🔐 KeyTap

First-time setup. Scan the QR code with Yubico Authenticator, then verify.

TOTP QR Code

Setup Instructions

Requirements: YubiKey (NFC or USB) + Yubico Authenticator

  1. Insert your YubiKey or keep it ready for NFC tap
  2. Open Yubico Authenticator
  3. Tap "Add Account" and scan the QR code above
  4. If prompted, tap your YubiKey to complete storage
Other authenticator apps store secrets on your phone.
For hardware-backed storage, use Yubico Authenticator.

Enter your TOTP code to access KeyTap.

🔑 KeyTap

TOTP Provisioning Demo

Your TOTP enrollment is complete. This tab shows the enrollment flow for demonstration.

Enrolled and authenticated via TOTP

File Hash Signing

Upload a file, compute its SHA-256, and sign it with your YubiKey via WebAuthn.

Drop file here or click to browse

Hardware Attestation

Prove which security key you are using. WebAuthn attestation reveals the authenticator model via AAGUID.

Touch your security key when prompted.

Authenticator Capability Scan

Enumerate what your security key and browser combination can do.

Enterprise Attestation

Prove that a security key belongs to a trusted fleet. Enterprise attestation may reveal device identity and manufacturer metadata.

Enterprise attestation may reveal device identity information.
This demo does not store any credential data.

Insert or tap your YubiKey. Some browsers may ask for permission.

Credential Explorer

Discover credentials stored on your security key or platform authenticator using resident keys / discoverable credentials.

This tool inspects credentials stored on your authenticator. No credentials are saved by this demo.

Tap your YubiKey when prompted.

Signature Verifier

Verify signatures created with hardware security keys. Upload the original file and signature.json.

All verification occurs locally in your browser. No data is transmitted.
Drop file here or click to browse
Drop signature.json here or click to browse

WebAuthn Packet Inspector

Paste or upload WebAuthn payloads for decoding. Supports attestationObject, authenticatorData, clientDataJSON, and COSE public keys.

All decoding occurs locally in your browser. No data is transmitted.