YubiKey 5 NFC with 1Password on iOS

tl;dr Yubikey 5 NFC works great with 1Password on iOS (assuming your phone has NFC).

I just got 1Password to use on my iPhone and my Mac. The website allows using a Yubikey as a second factor (in addition to apps, like Authy or Google Authenticator). Turns out, the iOS 1Password app also handles the Yubikey 5 NFC properly: open the app and it asks for the password, and then for the second factor. If you scan your Yubikey using NFC, the app recognizes it. 

The alert pointing to the special website also appears, but it is not necessary to go to it.


Ubuntu optical drives

After spending about 45 minutes trying to figure out why the optical drive (ASUS BW-16D1HT) I installed in my new computer build was not being seen by Ubuntu 18.04, a post at AskUbuntu (I did not save the link) mentioned that the optical drive should be installed in the first SATA slot (ID 0 [zero]). After I did that, and rebooted, it worked fine:

  • insert a DVD or Blu-Ray disc, and the Nautilus file manager mounts it automatically
  • open VLC, and select the drive (now correctly known as /dev/cdrom or some similar friendly name), and it see the DVD properly and can play it

Regarding playing DVDs: you need to install VLC, and a bunch of codecs, typically in a “restricted” repo. Here is the official documentation -- no need to add third-party repos.

sudo apt install libdvd-pkg && sudo dpkg-reconfigure libdvd-pkg

You will also want to use "sudo apt install vlc" to install VLC. For some reason, installing using the graphical Software marketplace app gives you a slightly older version.

sudo apt install vlc

If you want (or need) to set your device region code:

sudo apt install regionset && sudo regionset

You may need to specify a device to regionset, e.g. /dev/cdrom


Using the Yubikey 5 NFC on iOS (and Android, and macOS, and Linux)

TL;DR Works in principle on iOS, but does not work in practice. If you're thinking of getting one to NFC tap the key to your phone when prompted for a security key as a second factor, this does NOT work.

PROTIP: Set up BOTH your primary key and a backup at the same time, especially for accounts where the physical key is required and is the only U2F accepted.

I just bought a pair of Yubikey 5 NFC security keys, as a more convenient alternative to phone apps like FreeOTP, Authy, Duo Mobile, or Google Authenticator to generate a numeric one-type second factor for logins.

Despite the description, the Yubikey 5 NFC does not work well with iOS. I have an iPhone 11 Pro running iOS 13.3 Beta. If you hold the Yubikey up to the back of the phone (near the top, next to the camera lens cluster), it will pop up an alert that asks if you want to open a web page in Safari for verification. This is the WebAuthn protocol  

 

58B7FE4E-2412-48E0-998E-E1673A244CF9
 

I set up all my Google accounts to use the Yubikey, and also Facebook and Github. When trying to sign in using the Chrome browser in iOS, tapping the Yubikey to the phone does not work as a second factor. It just pops up the "Open NFC link in Safari" alert.

They do have a Yubico Authenticator app. This app is available on iOS, Android, macOS, Windows, and Linux. It takes the place of Google Authenticator (and the usual mobile time-based OTP apps). The difference is that you need to tap the Yubikey to the phone (or plug it in to USB if you're using it on a computer) to generate the numeric second factor to be typed in.

The vulnerability of all the usual phone-based OTP apps (besides the possibly weaker crypto parameters used) is that the cryptographic secrets are stored on the phone, and may be compromised by malware. Using Yubico Authenticator moves the cryptographic secret to the physical key.

HOWEVER, the Yubikey 5 NFC does not work as expected with this app on iOS: all it does is again pop up the alert to open Safari with a verification URL. It seems to only work if you have the Yubikey 5Ci with Lightning and USB-C connectors. (I am assuming, since I do not have one of these to test.) Even using Chrome and then trying to login to Github, it does not work.

So, all in all:

  • I like that logging in on a computer or laptop is now simplified
  • I am annoyed that it does not work on the iPhone: I would have gotten the cheaper Yubikey (less than half the price of the Yubikey 5 NFC)

Maybe the product I am looking for is the yet to be released Yubikey 5C NFC. Honestly, why is there such a broad product line?

On Android, using a Nokia 6, things seem to work as expected, with a minor hiccup. Note that I am not using the Yubico Authenticator app.

I run Chrome, and login to Github. I select “Security key” as the second factor, when prompted. Then, hold the key to the back of the phone, and I am in. The glitch is that a new tab also opens on the Yubico verification website. I think the URL is embedded in the NFC.

On the macOS side of things, everything works as expected using Google Chrome. (Safari does not support USB security keys.)

This post will be updated when I try this on Ubuntu Linux and a Chromebook at work, tomorrow.

UPDATE 1: Works fine on Firefox macOS.

UPDATE 2: Works with Chromebook since it's a Chrome browser. HOWEVER, there seems to be no setting to use it as a second factor for logging into the Chromebook itself.

UPDATE 3: Works with Chrome and Firefox on Ubuntu, as expected. U2F for sudo following the instructions from Yubico also works: as noted there, if the u2f_keys file has been moved to a root-only directory /etc/yubico, the option “authfile=/etc/yubico/u2f_keys” must be appended to the line. The same setup will also require the USB key for logins: after you type in your password and hit Enter, the USB key will start flashing, and you touch the flashy bit.

