I’m trying to add a new yubikey to my II
I would like to use usb on desktop and NFC on my mobile(android)
It works perfectly fine on desktop via USB-C, however via NFC after I give it the key(by holding close to the phone) it gives a popup “you’re all set, you can remove the key” and when I close it “connect your key” doesn’t disappear… if I close it too it redirects me to a page saying “operation cancelled”
I tried leaving either only FIDO2 or only FIDO U2F as available interfaces in NFC mode - didn’t help. If I enable everything(like it is by default) it also tries to redirect me via a browser to some demo page on yubico
How do I make yubikey NFC work with Internet Identity?.. I cannot use usb-c on my phone
This definitely is supposed to work. What make and model of YubyKey and Android phone do you have?
I have a YubiKey 5C NFC (firmware version 5.4.3) and I can confirm that it didn’t work with my Android OnePlus 8T with Android 14.
The error I got was “not supported application for this nfc tag”. Note that II works flawlessly if I insert the YubiKey into the USB-C port and chose USB during the authentication prompt.
I cannot use usb-c on my phone
Can you explain why? Does the phone not have such a port?
I’ll look into this further and see whether we can improve the situation somehow. But it might very well be an incompatibility caused by the different pieces of hardware involved. There is a lot of growing pain in the Passkey space right now, especially for the NFC and hybrid transports (scanning QR code) and a lot of that is outside of our hands.
Is it possible for you to use II with the built-in biometrics of the phone itself?
I do have YubiKey 5C NFC as well(firmware 5.4.3, fresh out of the shop), Redmi Note 10 Pro(android 12)
I’ve tried everything I can - no luck with NFC, usb-c port is damaged on this device(so NFC is the only way for now)
I was looking for a more secure solution and this is why I got the Yubikey, but judging from what I see it turns out to be a less secure solution(shocker) - the biggest hurdle and scare is that there’s NO PIN required to access my nns.ic0.app or identity.ic0.app - it just let’s me in(from whatever device as long as I have valid Yubikey and Internet Identity number)
Basically if I lose my Yubikey I potentially lose all my funds on the NNS wallet(even locked neurons can be lost nowdays because IDGeek exists)
This is absolutely unacceptable from security perspective. PIN should be mandatory
Internet Identity number cannot act as a pin, because it’s too deterministic and is correlated with II creation date.
I experience exactly the same issue on the demo website(with 100% identical behavior)
Very sad indeed…
So as I said, this is a hardware incompatibility issue then which we unfortunately cannot fix in Internet Identity. I agree that this is a sad state of things.
If you want the best security available today, then I would suggest going for a Ledger hardware wallet: https://www.ledger.com/
The NNS dapp gives you the option to attach such a wallet and manage your funds there. You can also attach the ledger HW wallet to Internet Identity if you install the FIDO app.
Unfortunately this won’t allow me to move my locked neurons and I’m not sure If I can hold my SNS neurons/liquid tokens in ledger via NNS wallet(probably I cannot because the option sits directly under ICP section)
What is the reason we do not ask for a PIN when using Yubikey, can this be changed? Seems like a major flaw in security
