
Using the Yubikey 5 NFC on iOS (and Android, and macOS, and Linux)

TL;DR Works in principle on iOS, but does not work in practice. If you're thinking of getting one to NFC tap the key to your phone when prompted for a security key as a second factor, this does NOT work.

PROTIP: Set up BOTH your primary key and a backup at the same time, especially for accounts where the physical key is required and is the only U2F accepted.

I just bought a pair of Yubikey 5 NFC security keys, as a more convenient alternative to phone apps like FreeOTP, Authy, Duo Mobile, or Google Authenticator for generating a numeric one-time second factor for logins.

Despite the description, the Yubikey 5 NFC does not work well with iOS. I have an iPhone 11 Pro running iOS 13.3 Beta. If you hold the Yubikey up to the back of the phone (near the top, next to the camera lens cluster), it will pop up an alert that asks if you want to open a web page in Safari for verification. This is the WebAuthn protocol.

I set up all my Google accounts to use the Yubikey, and also Facebook and GitHub. When trying to sign in using the Chrome browser on iOS, tapping the Yubikey to the phone does not work as a second factor. It just pops up the "Open NFC link in Safari" alert.

They do have a Yubico Authenticator app. This app is available on iOS, Android, macOS, Windows, and Linux. It takes the place of Google Authenticator (and the usual mobile time-based OTP apps). The difference is that you need to tap the Yubikey to the phone (or plug it into a USB port if you're using it on a computer) to generate the numeric second factor to be typed in.

The vulnerability of all the usual phone-based OTP apps (besides the possibly weaker crypto parameters used) is that the cryptographic secrets are stored on the phone, and may be compromised by malware. Using Yubico Authenticator moves the cryptographic secret to the physical key.

HOWEVER, the Yubikey 5 NFC does not work as expected with this app on iOS: all it does is again pop up the alert to open Safari with a verification URL. It seems to only work if you have the Yubikey 5Ci with Lightning and USB-C connectors. (I am assuming, since I do not have one of these to test.) Even using Chrome and then trying to log in to GitHub, it does not work.

So, all in all:

  • I like that logging in on a computer or laptop is now simplified
  • I am annoyed that it does not work on the iPhone: had I known, I would have gotten the cheaper Yubikey (less than half the price of the Yubikey 5 NFC)

Maybe the product I am looking for is the yet to be released Yubikey 5C NFC. Honestly, why is there such a broad product line?

On Android, using a Nokia 6, things seem to work as expected, with a minor hiccup. Note that I am not using the Yubico Authenticator app.

I run Chrome and log in to GitHub. I select “Security key” as the second factor when prompted. Then I hold the key to the back of the phone, and I am in. The glitch is that a new tab also opens on the Yubico verification website. I think the URL is embedded in the NFC.

On the macOS side of things, everything works as expected using Google Chrome. (Safari does not support USB security keys.)

This post will be updated when I try this on Ubuntu Linux and a Chromebook at work, tomorrow.

UPDATE 1: Works fine on Firefox macOS.

UPDATE 2: Works with Chromebook since it's a Chrome browser. HOWEVER, there seems to be no setting to use it as a second factor for logging into the Chromebook itself.

UPDATE 3: Works with Chrome and Firefox on Ubuntu, as expected. U2F for sudo following the instructions from Yubico also works: as noted there, if the u2f_keys file has been moved to the root-only directory /etc/yubico, the option “authfile=/etc/yubico/u2f_keys” must be appended to the pam_u2f line in the PAM configuration. The same setup will also require the USB key for logins: after you type in your password and hit Enter, the USB key will start flashing, and you touch the flashy bit.
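An added example, not from this post or from Yubico's own documentation: a POSIX shell fragment that assembles the single per-user u2f_keys line pam_u2f reads when a primary and a backup key (the PROTIP above) are both registered, emits the PAM line with the authfile= option for the root-only /etc/yubico location described in UPDATE 3, and sanity-checks a key file's layout. The username, credential strings and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: assemble the pam_u2f mapping for a
# primary plus a backup key, and the PAM line for a root-only key file.
# All usernames, credentials and paths below are constructed placeholders.

# What `pamu2fcfg` prints for the primary key (with username) and for the
# backup key run with `-n` (no username, ready to be appended).
PRIMARY='alice:KH_PRIMARY_PLACEHOLDER,PK_PRIMARY_PLACEHOLDER,es256,+presence'
BACKUP='KH_BACKUP_PLACEHOLDER,PK_BACKUP_PLACEHOLDER,es256,+presence'

# merge_u2f_entries USER_LINE BACKUP_CRED -> one line "user:cred1:cred2".
# pam_u2f keeps every credential for a user on a single colon-separated line,
# so registering the backup is an append to that line, not a second line.
merge_u2f_entries() {
    printf '%s:%s\n' "$1" "$2"
}

# pam_line_for_authfile [KEYFILE] -> the line for /etc/pam.d/sudo (or login).
# Without an argument pam_u2f looks in the user's own ~/.config/Yubico/u2f_keys;
# once the file is moved to root-only /etc/yubico the authfile= option is required.
pam_line_for_authfile() {
    if [ -z "$1" ]; then
        printf 'auth required pam_u2f.so\n'
    else
        printf 'auth required pam_u2f.so authfile=%s\n' "$1"
    fi
}

# check_keys_file FILE -> exit 0 if every non-blank line is user:cred[:cred...]
# and each cred carries at least keyhandle,publickey; problems go to stderr.
check_keys_file() {
    awk -F: '
        BEGIN   { bad = 0 }
        NF == 0 { next }
        NF < 2  { print "line " NR ": no credentials"; bad = 1; next }
        {
            for (i = 2; i <= NF; i++)
                if (split($i, f, ",") < 2) { print "line " NR ": bad credential " i-1; bad = 1 }
        }
        END { exit bad }
    ' "$1" >&2
}

# Stand-alone demo: the merged mapping and the sudo PAM line for /etc/yubico.
merge_u2f_entries "$PRIMARY" "$BACKUP"
pam_line_for_authfile /etc/yubico/u2f_keys
```

Keeping the merged file under /etc/yubico with root ownership is what stops a user from re-registering their own key without root, which is the point of moving it there.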

UPDATE 4: If you use KeePassXC for storing passwords, it can be configured to require a YubiKey for challenge-response. This has to be manually set up with Yubico's YubiKey Personalization Tool. A setup tutorial video is here.
