YubiKey NEO OATH Applet

David

September 25, 2013  |  David Maples  |  4 Comments

YubiKey NEO + mobile + hands - blog

Yubico is Proud to announce the release of our Free YubiKey NEO applet to help with storing OATH secrets and generating OATH one time pass codes.

With the increasing deployment of two step verification (e.g. GitHub this week, DropBox, Google, Microsoft, Evernote) relying on the OATH protocol, many users are concerned about using their mobile phones to store the secrets used to generate the 6 or 8 digit numbers, and the difficulty of changing devices.  The applet we’re releasing today allows you to store those secrets in the secure element on your YubiKey NEO – and simply tapping your NEO against any  NFC enabled Android device with the YubiOATH app running shows you your current codes.  See the video below to see it in operation.

Existing YubiKey NEO owners comfortable with using command line tools can add the new applet to their NEO – see our forum post here.  We have developed the applet as an Open Source reference implementation of a YubiKey NEO applet.  We have also open sourced the Android app.  See opensource.yubico.com

-Yubico’s engineering team.

4 Responses to “YubiKey NEO OATH Applet”

  1. Pyry says:

    This is great!

    Does this app work with a regular Yubikey and an usb adapter? Paranoid or not I’m not so sure about the security of NFC in general.

    • David says:

      This mobile app only works with the NEO, unfortunately. You can use the Standard YubiKey with a helper app on your desktop to generate OATH-TOTP codes – instructions are here.

      We understand your concern about the NFC technology, and have rigorously tested it. Even using a high-power NFC testing unit, we were not able to activate or read the NFC portion of the YubiKey NEO at distances greater then 2 inches. Commercial NFC readers are much less powerful, often requiring the NFC tag to be right next to the reader. We feel it is very unlikely that someone would be able to activate your YubiKey NEO without having physical access to it.

      • Pyry says:

        Thank you David for your quick reply!

        This is really great news. With contactless credit cards there has been some issues so I’m a bit cautious. However, I think you have really raised the usability of a NEO to a next level and I need to order one, too.

  2. Tijs says:

    This looks very interesting. Are the secrets for TOTP shared with the ordinary HMAC-SHA1 yubikey functionality?

    (So I could generate the TOTP codes with my phone, as well as with the desktop app)
    Is there a limit to the number of TOTP secrets supported by the yubikey neo icw the desktop app?

Leave a Reply

You must be logged in to post a comment.