Unlocking iOS devices with a Yubikey
8 Jul 2021 20:53 | apple | iOS
I love Yubikeys, they provide a very strong second factor for accounts and services that you care a lot about. I use them for all kinds of things but one thing I was quite excited to try was the Yubikey 5ci in static password mode.
Static password mode simply acts as a virtual keyboard, playing back a static sequence of characters over the connected interface (usually USB). I wasn’t sure at first if this was supported over the lightning port but it turns out it is which is very cool.
Using static password mode to supply the entire password for something is a bad idea - if someone steals the key then they have the entire password and there’s no way to protect it on the key. Plug it in, press the sensor and voila you’ve got the entire secret string. But using it in combination with a known passphrase is very powerful. I was quite excited about the idea of using this on iOS - a relatively simple password combined with a huge amount of extra entropy from the Yubikey as a salt.
If you’re going to attempt this, DON’T do what I did first and set the password on the iPhone using the Yubikey. This is a really really bad idea - I did this at first and although it appeared to work, the password set correctly, as soon as I tried to unlock the phone by typing my passphrase and then activating the Yubikey it didn’t unlock. This was quite unnerving at the time but luckily I had the secret string emitted by the key noted down and simply typing it in carefully got me back into the phone. So learn from my mistake - type the password into the iPhone very carefully rather than using the key to set it, because if it just happens to fail in the same way twice in that moment you might find yourself locked out of your device and facing the prospect of either a lot of tedious guesswork (which and how many characters were dropped) or worse - restoring from a backup.
At first I thought it was failing to unlock because it was sending the keys too quickly. The Yubikey Personalisation Tool has an option to add up to 60ms of delay between the keystrokes and this seemed to help, but it still wasn’t 100% reliable. After further testing I eventually determined that the ! prefix I was using was being converted into a 1 about 30% of the time. This did not seem to happen on the mac so is likely something to do with iOS or the lightning interface. I turned off the ! prefix and then found that the first character that should be uppercase was occasionally being turned lowercase. This glitch only seems to affect the first character of the password and it seems to relate to the shift modifier. After disabling both the ! prefix and uppercase characters it worked flawlessly every time without any input delay necessary.
When it works it’s really cool - FaceID most of the time and then when I need to re-authenticate FaceID I have a much stronger password than before but also don’t need to actually type all of it.
There are a couple of downsides - you have to enable USB access on the lock screen or else the key won’t be able to talk to the phone in order to send the keys. This seems like a reasonable trade-off for most people though - if you’ve got someone plugging hardware into your phone to try to break into it you’ve likely got much bigger things to worry about. To enable USB access go to Settings -> FaceID & Passcode and make sure the “USB Accessories” checkbox is enabled. The other downside is that the Apple leather case doesn’t quite have a big enough hole around the lightning socket for the key to insert, but that’s easily solved with a bit of sandpaper.
It’s a very good idea to have more than one Yubikey. Also make sure you back up the static secret somewhere, I recommend storing it in an encrypted file and making several backups, including at least one offline.