
YubiKey comes to the iPhone with Mobile SDK for iOS and LastPass support - throwwwafgk
https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-mobile-sdk-for-ios-and-lastpass-support/
======
zaroth
If I’m authenticating with “something I have” then why not use the iPhone
itself which also happens to add a layer of “something I am” (FaceID) as well
as easily supporting entry of something I know (PIN or password).

Using a hardware token to authenticate to an app on an iPhone makes about as
much sense as.... sorry, it makes absolutely no sense at all.

I trust the secure element on the iPhone a lot more than I trust the hardware
on the Yubikey.

The days are numbered for this whole idea of a separate piece of hardware
USB/NFC to do authentication. If I’m adding a “something I have” factor to my
authentication flow (or even making it the only factor) it’s going to be the
phone hardware itself, not an extra dongle thing I have to carry around.

FIDO’s upcoming CTAP unfortunately is going about it the wrong way, IMO. I
don’t want to have to establish NFC or Bluetooth from my iPhone to my desktop
to enable me to use my iPhone to authenticate on my desktop. It’s entirely
unnecessary since both devices are already online. They are designing for a
corner case which makes the primary case too complicated.

~~~
jpdb
Do iPhones allow access to the underlying TPM devices?

I personally don't believe things like Google Authenticator are a good
"something you have" second factor as the "something you have" is just a
string stored in a sqlite database. Much easier to covertly copy that than a
hardware key where the string is burned into the key.

~~~
jakobegger
Yes, iPhones allow storing data that can’t leave the device. Otherwise OTP
apps would be pointless.

I don’t know the details, but some apps use it to store OTP secrets. Eg. if
you use the DUO app, your secrets will be backed up, but they can only be
restored on your phone. (was quite a hassle to reset 2FA on all the websites
after my phone was replaced in warranty repair)

Not sure what Google authenticator does.

~~~
rightos
Are iOS Authenticator apps actually calculating OTPs on the Secure Element? Is
there a way to execute arbitrary code on it? If not, they have to pull the
keys off to the main CPU where they're open to attack like anything else.
Still secured as private app data, still mostly protected, but an attacker
with a jailbreak could still dump them.

I know for a fact I can dump Google Authenticator keys from my Android device
with root as I'm able to back it up and move it to another device.
Theoretically on most Android devices even there's a secure enclave available
that could do it, yet I haven't seen any apps use it.

Most of the benefit of OTPs really comes from approving on a secondary device
rather than protecting the keys to an absolute degree though, so this is
probably of little concern to most users. In fact it may provide a convenience
benefit, I like being able to backup and move my keys, without that I probably
wouldn't use 2FA at all.

~~~
moduspwnens14
Using the secure enclave, you (as a developer) can have it generate a private
key you'll never be able to get and then ask it to sign / encrypt
(symmetrically) arbitrary things for you.

[https://developer.apple.com/documentation/security/certifica...](https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave)

AFAIK that means it'll take more than a jailbreak to get to them, although I
don't know if OTP apps are using that capability or not.

~~~
michaelt
Sadly, the Secure Enclave doesn't support HMAC-SHA-1 or importing keys [1] so
it's not compatible with the industry standard TOTP 2fa mechanism.

[1]
[https://developer.apple.com/documentation/security/certifica...](https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave)

~~~
monocasa
I think we can do a lot better than the industry standard TOTP 2fa system
anyway. TOTP involves sending plaintext private keys around during setup.

------
amluto
Yubikey OTP is much weaker than a good challenge-response protocol like U2F. I
assume that Yubico is supporting OTP because iOS only exposes NDEF data, and
NDEF is effectively a one-way protocol.

~~~
kevin_b_er
Allowing two way communication would permit innovation in connecting devices
that are not subject to Apple's direct control.

~~~
Spivak
Yeah, it's so annoying having to buy Apple brand Wi-Fi routers and Apple brand
Bluetooth headphones.

~~~
m-p-3
Wait, your non-Apple bluetooth speakerphone allow you to speak, not only
listen?!

------
m-p-3
I kinda hope they'll make a newer version of the Yubikey that supports NFC and
PGP keys bigger than 2048 bits.

~~~
acdha
Agreed on NFC but they support 4096 bit RSA in the current generation
hardware:

[https://www.yubico.com/product/yubikey-4-series/#tab-
specs](https://www.yubico.com/product/yubikey-4-series/#tab-specs)

It suffers the usual PGP-world usability problems so I ended up not using it
very much but it was definitely working and takes noticeably longer to
generate the key than a 2048-bit key does.

------
cwkoss
I wonder if there is a method to detect NFC at a greater distance than you can
read it - could be used to 'find any yubikeys hidden in office desks'

------
azinman2
I’d like to see Safari support... does anyone know if it’ll have it (perhaps
thru a sharing extension?)

------
crankylinuxuser
Ok, this is dumb. Real dumb. I would trust (the leaked) secure enclave OS than
Yubico's offerings. And the Secure Enclave is already built in, versus this
3rd party hardware.

Also, using something like andOTP is perfectly fine to run, which is also a
U2F TOTP solution. It integrates perfectly with LinOTP, Google Authenticatior,
or other 2fa solutions.

In essence, if you're using Linux anywhere, 2fa is free to implement, free to
manage serverside, and just works. There's no reason for Yubi-anything.

Also, within the next few weeks/months, NIST will be stating that phone calls,
Texts, and emails are no longer an acceptable 2fa for secure stuff.

~~~
acdha
> Also, using something like andOTP is perfectly fine to run, which is also a
> U2F TOTP solution. It integrates perfectly with LinOTP, Google
> Authenticatior, or other 2fa solutions.

It also has a massive attack surface since you need to secure an Android
device. The big win for a dedicated hardware token is that there's so little
to attack, along with lesser things like not running out of battery at
inconvenient moments.

