Yubico Forum

Question 1: Is it possible for me to select the NDEF app and query it for its value from the USB interface?

Question 2: Can the NDEF feature on the NEO be disabled?

Well, it seems I answered my first question:


It also fails to read the OTP when using the private yubico API (which is what I would expect):


So, unless I am interpreting these results incorrectly, it seems that you cannot read the OTP value from a slot without performing some sort of user action, either by pressing the button or by NFC NDEF. This is a good thing.

I'm curious if it is possible to read the NDEF multiple times over NFC (without removing and replacing the ykneo), but the security impact of that would be considerably less significant.

As you've discovered, if the NDEF is read over a contact interface it requires the button to be touched.

If you read it several times over NFC you'll get the same behaviour as if you touch the button several times in one session, the session counter is incremented for each OTP read.

And to answer #2, no way to completely disable NDEF.

/klas

Too bad about not being able to disable NDEF support. That would be a desirable feature for a future version, by the way.

I notice that multiple requests to read 0xE104 yield the same OTP. After which specific command is the OTP generated? Is it when I select 0xE104, or when I read it first?

I also noticed that if I query the OTP directly from the YubicoOTP app (using APDU 00 02 00 00 00) that I can query for many new OTPs successfully for as long as my ykneo is laying on top of the NFC reader. Not really a problem as a reset will probably get similar behavior from the NDEF app... Just pointing it out to anyone who is reading and interested.

Yes, you're entirely correct, the NDEF applet will always respond with the same OTP (until it's re-selected).
The main reason that the NDEF applet returns the same OTP is that it supports chunking by specifying an offset in p1 and p2.

/klas