Yubico Forum

Re: YUBIKEY NEO with firmware 3.2.0

2015-03-19T15:51:33+01:00

squidbox wrote:

What you're quoting is correct: We ensure that new YubiKeys will function the same as older versions. That is, new YubiKeys are backwards compatible. So if you've deployed a solution including YubiKeys with firmware 3.1, you can rest assured that for example firmware 3.3 will also work with your solution.

This is a different thing from YubiKeys being upgradable ("forwards compatible").

Statistics: Posted by henrik — Thu Mar 19, 2015 3:51 pm

Re: YUBIKEY NEO with firmware 3.2.0

2015-03-19T09:11:05+01:00

darco wrote:

Where did they say they could update older keys?

I don't think they have the physical capability to do what you are asking. Being upset about it won't help.

You bought keys that did not advertise U2F. You got keys that didn't have U2F. Just because a later product was released with this feature doesn't mean you are entitled to have that feature added to your older device.

I bought my Yubikey Neo (fw 3.2) with the understanding that: "When we do release new firmware, we ensure the new YubiKey will function the same as with older versions, so there is no need to purchase new YubiKeys to ensure compatibility.", which is a direct quote from this Yubico FAQ article.

While my main usage of the Yubikey is as a physical PGP key, I was very interested to try out U2F. Now, I'll most likely look to other U2F solutions instead.

Statistics: Posted by squidbox — Thu Mar 19, 2015 9:11 am

Re: YUBIKEY NEO with firmware 3.2.0

2015-01-15T23:42:31+01:00

techstud wrote:

What if we mailed in our current/existing Yubikey for a discount? Yubico, the company, can either re-sell them at discounted prices to those that do not want/need updated hardware or destroy them, and we get a discount towards the updated hardware we need? Fair?

The administrative costs of such a scheme would wipe out the value of any credit, and Yubico would have to pay disposal costs for the mailed in keys. I cannot see any way they could be resold, as each mailed in NEO would have to be wiped of customer data in the apps and tested before resale, which isn't cost-effective.

I know a NEO isn't free but, as I said in my earlier reply, these are relatively inexpensive devices with a high level of functionality, even in 3.2.0 guise.

If you want to upgrade and offset some of the cost, why not put your existing NEO on eBay?

Statistics: Posted by DavidW — Thu Jan 15, 2015 11:42 pm

Re: YUBIKEY NEO with firmware 3.2.0

2015-01-14T21:54:02+01:00

ChrisHalos wrote:

Unfortunately there is no method for updating the firmware on pre-3.3 NEOs, and no discounts offered at this time. The cheapest way for an existing NEO owner to add U2F functionality is to purchase a Security Key ($18 with no shipping costs on orders over $35 on Amazon), or $23 with standard US shipping from the Yubico Webstore ($18 + $5 for standard shipping).

Statistics: Posted by techstud — Wed Jan 14, 2015 9:54 pm

Re: YUBIKEY NEO with firmware 3.2.0

2014-12-19T21:33:28+01:00

Public release of an updater creates a denial of service attack vector against deployed NEOs if, as I expect, it wipes the user data on the NEO.

U2F requires the device to have an attestation certificate attesting to its provenance. Yubico would dilute the value of their attestations if they distributed an update that attests a device outside their physical control.

Public release of an updater might assist with the creation of fake NEOs.

It is possible that my three concerns above could be overcome, especially if publicly distributed new firmware will only install on a device that authenticates itself as a NEO with existing firmware. Even so, distributing an updater has costs for Yubico that they cannot recoup, especially in terms of technical support.

I know the norm these days is for firmware updates to be distributed freely, but security devices require a different way of thinking. If you buy a device and an advertised feature does not work correctly, you have a case for replacement or refund. However, you do not buy any sort of entitlement to future enhancements.

The NEO is an inexpensive device for the functionality it now has.

An OpenPGP smartcard 2.0 is EUR16.40 from Kernel Concepts, or EUR17 if you want a card with an ID-000 size breakout ("mini SIM" size). A USB ID-000 reader is EUR18, so that's EUR35 for a USB device that only supports OpenPGP, has no contactless functionality and is less physically robust than a NEO. This device does support 4096 bit RSA keys, unlike the NEO, but 4096 bit RSA keys have relatively little additional entropy over a 2048 bit RSA key.

A Gemalto IDPrime PIV card is available in dual interface format from Gemalto's web store for EUR37.34. Unlike the NEO, these cards are approved for US Government and NATO use, but this is of little value to the average NEO purchaser. As a dual interface card, it supports contactless but cannot be cut down from credit card size.

On the day I'm writing this, Yubico are selling NEOs for US$50, which is around EUR41 depending on the exact exchange rate you use. Even an older NEO with 3.2 firmware would give you OpenPGP and PIV functionality, as well as the OATH applet and the Yubikey OTP slots with a pre-personalised YubiCloud OTP credential in Slot 1.

If you buy now, you get a device with 3.3 firmware which also offers U2F functionality on USB.

The NEO is more robust and easier to carry than either of the comparison devices I've given. It needs no expensive proprietary middleware for full functionality (a drawback of the Aladdin eToken devices I used to use) and merely needs a USB port or suitable contactless reader to use.

At the moment, U2F is of limited value - it works with Chrome against Google via the USB interface only. The standards for U2F over a contactless interface have yet to be finalised, so it is unclear whether whatever support exists in the 3.3 NEO firmware will comply with the final standard.

When browser and site support for U2F has grown, the U2F over contactless standard is ratified and the NEO firmware has had chance to mature further, there is more of an argument for buying a new device.

