Should I get an Apex or FlexSecure?

What are the differences truly? I get that there’s no fidesmo support on the flexsecure but I’m not entirely sure what that means. I want to be able to do OTP and NAK but I don’t know which implant is better for me.

See flexsecure-applets/docs/ at master · DangerousThings/flexsecure-applets · GitHub for a writeup.

Essentially, he flexSecure is an Apex Flex,

  • Without the Fidesmo App store
  • Without the possibility to get payments working ever
  • With the administrative root key available for you
  • With more memory for free use
  • Without the ease of use of a mobile app
  • With the requirement to know development tools and console programs

The only other thing I can think of is that the official certified fido2 app release from VivoKey won’t be available to the flexSecure but U2F is / will continue to be.

Is it possible to “apexify” an installed flexSecure, and if not: why? Would be really cool to have at least a part of the space usable for the apex ecosystem…

Technically, it might be possible, but that won’t happen.
Fidesmo won’t trust anyone outside their certified procedures to handle the secret master key for a chip or the keys that make payments possible.
And i don’t see them provisioning individual chips if you show up at such a place.
It’s all or nothing.

1 Like

You can install most Apex apps on the flexsecure as well, at least the ones which are open source (compile them yourself or download from GitHub)

Exceptions include (closed source):

  • Certified FIDO2
  • Payments (Not available in any implant atm due to Mastercard contracts, but possible in theory in the Apex via Fidesmo)
  • Upcoming NDEF CMAC

We are exploring options to get proprietary applets on the FlexSecure as well, but that is a low priority task at this point in time. It is also complex to bootstrap a root of trust in the field.


Sorry, but implant-payment IS available with NXTPAY or Walletmor. How comes that they have it working? Cause they don’t run something else on their chips? Or what is the exact problem for VivoKey?

They operate in a legal gray zone. MasterCard is not able to know which chips are made into an implant. Fidesmo does not use credit card chips which expire, instead they do actual tokenization. @amal might he able to comment on details.

1 Like

In short, Walletmor and nxtpay are conversions. A working certified payment device has it’s chip extracted and made into an implant. It’s not sanctioned by any payment network.

1 Like

This makes things much clearer, thanks!

I got an Apex Flex installed almost a year ago for OTP and random storage, 10/10 would recommend.

1 Like

The FlexSecure … bricks itself after too many failed master password attempts … welp thats a really stupid approach for subdermal implants if ive ever seen one

The Apex will brick itself just the same if you try to access it like you would a FlexSecure via GlobalPlatform, using the wrong key (i.e. not the one Fidesmo uses internally).

This behavior is implemented in hardware in the P71 chip by NXP as a security measure for the actual intended use for credit cards, passports, etc. and cannot be changed (?). I agree that it is not optimal for implants, however at this point in time we don’t have the volume to order a batch of custom chips from NXP. Best be careful with what keys you use for authentication, if you decide to change the default key.

We are exploring ways to circumvent these issues, but this is still under research.

GlobalPlatformPro even warns you repeatedly when using the wrong key. This is a well known security feature of secure elements like the P71. The flexSecure is meant for people who understand these risks yet prefer to operate fully autonomously. If you’re looking for “just works” out of the box performance, the Apex Flex is probably your better bet.

1 Like