Installed Apex Flex

Finally! After 2 years of waiting for this device I had my Apex Flex installed! Ryan at Monkeys to Go in Fullerton did the install and it seems to be healing pretty good. It was about an hour ish from LA where I live but they were even willing to stay open a little late for me since I was driving out after work.

My next question is, is anyone using their Apex Flex with a password manager ? I’ve got the otp app going and it’s way better than bringing out my yubikey every time I need to login.


I haven’t figured out how to use the apex with a password manager yet, but I think some password managers (like keepass XC) support hmac-sha1 so that should work. I believe this applet is still in development at this time though

I too am keen to use this as a (limited) password manager. Mainly to keep secrets I don’t want on a disk or cloud somewhere.

2FA for a normal password manager is not enough?
1Password and I bet lots more support OTP.

That’s exactly what I’m doing now, have already enrolled my Apex as a 2FA device on most things just waiting to put it in me now :innocent:


Yeah this is the same setup I have. I’ve also installed the u2f for some 2FA accounts but it would cool to find a password manager that unlocked by scanning my chip.

I can’t find anything about 1password (or any password manager tbh) using otp codes to unlock/decrypt the pw manager database, just that they support generating otp codes in the app (which vivokey authenticator app already does)

Unless I’m misunderstanding…

Are you saying 1password let’s you protect your database with an otp code that you can generate with Apex in the vk authenticator app?

I think KeepassXC only works with the Yubikey hmac-sha1. I just installed it on a spare machine to check. I have the applet installed but I didn’t get any response out of the application when I had my apex on my ACS122u. It is also a fresh install of ubuntu so I could be missing a driver given the applet is completed (this doesn’t say in development like the FIDO applet does but I could be wrong).

my understanding is the hmac-sha1 applet still needs something else pushed to it before it will work

The only way I’m aware of using Apex with 1P is as a 2FA device which is prompted when logging in on a new device only.

I think so, yes.

Yes, this. Well, that’s at least something…

Practically all of my devices these days have Windows Hello or Touch ID/Face ID except one and 1Password integrates perfectly with all of the above.

I believe MacOS will use a PIV card and PIN in the same way, but Windows seems to entangle PIV with Windows Server/domain credentials so it’s not easy to use for the average person.

I do have another slight quandary which is, until recently, I used OTP codes stored in 1P for 2FA on most services. Due to the apparent rise in phishing+2FA relay attacks I now have Yubikeys (and Apex!) performing this function but I’m not sure if I should remove the OTP codes now. :man_shrugging:t2:

KeePassXC is compatible to the HMAC-SHA1 applet published by Vivokey on the Fidesmo platform since KeePassXC version 2.7.0 thanks to my PR. I actively use it and it works fine, you need a PCSC reader for PC or use Keepass2Android and ykdroid on Android.

To program a secret, see flexsecure-applets/ at master · DangerousThings/flexsecure-applets · GitHub , eventually this functionality will be available in the new Vivokey app in a more user-friendly way.

For other Password managers, the FIDO U2F applet might work, I have not tested this yet.

A second PR is on track to be release with the next KeePassXC version, which will add proper display names for the Apex and its brother.


@aaronbot5000 (or anyone else)

Where did you decide on the install location? I’m getting mine installed in a few weeks. I’m thinking underside of my left forearm, a little above where the clip for a watch band would rest, but not sure if veins would be a problem.

Basically looking for an area that is easy to hit with both a phone and ACR122U USB reader.

Are you referring to the Mega :flexem: : or Flex :flex: ?

I put my Flex in #1

I ended up getting it put on the inside of my forearm, in the meatiest part (closer toward the elbow rather than the wrist)

I ended up picking this spot by resting my cell phone on various parts of my forearm to see what was comfortable to do repeatedly and also what seemed like an area I was least likely to bung on something. Also, the piercer Ryan suggested that if I was going to be the only one to read it (for the most part) it made more sense to put it on the inside rather than the outside of my forearm.

I’m referring to the Apex Flex (didn’t know the Megas were out in the wild yet). Thanks for the link to the location guide. 1 - 3 on my hand looks like it would be close to some veins. Is that a consideration? Not sure if the installer just works around them, or whatnot.

For the Apex, looking for the best location to read from both my phone and desktop scanners, which was why I was looking at the underside of my wrist. But I didn’t see any mention of those locations on the guide.

Yeah mate, My hands are vein-y as fuck and tendons also quite visible
The install technique is important
Palpate the area
“Pinch and roll” the skin to ensure the veins are not grabbed in the tent.
then Stabby stab stab
:needle_custom: :vivokey_apexflex:

Personally I would avoid there, looking at mine, I dont think it would work well for me.

Mine currently in #1, works extremely easily ( which is why I chose that location )
Phone easily rests ontp to read, and simply roll wrist 180 to desktop reader ( or you could mount your Reader under the desk )