NitroKey 3A NFC

Hello,

How can I use the NFC function?
NitroKey 3A NFC 1.2.2 release

When I try to read the Nitrokey with the "NFC Tools" iOS app, nothing happens.
If I hold a Yubikey 5 NFC or SoloKey2 against it instead, I always get a response.
I have an iPhone 12 Pro.

Update 15.12.22

When the stick has power, i.e. via USB cable (PC) or a power bank, NFC works.

Thanks for the help

The problem seems to affect not only iOS, but also Android.

I can only use NFC from the Nitrokey 3A NFC with firmware version 1.2.2 with the following devices if the Nitrokey 3A NFC is connected via USB:

  • iPhone 12 with iOS 16.1.2 & iOS 16.2
  • Fairphone 4 running Android 11

I also have the problem that I can't add the key(s) with my iPhone 12 mini… With NFC Tools I get a response in 2 out of 10 attempts… but never when the key is supposed to be added…

The firmware update from 1.2.0 to 1.2.2 didn't help either :frowning:

iOS 16.3 - iPhone 12 mini

Does the iPhone have a case?
I had more success without a case.
It seems that the key has to be held very close to the iPhone (near the camera).

Here is another reply from support on the topic:

Yes, the problem is the sensitivity of the NFC sensor, or rather the transmitter in the iPhone.

NFC normally works by the Nitrokey getting enough power via induction to run a microprocessor for the FIDO2 function. iPhones often don't provide enough power. When the key is powered directly, this effect goes away.

So the problem is a combination of iPhone hardware and our keys.

René

It doesn't work over NFC with or without a case…

but it does with a USB adapter… do I now have to lug the adapter around with me all the time?

1 Like

Then let's hope the problem can be fixed with a firmware update.

irony on
@daringer that's quite a cool workaround for the NK3 NFC issue.

Could it be that at Nitrokey NFC is a security feature and it doesn't work wirelessly?
irony off

1 Like

Hello,
is there an update on this topic?

I have the same problem (NFC only with USB power) with a brand-new Nitrokey 3A NFC received today and my Huawei P30 Lite (without a case), and I wonder whether I should risk the firmware update.

Fundamentally, I ask myself whether such a problem (not enough power over NFC) can be fixed with firmware at all - does Nitrokey actually have a roadmap for this?
Many thanks for an update!

1 Like

Hi, please try it with the Brave browser; it works for me with that, but not with Safari.

The solution is the right method of presenting/ swiping the iphone over the nitrokey.
On my iphone SE 2020 it works consistently even with a thick rubber case and Safari browser.
You must place the iphone top edge onto the NK3 NFC backside lying parallel on the desk, i.e. align the edges top edge of the backside of the phone, near the center, next to the camera with the long edge of the backside of the NK3 and then slide slowly the iphone over the NK3 perpendicular to the long edge.
Try with https://webauth.io.

@Nitrokey-Support-Personal: Please, make a video and post it in the documentation.

P.S: It’s a joke that nitrokey forum does not offer registration and logon with webauth / FIDO2.
If even the company that produces the stick does offer its benefits to its customers, how should webauth / FIDO2 ever be adopted by a wide public?

The current scope and maturity of the available documentation is very disappointing. Just get a cheap intern and let them write some decent documentation.

1 Like

addition: the USB-C is pointing to the left, while the NK3 is lying on the desk

addendum2: you need to swipe parallel to the desk, i.e. swipe / pull down phone on parallel surface to desk and NK3.

addendum3: on my Oneplus3 running LineageOS 18.1 (Android 11) with bitgapps as google apps implementation NFC is working on firefox app with https://webauth.io.

Here the NFC spot is further down at the location of the camera lens or close under it.
Very slow swiping/ pulling down and holding it in position to allow the authentication process that seems to take 1 to 3 seconds on the phone.

The description is all well and good, but for me this is not the intuitive function of an NFC key. In comparison, have you tried a YubiKey NFC or a SoloKey2? There I hold the iPhone in my hand and with the other I hold the stick at the level of the camera and it works. That works with 10/10 attempts.
The browser does not matter, because the stick simply does not connect to the device.

With the update to firmware version 1.4.0, NFC now works for me on Android with the Nitrokey 3 :slight_smile:

I’ve been banging my head against this issue as well. The tl;dr is that I believe the NFC interface on the Nitrokey 3A NFC is unusable, and every other FIDO2 NFC key I have performs better.

Nitrokey 3A NFC seems functional over USB HID, enough that I was able to run a firmware upgrade from v1.2.0 to v1.4.0 – but I have been unable to get it working reliably (ie: >90% success rate) over NFC (before or after the update) with anything but a Proxmark3.

Side note: there’s a bug in Proxmark’s CTAP2 implementation, where they don’t send Le bytes for CTAP2 GetInfo, and then it gets stuck in an infinite loop. Nitrokey correctly follows the ISO7816-4 spec by treating that as Ne=0, whereas other keys follow the U2F spec’s incorrect description of ISO7816-4, and treat missing Le bytes as Ne=256. Once PM3 sends Le=00 (Ne=256), Nitrokey works fine.

Other than the Proxmark, I’ve tried it with an ACR122T, ACR122T, ACR123U, iPhone SE 2022 and Pixel 3A. No amount of orientation changes or delicate movements makes things better.

The Nitrokey 3A NFC seems to have an extremely marginal NFC interface; on the occasion (less than 1% of the time) the ACR122T/U manages to get to SELECT the CTAP2 applet (00a4040008a0000006472f000100), further commands like CTAP2 GetInfo (80100000010400) get no response or report “Removed Card”.

Plugging the Nitrokey into a USB powerbank (as suggested earlier in the thread) seems to make it more reliable (~10% success rate with ACR122T/U); but needs a hard power cycle after a transaction failure. I’m also measuring increased current draw from USB during operation (0.025W idle → 0.040W in use), which suggests that the processor is unable to harvest enough energy from the NFC field.

By comparison, all of the other NFC+USB FIDO2 tokens I have won’t even work over NFC if powered by USB. The fact that you’d even need a USB powerbank to run an NFC token is absurd… and makes me think that this is a fundamental design flaw.

The device won’t even work at all with an ACR123U (it detects the device, then the buzzer screams loudly as the device drops in and out), or the iPhone or Pixel.

For comparison, I have multiple NFC FIDO2 tokens from other vendors (Feitian, Hideez, Token2, Yubikey) and contactless smartcards which work just fine with all of those readers – they are not affected by orientation or even thick mobile phone cases – the difference is like night and day.

As a result, I believe it is reasonable to expect the Nitrokey 3A NFC to achieve similar performance, especially as the most expensive of those keys.

Here’s an example ISO14443A trace of a Nitrokey 3A NFC failure:

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       2368 | Tag |44  00                                                                   |     |
      11052 |      13516 | Rdr |93  20                                                                   |     | ?
      14720 |      20608 | Tag |88  1d  00  91  04                                                       |     |
      41772 |      52300 | Rdr |93  70  88  1d  00  91  04  66  07                                       |     | ?
      53504 |      57024 | Tag |04  da  17                                                               |     |
      66204 |      68668 | Rdr |95  20                                                                   |     | ?
      69872 |      75696 | Tag |49  67  00  00  2e                                                       |     |
      97052 |     107516 | Rdr |95  70  49  67  00  00  2e  ae  17                                       |     | ?
     108784 |     112368 | Tag |20  fc  70                                                               |     |
     120604 |     125308 | Rdr |e0  50  bc  a5                                                           |     | ?
     126576 |     134704 | Tag |05  78  91  78  00  3e  74                                               |     |
    3014220 |    3036268 | Rdr |02  00  a4  04  00  0b  a0  00  00  03  08  00  00  10  00  01  00  11   |     |
            |            |     |bf                                                                       |     | SELECT FILE
    3088544 |    3094432 | Tag |02  6a  82  93  2f                                                       |     |
(intentional delay due to macOS PIV issue)
    9817308 |    9836988 | Rdr |03  00  a4  04  00  08  a0  00  00  06  47  2f  00  01  00  f4  44       |     | SELECT FILE
    9859376 |    9872112 | Tag |03  55  32  46  5f  56  32  90  00  e0  b1                               |     |
   10097628 |   10109308 | Rdr |02  80  10  00  00  01  04  00  44  a7                                   |     | CTAP2 GetInfo request
   10471984 |   10474352 | Tag |63  63                                                                   |     |
   10488924 |   10492476 | Rdr |c2  e0  b4                                                               |     | S-block ABORT req
   10493744 |   10497264 | Tag |c2  e0  b4                                                               |     |
   10554076 |   10557692 | Rdr |b2  67  c7                                                               |     | S-block
   11302380 |   11305996 | Rdr |b3  ee  d6                                                               |     | S-block
   25906076 |   25907132 | Rdr |26                                                                       |     | ?
   25982108 |   25983164 | Rdr |26                                                                       |     | ?
   26480940 |   26481996 | Rdr |26                                                                       |     | ?
   26556588 |   26557644 | Rdr |26                                                                       |     | ?
(PC/SC reports no response data)

And another vendor’s key, working fine:

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       2368 | Tag |42  00                                                                   |     |
      10908 |      13372 | Rdr |93  20                                                                   |     | ?
      14576 |      20464 | Tag |88  04  22  21  8f                                                       |     |
      41756 |      52220 | Rdr |93  70  88  04  22  21  8f  92  8b                                       |     | ?
      53488 |      57008 | Tag |04  da  17                                                               |     |
      69856 |      75744 | Tag |4a  a4  5a  80  34                                                       |     |
      97036 |     107500 | Rdr |95  70  4a  a4  5a  80  34  f8  d7                                       |     | SELECT FILE
     108768 |     112352 | Tag |38  35  ec                                                               |     |
     124476 |     124892 | Rdr |01                                                                       |     | ?
     126800 |     145296 | Tag |0e  78  f7  b1  02  4a  43  4f  50  32  34  32  52  33  1b  eb           |     |
    3059772 |    3081820 | Rdr |02  00  a4  04  00  0b  a0  00  00  03  08  00  00  10  00  01  00  11   |     |
            |            |     |bf                                                                       |     | SELECT FILE
    3246608 |    3252496 | Tag |02  6a  82  93  2f                                                       |     |
(intentional delay due to macOS PIV issue)
    9861436 |    9881116 | Rdr |03  00  a4  04  00  08  a0  00  00  06  47  2f  00  01  00  f4  44       |     | SELECT FILE
    9950480 |    9963216 | Tag |03  55  32  46  5f  56  32  90  00  e0  b1                               |     |
   10153660 |   10165340 | Rdr |02  80  10  00  00  01  04  00  44  a7                                   |     | CTAP2 GetInfo request
   10207760 |   10214928 | Tag |12  00  aa  01  83  66  55  32  46  5f  56  32  68  46  49  44  4f  5f   |     | GetInfo response
            |            |     |32  5f  30  6c  46  49  44  4f  5f  32  5f  31  5f  50  52  45  02  82   |     |
            |            |     |6b  63  72  65  64  50  72  6f  74  65  63  74  6b  68  6d  61  63  2d   |     |
            |            |     |73  65  63  72  65  74  03  27  fb                                       |     |
   10481084 |   10484636 | Rdr |a3  6f  c6                                                               |     | S-block WTX resp
   10488976 |   10496144 | Tag |13  50  ee  04  1b  ce  25  e5  4c  db  8f  86  89  7f  d6  41  84  64   |     |
            |            |     |04  a5  62  72  6b  f5  62  75  70  f5  64  70  6c  61  74  f4  69  63   |     |
            |            |     |6c  69  65  6e  74  50  69  6e  f5  75  63  72  65  64  65  6e  74  69   |     |
            |            |     |61  6c  4d  67  6d  74  50  fb  64                                       |     |
   10762172 |   10765724 | Rdr |a2  e6  d7                                                               |     | S-block ABORT resp
   10770320 |   10771728 | Tag |02  72  65  76  69  65  77  f5  05  19  04  00  06  81  01  07  06  08   |     |
            |            |     |18  60  09  82  63  6e  66  63  63  75  73  62  0a  81  a2  63  61  6c   |     |
            |            |     |67  26  64  74  79  70  65  6a  70  75  62  6c  69  63  2d  6b  65  79   |     |
            |            |     |90  00  4d  4f                                                           |     |
   22382892 |   22386508 | Rdr |b2  67  c7                                                               |     | S-block
   22390784 |   22392192 | Tag |02  72  65  76  69  65  77  f5  05  19  04  00  06  81  01  07  06  08   |     |
            |            |     |18  60  09  82  63  6e  66  63  63  75  73  62  0a  81  a2  63  61  6c   |     |
            |            |     |67  26  64  74  79  70  65  6a  70  75  62  6c  69  63  2d  6b  65  79   |     |
            |            |     |90  00  4d  4f                                                           |     |
   25442268 |   25445884 | Rdr |b2  67  c7                                                               |     | S-block
   25450160 |   25451568 | Tag |02  72  65  76  69  65  77  f5  05  19  04  00  06  81  01  07  06  08   |     |
            |            |     |18  60  09  82  63  6e  66  63  63  75  73  62  0a  81  a2  63  61  6c   |     |
            |            |     |67  26  64  74  79  70  65  6a  70  75  62  6c  69  63  2d  6b  65  79   |     |
            |            |     |90  00  4d  4f                                                           |     |
   28501660 |   28505276 | Rdr |b2  67  c7                                                               |     | S-block
   28509552 |   28510960 | Tag |02  72  65  76  69  65  77  f5  05  19  04  00  06  81  01  07  06  08   |     |
            |            |     |18  60  09  82  63  6e  66  63  63  75  73  62  0a  81  a2  63  61  6c   |     |
            |            |     |67  26  64  74  79  70  65  6a  70  75  62  6c  69  63  2d  6b  65  79   |     |
            |            |     |90  00  4d  4f                                                           |     |
   31561036 |   31564652 | Rdr |b2  67  c7                                                               |     | S-block
   31568928 |   31570336 | Tag |02  72  65  76  69  65  77  f5  05  19  04  00  06  81  01  07  06  08   |     |
            |            |     |18  60  09  82  63  6e  66  63  63  75  73  62  0a  81  a2  63  61  6c   |     |
            |            |     |67  26  64  74  79  70  65  6a  70  75  62  6c  69  63  2d  6b  65  79   |     |
            |            |     |90  00  4d  4f                                                           |     |
   34620428 |   34624044 | Rdr |b2  67  c7                                                               |     | S-block
   34628320 |   34629728 | Tag |02  72  65  76  69  65  77  f5  05  19  04  00  06  81  01  07  06  08   |     |
            |            |     |18  60  09  82  63  6e  66  63  63  75  73  62  0a  81  a2  63  61  6c   |     |
            |            |     |67  26  64  74  79  70  65  6a  70  75  62  6c  69  63  2d  6b  65  79   |     |
            |            |     |90  00  4d  4f                                                           |     |
   37680572 |   37684188 | Rdr |b2  67  c7                                                               |     | S-block
   38428876 |   38432492 | Rdr |b3  ee  d6                                                               |     | S-block
   42075420 |   42076476 | Rdr |26                                                                       |     | ?

Side note: macOS PIV issue: macOS will try to SELECT the PIV applet (a000000308000010000100) on smart card “insertion”, even when another application has an “exclusive” connection using the PC/SC API. Nitrokey (like other keys) correctly returns sw=6a82 (file not found), but if that command arrives after the SELECT for the CTAP2 applet, Nitrokey will also deselect the FIDO2 applet (whereas other vendors’ keys do not). So if that arrives between a FIDO2 SELECT and further FIDO2 commands, Nitrokey will respond to CTAP2 GetInfo after PIV (80100000010400) with sw=6a82.

Annoyingly, the only way you can detect that issue is by running an RFID sniffer (like a Proxmark3), but the aforementioned marginal NFC antenna makes that harder to detect on Nitrokey.

Heads up for others testing: Unlike many other keys, the Nitrokey 3A NFC’s antenna is stuck to the case via a very thin ribbon cable (rather than being part of the main PCB).

I learned this trying to pull apart the Nitrokey to try to get the antenna closer to the reader, presuming it was printed on the PCB. While it was very easy to open the case, I damaged the ribbon cable on one unit by excessive force.

That may be repairable, but I don’t have the parts on me right now. But, it may be an opportunity to fashion a better antenna.

3 Likes
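
The Le/Ne point and the reader frames in the post above, worked through as an added example (not code from the thread or from Nitrokey or Proxmark): it checks the ISO 14443-3 CRC_A on a reader frame from the trace, strips the block header, and decodes the ISO 7816-4 length fields so that a missing Le gives Ne=0 and Le=00 gives Ne=256. It goes a little beyond the post by also handling extended-length APDUs; function and constant names are my own, and `GETINFO_NO_LE` is constructed from the post's description of the missing-Le request.

```python
# Added example. APDUs and the frame are copied from the post above;
# GETINFO_NO_LE is constructed (same command with the Le byte dropped).
SELECT_FIDO = bytes.fromhex("00a4040008a0000006472f000100")
GETINFO = bytes.fromhex("80100000010400")
GETINFO_NO_LE = GETINFO[:-1]
GETINFO_FRAME = bytes.fromhex("02 80 10 00 00 01 04 00 44 a7")  # "Rdr" trace line


def crc_a(data: bytes) -> bytes:
    """CRC_A from ISO/IEC 14443-3 (initial value 0x6363), low byte first."""
    crc = 0x6363
    for byte in data:
        b = byte ^ (crc & 0xFF)
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def iblock_payload(frame: bytes) -> bytes:
    """Verify CRC_A, then strip PCB and CRC from an I-block without CID/NAD/chaining."""
    if len(frame) < 4 or crc_a(frame[:-2]) != frame[-2:]:
        raise ValueError("short frame or CRC_A mismatch")
    if frame[0] & 0xFE != 0x02:  # PCB 0x02 / 0x03 only
        raise ValueError("not a plain I-block")
    return frame[1:-2]


def parse_apdu(apdu: bytes) -> dict:
    """Decode a command APDU: case, data field and Ne (max. expected response bytes)."""
    if len(apdu) < 4:
        raise ValueError("truncated header")
    body = apdu[4:]
    ext = len(body) >= 3 and body[0] == 0   # extended length starts with a 00 marker
    skip, width = (1, 2) if ext else (0, 1)
    suffix = "E" if ext else "S"

    def ne_from(field: bytes) -> int:
        # An Le field of all zeros means "maximum": 256 (short) or 65536 (extended).
        return int.from_bytes(field, "big") or (65536 if ext else 256)

    if not body:                             # case 1: no data, no Le
        case, data, ne = "1", b"", 0
    elif len(body) == skip + width:          # case 2: Le only
        case, data, ne = "2" + suffix, b"", ne_from(body[skip:])
    else:
        lc = int.from_bytes(body[skip:skip + width], "big")
        end = skip + width + lc
        rest = body[end:]
        if lc == 0 or len(body) < end or len(rest) not in (0, width):
            raise ValueError("inconsistent Lc/Le")
        data = body[skip + width:end]
        if rest:                             # case 4: data and Le
            case, ne = "4" + suffix, ne_from(rest)
        else:                                # case 3: Le absent, so Ne = 0
            case, ne = "3" + suffix, 0
    return {"case": case, "ins": apdu[1], "data": data, "ne": ne}


if __name__ == "__main__":
    samples = {
        "SELECT FIDO applet": SELECT_FIDO,
        "GetInfo (from trace frame)": iblock_payload(GETINFO_FRAME),
        "GetInfo without Le": GETINFO_NO_LE,
    }
    for name, apdu in samples.items():
        info = parse_apdu(apdu)
        print(f"{name}: case {info['case']}, data={info['data'].hex()}, Ne={info['ne']}")
```
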

Browser: Vivaldi, Chrome
Mobile: Xiaomi - Redmi Note 9 Pro (MIUI 13)
NFC works with FW 1.5.0

Note: I have to hold the stick under the camera lens, after approx. 1 sec. the content is read out. Tested with webauthn.io and nfc-tools.
:slight_smile:

Thanks for the contribution.
I registered especially for this. Because I was actually planning to buy Nitrokey 3A NFC.
But it seems that Nitrokey 3A NFC is an unfinished product and the buyers are being misused as testers.
I was particularly alarmed by the fact that, according to your post, the NFC antenna is attached to the case.
This means that Nitrokey 3A NFC is conditionally protected against drops. One fall and the NFC antenna could detach or tear from/ within the case.

And a replacement protective cover for the USB port is also not offered in shop. There are much better ways to protect the USB port without the risk of losing the protective cover. If you consider that you might always carry the stick with you in your pocket, then the manufacturer has apparently not really thought things through to the end.

And like someone else in the forum, I’m also shocked that a manufacturer/provider of such hardware can’t manage to offer registration and login via Webauth or FIDO2 in their own forum. This is really pathetic.