iPhone support for YubiKey OTP via NFC

Will my YubiKey NEO work on iPhones now that iOS 11 added some NFC support? It’s a fair question – one that we’ve been getting a lot of. This blog explains some of the details about iPhone support for YubiKey OTP to help bring some clarity to YubiKey users.

First, it’s important to understand the limited scope of Apple’s NFC support. Apple’s NFC APIs for iOS (Core NFC) allow iPhone apps to read the NFC Data Exchange Format (NDEF) records from certain NDEF tags (only supported on iPhone 7, 7 Plus, and up). However, there are a few limitations. Besides the fact that the NFC Reader interface can only be fired up from an app, Core NFC does not allow for write operations that are required for authentication protocols like FIDO U2F. That said, NFC on the iOS platform does not support Google’s recently announced Advanced Protection Program.

However, because NFC tag reading is supported, it allows developers to build apps, including consumer facing or purpose-built enterprise applications, with one-time passcode (OTP) support. Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, we finally have some good news for iPhone lovers: the YubiKey NEO will support OTP over NFC for applications that run on iOS11 and iPhone versions 7+. While Yubico acknowledges this progress, ubiquitous Apple support for strong authentication, namely FIDO protocols, remains out of reach at the moment.

For YubiKey users, this improves OTP two-factor authentication on the iPhone. Now they can authenticate with just a tap of their YubiKey NEO against the phone. Additionally, developers have a better authentication option to integrate with their mobile applications. One caveat remains: developers will have to build NFC support into each individual application to retrieve the OTP from the NDEF tag. Edit (28 May, 2018): See our new Mobile SDK for iOS.

In contrast, Android supports NFC natively in the platform. For example, Android developers can open the NDEF record for a URL with the default browser instead of opening up the specific app to read the NDEF tag. Furthermore, Android developers can also add FIDO U2F support using the Android FIDO U2F APIs.

While this is encouraging news, we realize it is not yet the complete desired solution. With Apple finally opening up parts of its NFC technology (just like with Touch ID a few years ago), we are hopeful that this standards-based approach will evolve. We know security is only as strong as its weakest link; it is high on our bucket list of things to solve for the ecosystem!

What can you do? As Yubico continues to advocate for ubiquitous, strong authentication for all, we invite you to join us in voicing or tweeting your concerns and desires to Apple to expand their NFC on iOS. As a customer-centric company, Apple will greatly value your input. To send developer feedback to Apple, visit their contact page or send a tweet to @AppleSupport.

Talk to our teamTalk to our team

Share this article:


  • Introducing new features for Yubico Authenticator for iOSWe’re excited to share the new features now available for Yubico Authenticator for iOS in the latest app update on the App Store. Many of these improvements aim to address frequently requested features from our customers, while providing additional new functionalities for a seamless authentication experience on iOS.  With increased interest in going passwordless and […]Read moreiOSYubico Authenticator
  • Platform independent digital identity for all Many are understandably concerned that the great invention called the Internet, initially created by researchers for sharing information, has become a major threat to democracy, security and trust. The majority of these challenges are caused by stolen, misused or fake identities. To mitigate these risks, some claim that we have to choose between security, usability […]Read moreDigital IdentityEUDIFounderStina Ehrensvard
  • Q&A with Yubico’s CEO: Our move to the main Nasdaq market in StockholmAs 2024 draws to a close, it’s the perfect time to reflect on the incredible journey we’ve had this year and how it has shaped where we stand today as a company. To mark this moment, I sat down with our CEO, Mattias Danielsson, to look back on the milestones and achievements of 2024—culminating in […]Read moreCEOMattias Danielsson
  • Exploring DORA: A look at the next major EU mandateFinancial institutions have historically managed operational risk using capital allocation, but under EU Regulation 2022/2554 – also known as the Digital Operational Resilience Act (DORA) – the financial sector and associated entities in the European Economic Area (EEA) must also soon follow new rules. These new rules focus on the protection, detection, containment, and the […]Read moreDORAEU