are not particularly flexible, more like semi rigid.
They “narrow” flex normally comes with a custom needle, or can be bought seperately, whereas the “Disc Flex” would require a scalpel for the install

The VivoKey Apex Flex and FlexSecure I am recommending are the “narrow flex” type, but there is also a ApexMega (“Disc”) with extended range, and the Apex Spectrum “Disc” with LEDs and I believe slightly reduced range to the Mega ( This one MAY become available again shortly)
Heres some more info on the Flex

Understandable, we are here to help, but also the forum search function works very well.
also some of the Primers, Info and Wikis may be of help to you.

Heres a good “all rounder” to get you started

I hope what I have given is of use to you, remember, it is mostly just my opinion, so continue to do your due dilligence, and ask questions if you get stuck

Let me add a few more basic details about the different implant types.

Since the glass x-series chips are installed with an injection needle, you may have an easier time getting help installing them if the laws in your area only allow doctors to use scalpels. You also probably won’t need to deal with stitches and the like because of this. However, it may take more effort and practice to get a read on the x-series implants because most readers you encounter out in the wild aren’t designed to pair with cylindrical antennas. (Thankfully, I think they all come with a keychain-like LED indicator that you can practice with.)

The flex series, from what I hear, are easier to use with readers because they have flat antennas, more like what’s used in cards and fobs.

Xnt can have a pin set and the prot bits changed to one to prevent unauthorised read. Regurgitating Amals’s nfc shell example

1B h1 h2 h3 h4
A2 E3 04 00 00 04
A2 E4 80 05 00 00

It’s a manual process rather than automated like the Apex

Unfortunately the xNT only has 888 bytes of user storage too, so it falls shy of what it sounds like he needs

An xDF2 should have the size, but I don’t know if they lock like the ntags

Those are very different when it comes to that. I think that it can still be done but not easily.

Hey, thanks for giving such a detailed answer!

After doing some digging I think you’re right. The Apex Flex does seem to be the best option.

I thought it’s ability to be used as a security key was overkill as I was only looking for storage and since I already have two YubiKeys, but it would be worth it to have an implanted key as well.

This could also work, I would be fine with just creating a KeePass database on a USB stick and storing the password on the xNT.

For the xNT:
This one seems promising, my only concern is security. According to this post it isn’t secure but I don’t completely understand why. Is it a password length issue or is the method of authentication just easy to crack?

If want my data to be safe from someone with 5-10 min of uninterrupted access to the implant, would this be enough? And does it have a limit for incorrect password attempts?

I would tag the author of the post I linked but I’m not sure if that’s breaking any rules.

For the Apex Flex
The only thing making me hesitate on the it now is the price for two reasons:

• If it breaks or stops working, I’m out $350 depending on what happened.

• I’d want to have a couple of them implanted in different areas as backups. I could have 5 xNT implanted for the same price as one Apex. With this I’d feel comfortable enough to store my backup info exclusively on the implants and nowhere else.

From the links you provided I see they’re pretty durable but I don’t want to have a single point of failure in the worst case scenario.

I read in another post that both the Apex Flex and FlexSecure can be permanently bricked if an incorrect password is input too many times. Im having trouble understanding all the terms so please let me know if this is wrong, but from what I understand:

The password they’re referring to is the password that’s used to access the entire chip, and is NOT used to actually interface with FIDO2, OTP, or other applets. It’s strictly for managing and installing them.

Assuming I got it right I have a few questions:

• Can I set a unique pin for each app? So that for FIDO2 logins it’ll ask for my pin on websites that support it and so OTP codes won’t be revealed without it.

• If someone somehow figured out the password, would it be enough for them to view what’s inside the applets? Basically just bypassing the pins set for each app and just extracting the TOTP secret keys for example.

Thanks again for taking the time to answer my questions.

I’m don’t know the laws on implants in my country but I’m in the EU so I could just go to another country to do it if it comes to that . Not sure if doing that would get me in trouble in my home country though.

Yeah the xDF2 would be perfect. I just can’t find any info on if it supports read protection. Do you know what kind of work it would involve assuming it is possible? I’m completely new to this but I’d be down to order some regular desfire v2 tags and experiment.

Not in the EU or anywhere near it, but I’m pretty sure the only thing you have to worry about regarding laws is the willingness of prospective installers in a given area to work with you. Nobody’s gonna x-ray you when you head through your home boarders (or any boarders, really) to make sure you didn’t get any unauthorized implants.

Quite a few people here are from the EU, and I’m sure that some people will recommend installers if you mention where you live.

We are not strict here, just use common sense and you’ll be fine.

Dangerous Things are awesome, The Warranty should cover you for almost everything.
Just have a read of the warranty info.

Basically, do yourself a favour and video the install, although some installers might not like that, but you can be very discreet, just do as it says in the Warranty part and they should be fine.

As such, flex products carry a 1 year limited warranty, under the condition that the installation must be done by a professional and the installation procedure must be recorded in one single or multiple smaller videos which show;

1. the flex device being removed from the vial, pouch, or polymer bag on to the sterile field.
2. the flex device being picked up and manually installed by the professional without tools.

Only these elements must be shown. You do not need to record or show the installer’s name, face, location, procedure prep, etc., only the handling of the flex device from shipping condition to sterile field and the installation from sterile field to incision must be shown. Audio is not necessary to record or provide either. Should a flex device fail to work due to manufacturing defect, and videos of the installation can be provided, you will be entitled to a free replacement. Failure due to damage including mishandling, programming errors, data tearing, handling with forceps or any tooling, personal injury, etc. is not part of the warranty but will be considered on a case by case basis.

Whilst I can’t promise anything, I can tell you that Amal is not a dick, and he will look after you.
This should ease your concerns

I don’t blame you, as for any data storage a backup is always a good idea.

I know this hasn’t answered all your questions, but if you do go down the Apex Flex or FlexSecure path, you can ignore most of your other questions, and in my opinion, this is where I think you should head.

I hear what you are saying, and of course you can do that, although you will lose some functionality.

This is not a great argument, but I would also say the Apex and Secure are at least 5 x better than an xNT

OTP and FIDO both support a PIN, however those are completely separate. The apps cannot access each others data, they are segregated in memory. You end up with two different PINs which give access to two different sets of keys and protocols.

I assume by “password” you meen the root ISD key, used to e.g. install applets. For the Apex, this key is only known to Fidesmo inside their secured facility, for the FlexSecure it is the default GP one.

Now, the applets are written in a way that even if you know the administrative keys, there is no (software) way to extract the secret material from the applets (e.g. FIDO credentials or TOTP codes). This is by design of the smartcard / javacard chip. All you could do is delete the data, but not read it.