Unlocking iOS devices with a Yubikey

8 Jul 2021 20:53 | apple | iOS

I love Yubikeys; they provide a very strong second factor for accounts and
services that you care a lot about. I use them for all kinds of things but one
thing I was quite excited to try was the Yubikey 5ci in static password mode.

Static password mode simply acts as a virtual keyboard, playing back a static
sequence of characters over the connected interface (usually USB). I wasn't
sure at first if this was supported over the Lightning port but it turns out it
is, which is very cool.

Using static password mode to supply the entire password for something is a bad
idea - if someone steals the key then they have the entire password and there's
no way to protect it on the key. Plug it in, press the sensor and voila you've
got the entire secret string. But using it in combination with a known
passphrase is very powerful. I was quite excited about the idea of using this on
iOS - a relatively simple password combined with a huge amount of extra entropy
from the Yubikey as a salt.

If you're going to attempt this, DON'T do what I did first and set the password
on the iPhone using the Yubikey. This is a really really bad idea - I did this
at first and although it appeared to work, the password set correctly, as soon
as I tried to unlock the phone by typing my passphrase and then activating the
Yubikey it didn't unlock. This was quite unnerving at the time but luckily I had
the secret string emitted by the key noted down and simply typing it in
carefully got me back into the phone. So learn from my mistake - type the
password into the iPhone very carefully rather than using the key to set it,
because if it just happens to fail in the same way twice in that moment you
might find yourself locked out of your device and facing the prospect of either
a lot of tedious guesswork (which and how many characters were dropped) or worse
- restoring from a backup.

At first I thought it was failing to unlock because it was sending the keys
too quickly. The Yubikey Personalisation Tool has an option to add up to 60ms
of delay between the keystrokes and this seemed to help, but it still wasn't
100% reliable. After further testing I eventually determined that the ! prefix
I was using was being converted into a 1 about 30% of the time. This did not
seem to happen on the Mac so is likely something to do with iOS or the
Lightning interface. I turned off the ! prefix and then found that the first
character that should be uppercase was occasionally being turned lowercase.
This glitch only seems to affect the first character of the password and it
seems to relate to the shift modifier. After disabling both the ! prefix and
uppercase characters it worked flawlessly every time without any input delay.
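
The check described above, as an added example that is not part of the original post: it flags the characters in a candidate static string that need the Shift modifier, lists what the phone may receive if Shift is lost on the first character, and generates a lowercase-and-digit string instead. It assumes a US keyboard layout, and all function names are hypothetical.

```python
import math
import secrets
import string

# Assumption: US keyboard layout. Keys that need Shift, mapped to what the
# same key types when the Shift modifier is lost.
_SHIFTED = '~!@#$%^&*()_+{}|:"<>?'
_BASE = "`1234567890-=[]\\;',./"
UNSHIFT = dict(zip(_SHIFTED, _BASE))
UNSHIFT.update({c: c.lower() for c in string.ascii_uppercase})

# Alphabet that never needs the Shift modifier.
SAFE_ALPHABET = string.ascii_lowercase + string.digits


def shifted_positions(static):
    """Return (index, char) for every character that requires Shift."""
    return [(i, c) for i, c in enumerate(static) if c in UNSHIFT]


def first_char_variants(static):
    """Strings the phone may receive if Shift is lost on the first character."""
    variants = [static]
    if static and static[0] in UNSHIFT:
        variants.append(UNSHIFT[static[0]] + static[1:])
    return variants


def generate_static(length):
    """Random static string drawn only from unshifted characters."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(SAFE_ALPHABET)):
    """Entropy in bits of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    sample = "!Kq7x"  # constructed sample, not a real secret
    print(shifted_positions(sample))
    print(first_char_variants(sample))
    print(generate_static(32), round(entropy_bits(32), 1), "bits")
```

Dropping uppercase and symbols costs some entropy per character, but a 32-character string over this 36-symbol alphabet still carries about 165 bits.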

When it works it's really cool - FaceID most of the time and then when I need
to re-authenticate FaceID I have a much stronger password than before but also
don't need to actually type all of it.

There are a couple of downsides - you have to enable USB access on the lock
screen or else the key won't be able to talk to the phone in order to send the
keys. This seems like a reasonable trade-off for most people though - if you've
got someone plugging hardware into your phone to try to break into it you've
likely got much bigger things to worry about. To enable USB access go to
Settings -> FaceID & Passcode and make sure the "USB Accessories" checkbox is
enabled. The other downside is that the Apple leather case doesn't quite have a
big enough hole around the Lightning socket for the key to insert, but that's
easily solved with a bit of sandpaper.

It's a very good idea to have more than one Yubikey. Also make sure you back up
the static secret somewhere. I recommend storing it in an encrypted file and
making several backups, including at least one offline.