Max Number of OTP Credentials on Apex

Wondering if there is a maximum number of OTP credentials supported by the Apex Flex? I have 20 credentials on the Flex right now, but trying to add new ones just comes back with an error “error adding credential” from the Apex manager on my phone, and “SW:6f00” when trying to add the credential from the Yubico authenticator on my desktop.

Given that this issue has come up after 20 credentials I am wondering if there is a limit, and if there is any way to allocate more memory to the OTP application so I can add additional credentials.

1 Like

It’s based only on available memory. We made sure this was the case for otp as well as fido2 resident keys (passkeys). Keep an eye on memory with Apex Manager.

4 Likes

Btw Apex Manager for Android is set to get a major update that fundamentally improves the read process. It’s faster and much more stable.

12 Likes

Thanks for the speedy reply Amal! I’ll assume I’m bumping into a memory limit then. I’m assuming if I try removing one of the other applications, such as the NDEF data or PGP the OTP app will start accepting more credentials? Or do I need to remove and re-install the OTP app to take advantage of the available memory?

Keep an eye on memory with Apex Manager.

Do I need the ‘free memory’ application for this? Ironically I don’t have enough memory to install it :rofl:

3 Likes

In theory, yes, removing another application will make more memory available for OTP keys. Yes, you need free memory installed to get your free memory reading haha

4 Likes

The failure message for free memory actually says it’s ironic :slight_smile:

3 Likes

When you have free memory installed and tap the VivoKey product tab at the bottom

2 Likes

Thanks Amal! I’ll try and remove some applications to get some more space.

2 Likes

Let us know how it goes!

1 Like

That did the trick! Removed the PGP app and I’m now able to add new OTP credentials, and even install the free memory app

4 Likes

Great!

1 Like

Out of curiosity what size NFC sharing app did you deploy?

2 Likes

Looks like I was too late to the party, I was going to suggest that as the first step (reducing your NDEF storage).

1 Like

I ran into this issue as well when getting my Apex set up (install coming next month).

I’m using my Apex essentially as a Yubikey clone and installed the OTP, FIDO2, HMAC/SHA1, and free memory applets. That takes up most of the available space, and there isn’t much room left for all of my TOTP accounts.

One solution is to create a dedicated KeePassXC vault just for TOTP passwords, then secure it with the HMAC/SHA1 applets of your Apex (with or without a password). Both KeePassXC (desktop) and Keepass2Android support HMAC/SHA1 as an option for securing the database (unsure about iPhone)

If you are using KeePassXC as a password manager already, then I’d suggest having two dedicated vaults – one for passwords and another for OTP codes, perhaps only ever storing or using the OTP one from a single phone. You can also configure each of the two slots of the HMAC/SHA1 applet with a different key, which will somewhat reduce the risk of a replay attack.

3 Likes
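To make the challenge-response idea concrete, here is an added example (not code from the poster, from KeePassXC, or from VivoKey) that models one HMAC/SHA1 applet slot as a secret that never leaves the token, derives a vault key from the password plus the token's response, and then compares the attacker positions behind the two-slot suggestion above. The slot secrets, password and per-vault challenges are constructed sample values, and `composite_key` is a simplified stand-in for a real KeePass composite key (a real KDF adds salting and slow hashing on top of this).

```python
import hashlib
import hmac
from typing import Callable

# Constructed sample values: two slot secrets standing in for the keys
# programmed into the two HMAC/SHA1 applet slots, and a per-vault challenge
# standing in for the seed a KeePass-style database keeps in its header.
# None of these come from a real token or database.
SLOT_SECRETS = {
    1: bytes(range(20)),        # slot 1: used for the password vault (A)
    2: bytes(range(20, 40)),    # slot 2: used for the OTP vault (B)
}
PASSWORD = "correct horse battery staple"
VAULT_A_CHALLENGE = hashlib.sha256(b"vault A header seed").digest()
VAULT_B_CHALLENGE = hashlib.sha256(b"vault B header seed").digest()


def applet_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """What the token computes: HMAC-SHA1 over the challenge with a secret
    that never leaves the chip. The host only ever sees the 20-byte response."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, response: bytes) -> bytes:
    """Simplified composite key (hypothetical, not the KeePass format): hash the
    password and the token response together so that neither factor alone
    reproduces the key."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(pw_hash + response).digest()


def unlock_key(password: str, challenge: bytes,
               respond: Callable[[bytes], bytes]) -> bytes:
    """Derive the vault key; `respond` is whatever answers the challenge:
    the real token slot, a replayed captured response, or a leaked secret."""
    return composite_key(password, respond(challenge))


def token_slot(slot: int) -> Callable[[bytes], bytes]:
    """A callable that behaves like one programmed slot of the applet."""
    return lambda challenge: applet_response(SLOT_SECRETS[slot], challenge)


def scenario() -> dict:
    """Compare the attacker positions discussed in the thread."""
    key_a = unlock_key(PASSWORD, VAULT_A_CHALLENGE, token_slot(1))
    key_b = unlock_key(PASSWORD, VAULT_B_CHALLENGE, token_slot(2))

    # Vault files plus the password but no token: the attacker can only guess
    # a response, so the derived key does not match.
    guessed = unlock_key(PASSWORD, VAULT_A_CHALLENGE, lambda c: bytes(20))

    # Response for vault A intercepted during one unlock. The challenge is
    # fixed per vault, so replaying the capture reproduces vault A's key ...
    captured_a = applet_response(SLOT_SECRETS[1], VAULT_A_CHALLENGE)
    replay_a = unlock_key(PASSWORD, VAULT_A_CHALLENGE, lambda c: captured_a)
    # ... but the same captured bytes are useless against vault B.
    replay_b = unlock_key(PASSWORD, VAULT_B_CHALLENGE, lambda c: captured_a)

    # Slot 1's secret leaked: it answers any challenge for slot 1, but vault B
    # lives on slot 2, so its key is still out of reach.
    leak_a = unlock_key(PASSWORD, VAULT_A_CHALLENGE, token_slot(1))
    leak_b = unlock_key(PASSWORD, VAULT_B_CHALLENGE, token_slot(1))

    return {
        "different_vault_keys": key_a != key_b,
        "password_only_fails": guessed != key_a,
        "captured_response_opens_a": replay_a == key_a,
        "captured_response_fails_b": replay_b != key_b,
        "leaked_slot1_opens_a": leak_a == key_a,
        "leaked_slot1_fails_b_on_slot2": leak_b != key_b,
    }
```

Running `scenario()` returns a dictionary of booleans; every entry is `True` for the constructed values, which is the point of the two-slot layout: a single captured response or a single leaked slot secret only gets an attacker into the vault that used it.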

Out of curiosity what size NFC sharing app did you deploy?

2KB, which I figured wouldn’t be too large. I can drop it to 1K if needed.

Currently, with my 2KB NDEF, OTP and FIDO2 I have 28% available storage, so hoping that will last me for a while

2 Likes

One solution is to create a dedicated KeePassXC vault just for TOTP passwords

Thanks for the suggestion. So the idea here would be to store all OTP creds in a Keepass vault, then only use the Apex to unlock the vault. I suppose I would need to synchronise the vault between devices (I use multiple different phones/PCs on a day to day basis) which would be inconvenient, but doable using a cloud storage.

Interesting suggestion! I’ll keep this in mind if I bump into storage limits again.

1 Like

Yes – if you need to access the OTP codes on multiple devices. KeePass works well when stored in the cloud. Both the Desktop and Android apps offer change synchronization, although you can still potentially overwrite entries if you forget to save and are editing the same entry from multiple locations.

On Android, Keepass2Android lets you use Android’s built-in Google Drive browser and everything pretty much just works. The app caches a copy of the database in its local data folder so you can still access it even if offline.

From a security perspective there are some tradeoffs however.

Single cloud-stored database for both passwords and OTP codes:
This is the easiest to use, but you are essentially using the same two factors to access both the password and the OTP code. It is still a huge improvement over just a password since an attacker would need access to the database file, the master password, and either the secret that was programmed into the HMAC/SHA1 applet, or an intercept of the key exchange during a database unlock.

Separate cloud databases for passwords and OTP codes:
A little more secure than the above if the two databases were secured with different HMAC/SHA1 slots, since an attacker would need either both programmed secrets, or an intercept for each database.

Cloud database for passwords, phone-only database for OTP codes:
Now an attacker needs access to your phone directly in addition to the secrets/intercepts from above.

Cloud database for passwords, OTP codes only on the Apex:
Most secure. An attacker needs close proximity to your Apex.

3 Likes

And you can protect your Apex OTP codes using a password or passphrase such that a direct covert attack would be impossible to accomplish in the limited time your Apex was available to the attacker. To succeed they would need to sniff the interaction between your phone and Apex, while you were pulling OTP codes, and then they would have 30 seconds (typically) to make use of that attack. Very unlikely.

2 Likes

@GrimEcho knows far more than I do, but I use keepass and syncthing across multiple devices

https://syncthing.net/downloads/

1 Like