bpellin / keepassdroid

KeePass implementation for android
http://www.keepassdroid.com

Yubikey NFC support for U2F #59

Open khers opened 8 years ago

khers commented 8 years ago

AFAICT, it is impossible to open a KeePass database I created on a desktop to use my YubiKey OATH-HOTP configuration. It would be really nice if KeePassDroid would allow reading a YubiKey NEO over NFC.

filippouni commented 8 years ago

Hi, just two pointers: https://www.yubico.com/2015/07/a-milestone-for-wireless-u2f/ https://www.yubico.com/faq/does-my-yubikey-neo-support-u2f-over-nfc/

spikebike commented 8 years ago

The requested "Yubikey NFC support for U2F" is incompatible with the request "yubikey OATH-HOTP configuration."

U2F is available from various cheap tokens in the $5-$20 range (Yubi's is $18 with a GitHub account, I believe). However, the U2F tokens cannot do OATH-HOTP.

The YubiKey NEO can do OATH-HOTP, but costs $50.

I'm interested in getting this working, but am not sure if KeePassDroid should handle the complexity and require NFC permissions, or if it should be handled by another application by sending an intent. YubiChallenge is an app that can handle this by sending an intent to com.yubichallenge.NFCActivity.CHALLENGE.

denibertovic commented 7 years ago

This would be a really great feature! Was there any progress on it?

rmenessec commented 7 years ago

It would be easier and better to add support for the YubiKey HMAC mode. U2F is an authentication mode for web apps that relies on the Yubico keyservers (or self-hosted keyservers), so far as I can tell.

KeePassXC already has support for using YubiKeys in HMAC challenge-response mode as part of a multi-part key. The code is hosted here, on GitHub.

I'm using it. It works fine. Unlike HOTP, you can store the same secret on multiple YubiKeys, providing a backup method in case one of your keys is lost/stolen. It is impossible to provide a backup for HOTP.
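As an added illustration of the distinction drawn in the comment above (this is example code written for this page, not code from this issue, KeePassDroid or KeePassXC), the block below models the YubiKey HMAC-SHA1 challenge-response slot and an RFC 4226 HOTP slot side by side: two tokens holding the same HMAC secret derive the same composite key, while a cloned HOTP secret falls out of step as soon as the primary token's counter advances. The composite-key layout and the secrets are simplified, constructed assumptions; KeePassXC's exact key-component layout is not reproduced.

```python
import hashlib
import hmac
import struct


def yubikey_hmac_response(secret: bytes, challenge: bytes) -> bytes:
    """Model of the YubiKey HMAC-SHA1 challenge-response slot: a 20-byte
    secret, a challenge of 1..64 bytes, a 20-byte HMAC-SHA1 response."""
    if not 1 <= len(challenge) <= 64:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def composite_key(password: bytes, response: bytes) -> bytes:
    """Simplified composite key (assumption for illustration): SHA-256 over
    the hashed password and the token response. Not KeePassXC's exact layout."""
    return hashlib.sha256(hashlib.sha256(password).digest() + response).digest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def backup_key_unlocks(secret: bytes, challenge: bytes, password: bytes) -> bool:
    """Two tokens programmed with the same HMAC secret answer the same
    challenge identically, so either one reconstructs the composite key."""
    primary = composite_key(password, yubikey_hmac_response(secret, challenge))
    backup = composite_key(password, yubikey_hmac_response(secret, challenge))
    return hmac.compare_digest(primary, backup)


def hotp_backup_desyncs(secret: bytes) -> bool:
    """A cloned HOTP secret does not give a usable backup: one use on the
    primary token advances its counter, and the backup's next code differs."""
    primary_counter, backup_counter = 0, 0
    primary_counter += 1  # a single authentication on the primary token
    return hotp(secret, primary_counter) != hotp(secret, backup_counter)


# Constructed inputs: the RFC 2202 HMAC-SHA1 test key and the RFC 4226 test secret.
HMAC_SECRET = b"\x0b" * 20
HOTP_SECRET = b"12345678901234567890"
```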

ghost commented 6 years ago

U2F does not have to rely on webservers; it just requires some kind of service that can store an initial U2F registration. Then it's a simple challenge/response using the registered device's private key.