New FIDO2 Applet

The FIDO applet on Fidesmo for Vivokey devices has received a huge update! In fact, we switched to an entirely new codebase. What does this mean?

  • The codebase is now open-source! A huge win for the FlexSecure crowd as well. The code is hosted on GitHub at BryanJacobs/FIDO2Applet (FIDO2 Javacard Applet) and primarily developed by @BryanJacobs, who has been really kind and helpful in assisting us with setup and bugfixes. If you are a developer and interested in building your own / improving your FIDO2 applet, you now can. This is the first fully featured open-source FIDO2 applet to my knowledge.
  • The FIDO standard supported has been upgraded from CTAP 2.0 to CTAP 2.1. This enables a few new cool functions, like blob storage and credential management.
  • The old U2F applet has been deprecated and removed. The FIDO2 applet is fully backwards-compatible with the U2F standard.

Documentation in the FlexSecure-applets repository will be published soon. We are also actively working on officially certifying this applet with FIDO for the Apex!

If you encounter any issues with the new applet, please report them.

14 Likes

Hell yeah! Thanks for your hard work on all of this. Now I just need to get my FlexSecure installed 😁

Maybe it wouldn’t be a bad idea to update the Fidesmo applet description as well 🙂
I am very happy to see those efforts reach prod.
P.S. Wow, this applet is a big boy. I had to remove a bunch of stuff from the Apex to make space for it. I have free mem, SmartPGP with ECC and FIDO2, and only 14% storage left.

2 Likes

Thanks for the heads up, I updated the description!

Memory requirements have increased a bit compared to the old FIDO2 applet, but so has its functionality.

1 Like

Yup, PGP and FIDO2 apps both have to do a surprising amount of stuff so they are quite large.

1 Like

Way to go! I’m glad I got on board with the Apex Flex sale last month so I can play with cool tech like this. (Next thing you know, I’ll be in the market for a second Apex Flex or a Flex Secure to use as a backup.)

While we’re on the subject, what readers are people using to test NFC FIDO2 on the computer? I’m learning about all this kind of backwards, but most FIDO2 implementations on the consumer market tend to assume that the device has some sort of physical connection… Not quite possible for these wondrous implants. 🤣

1 Like

On Windows, NFC works great… an ACR1252U works.

For Linux there are three gateways that make an NFC reader pretend to be a USB authenticator, fooling the software into working.

And you can get a libfido2 supporting NFC for the apps that use that (like ssh and systemd).

I’m working on the equivalent for Mac.

Windows is no problem and works already.

2 Likes

Great job!

I really need to set up SSH and WebAuthn on Linux too so I get full use, but the Apex has been awesome 😁

2 Likes

How worth it is it to unpair all websites using it as a security key, destroy the app, install the new one, and re-add it to websites if I already have the previous FIDO2 app installed? Or is there an easier process I didn’t realize?

That’s the process unfortunately.

The new applet supports CTAP 2.1 and will eventually be certified. Whether it’s worth it depends on how annoying it may be to do that.

I’ll probably do it, but I’m gonna call that a later problem.

Do I just need to destroy and redeploy the applet to update?

And will I have to register it again on sites that I use FIDO?

What can you actually do with credential management? Weighing whether it’s worth updating.

Credential management allows you to view the discoverable credentials on the card, change usernames, and delete individual credentials. That’s all.

This applet also improves security over the old one by supporting PIN Protocol 2, which helps defend against NFC eavesdropping attacks.

It’s up to you whether you switch, and if so, when.

2 Likes

I had the latest(?) version of the old closed-source applet installed, but I hadn’t tried using it yet. Removed it and installed the new version (I had to use an Android phone to do this) and was able to register it with Google using my iPhone. But if any significant changes happen when it’s certified and hits 1.0 then I’ll probably remove it and install the updated version. (I won’t be using it much until I get the implant installed sometime between now and January, anyway.)

It’s really cool to see that we’re involved in the first complete, open-source FIDO2 applet out there for java cards. I’d love to see other people trying it out, even on more mainstream Java cards.

Wow, really glad to hear about this opensource implementation, well done @BryanJacobs!

I kinda understood the reasoning for making the prior version closed source, but it sucked and never sat right with me, so this is a massive leap forwards 🙂

There shouldn’t be any changes… unless certification changes significantly in the next few weeks / months.

1 Like

Greetings folks, I had some time to play with the new applet today. Unfortunately neither Google nor Facebook are accepting the security key. This was not the case with the old U2F applet, which I’ve already destroyed. Can anyone comment? Thanks

Which device and browser are you using?

Using my OnePlus 7 Pro phone + Brave browser for Google and the Facebook Android application for Facebook. Same as I was doing it before.
The error message for Google is: “Couldn’t connect. Remove your key and reconnect it. Then try again.”
When trying to add to the Facebook app, the security key is being read successfully, but then the application interface does not proceed and shows loading indefinitely.
P.S. I’ve reinstalled the FIDO2 applet, but the issue remains.
P.P.S. I have no issues adding YubiKeys, for example, with the same hardware/software configuration.