FIDO implementation incompatible to Apple ID

[freswa]

Apple launched 2FA via FIDO tokens lately. Adding an NK3 via NFC has some hurdles:

• NFC doesn't work without additional power
• If powered externally via USB, the NFC chip keeps sending a link to the Nitrokey homepage endlessly which triggers a notification for each transmission
• The process of adding the token to the Apple ID returns an "incompatible" token message and refers to the support homepage with a list of supported devices

[robin-nitrokey]

I’ve previously experienced some issues with NFC when the device is powered externally. Does this setup work for you with other services? Does Apple ID work over USB?

[freswa]

Does this setup work for you with other services?

For other services I don't even get an error, the keys are just not being recognized.

Does Apple ID work over USB?

I'm currently not able to attach a USB device to any of my iOS devices.

[robin-nitrokey]

Does NFC without external power work with any service? What kind of device is this?

[freswa]

Does NFC without external power work with any service?

I can't get NFC without external power to work at all, the most I got with 2x 3A and 1x 3C is a operation error, I got once with about 50 tries.

What kind of device is this?

It's an iPhone 14

[robin-nitrokey]

Interesting. Have you already used the Nitrokeys with a different NFC device or only this one?

[freswa]

Unfortunately that's the only NFC device available. I've used all NKs over USB though.

[robin-nitrokey]

Okay, thanks for the information. To summarize: I’m not surprised that NFC does not work while the device is powered over USB. I don’t think this is an issue specific to Apple ID, it probably just shows a different error message than other services.

Regular NFC should work though. Theoretically, the NFC chip on all three Nitrokey could be broken but that would be very unlikely. There could also be an issue with your iPhone. I would consider this unlikely too, but just to rule this out: Do other NFC devices work with our iPhone? Finally, there could be a compatibility issue between the iPhone 14 and the Nitrokey 3. I’m not aware of such an issue, but I’ll ask my colleagues for more information.

[freswa]

I've used two Yubikeys for the Apple ID and some browser services. They work flawlessly with that phone.

[jornfranke]

I can confirm this problem on iOS 16.5. Unfortunately, the 3C NFC bricked itself afterwards (not sure if this is related to NFC/FIDO2 with IOS or if it simply was its time - it was from the first batch). I used it before mostly via Linux / USB-C. I contacted support already, but they have not come back to me yet.

[freswa]

NK3 Firmware 1.5.0 works for me. @jornfranke can you confirm?

[ludiofines]

For me it does not work. I have updated the firmware to 1.5.0. I am running iOS 16.5. When using the OS options to setup key i only get to a screen where i see a message of the sort "bring your nfc key near the top of the iphone". I does not react. Do I have to setup something on my NK3 first? Is there any debug instructions?

update: updated firmware to v1.5.0-test.20230605 and nk3 is still not detected on my device. i have tried with a yubikey for (1.5.0 and 1.5.0-test.20230605) correlation purposes and seems to work prompting for a device pin.

[davegomez]

Same issue here with NK3 and firmware 1.5.0

The NFC with my iPhone 14 doesn't work at all while my YubiKey does work flawlessly.

Other services in the NK3 work fine.