Yubico Forum


All times are UTC + 1 hour




Posted: Fri Oct 17, 2014 2:54 pm

Joined: Thu Oct 16, 2014 11:51 pm
Posts: 82
The current YubiKey NEO Manager 0.2.2 enforces a rule that either U2F or OTP can be enabled, but not both. This is somewhat problematic if you have services (such as, say, the Yubico tech community forum) that require you to have an OTP, but you also wish or need to use U2F functionality.

Any word yet as to why this limitation is being placed on the new NEO units with U2F functionality?

[Looking at the source code, it might be a temporary limitation, perhaps waiting on a software fixup in host-side U2F libraries...maybe? Or perhaps an issue with making sure the button generates the right kind of code for the current context? Really hoping this won't require a firmware fix on the NEO, since I just sunk a good chunk of change on the new U2F-enabled units.]

Thanks!
Brendan

PS - I noticed that CCID mode still can be enabled regardless of the other mode(s) enabled, just like before.


Posted: Fri Oct 17, 2014 3:19 pm
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
This is strictly an intended limitation in the YubiKey NEO Manager, which is very likely to be removed in the near future. The reason is that current FIDO clients don't support these modes (both U2F and OTP enabled at the same time) correctly, and thus the mode becomes quite useless. Once these problems have been fixed, a new version of the NEO Manager will be released which doesn't impose this limitation.


Posted: Fri Oct 17, 2014 5:30 pm

Joined: Thu Oct 16, 2014 11:51 pm
Posts: 82
dain wrote:
This is strictly an intended limitation in the YubiKey NEO Manager, which is very likely to be removed in the near future. The reason is that current FIDO clients don't support these modes (both U2F and OTP enabled at the same time) correctly, and thus the mode becomes quite useless. Once these problems have been fixed, a new version of the NEO Manager will be released which doesn't impose this limitation.


Thanks for the quick reply. I was hoping the answer was along these lines. Cheers!

Brendan


Posted: Tue Oct 21, 2014 2:40 pm

Joined: Sat Feb 09, 2013 3:37 pm
Posts: 2
dain wrote:
This is strictly an intended limitation in the YubiKey NEO Manager, which is very likely to be removed in the near future. The reason is that current FIDO clients don't support these modes (both U2F and OTP enabled at the same time) correctly, and thus the mode becomes quite useless. Once these problems have been fixed, a new version of the NEO Manager will be released which doesn't impose this limitation.


What is the outlook to get U2F and OTP working at the same time?

I really want to use U2F with Google without having to swap U2F and OTP around.... that's quite lame.


Posted: Tue Oct 21, 2014 3:15 pm

Joined: Fri Oct 17, 2014 1:50 pm
Posts: 3
returntrip wrote:
What is the outlook to get U2F and OTP working at the same time?

I really want to use U2F with Google without having to swap U2F and OTP around.... that's quite lame.


I second that! Please enable simultaneous use of U2F and OTP.

-Kent


Posted: Tue Oct 21, 2014 4:47 pm
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Again, current FIDO clients don't support these modes (both U2F and OTP enabled at the same time) correctly - Yubico has no control over this. Once the compatibility issue is resolved, we will release a new version of the NEO Manager.


Posted: Tue Oct 21, 2014 6:25 pm

Joined: Tue Oct 21, 2014 5:58 pm
Posts: 3
I (and I'm sure many others) would be grateful if Yubico could discuss this in further detail.


Last edited by carlgottlieb on Wed Oct 22, 2014 11:34 am, edited 1 time in total.

Posted: Tue Oct 21, 2014 6:44 pm
Yubico Team

Joined: Mon Jul 23, 2012 9:59 pm
Posts: 27
Hello All,

As part of Yubico's testing of the U2F devices before the launch of the first U2F Client browsers, we tested across multiple configurations on the YubiKey. The YubiKey NEO and NEO-N have no issue in supporting the three modes: One-Time Passwords, Smartcard (CCID) and U2F. However, when testing the NEO against the U2F Client browser, it turned out that the combination of U2F in addition to the OTP mode was not supported by the browser client itself.

That being said, the beta version of Chrome (Chrome 39) supports all the modes of the YubiKey NEO, and we expect future browsers to support the OTP and U2F concurrent configuration as well. Once there is a public release of a U2F browser which can support OTP and U2F modes at the same time, Yubico will release a new version of the NEO Manager with the mode limitation removed. For users who don't want to wait, you can also use the yubikey-personalization (https://developers.yubico.com/yubikey-personalization/) command-line tool to enable all modes on your YubiKey NEO or NEO-N.

Download the personalization command line tool from here: https://developers.yubico.com/yubikey-personalization/Releases/

Extract the files and then run the ykpersonalize tool like so:
ykpersonalize -m6

Mode 6 is the OTP+U2F+CCID mode (and isn't listed in -help, which means if you aren't on a Linux machine you don't have access to the manpage and have to go searching through source code to find the applicable mode).

You can now use your Yubico NEO (purchased starting in Oct 2014) with both LastPass in OTP mode and with Google U2F.

EDIT:
We've had reports of users with bricked YubiKey NEOs and NEO-Ns after using the personalization command line tool incorrectly. Please refrain from using the command line tool if you are not familiar with the personalization tools or command line interfaces; there are no safeguards for keeping users from getting their YubiKeys in an inoperable state!

_________________
-David Maples
Yubico Senior Solutions Engineer
http://www.Yubico.com
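
A pre-flight check for the mode change described in the post above, as an added example that is not part of the original post or of Yubico's tooling. The function names are hypothetical, and the mode values other than 6 come from the ykpersonalize(1) man page rather than this thread, so verify them against your installed version; the script only prints the command and never touches the device.

```shell
#!/bin/sh
# Added example: sanity-check a `ykpersonalize -m<mode>` change before
# typing it. Mode table per the ykpersonalize(1) man page (assumption:
# confirm for your version). Only mode 6 is stated in this thread.

# Print the interfaces a plain mode digit enables; fail on anything else.
mode_interfaces() {
    case "$1" in
        0) echo "OTP" ;;
        1) echo "CCID" ;;
        2) echo "OTP CCID" ;;
        3) echo "U2F" ;;
        4) echo "OTP U2F" ;;
        5) echo "U2F CCID" ;;
        6) echo "OTP U2F CCID" ;;
        *) return 1 ;;   # conservative: reject every value not listed above
    esac
}

# check_mode MODE IFACE...
# Succeeds only if MODE is a known value and keeps every IFACE listed.
# On success it prints the command to run; it does not execute it.
check_mode() {
    mode=$1; shift
    ifaces=$(mode_interfaces "$mode") || {
        echo "refusing: unknown mode '$mode'" >&2; return 2; }
    for need in "$@"; do
        case " $ifaces " in
            *" $need "*) ;;
            *) echo "refusing: mode $mode drops $need" >&2; return 3 ;;
        esac
    done
    echo "ykpersonalize -m$mode"
}

# The thread's use case: keep OTP (forum, LastPass) and U2F (Google).
check_mode 6 OTP U2F
```

Calling `check_mode 3 OTP U2F` returns status 3 because mode 3 is U2F-only and would disable the OTP interface.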


Posted: Tue Oct 21, 2014 7:10 pm

Joined: Sat Feb 09, 2013 3:37 pm
Posts: 2
David wrote:
Hello All,

As part of Yubico's testing of the U2F devices before the launch of the first U2F Client browsers, we tested across multiple configurations on the YubiKey. The YubiKey NEO and NEO-N have no issue in supporting the three modes: One-Time Passwords, Smartcard (CCID) and U2F. However, when testing the NEO against the U2F Client browser, it turned out that the combination of U2F in addition to the OTP mode was not supported by the browser client itself.

That being said, the beta version of Chrome (Chrome 39) supports all the modes of the YubiKey NEO, and we expect future browsers to support the OTP and U2F concurrent configuration as well. Once there is a public release of a U2F browser which can support OTP and U2F modes at the same time, Yubico will release a new version of the NEO Manager with the mode limitation removed. For users who don't want to wait, you can also use the yubikey-personalization (https://developers.yubico.com/yubikey-personalization/) command-line tool to enable all modes on your YubiKey NEO or NEO-N.


Hello David,

Thanks.... That's a great answer! Is there any downside in enabling all modes at once using the personalisation tool? I assume U2F would not work anyway on Chrome v38....but I guess the rest would work OK?

Regards,
Stefano


Posted: Tue Oct 21, 2014 7:51 pm

Joined: Thu Oct 16, 2014 11:51 pm
Posts: 82
David wrote:
That being said, the beta version of Chrome (Chrome 39) supports all the modes of the YubiKey NEO, and we expect future browsers to support the OTP and U2F concurrent configuration as well. Once there is a public release of a U2F browser which can support OTP and U2F modes at the same time, Yubico will release a new version of the NEO Manager with the mode limitation removed. For users who don't want to wait, you can also use the yubikey-personalization (https://developers.yubico.com/yubikey-personalization/) command-line tool to enable all modes on your YubiKey NEO or NEO-N.


I'm already running the chrome beta release line, so that plus the command line tool solves the issue for me.

Thanks for this, David.

Brendan

