I recently purchased a YubiKey NEO to add hardware 2FA when logging in to Password Safe on my PC and Android phone. This NEO was error-prone any time I tried to use HMAC-SHA1 Challenge-Response when user input was required. In Password Safe, when I attempted to add YubiKey 2FA to my safe combination, this would cause the YubiKey LED to begin flashing endlessly while giving me the error 'No response from YubiKey'. Whenever I attempted to test HMAC-SHA1 Challenge-Response within Personalization Tool, it would give me a response but the following would occur:
1) The YubiKey LED began blinking endlessly.
2) It changed the firmware version to something like 14.244.194 within the Personalization Tool each time I attempted to get a response and 'Unknown firmware' would display where it usually states 'YubiKey is inserted'.
3) It alternated between saying 'Slot 1 configured' and 'Slot 2 configured' under 'Programming status' each time I attempted to get a response.
Yubico Support were very helpful. They RMA'd the device immediately, which I returned to them for testing, and provided me with a code for a free replacement. I subsequently received a follow-up email from Alvin at Yubico Support stating:
Quote:
We can confirm the endless blinking - it seems this might be related to a fault in our firmware. Our engineers are taking a closer look at it now... As for the codes you see, they are manifested as part of the Yubico OTP credential which is preprogrammed into the first slot of your YubiKey.
Two weeks later I received a second NEO only to discover that it too suffered from the exact same behavior. After contacting Yubico Support again to report this issue I received the following reply:
Quote:
Thank you for contacting Yubico Support. We apologize for the inconvenience. After some additional testing, our QA team has determined that the 3.3 firmware NEOs aren't working with Password Safe. The HMAC-SHA1 Challenge Response works on instances where user input is not required (Windows Login Tool), but not when user input is required. All previous versions of the firmware supported user input, and we'll get this fixed for the next firmware release. I've initiated a refund with our Orders department. They will contact you shortly. Please feel free to keep the device due to the inconvenience this has caused you.
Since YubiKey firmware upgrades are not offered for security reasons, this issue will permanently affect all NEOs with 3.3 firmware, as confirmed in a further email I received from Yubico Support:
Quote:
HMAC-SHA1 Challenge Response that is configured to require user input will not work on Firmware 3.3 NEO devices.
I am very happy with the support I've received from Yubico. I've received a free YubiKey NEO that works in every circumstance but the above-mentioned one. I'm lucky that the NEO is such a great piece of hardware with plenty of uses, so it's definitely going to still see a lot of use. I'm currently using it for 2FA on my Android device with Yubico Authenticator, and I will likely purchase a NANO for use with Password Safe on my desktop, with another NEO for my phone, once new firmware has been released.
I was surprised that I couldn't find this issue reported anywhere. Is there a 'Known Issues' thread that I've missed?
Edited to add [BUG] to subject line as per forum guidelines.