UPDATE 4: If you use KeePassXC for storing passwords, it can be configured to require a YubiKey for challenge-response. This has to be manually set up with Yubico's YubiKey Personalization Tool. A setup tutorial video is here.


Upgrading OpenWRT

OpenWRT is an open source wifi router operating system. I run it on my wifi router, in place of the manufacturer’s firmware/operating system.

If you upgrade OpenWRT, you may find that the web interface (LUCI) stops working. This may be because upgrading with a binary image bundle, as recommended, may not update packages that were manually installed using opkg. In particular, the SSL feature for the LUCI may break.

To fix it, I had to reinstall libuhttpd-mbedtls:

opkg install --force-reinstall libuhttpd-mbedtls


Holy moly. After literally years of wishing for it, with the latest High Sierra 10.13.4 update, macOS’s Keychain Access application now displays passwords in a fixed width font which distinguishes between O and 0, l and 1.


Upgrading the old Hackintosh to High Sierra

I was able to update from Yosemite 10.10 to Sierra 10.12 without any problems. And then, applied the update to 10.12.6 from the App Store.

The update to High Sierra was a bit different.

  1. Create installer USB drive with Unibeast
  2. Power off machine and disconnect HDD with home folders
  3. Boot from the Installer USB drive: make sure to use the machine's boot selection option to do so
  4. At the Clover screen, go to Options and set the following
  5. Boot options: dart=0
  6. SMBIOS: model is iMac13,2

Run the macOS Installer/Updater, targeting the system drive. After a few minutes, the screen will go black in a reboot attempt. Manually press the reset button. Use the firmware boot selection to pick the Installer USB drive as boot drive. At the Clover screen, set the same options/settings as above. Then, select the "Install macOS" boot drive that is on the system HDD (not the USB drive) to boot from.

The installer/updater should come up and continue the upgrade process. It will be a white or light grey screen, with a grey Apple logo, and a progress bar saying "Installing: About X minutes remaining".


Nokia 6 smartphone

Just got a new Nokia 6 smartphone, with lock screen offers from Amazon. Only $180 cheap. It runs Android 7.1.1 Nougat, stock except for the lock screen ads. Ars Technica likes it. It has been less than a full day, but I like it so far.

It looks nice: I got the copper version. And it's the biggest phone I have personally owned. It's not particularly fast, but it's a secondary phone that I use for work. The nice thing about the big screen is that Nougat enables split screen multitasking. Just touch and hold the "switch app" button (lower right, with the square shape icon). It also conveniently flags spam phone calls.

Here's the official product image from Nokia, the split screen, and the spam warning:

Nokia_6-color_variant-Copper

 

Screenshot_20170830-134336
Screenshot_20170830-134336


Manual iOS backups via iTunes only keeps latest

I discovered this the hard way. iOS backups using the iTunes application will overwrite any older backups. I made a backup of iOS 10.3.3 and then updated to iOS 11 beta, then immediately made another backup. Then I discovered that an old app did not save data in the usual way for iOS apps; it only allowed exporting as CSV. I previously made manual backups of all applicable app data in installed apps, but this particular app did not have one.

So, I have likely lost the data in that app. I happen to have a 10.3.3 backup from this morning in Time Machine. We shall see if it works.

UPDATE: Time Machine did capture the last 10.3.3 backup, so I can downgrade. Once again, a reminder that backups are a good thing.


Lightseal replacement on old cameras

I recently acquired a Yashica Mat-124G. As usual with vintage cameras, the light seals were rotten: gummy pieces of it were falling off.

Rather than shelling out the $10 (+ shipping) or so that some people are charging for replacement seals, I thought I would try to DIY. I found a blog post where someone had used adhesive-backed felt (available at most craft stores). So, I got some from Amazon since my local craft store did not carry any.

I cleaned out the old light seals with some Goof Off. Then, cut some 2-3 mm strips of the felt. I placed one, which went in crooked, so I ripped it off. Then I noticed all the lint. Just that small operation shed lots of lint. It was clearly visible on the cutting mat, and on my fingers. So, that was no good. I would not recommend felt. Maybe there is “photo grade felt” that does not shed? Anyway, I will be buying some bulk adhesive-backed closed-cell foam for the light seals. There are many listings on eBay, typically shipping from Hong Kong.


Google AIY Project - voice assistant

I saw issue 57 of MagPi magazine, the official Raspberry Pi magazine, on the newsstand last week, and it included a hardware kit to build a voice assistant like Google Home or Amazon Echo. It is produced by Google AIY Projects which aims “to put AI into the maker toolkit, to help you solve real problems that matter to you and your communities.” 

You just have to buy your own Raspberry Pi, and the SD card for storage, and a power supply if you don't have one handy. I got the Pi 3 Model B. A phone charger works well enough as a power supply, as long as it can put out a certain amount of current. 

It was pretty fun to assemble, nothing tricky and no soldering. Initially, the button light did not work, but a few minutes of flipping the LED and jiggling connections fixed it. I would say even a kid of 10 could do the assembly. The trickier bit is in doing the authentication stuff and getting API keys, etc. If  you have not done such a thing before, it's no big deal since the directions (in the physical magazine and the AIY website) lead you through it step by step.