Desktop OTP display using Yubico Authenticator and Apex Flex

EDIT: See 6th post in this thread for a better option than what’s in this post.

Link for the lazy to the 6th post: Desktop OTP display using Yubico Authenticator and Apex Flex - #6 by pockybum522

Original post:

Hello All,

Got a tip from Amal when I asked about options for showing OTP codes on a PC like I enjoy doing with my Yubikey.

He suggested modifying the AID in the Yubico OTP app, and it worked, so I figured I’d write up instructions for anyone else who wants to get codes on their PC. I have so far tried this on Windows only, but I am guessing the process is similar for other OSes.

Process:

I installed the latest release of Yubico Authenticator from:

(64 bit, but since we’re just modifying scripts I’m guessing 32 bit will also work fine.)

Once installed, I made a backup copy of C:\Program Files\Yubico\Yubico Authenticator\ and since this is a quick and dirty mod to make Apex work it also means your existing Yubikey won’t, so until we get a cleaner solution, you’ll also want the unmodified copy around for if you still need Yubikey compatibility.

Note that this is with VivoKey OTP applet in Fidesmo.

You’ll want to edit C:\Program Files\Yubico\Yubico Authenticator\pymodules\yubikit\core\__init__.py in notepad++ or VSCode. Around line 83, there should be: OATH = bytes.fromhex("a0000005272101")

Change this line to read: OATH = bytes.fromhex("a0000007470061FC54D5")

Of course, be careful to maintain indentation, and don’t tab to make the indentation, looks like this file uses spaces to indent.

You can see my file, modified, below. My cursor is on the modified line, and the original line below it is commented out.

Save that, close out the file, and open C:\Program Files\Yubico\Yubico Authenticator\yubioath-desktop.exe in the modified folder. Note that for some reason, my yubioath-desktop.exe seems to need to run with admin privs.

This is off my Apex Flex:

And it shows up as:

Meta/Semi-related Info:

My NFC reader is “Advanced Card Systems Ltd.” USB NFC Reader ACR1252
P/N: ACR1252U-M1
I purchased it on Amazon like a year or so ago.

Note that you have to set a filter in the Yubico Authenticator app under:

  1. Settings > Custom Reader
  2. Click Enable Custom Reader
  3. Select your reader
  4. Click “Use As Filter”
  5. Click Save

Only then will the Yubico Authenticator app be able to use the USB reader.

DISCLAIMER: YUBICO DOES NOT SUPPORT ANY OF THIS. NOTHING FROM DT IS AN OFFICIAL YUBIKEY, DUH. DO NOT BOTHER YUBICO IF THINGS DON’T WORK OR BREAK, DOWN THE ROAD.

6 Likes

oooh, I like this. I’ll be checking it out later.

there’s a typo, it should be

\pymodules\yubikit\core\__init__.py

Also
OATH = bytes.fromhex(“a0000007470061FC54D5”)
uses the fancy quotes instead of regular quotes.

Fixed with liberal use of disable markdown. Thank you very much!

1 Like

So this worked great. Was hoping you could run both versions at the same time but I guess that would be dumb since there is only one reader.

I dug into it a bit trying to get it to work with both. Got 3/4 of the way there but there is something hardcoded to AID.OATH that I’m not fully understanding… Seems there is a place where it goes through the different application IDs, but apparently the connection itself has some link to the AID.OATH value.
It doesn’t help that I don’t know python.

HOW TO MAKE BOTH YUBIKEYS AND APEX WORK IN THE SAME APP

Note: Sins will be committed.

If anyone wants to make this better by maybe catching specific exceptions or any other method of making things less suck, be my guest. I are not good at python.

The below edits look complicated and annoying, do I have another option?

Yeah, just download this:
https://www.dropbox.com/s/2lv6up3ttmgsv3d/pymodules.7z?dl=1

and extract those two folders in that archive to
C:\Program Files\Yubico\Yubico Authenticator\pymodules
overwriting existing files.

But like, for the love of god, do your own diff or something. I could be putting anything into those.

STEPS TO EDIT AUTHENTICATOR FILES MANUALLY

pymodules\yubikit\core\__init__.py

Add line: OATH_APEX = bytes.fromhex("a0000007470061FC54D5") in class AID under line OATH = bytes.fromhex("a0000005272101")

(Modified final file is on the left.)

pymodules\yubikit\oath.py

Add
try:
self._version, self._salt, self._challenge = _parse_select(self.protocol.select(AID.OATH)) # Original
except:
self._version, self._salt, self._challenge = _parse_select(self.protocol.select(AID.OATH_APEX))

in init function

Add
try:
_, self._salt, self._challenge = _parse_select(self.protocol.select(AID.OATH)) # Original
except:
_, self._salt, self._challenge = _parse_select(self.protocol.select(AID.OATH_APEX))

in reset function

(Modified final file is on the left. Note that what’s in yellow on the right are lines we’re deleting and replacing with the lines on the left.)

pymodules\ykman\device.py

In SCAN_APPLETS =

Add line on bottom:
AID.OATH_APEX: CAPABILITY.OATH

(Modified finished file is on left.)

6 Likes

Great minds think alike, I see. Enjoy my above post. I think it’s what you were asking for, anyways.

Nice works perfect!

1 Like

EDIT: eh whatever
great work :slight_smile: I like it

1 Like

Looks like a permissive license green light to me. You should make a fork on GitHub.

1 Like

I did, originally. The only reason I haven’t done the modification through that, is that the development environment to actually compile everything was a little daunting.

Anyone is welcome to that has more python experience than I. Also, the way I did it, through catching the exception and falling back to the other AID at that point is not remotely clean. I just wanted something that works.

1 Like

Has anyone with a bigger brain than myself figured this out for Mac yet?
I’ve tried but have no idea what I’m looking for.

1 Like

The people with bigger brains don’t use Mac :rofl:

Haha, not stopping in to be helpful, just funny…

3 Likes

It’s python though right? Like just swap the .py file?

Hahahahhaha touché. I’m a creative so mac is all I know.

Yeah it’s python, but I wasn’t seeing anything similar to the windows build (from comparing with parallels). Quickly got lost, I’m a complete hack when it comes to this but enjoy trying to figure it out.

That’s totally fine around here… hell I was just guessing because I’ve not even deployed it myself haha

1 Like

@amal can we get an official fork / repo? Happy to put some time in getting ci/cd builds and trying to keep it up to date.

3 Likes

absolutely :slight_smile:

done… added @pockybum522 and anyone else who wants to contribute I can add

5 Likes