Yubico Forum
https://forum.yubico.com/

Support for OTP+U2F mode?
https://forum.yubico.com/viewtopic.php?f=26&t=1519
Page 1 of 6

Author:  brendanhoar [ Fri Oct 17, 2014 2:54 pm ]
Post subject:  Support for OTP+U2F mode?

The current YubiKey NEO Manager 0.2.2 enforces a rule that either U2F or OTP can be enabled, but not both. This is somewhat problematic if you have services (such as, say, the Yubico tech community forum) that require you to have an OTP, but you also wish or need to use U2F functionality.

Any word yet as to why this limitation is being placed on the new NEO units with U2F functionality?

[Looking at the source code, it might be a temporary limitation, perhaps waiting on a software fixup in host-side U2F libraries...maybe? Or perhaps an issue with making sure the button generates the right kind of code for the current context? Really hoping this won't require a firmware fix on the NEO, since I just sunk a good chunk of change on the new U2F-enabled units.]

Thanks!
Brendan

PS - I noticed that CCID mode still can be enabled regardless of the other mode(s) enabled, just like before.

Author:  dain [ Fri Oct 17, 2014 3:19 pm ]
Post subject:  Re: Support for OTP+U2F mode?

This is strictly an intended limitation in the YubiKey NEO Manager, which is very likely to be removed in the near future. The reason is that current FIDO clients don't support these modes (both U2F and OTP enabled at the same time) correctly, and thus the mode becomes quite useless. Once these problems have been fixed, a new version of the NEO Manager will be released which doesn't impose this limitation.

Author:  brendanhoar [ Fri Oct 17, 2014 5:30 pm ]
Post subject:  Re: Support for OTP+U2F mode?

dain wrote:
This is strictly an intended limitation in the YubiKey NEO Manager, which is very likely to be removed in the near future. The reason is that current FIDO clients don't support these modes (both U2F and OTP enabled at the same time) correctly, and thus the mode becomes quite useless. Once these problems have been fixed, a new version of the NEO Manager will be released which doesn't impose this limitation.


Thanks for the quick reply. I was hoping the answer was along these lines. Cheers!

Brendan

Author:  returntrip [ Tue Oct 21, 2014 2:40 pm ]
Post subject:  Re: Support for OTP+U2F mode?

dain wrote:
This is strictly an intended limitation in the YubiKey NEO Manager, which is very likely to be removed in the near future. The reason is that current FIDO clients don't support these modes (both U2F and OTP enabled at the same time) correctly, and thus the mode becomes quite useless. Once these problems have been fixed, a new version of the NEO Manager will be released which doesn't impose this limitation.


What is the outlook to get U2F and OTP working at the same time?

I really want to use U2F with Google without having to swap U2F and OTP around.... that's quite lame.

Author:  kbh4 [ Tue Oct 21, 2014 3:15 pm ]
Post subject:  Re: Support for OTP+U2F mode?

returntrip wrote:
What is the outlook to get U2F and OTP working at the same time?

I really want to use U2F with Google without having to swap U2F and OTP around.... that's quite lame.


I second that! Please enable simultaneous use of U2F and OTP.

-Kent

Author:  ChrisHalos [ Tue Oct 21, 2014 4:47 pm ]
Post subject:  Re: Support for OTP+U2F mode?

Again, current FIDO clients don't support these modes (both U2F and OTP enabled at the same time) correctly - Yubico has no control over this. Once the compatibility issue is resolved, we will release a new version of the NEO Manager.

Author:  carlgottlieb [ Tue Oct 21, 2014 6:25 pm ]
Post subject:  Re: Support for OTP+U2F mode?

I (and I'm sure many others) would be grateful if Yubico could discuss this in further detail.

Author:  David [ Tue Oct 21, 2014 6:44 pm ]
Post subject:  Re: Support for OTP+U2F mode?

Hello All,

As part of Yubico's testing of the U2F devices before the launch of the first U2F Client browsers we tested across multiple configurations on the YubiKey. The YubiKey NEO and NEO-N have no issue in supporting the three modes: One-Time Passwords, Smartcard (CCID) and U2F. However, when testing the NEO against the U2F Client browser, it turned out that the combination of U2F in addition to the OTP mode was not supported by the browser client itself.

That being said, the beta version of Chrome (Chrome 39) supports all the modes of the YubiKey NEO, and we expect future browsers to support the OTP and U2F concurrent configuration as well. Once there is a public release of a U2F browser which can support OTP and U2F modes at the same time, Yubico will release a new version of the NEO Manager with the mode limitation removed. For users who don't want to wait, you can also use the yubikey-personalization (https://developers.yubico.com/yubikey-personalization/) command-line tool to enable all modes on your YubiKey NEO or NEO-N.

Download the personalization command line tool from here: https://developers.yubico.com/yubikey-personalization/Releases/

Extract the files and then run the ykpersonalize tool like so:
ykpersonalize -m6

Mode 6 is the OTP+U2F+CCID mode (and isn't listed in -help, which means if you aren't on a Linux machine you don't have access to the manpage and have to go searching through source code to find the applicable mode).

You can now use your Yubico NEO (purchased starting in Oct 2014) with both LastPass in OTP mode and with Google U2F.

EDIT:
We've had reports of users with bricked YubiKey NEOs and NEO-Ns after using the personalization command line tool incorrectly. Please refrain from using the command line tool if you are not familiar with the personalization tools or command line interfaces; there are no safeguards for keeping users from getting their YubiKeys in an inoperable state!
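
A pre-flight check for the `ykpersonalize -m` step above, given as an added example (it is not part of David's post or of Yubico's tooling). It decodes a mode value and refuses to call the tool unless the decoded interfaces match what you expect; mode numbers other than 6 are taken from the USB Modes table of the ykpersonalize manual page, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decode a ykpersonalize -m value before it is written to a NEO.
# Assumption: the value is hex, 0-6 select the interfaces, 0x80 is the eject flag
# (per the ykpersonalize manual page; the thread itself only names mode 6).

# Print the interfaces a mode value enables; return 1 for anything unrecognised.
neo_mode_describe() {
    arg=${1%%:*}                        # drop optional :cr_timeout:autoeject_timeout
    case $arg in
        ''|*[!0-9a-fA-F]*) return 1 ;;  # empty or not a hex number
    esac
    [ ${#arg} -le 2 ] || return 1       # the mode is a single byte
    val=$((0x$arg))
    eject=$((val & 0x80))
    case $((val & 0x7f)) in
        0) ifaces="OTP" ;;
        1) ifaces="CCID" ;;
        2) ifaces="OTP+CCID" ;;
        3) ifaces="U2F" ;;
        4) ifaces="OTP+U2F" ;;
        5) ifaces="U2F+CCID" ;;
        6) ifaces="OTP+U2F+CCID" ;;
        *) return 1 ;;                  # not a documented mode
    esac
    if [ "$eject" -ne 0 ]; then
        ifaces="$ifaces (eject flag)"
    fi
    printf '%s\n' "$ifaces"
}

# Run ykpersonalize only when the mode decodes to exactly the expected interfaces.
# Usage: neo_set_mode 6 "OTP+U2F+CCID"
neo_set_mode() {
    got=$(neo_mode_describe "$1") || {
        echo "refusing: '$1' is not a known mode" >&2
        return 1
    }
    if [ "$got" != "$2" ]; then
        echo "refusing: mode $1 enables '$got', expected '$2'" >&2
        return 1
    fi
    ykpersonalize -m"$1"
}

neo_mode_describe 6   # decode only; nothing is written to the device
```
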

Author:  returntrip [ Tue Oct 21, 2014 7:10 pm ]
Post subject:  Re: Support for OTP+U2F mode?

David wrote:
Hello All,

As part of Yubico's testing of the U2F devices before the launch of the first U2F Client browsers we tested across multiple configurations on the YubiKey. The YubiKey NEO and NEO-N have no issue in supporting the three modes: One-Time Passwords, Smartcard (CCID) and U2F. However, when testing the NEO against the U2F Client browser, it turned out that the combination of U2F in addition to the OTP mode was not supported by the browser client itself.

That being said, the beta version of Chrome (Chrome 39) supports all the modes of the YubiKey NEO, and we expect future browsers to support the OTP and U2F concurrent configuration as well. Once there is a public release of a U2F browser which can support OTP and U2F modes at the same time, Yubico will release a new version of the NEO Manager with the mode limitation removed. For users who don't want to wait, you can also use the yubikey-personalization (https://developers.yubico.com/yubikey-personalization/) command-line tool to enable all modes on your YubiKey NEO or NEO-N.


Hello David,

Thanks.... That's a great answer! Is there any downside in enabling all modes at once using the personalisation tool? I assume U2F would not work anyway on Chrome v38....but I guess the rest would work OK?

Regards,
Stefano

Author:  brendanhoar [ Tue Oct 21, 2014 7:51 pm ]
Post subject:  Re: Support for OTP+U2F mode?

David wrote:
That being said, the beta version of Chrome (Chrome 39) supports all the modes of the YubiKey NEO, and we expect future browsers to support the OTP and U2F concurrent configuration as well. Once there is a public release of a U2F browser which can support OTP and U2F modes at the same time, Yubico will release a new version of the NEO Manager with the mode limitation removed. For users who don't want to wait, you can also use the yubikey-personalization (https://developers.yubico.com/yubikey-personalization/) command-line tool to enable all modes on your YubiKey NEO or NEO-N.


I'm already running the chrome beta release line, so that plus the command line tool solves the issue for me.

Thanks for this, David.

Brendan

All times are UTC + 1 hour