How to configure NDEF to use a slot to generate an OTP
The NDEF (NFC Data Exchange Format) configuration for the OTP application is a special case. The NDEF configuration is always active. If you present the YubiKey to an NFC reader and issue an NDEF read command, the YubiKey will always emit something.
When you configure NDEF functionality, you are setting two things: some text and which OTP configuration slot to use to generate a challenge. The text can be either a URI or just static text.
Unlike other configuration operations that take a slot identifier, configuring NDEF does not alter the configuration of the OTP application slot. It only sets which slot to activate after sending the text.
In its default state, the YubiKey has NDEF configured to emit https://my.yubico.com/yk/# and then activate slot 1 (the short-press slot), which is configured for Yubico OTP. The result looks something like this: https://my.yubico.com/yk/#vvccccnnjfhbtdgbflcbfcegkkdvttldvlcvvfinvvdu.
Note
YubiKey NEOs use a different URL: https://my.yubico.com/neo/?.
The most likely use case for this is to configure the YubiKey with a specific Yubico OTP credential and a URL to a validation server.
NDEF should only be configured to work with a Yubico OTP or HOTP slot. Nothing will prevent you from configuring NDEF to use a slot with any other configuration, but it will not emit anything useful.
For example, if a slot is configured for challenge-response, presenting the YubiKey to an NFC reader and issuing an NDEF read command will result in the static text or URI with nothing after it. If a slot is configured with a static password, the password will come through NDEF as the raw HID bytes, which are not recognizable as characters. (Static passwords need to be communicated through a USB port using HID messages.)
ConfigureNdef example
In this example, we will configure the long-press slot to emit an HOTP token, and we will configure NDEF to emit an identifier for an example user.
To execute the code below, the YubiKey needs to either be inserted into a USB port or be on an NFC reader when the command is run.
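using Yubico.YubiKey;
using Yubico.YubiKey.Otp;

// yKey is the IYubiKeyDevice to configure; _key holds the HOTP secret key.
using (OtpSession otp = new OtpSession(yKey))
{
    // Program the long-press slot as an 8-digit HOTP credential.
    otp.ConfigureHotp(Slot.LongPress)
        .UseInitialMovingFactor(4096)
        .Use8Digits()
        .UseKey(_key)
        .Execute();

    // Point NDEF at that slot: emit the static text, then activate the slot.
    otp.ConfigureNdef(Slot.LongPress)
        .AsText("AgentSmith:")
        .Execute();
}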
After configuring NDEF with the code above, if you read the YubiKey with an NFC reader, the result will look something like AgentSmith:00901250.
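A relying-party check for the text emitted above, as an added example that is not part of the original page or the SDK: it splits the NDEF text into the identifier and the 8-digit HOTP, verifies the token per RFC 4226 with a look-ahead window, and rejects replays. The key, the window size, and the assumption that the first token uses counter 4096 are illustrative.

```python
import hashlib
import hmac
import struct

PREFIX = "AgentSmith:"   # static text set with AsText() in the example above
DIGITS = 8               # matches Use8Digits()
LOOK_AHEAD = 10          # assumed resync window; tune to your policy


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def parse_ndef_text(payload: str):
    """Split '<prefix><digits>' into (user, token); None if malformed."""
    if not payload.startswith(PREFIX):
        return None
    token = payload[len(PREFIX):]
    if len(token) != DIGITS or not (token.isascii() and token.isdigit()):
        return None
    return PREFIX.rstrip(":"), token


def verify(payload: str, key: bytes, next_counter: int):
    """Return the counter to store after a successful match, else None.

    Only counters >= next_counter are tried, so a token that was already
    accepted (or skipped over) can never be replayed.
    """
    parsed = parse_ndef_text(payload)
    if parsed is None:
        return None
    _, token = parsed
    for counter in range(next_counter, next_counter + LOOK_AHEAD):
        if hmac.compare_digest(hotp(key, counter), token):
            return counter + 1
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"           # constructed: RFC 4226 test key
    payload = PREFIX + hotp(key, 4096)      # constructed NDEF read result
    print(verify(payload, key, 4096))       # 4097
    print(verify(payload, key, 4097))       # None (replay)
```

The look-ahead window exists because an NDEF read that never reaches the server still consumes a counter value on the key; the server must persist the returned counter before granting access.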
Next steps
After configuring a slot with NDEF, learn how to read from the NDEF tag.