Yubikey: Challenge-Response (KeePassXC mode) #95

Open
markchalloner opened this issue Apr 17, 2019 · 85 comments

@markchalloner markchalloner commented Apr 17, 2019

iOS doesn't support Yubikey Challenge-Response for 2FA on Keepass files.

A workaround to be able to open Yubikey protected databases can be found in: keepassxreboot/keepassxc#1734 which shows how to create a pre-computed key file:

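# Yubikey HMAC-SHA1 secret as non-separated hex
CHALLENGE_RESPONSE_KEY=
DATABASE_FILE=/tmp/passwords.kdbx
KEY_FILE=/tmp/passwords.key
# HMAC-SHA1 of the 32 bytes at offset 0xc5; hexkey keeps 00 bytes in the key that "$(... | xxd -r -p)" would drop
xxd -p -c 33 -s 0xc5 -l 32 "$DATABASE_FILE" | xxd -r -p | openssl dgst -sha1 -mac hmac -macopt hexkey:"$CHALLENGE_RESPONSE_KEY" -binary > "$KEY_FILE"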

Unfortunately each time the database is changed this key file needs to be regenerated and imported into iOS.

It might be useful to add an Advanced Unlock option that takes the Challenge-Response secret and password and computes the key on the fly, avoiding the need for manual steps.

@CueHD CueHD commented Apr 17, 2019

There are different ways that KeePass implementations incorporate Yubikey Challenge-Response. The implementation used by KeepassXC and Keepass2Android for KDBX4 does not change the challenge nor response every time the database is saved.

See keepassxreboot/keepassxc#1060 for an explanation.

@mrclschstr mrclschstr commented Apr 18, 2019

Collaborator

@mmcguill mmcguill commented Apr 18, 2019

Hi, I'd like to add Yubikey support eventually, so thanks for opening the issue. I'm not super familiar with your use case here...

Could you describe in a little more detail the steps you follow with your device and KeePassXC to Unlock your database?

I will probably need to purchase a Yubikey to get started on this process. Any recommendations for use on iOS?

Author

@markchalloner markchalloner commented Apr 18, 2019

Hi Mark,

Thanks for coming back to me so quick.

> Could you describe in a little more detail the steps you follow with your device and KeePassXC to Unlock your database?

The steps required to login to a Yubikey Challenge-Response protected Keepass file with KeepassXC are:

The current steps required to login to a Yubikey Challenge-Response protected Keepass file with Strongbox are:

  • generate a key file from the KDBX4 database master seed and HMAC-SHA1 Challenge-Response (see script above - this needs to be done each time the database changes)
  • transfer the key to iOS,
  • open database with Strongbox Advanced Unlock option Password & Key File... and select the imported key file.

The steps I envision would be:

  • save the HMAC-SHA1 Challenge-Response secret in secure storage on iOS (simple: a local password protected only Strongbox database, complex: iOS local Keychain?)
  • retrieve the secret (simple: manually input via Strongbox Advanced Unlock option Password & Challenge-Response secret, complex: automatically via pin mechanism?)
  • Strongbox generates the master key from password and secret with the same algorithm implemented in KeepassXC
  • open database

> I will probably need to purchase a Yubikey to get started on this process. Any recommendations for use on iOS?

Unfortunately iOS support for Yubikey is currently limited to read-only modes: Yubikey's proprietary OTP, Static password and OATH-HOTP.

Because apps are unable to write via NFC/USB/Lightning the Challenge-Response wouldn't work. It looks like Yubico are bringing out an iOS device supporting at least U2F which implies the ability to send data to the key. Unfortunately however Challenge-Response does not seem to be mentioned either in the press release, blog or the signup for the developer preview.

With the physical hardware out of the picture, the only other option is to use the actual secret for now (either off or on-device) as in the current steps documented above.

Cheers

Collaborator

@mmcguill mmcguill commented Apr 19, 2019

Ok, thanks for the detailed response, very helpful.

@Mukrosz Mukrosz commented May 1, 2019

This feature would be amazing.
I see Lastpass is doing a similar/if not the same approach as mentioned above.

@mmcguill mmcguill self-assigned this Jun 2, 2019
@mmcguill mmcguill changed the title from "Advanced Unlock: Yubikey Challenge-Response secret" to "Yubikey Unlock: (Challenge-Response secret)" Jun 2, 2019

Collaborator

@mmcguill mmcguill commented Jun 20, 2019

Hi @markchalloner how do you see inputting Yubikey secret? Should it be a hex byte space separated string like:

96 84 43 35 60 2b 5f 00 42 78 07 c6 26 f1 ae 25 af 10 f0 2a

Any examples would be great. I'll try to investigate this soon...

Author

@markchalloner markchalloner commented Jun 20, 2019

Hi @mmcguill,

Thanks! It looks like (when generating):

  • the HMAC-SHA1 output by the older Yubikey Personalization Tool is space separated as in your example: 96 84 43 35 60 2b 5f 00 42 78 07 c6 26 f1 ae 25 af 10 f0 2a, but
  • the HMAC-SHA1 output by the newer Yubikey Manager is non-separated: 96844335602b5f00427807c626f1ae25af10f02a,

It's not inconceivable that the secret be backed up in either format (weirdly I have the non-separated format even though I generated it using the Personalization Tool).

When using:

  • Keepass2Android's Challenge Response secret (recovery mode) can take the HMAC-SHA1 as both space separated and non-separated hex formats (though note this is for KeeChallenge's recovery rather than KeePassX's).
  • openssl can only take the HMAC-SHA1 as a non-separated string: openssl dgst -sha1 -mac hmac -macopt hexkey:96844335602b5f00427807c626f1ae25af10f02a.

As an aside as I understand the CCHmac method takes an ascii encoded c string so I might be wary of treating the input as anything other than a string anyway to avoid accidentally converting it to the values represented in hex (though I'm not familiar with Objective C so wildly guessing here).

Hope that helps!

Collaborator

@mmcguill mmcguill commented Jun 20, 2019

Alright yeah, I think it should be no issue supporting both formats... Cheers

@ssa3512 ssa3512 commented Jul 13, 2019

It would be great to see support for this with Yubikey 5 NFC. I've been using Keepass2Android with "Password + Challenge-Response for Keepass XC" mode for some time. Considering moving to iOS but the lack of any applications that support Keepass + Yubikey NFC challenge-response is frustrating.

Collaborator

@mmcguill mmcguill commented Jul 13, 2019

@ssa3512 Sure, understood. The issue is really to do with hardware. There's no 2 ways comms capable Yubikey for iOS at the moment, which means challenge response is impossible right now. This issue itself is actually a way to workaround this by supplying the Yubikey secret to Strongbox and having it execute the challenge response (HMAC-SHA1) itself and use that generated response to open the database, which is no doubt a handy feature and something I hope to get done soon.

@SilverBut SilverBut commented Jul 15, 2019

> Unfortunately iOS support for Yubikey is currently limited to read-only modes: Yubikey's proprietary OTP, Static password and OATH-HOTP.

Update: iOS 13 would allow write to empty NFC tags. Wondering if this would be helpful if we want to add NFC capabilities for Strongbox.

Collaborator

@mmcguill mmcguill commented Jul 15, 2019

Just an update. In theory Yubikey's new 5Ci should allow this Challenge/Response. I've been in touch and hopefully will get enrolled into their developer program. @SilverBut re the iOS 13 NFC, I don't know, but I'll ask Yubikey about this.

Collaborator

@mmcguill mmcguill commented Jul 15, 2019

Update: Confirmed with Yubikey that iOS 13 NFC support should work too... Just a matter of allocating dev time to this, and a stable iOS 13 build.

Collaborator

@mmcguill mmcguill commented Jul 19, 2019

This feature is now ready for you to test, it would be great to have some feedback. There are a couple of steps to get this working

  1. You'll need your Yubikey master secret in Hex form as above (can be spaced couplets or just a long string)

  2. You'll need version 1.36.0 from the app store (you might need to uninstall and re install from the app store to get this release)

  3. You need to switch this feature on by going to Preferences > Advanced and turning on 'Show Yubikey Workaround' (Screenshot below)

     [screenshot]

  4. You'll see a field where you can enter this secret when you tap on your database.

  5. This should open your Yubikey protected database, in read-only mode for the moment.

Author

@markchalloner markchalloner commented Jul 19, 2019

Hi Mark,

Great, thanks for the feature and the clear steps. The basic functionality works well!

I tested:

  1. Opening a copy of my normal Keepass XC file from a remote with my Yubikey Challenge Response secret with and without the Read-only toggle enabled: PASS
     • The file opened successfully, under Read-only mode in both cases
     • Note: I was unable to easily retrieve the Challenge Response from another local Strongbox database as the clipboard is wiped on database close (with and without clipboard timeout enabled).
  2. Setting and reopening the database with a convenience pin: FAIL
     • The pin appeared to be set correctly.
     • The database could not be opened with the message:
       Could not open database
       The Convenience Password or Key File were incorrect for this database.
       Convenience Unlock Disabled.
  3. Setting and reopening the database with Touch ID: FAIL
     • The database could not be opened with the message:
       Could not open database
       The Convenience Password or Key File were incorrect for this database.
       Convenience Unlock Disabled.
  4. Opening the same database via Autofill: PASS
     • The file opened successfully and the correct entries were shown.
  5. Opening the same database via Autofill with convenience pin set: FAIL
     • A convenience PIN was not requested even though it had been set, the login page was shown instead.
     • The file opened successfully and the correct entries were shown.
  6. Opening the same database via Autofill with Touch ID set: FAIL
     • Touch ID was not requested even though it had been set, the login page was shown instead.
     • The file opened successfully and the correct entries were shown.

Cheers

Collaborator

@mmcguill mmcguill commented Jul 19, 2019

Thanks for the feedback @markchalloner... Yes, should have mentioned Convenience Unlock not supported either.

This is basically the most minimal release possible, I want to make sure the opening/unlocking works well. The next feature could/should be

  1. Write Mode
  2. Convenience Unlock

Convenience Unlock is probably straightforward enough. Write mode will take more work.

Any extra feedback from anyone else using this method welcome!

Author

@markchalloner markchalloner commented Jul 20, 2019

@mmcguill

If the Challenge Response field was type password could it be autocompleted from another database?

Collaborator

@mmcguill mmcguill commented Jul 21, 2019

@markchalloner Yes, that would work, I'll see about adding that in the next release. I wonder if anyone else in this issue has tried this open method out yet?

@mmcguill mmcguill changed the title from "Yubikey Unlock: (Challenge-Response secret)" to "Yubikey: Challenge-Response Master Secret Workaround" Jul 21, 2019

@ssa3512 ssa3512 commented Jul 22, 2019

I started testing this today and everything seems to be working well. Great job 👍 Looking forward to convenience unlock.

Collaborator

@mmcguill mmcguill commented Jul 24, 2019

Thanks for the update @ssa3512 - Convenience Unlock coming soon...

Collaborator

@mmcguill mmcguill commented Jul 25, 2019

Convenience Unlock should work for you with 1.37.0 - Let me know if it works ok!

@ssa3512 ssa3512 commented Jul 25, 2019

Validated convenience unlock with 1.37.0.

PIN unlock works, Face ID works and the two together works.
Just to confirm, is the expected behavior when Face ID and a PIN are enabled is that BOTH are required? Based on the setting of "Allow Face ID" I was expecting it to be either/or but it is requiring both.

Additionally, when using Face ID, there doesn't seem to be any sort of fallback to using the master key/password to unlock whereas PIN unlock has the "Manual" button that allows you to use those. Is this by design?

@ssa3512 ssa3512 commented Jan 30, 2020

Are you set up to do betas with TestFlight? I would be happy to install a beta version to test this out.

Collaborator

@mmcguill mmcguill commented Jan 31, 2020

Thanks @ssa3512 - Haven't used Testflight before but this might be a good time to start... will be in touch if I do go this way...

@rammellzee rammellzee commented Feb 6, 2020

If you do incorporate the Yubikey challenge, could you still keep the read-only secret feature? It would be quite handy to still view the database even if you lost the Yubikey.

Collaborator

@mmcguill mmcguill commented Feb 6, 2020

For sure, that'll stay available. :)

Collaborator

@mmcguill mmcguill commented Feb 14, 2020

Just an update. I've got this working now (NFC only initially) but unfortunately there's a whole process to getting it approved by Yubico/Apple which is now underway.

Hopefully it won't take too long :)

Collaborator

@mmcguill mmcguill commented Feb 21, 2020

Just another update.

Unfortunately at the mercy of Apple now, and then it will be over to Yubico... Apple have been very slow with their review process, and also managed to lose/reset Export Compliance docs which meant the whole compliance process had to be gone through again. Currently waiting on the app review team to review the build:

image

I've requested a status update from Apple as it's been nearly a week without movement...

@Slummi Slummi commented Feb 27, 2020

Hey,

version 1.46.0 with YubiKey support has just been released. :)
Can anyone tell me, how I can configure the YubiKey to work with Strongbox / KeePass?

Collaborator

@mmcguill mmcguill commented Feb 27, 2020

Hi @Slummi - Well spotted!

Yubikey NFC is now supported on iOS! 😀

To get started you'll need an NFC YubiKey with one of the slots programmed for HMACSHA1 Challenge Response. You can program it by using the YubiKey Personalization Tool from Yubico. Go to Challenge Response tab, select HMAC-SHA1, select slot 1 or slot 2, generate a secret key and choose 'Write Configuration'. Store the secret key somewhere very safe (this can be used in an emergency by Strongbox to recover access to your database without the hardware key).

Once you have a YubiKey with HMACSHA1 available on one of its slots you can create a YubiKey protected database in Strongbox by:

  1. Tap the '+' button in the top right
  2. Choose 'New Database (Advanced)'
  3. Choose Storage Location (e.g. Local Device)
  4. The 'Set Credentials' screen will popup.
  5. Enter a Password (optional)
  6. Under the YubiKey section choose whichever slot you programmed for HMACSHA1
  7. Tap 'Create'
  8. You will be prompted to scan your NFC YubiKey now. Scan it.

That's it, you've created your database. Now whenever you go to open that database you'll be requested to scan your YubiKey, and similarly when you Save it.

PS. The Workaround Secret is still in place and can now also be used in Full Read-Write mode (so make sure you store your secret somewhere very safe so you can recover if you ever lose the hardware key).

PPS. YubiKey is also now supported fully on the Mac app (Tested with a 5Ci and an NFC Yubikey)

@chrenderle chrenderle commented Feb 27, 2020

When will the 5Ci work with the iPhone App? I've got a Yubikey 5 NFC but only as a backup and since my iPad doesn't have NFC this is no solution.

Collaborator

@mmcguill mmcguill commented Feb 27, 2020

@chrenderle Hopefully pretty shortly if development goes well. It's a very painful process and requires Yubico and Apple whitelisting.

@Slummi Slummi commented Feb 27, 2020

Hi @mmcguill - Thanks for the very detailed description!
So it's a purely hash based procedure without any counter that is increased with every access and I can always access the database with the stored hash, even if the YubiKey is broken, right?

Collaborator

@mmcguill mmcguill commented Feb 27, 2020

Hrmmm... let me answer it this way, to be precise... The YubiKey component of the Composite Key (Password, Key File, YubiKey CR) is changed on every save (because the challenge is changed on every save), which means the Composite Key changes on every save.

The challenge gets run through HMACSHA1 (which is a keyed hash function, the key is your Yubico on device secret (which you can set programmatically via the Yubico Personalization Tool))...

That's as precisely as I can word it. I'm not sure if it answers your question though?

As long as you know your Yubico secret key you will always be able to unlock it via the Strongbox "Workaround" field whether or not you have the device. The secret key is the key. It can be provided by a YubiKey or via Strongbox workaround.

@JGAntunes JGAntunes commented Feb 28, 2020

Hey @mmcguill, just wanted to thank you for your work on this! 👍 Recently moved to iOS and I've been on the lookout for something that would work with KeepassXC and my YubiKeys (and truly work cross-platform). I've installed Strongbox today and it worked flawlessly 🙌

Collaborator

@mmcguill mmcguill commented Feb 29, 2020

Thanks a million @JGAntunes - Great to hear reports like this!

@okradioman okradioman commented Mar 1, 2020

Finally NFC Yubikey support for Strongbox :-)
Unfortunately I cannot get it working. I tried 2 different keyfiles - both created with KeePassXC using a keyfile and my Yubikey 5 Challenge Response Slot 2 Active. Both work fine in KeePassXC.
I tried the old workaround and the new NFC Function - I always get (translated from German) "Wrong Access Data" "The access data for this database was wrong". So just tried KeePassium - and it works there without problems. I am not sure what I am doing wrong......Any idea?

Collaborator

@mmcguill mmcguill commented Mar 1, 2020

Hi @okradioman - That's really strange! Couple of questions:

  1. What message do you get in German (it's easier for me to find) this way.
  2. What happens if you create the database in Strongbox?
  3. What happens if you use Password & YubiKey instead of a Key File & YubiKey?
  4. Could you post an image of the Unlock Screen (send by email if you prefer to support@strongboxsafe.com)?
  5. When you say you tried the "old workaround", does this mean the workaround was working before but is not now?

@okradioman okradioman commented Mar 1, 2020

Hi @mmcguill,

actually I am using Password, Keyfile and Yubikey - all of them.
1. I get "Falsche Zugangsdaten Die Zugangsdaten für diese Datenbank waren falsch" (which is not the case...)
2. If I create it in Strongbox with Password, keyfile and Yubikey it works fine!
3. doesn't work either - same as under 1. - I also tried just password on my keyfile (just to make sure this might work - and it works)
4. will do
5. actually I have not tried before the release. By workaround I mean typing the Yubikey Geheimnis manually.
Tried to remove keyfile and Yubikey and add again - but no change.
Also tried to create a new kdbx in KeepassXC, a new Keyfile and use Slot2 from my Yubikey. Works fine on KeepassXC but also not in Strongbox.

Collaborator

@mmcguill mmcguill commented Mar 1, 2020

Just an update, I managed to find what I believe the issue is here. This is down to the YubiKey being programmed with "Fixed 64 byte input" vs "Variable input" for HMACSHA1.

Strongbox doesn't pad the challenge correctly in this case. A fix is on the way for this now.

@abalakov abalakov commented Mar 2, 2020

> Hey @mmcguill, just wanted to thank you for your work on this!... it worked flawlessly

Same here! I can confirm it is working with Keyfile and Yubikey 5 NFC with 64bit fixed HMAC-SHA1 Challenge Response.

Thanks a lot!

@chrenderle chrenderle commented Mar 3, 2020

Right now the Yubikey does not work with Autofill. Will this be implemented in the future or is this not possible due to the restrictions from Apple?

Collaborator

@mmcguill mmcguill commented Mar 3, 2020

At the moment it's just not possible to access NFC in an Auto-Fill (technically App Extension) context by Apple explicitly don't allow it. I believe the same is true of MFI (e.g. Lightning 5Ci)...

The only solution I can think of, which may not be acceptable is to use the Workaround field, negating the use of the hardware token. :(

@Frederick888 Frederick888 commented Mar 3, 2020

> At the moment it's just not possible to access NFC in an Auto-Fill (technically App Extension) context by Apple explicitly don't allow it

Seems to be documented here: https://developer.apple.com/documentation/corenfc

This is unfortunate. I've been looking forward to migrating from Kypass to Strongbox for NFC challenge-response support and now this is tbh a huge bummer to me :(

@antnythr antnythr commented Mar 5, 2020

> > At the moment it's just not possible to access NFC in an Auto-Fill (technically App Extension) context by Apple explicitly don't allow it
>
> Seems to be documented here: https://developer.apple.com/documentation/corenfc
>
> This is unfortunate. I've been looking forward to migrating from Kypass to Strongbox for NFC challenge-response support and now this is tbh a huge bummer to me :(

Hopefully it’s something they’re planning to implement and that it’s available for iOS 14.

Time to submit some feedback I guess...
https://www.apple.com/feedback/

@Frederick888 Frederick888 commented Mar 6, 2020

> Time to submit some feedback I guess...

By the way since I'm using the memory-hard Argon2 function, the memory usage restriction on App Extensions causes random crashes in Auto-Fill and it seems that Strongbox is also affected by this issue (#99). Hence I'd appreciate it if you guys can include this problem in your feedback as well.

PS: Sorry this is a little off-topic.

@seonwoolee seonwoolee commented Mar 10, 2020

Ever since the latest update, I cannot open my KeePass database on my iPhone 6. I had previously been unlocking my database using the Yubikey secret.

I believe the problem may be related to the fact that because the iPhone 6 cannot be updated to iOS version 13 or later, apps including Strongbox can't use the NFC. When I try to choose one of the NFC slots, I get an error saying device does not support NFC Scanning...
When I don't specify a Yubikey NFC slot and put in the Yubikey secret, it says incorrect credentials.

Is there any chance you're accidentally ignoring the Yubikey secret field?

Collaborator

@mmcguill mmcguill commented Mar 10, 2020

Hi, I don't think that it'll be ignoring the secret. Couple of questions

Does your database open with your Yubikey elsewhere?
Is your Yubikey programmed with Fixed Length or Variable input do you know?

@seonwoolee seonwoolee commented Mar 10, 2020

Yes, it opens with KeePassXC on Windows 10 and Linux, and Keepass2Android on Android.

I don't know how my Yubikey is programmed but I'm not sure why that matters; I'm trying to unlock my database using the Yubikey secret (the way I was unlocking it before the app was updated) and NOT my Yubikey.

Collaborator

@mmcguill mmcguill commented Mar 11, 2020

Thanks @seonwoolee - That does sound strange. Can you mail support@strongboxsafe.com and I can try to investigate this further in the coming days...

Collaborator

@mmcguill mmcguill commented Mar 20, 2020

@seonwoolee - I haven't heard from you but in case you're still available, there is a new parameter you can now specify in the workaround field. You can prefix the secret with a capital 'P' - this tells Strongbox to simulate a YubiKey programmed in 'variable' mode.

Note: It does matter how you programmed your yubikey even when you are using the workaround field. The YubiKey will calculate different responses for the same secret depending on this parameter. Long story but if you'd like to read more you can do so here:

Yubico/yubikey-personalization-gui#86
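
Added example (Python; not Strongbox, KeePassXC or Yubico code) for two points raised in the thread: accepting the secret in either hex format, and why "Fixed 64 byte input" and "Variable input" give different responses for the same secret. All function names are hypothetical, and the padding rule in `pad_challenge` and the truncation rule in `simulate_token` are assumptions about the behaviour discussed in the linked Yubico issue; the challenges are constructed samples.

```python
import hashlib
import hmac

SECRET_LEN = 20  # assumption: 20-byte secret, as in the example quoted in the thread
FRAME_LEN = 64   # frame size behind the "Fixed 64 byte input" setting


def parse_secret(text: str) -> bytes:
    """Decode a hex secret written as '96 84 43 ...' or '968443...'."""
    compact = "".join(text.split())
    try:
        key = bytes.fromhex(compact)
    except ValueError:
        # Do not echo the input back: it is key material.
        raise ValueError("secret must be hex, optionally space separated") from None
    if len(key) != SECRET_LEN:
        raise ValueError(f"expected {SECRET_LEN} secret bytes, got {len(key)}")
    return key


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def pad_challenge(challenge: bytes) -> bytes:
    """Assumed padding rule: fill to 64 bytes, each pad byte = pad length."""
    if len(challenge) > FRAME_LEN:
        raise ValueError("challenge longer than one 64-byte frame")
    pad = FRAME_LEN - len(challenge)
    return challenge + bytes([pad]) * pad


def simulate_token(key: bytes, frame: bytes, variable_input: bool) -> bytes:
    """Hypothetical model of a token answering one 64-byte frame."""
    if len(frame) != FRAME_LEN:
        raise ValueError("frame must be exactly 64 bytes")
    if variable_input:
        # Assumed variable-input rule: trailing bytes equal to the last
        # byte are treated as padding and are not hashed.
        frame = frame.rstrip(frame[-1:])
    return hmac_sha1(key, frame)


def response(secret_text: str, challenge: bytes, variable_input: bool) -> bytes:
    key = parse_secret(secret_text)
    return simulate_token(key, pad_challenge(challenge), variable_input)


# Secret strings as quoted in the thread; the challenges are constructed.
SPACED = "96 84 43 35 60 2b 5f 00 42 78 07 c6 26 f1 ae 25 af 10 f0 2a"
COMPACT = "96844335602b5f00427807c626f1ae25af10f02a"
SEED = bytes(range(32))          # 32-byte challenge ending in 0x1f
SEED_EDGE = bytes(31) + b"\x20"  # last byte equals the pad byte 0x20

if __name__ == "__main__":
    key = parse_secret(SPACED)
    print("both formats give one key:", key == parse_secret(COMPACT))
    # Variable mode hashes the unpadded 32 bytes, which is what the
    # key-file script in the first comment computes.
    print("variable input :", response(SPACED, SEED, True).hex())
    print("fixed 64 bytes :", response(SPACED, SEED, False).hex())
    # Keying with the ASCII text of the hex string is a different key.
    print("ascii-keyed    :", hmac_sha1(COMPACT.encode(), SEED).hex())
    # Edge case: a challenge ending in the pad byte loses that byte too.
    print("edge, variable :", response(SPACED, SEED_EDGE, True).hex())
    print("edge, plain    :", hmac_sha1(key, SEED_EDGE).hex())
```

Under these assumptions a mismatch between the mode the token was programmed with and the mode the software simulates yields a valid-looking but different 20-byte response, which surfaces only as "incorrect credentials".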
