Will my YubiKey NEO work on iPhones now that iOS 11 added some NFC support? It’s a fair question – one that we’ve been getting a lot of. This blog explains some of the details about iPhone support for YubiKey OTP to help bring some clarity to YubiKey users.
First, it’s important to understand the limited scope of Apple’s NFC support. Apple’s NFC APIs for iOS (Core NFC) allow iPhone apps to read the NFC Data Exchange Format (NDEF) records from certain NDEF tags (only supported on iPhone 7, 7 Plus, and up). However, there are a few limitations. Besides the fact that the NFC Reader interface can only be fired up from an app, Core NFC does not allow for write operations that are required for authentication protocols like FIDO U2F. That said, NFC on the iOS platform does not support Google’s recently announced Advanced Protection Program.
However, because NFC tag reading is supported, it allows developers to build apps, including consumer facing or purpose-built enterprise applications, with one-time passcode (OTP) support. Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, we finally have some good news for iPhone lovers: the YubiKey NEO will support OTP over NFC for applications that run on iOS11 and iPhone versions 7+. While Yubico acknowledges this progress, ubiquitous Apple support for strong authentication, namely FIDO protocols, remains out of reach at the moment.
For YubiKey users, this improves OTP two-factor authentication on the iPhone. Now they can authenticate with just a tap of their YubiKey NEO against the phone. Additionally, developers have a better authentication option to integrate with their mobile applications. One caveat remains: developers will have to build NFC support into each individual application to retrieve the OTP from the NDEF tag. Edit (28 May, 2018): See our new Mobile SDK for iOS.
In contrast, Android supports NFC natively in the platform. For example, Android developers can open the NDEF record for a URL with the default browser instead of opening up the specific app to read the NDEF tag. Furthermore, Android developers can also add FIDO U2F support using the Android FIDO U2F APIs.
While this is encouraging news, we realize it is not yet the complete desired solution. With Apple finally opening up parts of its NFC technology (just like with Touch ID a few years ago), we are hopeful that this standards-based approach will evolve. We know security is only as strong as its weakest link; it is high on our bucket list of things to solve for the ecosystem!
What can you do? As Yubico continues to advocate for ubiquitous, strong authentication for all, we invite you to join us in voicing or tweeting your concerns and desires to Apple to expand their NFC on iOS. As a customer-centric company, Apple will greatly value your input. To send developer feedback to Apple, visit their contact page or send a tweet to @AppleSupport.