In time, I expect the OpenPGP applet to support elliptic curve keys. Elliptic curve support has finally been released in GnuPG 2.1, though I'm not sure there is a version of the OpenPGP smartcard standard with elliptic curve key support yet. I realise it will be many years before elliptic curve PGP keys are usable outside small closed groups, as users are typically rather slow to update to new security software versions.

The NEO might migrate to a newer hardware platform that fully supports 4096 bit RSA keys and SHA512 (the latter is needed for a Bitcoin wallet app).

One feature I miss from the eToken is the ability to carry intermediate certificates on the device, which is a feature I didn't find in my reading of the PIV standards, so the public CA issued certificates I have in the PIV applet don't chain to a public root via plug and play.

There will undoubtedly be further enhancements from Yubico and I will have to decide when to replace my NEO 3.3 with the latest version and make my current NEO a backup device. However, unless I lose or destroy my NEO, I expect it to provide the feature set it has today for years to come. It isn't perfect, but it is an inexpensive investment in high grade security offering a wide range of functions in a single device.

Statistics: Posted by DavidW — Fri Dec 19, 2014 9:33 pm

Re: YUBIKEY NEO with firmware 3.2.0

2014-12-19T17:07:50+01:00

ur right, u dont think... u dont see an issue with having to purvhase a 4th key? also this was from their blog

With regards to the YubiKey NEO and DFU…
– The YubiKey NEO technically does support DFU, but requires the new firmware image to be signed by us. Yubico does not endorse nor support use of DFU for users

Statistics: Posted by dreamss — Fri Dec 19, 2014 5:07 pm

Re: YUBIKEY NEO with firmware 3.2.0

2014-12-01T20:32:11+01:00

Statistics: Posted by darco — Mon Dec 01, 2014 8:32 pm

Re: YUBIKEY NEO with firmware 3.2.0

2014-11-29T14:05:39+01:00

nice to see you guys wont bother to reply or even try to acomodate customers, glad I invested on several keys from you guys. not seeing why i should bother to waste more money with your company or recomend your products

you guys says your able to update our keys, and wont bother to even offer a paid service to do so once we wiped our keys

thanks for nothing

Statistics: Posted by dreamss — Sat Nov 29, 2014 2:05 pm

Re: YUBIKEY NEO with firmware 3.2.0

2014-11-10T09:51:47+01:00

ruvhell,

you have been already contacted by our orders dpt. I strongly recommend you to delete your personal order information as someone may use social engineering to get through.

I will edit the post for you, please be more mindful in the future about this.

Tom

Statistics: Posted by Tom — Mon Nov 10, 2014 9:51 am

Re: YUBIKEY NEO with firmware 3.2.0

2014-11-07T09:26:42+01:00

ChrisHalos wrote:

Unfortunately there is no method for updating the firmware on pre-3.3 NEOs...

Hello. Order Number: xxxx Invoice xxxx
Wednesday 22 October, 2014 I ordered YubiKey NEO. On Wednesday 5 November I received an order. When I ordered I read on site that it supports U2F.
in cach from 20 October 2014 17:27:00 GMT we see
http://webcache.googleusercontent.com/s ... y-hardware
that PREMIUM NEO was support U2F Security Key

But now in Neo Manager I can not run (select) it. (I see that firmware is 3.2.0 and U2F not support)

Ticket 00008413 unanswered

I want that you will have sent me a NEO key that supports U2F.

Statistics: Posted by ruvhell — Fri Nov 07, 2014 9:26 am

Re: YUBIKEY NEO with firmware 3.2.0

2014-11-05T03:18:13+01:00

can we pay and send u guys our youbkey to get it updated.. currentlyh own 3 neos

AND I DONT WANT TO FREAKING WASTE MONEY BUYING A NEW NEO EVERY YEAR TO GET NEW FEATURE SUPPORT

the lack of forsight on this its on you guys... this is freaking lame

what im gonna do with this old worthless neos? -_-

With regards to the YubiKey NEO and DFU…
– The YubiKey NEO technically does support DFU, but requires the new firmware image to be signed by us. Yubico does not endorse nor support use of DFU for users.

Statistics: Posted by dreamss — Wed Nov 05, 2014 3:18 am

Re: YUBIKEY NEO with firmware 3.2.0

2014-10-30T09:33:03+01:00

Maybe this is not right thread for this question, but:

ChrisHalos wrote:

Unfortunately there is no method for updating the firmware on pre-3.3

Does it means that firmware 3.3 is upgrdable? For example if you find bug in PGPApplet then it can be fixed? Or if FIDO finish specification of U2F NFC, then current applet can be upgraded?

You should prepare article about it. We should know if bought device will be the same to end of world, or there is a way for bugfixes or protocol changes. First release of NEO coddled us a bit

So, please, write official statement about future of latest devices with firmware 3.3.

Statistics: Posted by bmalkow — Thu Oct 30, 2014 9:33 am

Re: YUBIKEY NEO with firmware 3.2.0

2014-10-27T15:17:03+01:00

What if I own a NEO developer edition, is there an U2F applet I can download and install? Or do I have to read the spec and implement it myself?

Statistics: Posted by jborgstrom — Mon Oct 27, 2014 3:17 pm

Re: YUBIKEY NEO with firmware 3.2.0

2014-10-23T00:22:07+01:00

Statistics: Posted by ChrisHalos — Thu Oct 23, 2014 12:22 am

YUBIKEY NEO with firmware 3.2.0

2014-10-22T23:24:29+01:00

I have YUBIKEY NEO ($50) with firmware 3.2.0.
I want to use U2F with Google. So I must buy new one with firmware 3.3.0?
Is there any discount for new one?

Thanks.

Statistics: Posted by svanya — Wed Oct 22, 2014 11:24 pm