Yes, the iOS version of pwSafe supports NFC YubiKeys from version 10.4.
The current support has a few limitations (see the Limitations section below) which will be addressed in upcoming updates. If you are interested in helping to test these updates, please join the test group.
Prerequisites
To unlock a safe with a YubiKey you need:
- pwSafe version 10.4 or higher
- An iPhone or iPad with NFC capability
- A YubiKey with NFC support. This feature has been tested with a YubiKey 5C NFC and YubiKey Neo. Please leave a comment below if you have successfully used another YubiKey type.
Introduction
A YubiKey is a security token which serves as a second authentication factor.
pwSafe uses the YubiKey's HMAC-SHA1 challenge-response mode. When the key is initialized, a random secret is stored in it. The password you enter is used as the challenge, and the resulting response is used as the safe password.
pwSafe's usage of the YubiKey is fully compatible with Password Safe's. This means safes created with Password Safe can be accessed with pwSafe normally and vice versa.
Enabling YubiKey support
To use your YubiKey to unlock a safe, you need to enable YubiKey support. Open the Settings of the app (using the gear icon at the top left) and toggle the "Enable YubiKey" option to on.
If this option is not available, then your device has no NFC support.
Create a safe with YubiKey protection
To create a new safe with YubiKey protection, just create a new safe as you would normally do, by tapping the '+' icon at the bottom-right. When asked for the password you will now have the option to add YubiKey protection:
The "Create new YubiKey secret" option will initialize the YubiKey for pwSafe usage. Use this option only once per YubiKey, as it will overwrite any existing secret. You will be asked to confirm this operation. If you previously created a safe with this YubiKey, overwriting the secret will lock you out of that safe.
Unlock a safe with YubiKey protection
After enabling YubiKey support, the dialog to unlock your safe will show a new toggle
Just flip it on, and the app will ask for your YubiKey when you tap Open (you need to enter your password first of course). Next time you unlock this safe, the option will be enabled by default.
This works both in the pwSafe app and when using Autofill in other apps.
Add YubiKey protection to an existing safe
If you have an existing safe without YubiKey protection (protected with password only), you can easily add YubiKey protection using these steps:
- Unlock your safe
- Open the Safe Settings using the gear icon at the bottom
- Select "Change Safe Password"
- Enter the safe password (twice). You may re-use the existing password or take the opportunity to set a new one
- Enable the "Use YubiKey" option
The "Create new YubiKey secret" option will initialize the YubiKey for pwSafe usage. Use this option only once per YubiKey, as it will overwrite any existing secret. You will be asked to confirm this operation. If you previously created a safe with this YubiKey, overwriting the secret will lock you out of that safe.
Removing YubiKey protection from an existing safe
This works similarly to adding YubiKey protection to an existing safe: follow the steps for adding YubiKey protection listed above, but disable the "Use YubiKey" option instead of enabling it.
Prepare Backup YubiKey
When using a YubiKey to protect your safe, it is strongly recommended to prepare a backup YubiKey in case your YubiKey is lost, stolen or broken. Needless to say, you need a second YubiKey for this purpose. To prepare this backup YubiKey, follow these steps:
- Unlock the first safe created with your YubiKey. This is the safe created when you initialized your YubiKey for pwSafe usage.
- Open the settings of the safe (using the gear icon at the bottom)
- Tap the "Prepare Backup YubiKey" button and follow the prompts
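The challenge-response scheme from the Introduction, the "Create new YubiKey secret" warning and the backup key procedure can be modelled in a few lines. This is an added example, not pwSafe or Password Safe code: SoftToken, safe_password and demo are hypothetical names, the UTF-8 challenge and hex response encodings are assumptions, and the backup key is assumed to receive the same secret as the first key.

```python
import hashlib
import hmac
import secrets

MAX_CHALLENGE = 64  # YubiKey HMAC-SHA1 challenges are at most 64 bytes


class SoftToken:
    """Software stand-in for one HMAC-SHA1 challenge-response slot."""

    def __init__(self):
        self._secret = None

    def program(self, secret: bytes) -> None:
        # Writing a secret replaces whatever the slot held before.
        if len(secret) != 20:
            raise ValueError("slot secret must be 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        if self._secret is None:
            raise RuntimeError("slot has no secret")
        if not 0 < len(challenge) <= MAX_CHALLENGE:
            raise ValueError("challenge must be 1 to 64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def safe_password(token: SoftToken, typed: str) -> str:
    # Assumed encoding (not from the page): UTF-8 challenge, hex response.
    return token.respond(typed.encode("utf-8")).hex()


def demo(typed: str = "constructed-sample-password"):
    secret = secrets.token_bytes(20)          # "Create new YubiKey secret"
    primary, backup = SoftToken(), SoftToken()
    primary.program(secret)
    backup.program(secret)                    # assumed: backup gets same secret
    original = safe_password(primary, typed)
    via_backup = safe_password(backup, typed)
    primary.program(secrets.token_bytes(20))  # secret created a second time
    after_overwrite = safe_password(primary, typed)
    return original, via_backup, after_overwrite


if __name__ == "__main__":
    original, via_backup, after_overwrite = demo()
    print("backup key opens the safe:   ", via_backup == original)
    print("overwritten key opens it:    ", after_overwrite == original)
```

The typed password alone never equals the safe password in this model, which is why a key whose secret was overwritten can no longer open a safe created with the old secret.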
Limitations
Note: These limitations will be addressed in updates after the 10.4 version release. If lifting any of these limitations is important to you, please leave a comment below. We use that feedback to set priorities.
- No support for Touch/Face ID in combination with YubiKey
- No support for USB-C connected YubiKeys
The 10.4.3 update will fix these limitations:
- No support for Lightning connected YubiKeys
iPad support
Recent iPad and iPhone models are equipped with a USB-C interface. At this moment this interface does not support the challenge-response protocol used by Password Safe. More details on this restriction are available here and here.
There is a suggested workaround to use the YubiKey 5Ci (which has a Lightning interface) combined with the adapter from Lightning to USB-C.
This combination has been tested successfully. It will be supported by pwSafe once Lightning support has been added, which will come as an update.
Comments
9 comments
Yubikey option is Enabled, but I don’t know how I can use it in File.
I have added a section “Using your YubiKey” to the article that explains how to use the new YubiKey support. Let me know if more details are needed.
It works on iPhone 13 mini with iOS 18
Great, thanks for testing!
How much will the YubiKey option cost?
This option will be available for free 😎
that's great, you are the best man
FYI, version 10.4 has been released which includes the initial support. Work will now start to lift the remaining limitations.