Closed rkjnsn closed 1 year ago
Seconding this. The touch requirement is great for USB (I don't want the desktop app constantly regenerating codes while it's inserted!), but it's quite annoying with NFC. The current "tap key, press refresh, tap key, press copy" works, but it's a bit annoying. A plain "tap key, press copy" would be more convenient. I want a touch requirement to prove that I am physically interacting with the key; being able to NFC-tap it seems enough to me.
Interestingly, the Yubikey 5 technical manual already states:
"For operations that require a touch, all touch requests within the first 20 seconds of the operation will succeed. After a period of inactivity, a YubiKey placed on a desktop NFC reader may power down to help prevent unintended access to the device."
This suggests to me that the initial "tap" should already be considered the touch, so the current tap-twice behaviour of the Android app is a bug?
Sorry for the late response. Development of the app has moved to https://github.com/Yubico/yubioath-flutter, and a new version of the app has been released which now has a “Bypass touch” option. Could you please verify if that solves the issue? Report new issues in the new repository, thanks!
It works great! Thank you!
Thanks for your feedback!
When connected via USB, "require touch" is a nice safeguard to prevent a compromised system from generating a bunch of future codes all at once.
I seem to recall reading somewhere (that I now can't seem to find) that "require touch" is implemented for NFC by requiring (at the Yubikey level) that codes be read within a certain short window of the key approaching the NFC reader. (Thus the act of physically bringing the key near the NFC reader becomes the "touch".)
This suggests that it should be possible for the Yubico Authenticator to read all of the codes on the initial tap, which would make the authenticator much easier for me to use on Android without sacrificing the protection on desktop. (As a test, I just tried pressing the refresh button on all of the codes in the app before touching my key, and the app was able to generate all of the requested codes with one tap, confirming there is no one-operation-per-tap limitation in the key.)
Since some people might prefer the current behavior to avoid the possibility of someone espying the additionally-generated codes (something I'm not personally concerned about), I suggest making it a setting in the app.