Question about FIDO2 capabilities of Apex Flex

We have both a FIDO U2F and FIDO2 applet, however the FIDO2 applet is beta and not ready for real use outside of testing. I use the U2F applet in my right arm for legit things and on some sites I’ve been able to register the FIDO2 applet in my left arm, but on some sites it doesn’t work, and more recently I’ve had problems with it altogether.

Also, FYI, almost everything that supports FIDO supports legacy U2F… only a few specific things actually require FIDO2.

I’d get an ACR1252U from ACS… but any PC/SC compliant reader should work. I use one attached to my desktop workstation and I’m beepin and bumpin my U2F into github, twitter, etc. it’s super great.

Is it compatible with Microsoft yet? Or is that still in the works?

This would probably be my main use case… to replace my Yubikey… so when either Gmail or Microsoft Azure asks me to press the Yubikey, would be nice to scan an implant.

1 Like

Also, FYI, almost everything that supports FIDO supports legacy U2F… only a few specific things actually require FIDO2.

Yeah, fair - I don’t think I NEED FIDO2, pretty sure U2F is supported by our applications at work. Hopefully by the time FIDO2 is a requirement the applet will be out of beta.

I’d get an ACR1252U from ACS… but any PC/SC compliant reader should work

Thanks for the recommendation! Looks like I can pick one up for around $100 on eBay so I’ll probably go that route. Any idea what the Linux support is like? Linux is my daily driver outside of work, would be rad if it worked with both.

I use one attached to my desktop workstation and I’m beepin and bumpin my U2F into github, twitter, etc. it’s super great.

This is the dream!

Well… what do you mean specifically? Windows Hello requires FIDO2 with some optional extensions enabled, and full certification from the FIDO Alliance. I think Azure can work with U2F but I don’t know if it works uncertified or if it also needs certification.

The nice thing is most security key services allow registration of multiple keys so testing is easy enough.

Was just wondering if VivoKey was planning on eventually becoming a Microsoft-compatible FIDO2 security key vendor, so that I could use a VivoKey product to log into Azure AD in the future.

Basically what is posted here, but with VivoKey Products… :slightly_smiling_face:

Ah yep that’s on our roadmap. Requires a lot of faffing around to certify and then apply… but we want to do that

4 Likes

Been playing around with FIDO2 for Windows Logon / Microsoft Account access and I can confirm that:

  1. Regular users of personal Microsoft Accounts can use the Apex Flex FIDO2 applet to login to their account on the web. I’ve tested on Edge & Chrome at my PC. Android doesn’t currently work.

  2. Users that login to Windows with their Microsoft Account currently cannot use the Apex Flex FIDO2 applet to login. (this is what @amal was talking about RE: becoming “Microsoft compatible”)

  3. Buying Windows 10/11 Pro will not allow you to sign in with a FIDO2 or U2F security key, despite what you may read online. The group policy setting will have no effect. FIDO2 & U2F sign-in is an Azure AD feature.

  4. If the account you login to Windows with belongs to an Azure AD organisation, you might be able to add the Apex Flex as a sign-in method, but only if it’s configured to allow FIDO2 as a method, self-service setup is enabled, and “Enforce attestation” is disabled. (Check by trying to login here)

  5. If you have a regular Microsoft account, you may sign up for Azure for free, and create your own, entirely free, Azure AD. You’ll need to sign up for the “pay as you go” option, but you’ll not be charged anything unless you explicitly choose to pay for something. You don’t need to. This process is frankly, irritating as hell. The Azure UI is a little janky and as this is all quite new, there is little help available. See below for my experience…

One of two lingering questions I have is - from what I’ve read in another thread here, attestation works. And, from my tests on Android, it functions as expected. However, Microsoft’s Azure AD FIDO2 support refused to accept the Apex Flex until I disabled that requirement. Is this what getting certification from Microsoft will fix?

The other is - Microsoft Azure AD has no options for allowing pin-less registration, and I don’t think it’s likely to happen. Could it possibly be linked to the current need to not enforce attestation? (IE. A pin is required when attestation isn’t available)

Finally, my experience setting up Azure AD with a personal Microsoft account, on a PC I’ve been logging into with a password:

  1. Initially, I tried to simply access the Azure AD portal, and ran into many permission-like errors. I expected this, but it looked very broken and “possibly might work”.

  2. I then tried to sign up for Azure using their promo link, only to get turned down (I think I may have used Azure in the past). I then tried signing up for pay-as-you-go, which also turned me down right at the very end. However, once I did that, I had access to the Azure portal and didn’t run into any errors.

  3. I found my way to the FIDO2 page (Manage AD > Security > Authentication Methods > FIDO2) and enabled it. There weren’t any clear directions about how exactly to test/use/check any of this so I tried the “Security Key” sign-in option in Windows Account Settings, gave it the ol’ boop, and tried to login. No dice, no reaction on the lock screen. No change after reboot.

  4. After a bit of reading around, I realised I had to register the security key online, via this page. Previously, when I accessed this page, I was told that my account was not recognised. After signing up for Azure, I was now able to login here. I tried to add my key, but ran into an error. There was no message at all, just a “correlation ID” (which you can view in the Azure portal under “Audit Logs”, after a few minutes have passed).

  5. After a bit more reading around, I attempted to manually get, and add, the Apex Flex FIDO2 AAGUID to the “Configure” page in Azure AD’s FIDO2 setup. I managed to snag it as a base64-encoded AAGUID from one of the webauthn test sites, converted it to a traditional GUID, and entered it into Azure AD. No change when I tried to register my Apex.

  6. After even more reading, I found a GitHub thread where it was mentioned that “Enforce attestation” needed to be disabled for Azure AD FIDO2 to function, for some other FIDO2 implementation. I tried this, and it worked! I was able to add my Apex Flex as a sign-in option. Login via Chrome & Edge was working beautifully, using my personal Microsoft account’s email address.

  7. After rebooting (for no reason other than making sure my PC had “current AD config”), I attempted login with my Apex Flex. Once it was recognised, my profile picture disappeared, and I saw “Other User” instead. I entered my security pin, and Windows created a brand new account for me. WTF.

  8. I logged back into my actual account, and deleted the new one. I dug around more and figured out that it was the “principal name” of my user in Azure AD. I have a custom domain for my account, so that’s not unexpected. Microsoft had generated me one that was completely different to my actual email address. I registered my domain with Azure and updated my principal name. Another reboot later, and I attempted login again. Same thing, except now, the new user had a name that made sense.

  9. Switched back to my normal account and I noticed that the “new account” isn’t visible in any control panel, settings window, nor console command. The user profile folder exists, but otherwise this user doesn’t. No idea what’s going on here and I’m concerned that I may have to re-create my user account just to get this working via Azure AD.

I enjoy dicking around with stuff like this, but at the moment I think I’m at a brick wall. My limit for jank and “special setup” ends at requiring me to move user accounts on this PC, so for now I’m gonna sit tight and see what happens.

So close!

5 Likes
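The AAGUID handling from steps 5 and 6 above, as an added example that is not part of any post in this thread: it converts a base64-encoded AAGUID (the form WebAuthn test sites show) into GUID text, extracts the AAGUID from WebAuthn registration authenticator data, and checks it against an allow-list of the kind entered on the Azure AD FIDO2 “Configure” page. The AAGUID value, rpId and authenticator data below are constructed for the example; the Apex Flex’s real AAGUID is not given on this page.

```python
import base64
import hashlib
import struct
import uuid

# WebAuthn authenticator data layout (registration):
#   rpIdHash (32) | flags (1) | signCount (4) | attestedCredentialData (only when flags.AT is set)
# attestedCredentialData: aaguid (16) | credentialIdLength (2) | credentialId | credentialPublicKey (COSE)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included


def aaguid_from_base64(b64: str) -> str:
    """Convert a base64 or base64url AAGUID (as shown by WebAuthn test sites) to GUID text."""
    std = b64.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)  # restore any stripped padding
    raw = base64.b64decode(std, validate=True)
    if len(raw) != 16:
        raise ValueError(f"AAGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes=raw))


def aaguid_from_auth_data(auth_data: bytes) -> str:
    """Extract the AAGUID from registration authenticator data; it is only present when AT is set."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data (AT flag clear)")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def is_allowed(aaguid: str, allow_list) -> bool:
    """Case-insensitive GUID comparison against an AAGUID allow-list."""
    return uuid.UUID(aaguid) in {uuid.UUID(a) for a in allow_list}


def build_sample_auth_data(aaguid: bytes, flags: int = FLAG_UP | FLAG_UV | FLAG_AT) -> bytes:
    """Constructed registration authenticator data for the made-up rpId 'example.com' (fixture only)."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    sign_count = struct.pack(">I", 0)
    cred_id = bytes([0xAA]) * 16
    cose_key_stub = b"\xa1\x01\x02"  # placeholder COSE map; not parsed here
    attested = aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key_stub
    return rp_id_hash + bytes([flags]) + sign_count + (attested if flags & FLAG_AT else b"")
```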

Can confirm, that’s standard WebAuthn flow.

This is not up to us, this is up to Microsoft if they ever want to enable Windows machine login via FIDO for Microsoft or local accounts. Nothing we can do about it except invest a lot of engineering to write our own authentication provider (which then would only work for local accounts anyway).

Correct. FIDO requires an authoritative relying party if no special HMAC algorithm is used. At the time of writing, Microsoft supports FIDO machine login ONLY for Azure AD and Azure Hybrid AD enrolled machines. Microsoft declined to comment on my question of whether they plan to bring this to end-user Microsoft or local accounts.

This can work if your Azure AD admin registers the Apex AAGUID as allowed in the AD configuration, and only once we have a FIDO certification as well as a Microsoft certification. We currently have neither, so AD login won’t work.

Interesting that you got that far, I always thought Azure AD had a hard requirement on certification from both FIDO and Microsoft.

So, moving forwards:

  • Hope and beg for Microsoft to enable FIDO machine Login for end user Microsoft account and local accounts.
  • Or write a custom credential provider for local accounts using hmac-secret. This requires substantial effort and careful consideration of LSA security.
  • Or join an Azure (Hybrid) AD.

There might be an option to log into your PC using certificate auth using the PGP applet, or maybe the (future) PIV applet.

3 Likes

Thanks for the reply!

It certainly works end-to-end here - disabling enforced attestation is the key detail. I honestly think that if you were setting up a PC from scratch, or, unlike me, you didn’t care about keeping the exact same user profile, what I got working would be “just done”. Nothing else to do!

Given you can set up Azure AD for free in around an hour, I think it’s probably enough for people who want a login-to-windows-with-apex solution. The bonus is that there’s zero third-party anything involved :grinning:

Every single digit is crossed.

I got pretty damn close to this working but hit roadblocks I don’t know enough about to solve. I’d love some help here if you know anything about it. I could work it out, given time… Endgame, I want to see some public-facing documentation about this crazy world. I dove in knowing it’d be “typical edge-case janky exploration”, but I know that even just a little documentation would help those on the fence jump in.

2 Likes

Epic find. Thank you for your research!

Be the change you want to see in this world. :smiley: Pull requests to flexsecure-applets/docs at master · DangerousThings/flexsecure-applets · GitHub are welcome and encouraged! The Azure configuration would be great to document there, e.g. in the document on FIDO2 (flexsecure-applets/6-fido2.md at master · DangerousThings/flexsecure-applets · GitHub) .

I’m looking at either the VivoKey Apex Flex or the flexSecure Java Card for use as FIDO2 passwordless with Windows and Azure AD among others. Does anyone know if there’s a card out there that I can use to test before buying the whole implant?

We are working on sourcing some cards for testing… But right now there are some issues.

Keep in mind that although planned, there is not yet a mechanism to load VivoKey closed-source applets (such as the FIDO2 or the Tesla applet) to the FlexSecure. The Apex Flex can install these applets via Fidesmo.

An installation mechanism for the FlexSecure is planned, but I don’t know when it will be available.

I got my test cards from https://www.javacardos.com/store/products/11020 , some others mentioned https://www.cardlogix.com/ . Your mileage may vary, JavaCardOS goes down from time to time.

What I mean by this is Apex Card test cards… works with Fidesmo etc… just to be clear.

I’ll take a look, thanks!

Just curious, if you’re using an external NFC adapter to configure or read the card you’ll need a non-Proxmark device, correct? Is there a keyword or type of device that’ll be the best bet for widest coverage of compatibility? I don’t think I can configure my Proxmark to be used for the authentication so I’ll probably need a USB reader.

For the Apex Flex and FlexSecure chips, you need a PC/SC compliant ISO 14443 NFC reader. A popular choice is the ACS ACR1252U (https://www.acs.com.hk/en/products/342/acr1252u-usb-nfc-reader-iii-nfc-forum-certified-reader/)

Do you know what the difference between an SDK and a Keystroke reader is?

The ones I can get at a discount are the RFIDeas waveid (last 4 SKUs) but I can’t tell between the RDR-75U1AKU which is described as a keystroke vs the RDR-75U2AKU which is listed as raw-data / SDK…

Does that mean that I’ll need both a keystroke one for the actual authentication and the SDK one to program and do the experiments? Ideally I’d prefer to just get the one that has the most features (I’d assume the SDK one?), but the SDK is over $50 cheaper, which seems counterintuitive; if it’s an SDK I’d assume it’s the complete retail / end-customer unit plus development features.

I would assume a keystroke reader to emulate a USB keyboard and just dump the data from the chip. This is not what you need probably.

Unfortunately, the public documentation of the reader you linked is quite sparse. According to https://cdn.webshopapp.com/shops/25475/files/391904780/wave-id-nano-usb-c-pa-124.pdf and https://www.rfideas.com/support/tools/supported-card-types it should be able to do ISO14443A, but no idea what OS protocols it supports.

If you are set on this type of reader, I recommend emailing the manufacturer and inquiring specifically about PC/SC & CCID support for your operating system (you might want to specify the target chip as NXP SmartMX3 P71D321).

Also, I don’t know how well such a small reader couples to the implant. I guess alignment is a bit more finicky than on a full-size reader.

I got a response from the vendor:

Our CCID / FIDO readers are:
RDR-80586AKU – desktop
RDR-80086AKU – desktop
RDR-7516AKU – 13.56 MIFARE CSN/FIDO Nano
RDR-7016AKU – iCLASS ID/SE/SEOS/FIDO Nano

They’ve requested feedback on the progress of this so I’ll try to get them some info once I can learn more.

I did manage to find some more info about their FIDO2 compatibility here, unfortunately it looks like the only ones in their list of certified readers are the 7516AKU (SDK available) and the 80586AKU (SDK available “for writing apps to the reader”).

I think given that the ACS ACR125 seems to be the “starter” in the community I’ll get one of those first as that’ll let me benefit from the known issues and contribute any solutions I find. Once I get that working I’ll swap over to the RFIDeas nano as that’ll be easier to keep in my laptop and embed in the monitors.