Yubico Forum

IOS 11 opens the doors to NFC for developers called CoreNFC:
https://developer.apple.com/documentation/corenfc

About a month ago, someone asked about IOS NFC support here:
https://github.com/Yubico/yubioath-android/issues/58

However, it went unanswered (perhaps because the question was asked in yubioath-android).

Is anyone at Yubico aware of any plans to support NFS on iOS devices now, or does CoreNFC still not go far enough? (I'm assuming that beta access to iOS 11 allows one to test CoreNFC already)

Yubico has been experimenting with Core NFC, and has discovered two things:

1) The YubiKey NEO supports providing OTP codes via NDEF and works today with Android phones; however, the YubiKey NEO currently does not work with iOS 11 beta due to an NFC negotiation issue. We will provide further updates as we continue our investigation.

2) The iOS 11 Core NFC APIs currently allow reading NDEF tags only, with no application provided data sent to the tag. This means that without more open iOS APIs, only OTP could be supported.

Yubico has reported these issues, but because Apple wants to hear from their customers, those who are interested should let them know by submitting via bugreport.apple.com.

We hope at least #1 can be resolved before the iOS 11 release, and would love a more feature rich NFC API in the future to protect iOS users with advanced security protocols like U2F.

Has there been any progress as the iOS 11 cycle continues? I'm really interested in this and would like to go NEO even if it's just for TOTP—right now I'm using Authy to store my TOTP secrets and I'm not super happy with it.

No updates. When we have something new to share, we will comment on this thread.

Have you submitted a bug report via bugreport.apple.com as recommended above?

Not yet, but I intended to. Knowing whether you were still experiencing the problem was my first step.

Thanks for working on it!

Is there any news yet?

It seems that only developers can create a bugreport at bugreport.apple.com, normal AppleIDs are not permitted.

I think a blog will be posted on the website in a few days, but the short answer is - not really.

Developers will have to build NFC support into each individual application to retrieve the OTP from the NDEF tag. So if support for OTP over NFC is desired in an application (example: LastPass), the application developer would have to add support in their iOS app to handle the NDEF tag.

CoreNFC also doesn't allow write operations that are required for authentication protocols like U2F.

Thanks for your quick reply.

But wouldn't that enable you (yubico) to create an app that reads the OTP and esspecially TOTP codes from the yubikey?
Those codes could then be copy&pasted into the desired app.

It is not perfect, but it would be a lot better than running google authenticator on your phone. It is a first step.

I wish I understood this stuff better, but how do the CoreNFC limitations effect the possibility of PGP signing and decryption?

I will try to add some context here that will hopefully help people to understand the limitations of CoreNFC.

Functions absolutely NOT possible, as the CoreNFC API is read-only:
*Yubico Authenticator (no TOTP)
*U2F
*OpenPGP
*PIV
*Challenge-Response

The only that that could possibly work using CoreNFC is the slot-based button press credentials - Yubico OTP / Static Password / OATH-HOTP

The CoreNFC API is available from an app that explicitly calls it. That would mean that if Yubico came up with a YubiClip for iOS (example), the app would have to be launched by the user, then the YubiKey NEO could be tapped, and the OTP copied to clipboard. This adds a lot of extra steps over the Android version, where you can just tap and then immediately paste.

Where the CoreNFC API becomes more useful is for a third party app which supports Yubico OTP (example: LastPass), where the app itself calls the API when the user authenticates. This enables a more seamless user experience with NFC-based 2FA.

Yubico developers did just publish source code for a proof of concept of intercepting a slot-based credential: https://github.com/Yubico/ios-yubico-otp-nfc-demo.