Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 9:49 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 8 posts ] 
Author Message
PostPosted: Sun Nov 02, 2014 10:46 am 
Offline
User avatar

Joined: Sun Nov 02, 2014 9:23 am
Posts: 1
Location: Australia
I recently purchased a YubiKey NEO to add hardware 2FA when logging in to Password Safe on my PC and Android phone. This NEO was error prone anytime I tried to use HMAC-SHA1 Challenge-Response when user input was required. In Password Safe when I attempted to add YubiKey 2FA to my safe combination this would cause the YubiKey LED to begin flashing endlessly while giving me the error 'No response from YubiKey'. Whenever I attempted to test HMAC-SHA1 Challenge-Response within Personalization Tool it would give me a response but the following would occur:

1) The YubiKey LED began blinking endlessly.
2) It changed the firmware version to something like 14.244.194 within the Personalization Tool each time I attempt to get a response and 'Unknown firmware' would display where it usually states 'YubiKey is inserted'.
3) It alternated between saying 'Slot 1 configured' and 'Slot 2 configured' under 'Programming status' each time I attempted to get a response.

Yubico Support were very helpful. They RMA's the device immediately, which I returned to them for testing, and provided me with a code for a free replacement. I subsequently received a follow up email from Alvin at Yubico Support stating:

Quote:
We can confirm the endless blinking - it seems this might be related to a fault in our firmware. Our engineers are taking a closer look at it now...As for the codes you see, they are manifested as part of the Yubico OTP credential which is preprogrammed into the first slot of your YubiKey.

Two weeks later I received a second NEO only to discover that it too suffered from the exact same behavior. After contacting Yubico Support again to report this issue I received the following reply:

Quote:
Thank you for contacting Yubico Support. We apologize for the inconvenience. After some additional testing, our QA team has determined that the 3.3 firmware NEOs aren't working with Password Safe. The HMAC-SHA1 Challenge Response works on instances where user input is not required (Windows Login Tool), but not when user input is required. All previous versions of the firmware supported user input, and we'll get this fixed for the next firmware release. I've initiated a refund with our Orders department. They will contact you shortly. Please feel free to keep the device due to the inconvenience this has caused you.

Since YubiKey firmware upgrades are not offered for security reasons this issue will permanently effect all NEOs with 3.3 firmware, as confirmed in an further email I received from Yubico Support:

Quote:
HMAC-SHA1 Challenge Response that is configured to require user input will not work on Firmware 3.3 NEO devices.

I am very happy with the support I've received from Yubico. I've received a free YubiKey NEO that works in every circumstance but the above mentioned one. I'm lucky that the NEO is such a great piece of hardware with plenty of uses, so it's definitely going to still see a lot of use. I'm currently using it for 2FA on my Android device with Yubico Authenticator and I will likely purchase a NANO for use with Password Safe on my desktop with another NEO for my phone once new firmware has been released.

I was surprised that I couldn't find this issue reported anywhere. Is there a 'Known Issues' thread that I've missed?


Edited to add [BUG] to subject line as per forum guidelines.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Nov 03, 2014 4:04 am 
Offline

Joined: Sat Oct 18, 2014 3:41 am
Posts: 6
thanks for posting-

I have an older neo that works with password safe fine.

I just but two new ones for U2F and they just dont play nice with password safe. I mentioned it in another thread here but there was no response. I guess i need to contact support to see what they say...


Top
 Profile  
Reply with quote  
PostPosted: Wed Nov 26, 2014 10:34 pm 
Offline

Joined: Wed Nov 26, 2014 8:40 pm
Posts: 4
Thanks! I was having the same problem and wondered why the firmware was showing up like that. I changed mine from button press to no button press and it fixed that issue.

Though, the Logon Administrator is still not seeing the key as being configured. Not sure if it is another 3.3 bug.


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 27, 2014 2:28 pm 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
contact password safe, they should have an updated release of their software

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 10, 2015 8:37 pm 
Offline

Joined: Fri Feb 06, 2015 4:45 pm
Posts: 8
Hmm, I didn't get it yet :)

Is there a bug in Fw 3.3 of the Neo that affects usage with PasswordSafe or not?

From the initial post it sounds like a bug in the firmware but later it sounds like an issue in PasswordSafe. Or did the PasswordSafe-guys integrate a workaround for a bug. I'm somewhat confused :)


Top
 Profile  
Reply with quote  
PostPosted: Fri Feb 13, 2015 2:44 pm 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Both of them.

If you have one of the few Yubikeys with the firmware bug, please submit a warranty replacement at yubi.co/support.

If you have the old version of password safe please get the new one.


Top
 Profile  
Reply with quote  
PostPosted: Sun Feb 15, 2015 11:56 pm 
Offline

Joined: Fri Feb 06, 2015 4:45 pm
Posts: 8
I don't have one yet, but does this mean it's better to wait for 3.4 firmware or is it already fixed in 3.3 and how could I be sure not to buy a 3.3-neo that is affected when the firmware version is the same?


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 17, 2015 10:39 am 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Yubikeys sold now, are not affected by that bug anymore.

3.3.4 2014-11-21

* fixes challenge-response with button


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group