YubiKey NEO Composite Device

December 26, 2012 2 minute read
YubiKey neo with google phone

The YubiKey NEO differs from the standard YubiKey as it can become a composite USB device – presenting both a HID (Keyboard) and CCID (SmartCard) device to the host.  This allows us to support all the great features of the standard YubiKey and add new support for SmartCard functions.  Our last NEO post described the OpenPGP NEO App that ships with the production YubiKey NEO.

In this post, we want to describe how to control how the YubiKey NEO presents itself to the host computer.

We ship the YubiKey NEO with just the HID (keyboard) USB device enabled.  We did this to maximise compatibility with the YubiKey Standard and the pre-production YubiKey NEO – neither of which support SmartCard functions.  To enable the OpenPGP SmartCard function, you need to configure the YubiKey NEO to switch on the CCID interface.  So far, we have updated the ykpersonalize command line to support the “-m” switch; this controls the composite modes the YubiKey NEO exhibits. Be careful, you can use the -m command to remove HID support; as ykpersonalize only works with the HID interface, this means you cannot use ykpersonalize anymore if you remove HID support.  We have added the tool ykneo-ccid-modeswitch which allows you to enable HID if it gets removed!

Here are the common modes:

  • -m0  HID (OTP) mode
  • -m1 CCID (OpenPGP only – no OTP) – warning – you cannot use ykpersonalize after this setting!
  • -m2 HID & CCID Only (OTP & OpenPGP)
  • -m82 HID & CCID (OTP and OpenPGP) EJECT Flag set – allows SmartCard and OTP concurrently.
  •  (Updated: 9/28/2015; You can enable CCID, OTP, and U2F with -m86 on YubiKey NEOs with 3.3 firmware or higher.)

The EJECT_FLAG (0x80) operates as follows:

  • with mode 1 with the EJECT_FLAG set, when touching the button the NEO will “eject” the smart card, making it unavailable to the host, when touching again it will be “inserted” again.
  • with mode 2 with the EJECT_FLAG set, when touching the button the NEO will “eject” the smart card, send the OTP from the HID interface and then “insert” the smart-card.
Share this article:

Recommended content

Exploring clientDataJSON in WebAuthn

Calling all developers! Today, we’re kicking off our first-ever post in our new technical blog series specifically designed for our developer community. Each month, we will be selecting a new technical topic to cover in more depth. To start our series, we dive into the clientDataJSON object as part of the Web Authentication or WebAuthn ...

Diablo Valley College students implement WebAuthn in 24 hours

What do you get when you mix six hundred developers, twenty-four hours, twelve challenges and a mass of cash and prizes? The nation’s largest challenge-driven hackathon, hosted by DeveloperWeek in San Francisco. Hackathon participants get just twenty-four hours to create a working proof of concept to solve some of the world’s most pressing problems. Yubico ...

What’s new in Yubico PIV Tool 2.0?

New open authentication standards, FIDO2 and WebAuthn, have been getting a lot of attention lately with tech giants like Apple joining industry adoption. As a core creator of these standards, we celebrate these milestones, but our mission here at Yubico is to make a safer internet for all. In addition to driving new open web ...

4 security tips: for developers, by developers

As National Cybersecurity Awareness Month comes to an end, our focus turns to what the developer community can do to stay cyber smart all year long. We’ve already talked about access management, and shared tips on how to protect your personal accounts. Today, we offer tips from the Yubico Developer Team to developers looking to ...