Yubico Forum
https://forum.yubico.com/

NFC functionality - only single mode supported at a time?
https://forum.yubico.com/viewtopic.php?f=26&t=2221		 Page 1 of 1
Author:  Makkura [ Mon Feb 15, 2016 10:08 pm ]
Post subject:  NFC functionality - only single mode supported at a time?
Hey guys

So I just got my Yubikey NEO and configured some basic stuff.
Got the random key thing on slot1 and a static passcode on the second.

I use these to get on GitHub and the static for all other applications that don't support the Yubikey directly.
Also, I tried the NFC feature together with the Yubiclip app.

On my smartphone I can log into github by using the google authenticator app when I tap it on the key.
I suspect this uses the functionality on slot 1. (since I always got a random key in Yubiclip too)

I there any possible way I can also use the static passcode at the same time?
Otherwise I couldn't login into facebook and other application where I would use a static key.

I'm sorry if this is a chaotic post but I'm looking into this for a while now.
Author:  ChrisHalos [ Wed Feb 17, 2016 2:00 am ]
Post subject:  Re: NFC functionality - only single mode supported at a time
viewtopic.php?f=26&t=2093&p=8004&hilit=NDEF#p8004

The behavior changes depending on what application is open at the time on your phone. If Yubico Authenticator is open, tapping the NEO will use Yubico Authenticator. By default, tapping the NEO when you are outside of Yubico Authenticator should open a browser window and authenticate your Yubico OTP (because the default NDEF settings are to send Slot 1, not Slot 2, which is blank by default). You can change the NDEF settings to slot 2 by using the Personalization Tool (Tools > NDEF Programming). You can also install the YubiClip app, available on the Google Play Store. This will capture the incoming NDEF string to the clipboard and allow you to paste it into any text field on your phone.
Author:  Makkura [ Wed Feb 17, 2016 5:58 pm ]
Post subject:  Re: NFC functionality - only single mode supported at a time
ChrisHalos wrote:
http://forum.yubico.com/viewtopic.php?f=26&t=2093&p=8004&hilit=NDEF#p8004

The behavior changes depending on what application is open at the time on your phone. If Yubico Authenticator is open, tapping the NEO will use Yubico Authenticator. By default, tapping the NEO when you are outside of Yubico Authenticator should open a browser window and authenticate your Yubico OTP (because the default NDEF settings are to send Slot 1, not Slot 2, which is blank by default). You can change the NDEF settings to slot 2 by using the Personalization Tool (Tools > NDEF Programming). You can also install the YubiClip app, available on the Google Play Store. This will capture the incoming NDEF string to the clipboard and allow you to paste it into any text field on your phone.


Alright but long story short, I can only make the the NFC emmit 1 of the 2 configurations.
So there isn't any way I can emmit both without altering the NDEF Programming each time.

If this is the case then I guess my question is solved. (even though I'm a bit disappointed :( )
Author:  ChrisHalos [ Wed Feb 17, 2016 6:16 pm ]
Post subject:  Re: NFC functionality - only single mode supported at a time
No, there is no internal battery in the YubiKey NEO (any of our devices, for that matter, at the time of this post). We obviously differentiate between Slot 1 and Slot 2 over USB by short press and long press. The YubiKey doesn't receive power from the phone so the button cannot be used; hence, only one of the configuration slots can be used without reprogramming using the Personalization Tool.

Over NFC:

* You can use only 1 of the 2 configuration slots

* You can use Yubico Authenticator with the YubiOATH applet

* You can use the PIV applet for smart card login to a computer, using an USB/NFC reader (obviously requires domain environment, PKI environment set up)

* You can use the OpenPGP applet with OpenKeychain

* You can use U2F with Google Authenticator

Basically, the 1 of 2 configuration slots is the only real limitation over NFC.
Author:  Uriel [ Mon Feb 22, 2016 11:15 pm ]
Post subject:  Re: NFC functionality - only single mode supported at a time
Quote:
You can use the PIV applet for smart card login to a computer, using an USB/NFC reader (obviously requires domain environment, PKI environment set up)


A naive question: since Yubikey is a USB device, why would I use a USB/NFC reader rather than just plugging the Yubikey itself into the available USB slot?

The main advantage of NFC seems to be its ability to communicate with devices (such as Android phones) that do not offer (easy access to) USB ports. But there is no Android application that can reach PIV applet via NFC. :-(

For OpenPGP indeed OpenKeychain works very nicely.
Author:  ChrisHalos [ Tue Feb 23, 2016 1:30 am ]
Post subject:  Re: NFC functionality - only single mode supported at a time
@ Uri - Of course if you have access to a USB port, it doesn't make sense to use it over NFC. We had a customer ask if it was possible to use an NFC reader to log into a Windows PC with PIV. I confirmed it worked (domain joined, Windows 10). I'm not sure what their use case was, but I imagine it had to do with limited USB port access for employees.
Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/