Yes, the iOS version of pwSafe supports NFC YubiKeys from version 10.4.
Prerequisites
To unlock a safe with a YubiKey you need
- pwSafe version 10.4 or higher
- An iPhone or iPad with NFC or Lightning capability
- A YubiKey with NFC or Lightning interface. This feature has been tested with a YubiKey 5C NFC, YubiKey Neo and YubiKey 5Ci. Please leave a comment below if you have successfully used another YubiKey type.
Introduction
A YubiKey is a security token which serves as a second authentication factor.
pwSafe uses the YubiKey's HMAC-SHA1 challenge-response mode. When the key is initialized, a random secret is stored in it. The password you enter is used as the challenge, and the resulting response is used as the safe password.
pwSafe's usage of the YubiKey is fully compatible with Password Safe's. This means safes created with Password Safe can be accessed with pwSafe normally and vice versa.
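The challenge-response derivation described above, modeled in software as an added example (not pwSafe or Password Safe code). The SoftToken class, the function names, and the UTF-8/hex encodings are assumptions made for illustration; the sample secret is constructed.

```python
import hashlib
import hmac
import secrets

SECRET_LEN = 20  # size of the HMAC-SHA1 secret held in a YubiKey slot


class SoftToken:
    """Software stand-in for a YubiKey in HMAC-SHA1 challenge-response mode."""

    def __init__(self, secret: bytes):
        if len(secret) != SECRET_LEN:
            raise ValueError("secret must be exactly 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Only the 20-byte response leaves the token, never the secret.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

    def overwrite_secret(self) -> None:
        # Models "Create new YubiKey secret": the previous secret is lost.
        self._secret = secrets.token_bytes(SECRET_LEN)


def derive_safe_password(token: SoftToken, typed_password: str) -> str:
    # Assumption: UTF-8 challenge and hex-encoded response; the encodings
    # pwSafe really uses are not stated on this page.
    return token.respond(typed_password.encode("utf-8")).hex()


def unlocks_same_safe(a: SoftToken, b: SoftToken, typed_password: str) -> bool:
    # Constant-time comparison of the two derived safe passwords.
    return hmac.compare_digest(derive_safe_password(a, typed_password),
                               derive_safe_password(b, typed_password))


if __name__ == "__main__":
    secret = bytes.fromhex("0b" * SECRET_LEN)  # constructed sample secret
    primary, same_secret = SoftToken(secret), SoftToken(secret)
    print("safe password:", derive_safe_password(primary, "Hi There"))
    print("same secret unlocks:", unlocks_same_safe(primary, same_secret, "Hi There"))
    primary.overwrite_secret()
    print("after overwrite unlocks:", unlocks_same_safe(primary, same_secret, "Hi There"))
```

The derived safe password depends on both the typed password and the secret in the token, so a token whose secret has been overwritten no longer produces the password that opens a safe created earlier.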
How to connect your YubiKey
pwSafe supports both NFC and Lightning connected YubiKeys. To use NFC, simply scan your YubiKey with your device when the app prompts you to.
If you want to use a Lightning-connected YubiKey like the YubiKey 5Ci, make sure to connect it before pwSafe needs to access the key. If no key is detected on the Lightning interface, pwSafe will automatically fall back to using NFC.
If your device has USB-C only (like recent iPad models), please read the section on USB-C below.
Enabling YubiKey support
To use your YubiKey to unlock a safe, you need to enable YubiKey support. Open the Settings of the app (using the gear icon at the top left) and toggle the "Enable YubiKey" option to on.
If this option is not available, then your device has no NFC support.
Create a safe with YubiKey protection
To create a new safe with YubiKey protection, just create a new safe as you would normally do, by tapping the '+' icon at the bottom-right. When asked for the password you will now have the option to add YubiKey protection:
The "Create new YubiKey secret" option will initialize the YubiKey for pwSafe usage. Use this option only once per YubiKey, as it will overwrite any existing secret. You will be asked to confirm this operation. If you previously created a safe with this YubiKey, overwriting the secret will lock you out of that safe.
Unlock a safe with YubiKey protection
After enabling YubiKey support, the dialog to unlock your safe will show a new toggle.
Just flip it on, and the app will ask for your YubiKey when you tap Open (you need to enter your password first of course). Next time you unlock this safe, the option will be enabled by default.
This works both in the pwSafe app and when using Autofill in other apps.
Important: As of iOS 18.2, Apple has disabled NFC access for app extensions. Within the pwSafe app NFC continues to work without any problems, so you can unlock your safes with NFC within the pwSafe app. When using the pwSafe Autofill extension (within another app like Safari), NFC communication with a YubiKey is no longer possible.
The YubiKey 5Ci is not affected as it does not use NFC. Note that you need a Lightning to USB-C adapter to connect this YubiKey to recent iPhone models equipped with a USB-C interface. The USB-C interface of the YubiKey 5Ci itself is not compatible (more details in the USB-C section below).
Add YubiKey protection to an existing safe
If you have an existing safe without YubiKey protection (protected with password only), you can easily add YubiKey protection using these steps:
- Unlock your safe
- Open the Safe Settings using the gear icon at the bottom
- Select "Change Safe Password"
- Enter the safe password (twice). You are allowed to re-use the existing password or use the opportunity to set a new password
- Enable the "Use YubiKey" option
The "Create new YubiKey secret" option will initialize the YubiKey for pwSafe usage. Use this option only once per YubiKey, as it will overwrite any existing secret. You will be asked to confirm this operation. If you previously created a safe with this YubiKey, overwriting the secret will lock you out of that safe.
Removing YubiKey protection from an existing safe
This works similarly to adding YubiKey protection to an existing safe: follow the steps for adding YubiKey protection listed above, but disable the "Use YubiKey" option instead of enabling it.
Prepare Backup YubiKey
When using a YubiKey to protect your safe, it is strongly recommended to prepare a backup YubiKey in case your YubiKey is lost, stolen or broken. Needless to say, you need a second YubiKey for this purpose. To prepare this backup YubiKey, follow these steps:
- Unlock the first safe created with your YubiKey. This is the safe created when you initialized your YubiKey for pwSafe usage.
- Open the settings of the safe (using the gear icon at the bottom)
- Tap the "Prepare Backup YubiKey" button and follow the prompts
USB-C
Recent iPad and iPhone models are equipped with a USB-C interface. At this moment this interface does not support the challenge-response protocol used by Password Safe. More details on this restriction are available here and here.
Note that this is not a restriction in the pwSafe app; it needs to be fixed by Yubico and/or Apple.
A workaround is to use the YubiKey 5Ci (which has a Lightning interface) combined with a Lightning to USB-C adapter.
This combination has been tested successfully and is supported. For recent iPad models this is currently the best available option, since these devices are not equipped with an NFC interface.
For iPhones, simply use NFC, which is more convenient too.
Limitation
Note: This limitation will be addressed in updates after the 10.4 version release. If it is important to you that this limitation is lifted, please leave a comment below. We use that feedback to set priorities.
- No support for Touch/Face ID in combination with YubiKey
Comments
9 comments
YubiKey option is enabled, but I don’t know how I can use it in File.
I have added a section “Using your YubiKey” to the article that explains how to use the new YubiKey support. Let me know if more details are needed.
It works on iPhone 13 mini with iOS 18.
Great, thanks for testing!
How much will the YubiKey option cost?
This option will be available for free 😎
That's great, you are the best man.
FYI, version 10.4 has been released which includes the initial support. Work will now start to lift the remaining limitations.