Vivokey U2F for Google

I’ve been looking at the Vivokey stuff as I want to get started with getting some implants. I just got a new Yubikey and realized it would be really cool if this was in my hand instead.

It looks like some form factor of the Vivokey is supposed to be able to do this, but I’m not clear on if it requires interaction with the Vivokey specific app.

I’m looking to use it with Google/GMail and LastPass on iOS. Is this something it can currently do or do the U2F - 2FA capabilities require the app?

I did see the other thread where app communications on iOS are still restricted in iOS 13, so I do understand that everything you are trying to do with the Vivokey app can’t be done.

You will be able to store your 2FA keys on the Vivokey Flex. You use the Vivokey authenticator app and when a service you are trying to log into asks for your 2FA code, you scan your tag and the app will give you the code. You can use this with any standard 2FA login. I use it for a bunch of services including in place of the Google Authenticator app.

Hmmm thanks. Sounds like the crypto/auth is from the Flex to the Vivokey app.
The Vivokey just unlocks the app on the phone providing access to data that is on the phone or transfers the 2FA code from the Flex to the Vivokey app?

Either way, it doesn’t sound like what I was looking/hoping for :confused:

Good to understand better though.

The keys are stored on the Flex. I don’t think the keys come off the Flex, so they are never sent to the phone, but I’m not 100% sure on that. @amal would have to chime in.

Sounds like the secret is stored in the Flex and it generates TOTP pin, then transfers that to the app.

Which then gets typed manually or copy/pasted where it needs to be?

To clarify, the OTP applet that runs on the VivoKey Flex One beta stores keys and generates codes internally. The phone simply acts as an interface.

We are also working on U2F and WebAuthn applets for the VivoKey Flex One. Those will work as any other contactless U2F token.

Thanks!

That sounds great! That means they will work without a vivokey branded app?

Glad to hear this is all happening already - now I’m just gonna have to figure out where I want to install the flex one :rofl:

Are there other apps that read keys off a card? What app are you looking to use?

To be clear, it would not read the keys… the card / chip / implant still keeps those internally and performs the crypto internally… the app just acts as an interface.

The OTP applet requires the VivoKey app. We removed some DoS attack vectors from the Yubico master and forked our own version without those vulnerabilities… and so to make it clear and stable, we use our own applet AID and mobile apps for OTP.

The U2F and WebAuthn will be certified standard codebases so it should work as any other contactless U2F / WebAuthn token would work.

That’s what I meant. :slight_smile:


coolio… I guess the correct word is “codes” which are generated from the keys inside the chip.
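The split described in this thread (key stored and code generated on the chip, phone acting only as an interface) can be modelled in a few lines. This is an added example, not part of the thread and not VivoKey's or Yubico's code; the class names `OtpToken` and `PhoneApp` are hypothetical, and it assumes the phone supplies the time step because a passive chip has no clock.

```python
import hashlib
import hmac
import struct


class OtpToken:
    """Stands in for the applet on the chip: the key goes in once and has no read path."""

    def __init__(self, secret: bytes, digits: int = 6):
        self.__secret = secret          # never returned by any method
        self._digits = digits

    def calculate(self, challenge: bytes) -> str:
        # HOTP (RFC 4226) over the host-supplied 8-byte counter.
        mac = hmac.new(self.__secret, challenge, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F         # dynamic truncation
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(value % 10 ** self._digits).zfill(self._digits)


class PhoneApp:
    """Stands in for the mobile app: holds no key, supplies the time, shows the code."""

    def __init__(self, token: OtpToken, period: int = 30):
        self._token = token
        self._period = period

    def code_at(self, unix_time: int) -> str:
        # TOTP (RFC 6238): the challenge is the number of elapsed periods.
        challenge = struct.pack(">Q", unix_time // self._period)
        return self._token.calculate(challenge)


# Constructed sample: the published RFC 6238 test secret, not a real credential.
token = OtpToken(b"12345678901234567890", digits=8)
app = PhoneApp(token)

if __name__ == "__main__":
    print(app.code_at(59))
```

Only the challenge and the resulting code cross the boundary between the two classes, which is why a compromised phone can request codes while the chip is presented but cannot copy the key.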