How do I remove individual FIDO2 keys from apex flex?

I installed the “FIDO Security” app and it seems to work just fine, however I can’t find any way to remove keys. When I tap “U2F” in apex manager it just tells me it doesn’t need any configuration, but presumably it’s going to run out of space at some point and I’ve got a few keys I created just for testing that I’d like to delete.

I tried the Yubico Authenticator app just for kicks and was surprised to see OTP codes show up, but nothing about U2F/FIDO.

2 Likes

Guessing you could always do the “nuke it from orbit” approach, and destroy/reinstall the FIDO2 applet.

1 Like

Yes, but assuming there are some keys I do want and some keys I don’t.

1 Like

Does it create individual keys like that? I thought most security keys were sort of one-per-device and you just enroll that to the services

In other words, can you just un-enroll it from the service?

There’s a pretty decent chance I’m completely wrong there though

1 Like

I don’t fully understand it either, but I’m pretty sure U2F is the old standard and works as you describe (and apex flex supports it), while FIDO2 (aka passkeys?) is the newer standard and does require storing information per-service.

See for example yubikey’s docs on how to do this for their devices: Passkeys: FIDO2 — Yubico Authenticator User Guide documentation

2 Likes

I would also like to know this. I know I have a few wasting space.

2 Likes

Fido is basically U2F, which is universal two-factor.

Fido2 is designed for passwordless operation. This means it’s the primary factor, not a secondary factor. The difference comes down to, for lack of a more nuanced explanation, supporting user authentication of some sort on the security token. Typically this means setting and using a PIN code for the token. In this way, nobody can simply find your security key and log into your stuff without knowing at least some factor. You could call it a simplified password if you want but basically it’s the primary difference between U2F and Fido2.

The industry is, of course, muddling things as they often do.

Passkeys are based on Fido2, however they are based on a very specific type of Fido2 - resident keys. There are two ways you can authenticate with a fido2 security token. The first is similar to u2f where the relying party (website, service, etc.) basically challenges your token and stores the public key of your token in its database. The next time you show up, it issues challenges based on that public key and if your key responds correctly then hooray. It’s a little more involved than that to tie in URL data and spoof protection and phishing attack protection, but that’s basically how it works.

Resident keys work a little differently. As you might surmise, the relying party creates a unique key that resides on your security token which is used to authenticate in a similar fashion.

Passkeys are basically a marketing term that is struggling to come to grips with also trying to become a technical specification. Basically, we have been going through a series of big bumps the last 24 months or … some websites say hey you can register a fido2 security key and when you do that it’s putting a resident key on your security token, while Apple and Google started pushing the idea of passkeys which are really no different but they created this term basically to push the idea that your device is the key… and by device they mean your phones and computers. They wanted a way to differentiate what they are leveraging the fido2 standard for vs traditional security keys.

My personal thought is that this is a terrible idea. If you are securing your access to cloud services and effectively securing your personal identity across the entire cloud using a device that is easily hacked, stolen, lost, forgotten, whatever… that’s like putting all your eggs in one basket. Of course the idea is that you would be able to do passkey revocation if you lose one of your devices, but managing all of that is a shit show nightmare once you get beyond just a few services.

Keeping your passkeys or resident keys or whatever you want to call them with you at all times in your body seems like a much easier management issue. Particularly if you have two Apex so you have a backup just in case. Management however is still the name of the game.

Basically, you could use any standard fido2 resident key management software package to manage the resident keys on your Apex… the problem is there’s just not a software suite out there. I think Yubico has something, but I’m pretty sure it only works with their security tokens.

We do have plans for integrating better management for other applications on Apex into the Apex manager smartphone app. This includes Fido key management, but there is no ETA for these features.

Anybody with development skills who might want to contribute, let me know :slight_smile:

8 Likes

I was able to find a demo which would require a resident key (Usernameless | YubiOn FIDO2 Demo) and Android didn’t even give the option for NFC, which is a little disappointing.

so I think I can conclude there aren’t any resident keys on my apex, since everything I’ve added has been through android.

2 Likes

Hmm no that’s a Google bug… this has been hashed and debugged numerous times over the last few years. Likely your Google Fido stack is shitty

2 Likes

Or also I think the site itself can actually specify which types of security tokens it wants to accept… it might be omitting NFC specifically

2 Likes

Yeah on my phone it just doesn’t even work…

When I tap more options it just errors

1 Like

You can use the YubiKey Manager CLI (ykman) with the ykman fido credentials list command to list the credentials stored on the Apex / FlexSecure. You need to specify the reader you use with “--reader”.

General info, note that FIDO2 is shown as not available, but that is incorrect, it works regardless:

❯ ykman --reader "NFC NCI 00 00" info
Device type: YubiKey 4
Serial number: 279773097
Firmware version: 4.0.0
NFC transport is enabled

Applications    USB             NFC          
Yubico OTP      Disabled        Enabled
FIDO U2F        Disabled        Enabled
FIDO2           Not available   Not available
OATH            Disabled        Enabled
PIV             Disabled        Enabled
OpenPGP         Disabled        Enabled
YubiHSM Auth    Not available   Not available

Check out FIDO options; fingerprint stuff and config are not supported by our Applet. Reset must be done by re-installing via Fidesmo instead.

❯ ykman --reader "NFC NCI 00 00" fido
Usage: ykman fido [OPTIONS] COMMAND [ARGS]...

  Manage the FIDO applications.

  Examples:

    Reset the FIDO (FIDO2 and U2F) applications:
    $ ykman fido reset

    Change the FIDO2 PIN from 123456 to 654321:
    $ ykman fido access change-pin --pin 123456 --new-pin 654321

Options:
  -h, --help  show this message and exit

Commands:
  info          display general status of the FIDO2 application
  reset         reset all FIDO applications
  access        manage the PIN for FIDO
  config        manage FIDO configuration
  credentials   manage discoverable (resident) credentials
  fingerprints  manage fingerprints

Query info about the FIDO applet:

❯ ykman --reader "NFC NCI 00 00" fido info
PIN:                          8 attempt(s) remaining
Minimum PIN length:           4
Always Require UV:            Off
Credential storage remaining: 22

Check out credential operations:

❯ ykman --reader "NFC NCI 00 00" fido credentials
Usage: ykman fido credentials [OPTIONS] COMMAND [ARGS]...

  Manage discoverable (resident) credentials.

  This command lets you manage credentials stored on your YubiKey. Credential management is only available when a FIDO PIN is set on the YubiKey.

  Examples:

    List credentials (providing PIN via argument):
    $ ykman fido credentials list --pin 123456

    Delete a credential (ID shown in "list" output, PIN will be prompted for):
    $ ykman fido credentials delete da7fdc

Options:
  -h, --help  show this message and exit

Commands:
  delete  delete a credential
  list    list credentials

List existing credentials:

❯ ykman --reader "NFC NCI 00 00" fido credentials list
Enter your PIN: 
Credential ID  RP ID                Username                Display name
f██████9...    g█████.com           StarGate01                          
d██████9...    g█████.com           c████████████████████e              
2██████2...    v█████████████n.com  c████████████████████e              
f██████1...    w█████████.com       c████████████████████e        

You can then use the ykman fido credentials delete command to delete a specific credential by specifying its ID.

10 Likes
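The post above lists credentials by hand and deletes them one at a time. As an added example (not part of the original thread and not Yubico's or Dangerous Things' code), here is a small Python helper that parses the `ykman fido credentials list` table, groups the credentials by RP ID, and emits one `ykman fido credentials delete` command per credential for the RPs or usernames you want gone, so test credentials can be cleared out in one pass. The sample table is constructed (placeholder RP IDs and fake ID prefixes), and the reader name "NFC NCI 00 00" is assumed to be yours; substitute what pcsc_scan or certutil -scinfo reports. The ID prefix that `list` prints is what the tool's own help text passes to `delete`, so the helper strips the trailing "..." and uses that prefix; it refuses to emit a delete when two listed credentials share a prefix, since that would be ambiguous.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed reader name; replace with the one your PC/SC stack reports.
READER = "NFC NCI 00 00"

# Constructed sample shaped like the `ykman fido credentials list` output above.
# RP IDs are placeholders and the credential ID prefixes are fake.
SAMPLE_LIST_OUTPUT = """\
Enter your PIN: 
Credential ID  RP ID                Username                Display name
f3a9c19...     example.com          StarGate01              
d17b2e9...     example.com          test-account            Test account
2c0ff42...     vpn.example.net      test-account            Test account
f00dba1...     webmail.example.org  alice                   Alice
"""


@dataclass(frozen=True)
class Credential:
    cred_id_prefix: str   # truncated ID as printed by ykman, without the "..."
    rp_id: str
    username: str
    display_name: str     # empty when ykman prints nothing in that column


def parse_credential_list(text: str) -> list[Credential]:
    """Parse the fixed-width table ykman prints; columns are separated by 2+ spaces."""
    creds: list[Credential] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Enter your PIN", "Credential ID")):
            continue
        cols = re.split(r"\s{2,}", line.rstrip())
        if len(cols) < 3:
            raise ValueError(f"unexpected ykman line: {line!r}")
        cred_id, rp_id, username = cols[:3]
        display = cols[3] if len(cols) > 3 else ""
        creds.append(Credential(cred_id.rstrip("."), rp_id, username, display))
    return creds


def by_rp(creds: list[Credential]) -> dict[str, list[Credential]]:
    """Group credentials by RP ID so you can see which services hold several."""
    groups: dict[str, list[Credential]] = {}
    for c in creds:
        groups.setdefault(c.rp_id, []).append(c)
    return groups


def delete_commands(
    creds: list[Credential],
    *,
    rp_ids: tuple[str, ...] | list[str] = (),
    usernames: tuple[str, ...] | list[str] = (),
    reader: str = READER,
) -> list[str]:
    """Emit one `ykman fido credentials delete <prefix>` per matching credential.

    A credential matches if its RP ID is in rp_ids or its username is in usernames.
    ykman prompts for the PIN itself, so no PIN is placed on the command line.
    """
    prefixes = [c.cred_id_prefix for c in creds]
    dupes = {p for p in prefixes if prefixes.count(p) > 1}
    if dupes:
        # Two credentials with the same printed prefix cannot be told apart by ykman.
        raise ValueError(f"ambiguous credential ID prefixes: {sorted(dupes)}")
    want_rp = {r.lower() for r in rp_ids}
    want_user = set(usernames)
    return [
        f'ykman --reader "{reader}" fido credentials delete {c.cred_id_prefix}'
        for c in creds
        if c.rp_id.lower() in want_rp or c.username in want_user
    ]


if __name__ == "__main__":
    parsed = parse_credential_list(SAMPLE_LIST_OUTPUT)
    for rp, entries in by_rp(parsed).items():
        print(f"{rp}: {len(entries)} credential(s)")
    # Print (rather than run) the commands for the credentials registered
    # under the throwaway "test-account" user, so they can be reviewed first.
    for cmd in delete_commands(parsed, usernames=["test-account"]):
        print(cmd)
```

Pipe the real table in (`ykman --reader "..." fido credentials list | python3 cleanup.py`, after swapping SAMPLE_LIST_OUTPUT for `sys.stdin.read()`), review the printed commands, and only then run them; each delete still asks for the PIN, which is the behaviour the thread describes.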

How do you find the reader id ?

1 Like

On Linux, use the pcsc_scan command. On Windows, look into the device manager under “Smartcard Readers”. On any system: Check which interfaces the Yubico Authenticator GUI offers.

4 Likes

On Windows you can also do a certutil -scinfo command in a cmd prompt and it’ll spit out the package reader names as they appear to the pcsc stack. This includes the reader name and device number which might be needed.

5 Likes