🔒 KeyTap is locked

Administrator action required.

🔐 KeyTap — Vault Ceremony

First-time initialization. Bind your YubiKey to this vault.
This key will be the only way to unlock the system after a restart.

Step 1: Register YubiKey

Plug your YubiKey into a USB port on this computer, then click the button below.

📋 When the Windows Security dialog appears:
  1. Look for "Security key" — click it
  2. If you see "Passkey" or "This device" first, click "More choices" or "Use another device"
  3. Select "Security key"
  4. Touch your YubiKey when it blinks
⚠️ Do NOT select "Phone/tablet" or scan any QR codes — that flow routes through Google, not your YubiKey.

Step 2: Derive Encryption Key

Touch your YubiKey again when it blinks. This derives the encryption key that protects your TOTP secret.

Step 3: TOTP Enrollment

Vault active. Now set up your daily TOTP code.

🔒 KeyTap — Vault Locked

The TOTP secret is encrypted on disk.
Plug in your YubiKey and unlock.
📋 Windows dialog: Select "Security key" → touch YubiKey

⛔ KeyTap — Suspended

broken record

System suspended due to excessive failed unlock attempts.
Manual intervention required on server.

🔐 KeyTap

First-time setup. Scan the QR code with Yubico Authenticator, then verify.

TOTP QR Code
📱 Tap to open in authenticator app

Setup Instructions

Requirements: YubiKey (NFC or USB) + Yubico Authenticator

  1. Insert your YubiKey or keep it ready for NFC tap
  2. Open Yubico Authenticator
  3. Tap "Add Account" and scan the QR code above
  4. If prompted, tap your YubiKey to complete storage
Other authenticator apps store secrets on your phone.
For hardware-backed storage, use Yubico Authenticator.

Enter your TOTP code to access KeyTap.

🔑 KeyTap

TOTP Provisioning Demo

Your TOTP enrollment is complete. This tab shows the enrollment flow for demonstration.

Enrolled and authenticated via TOTP

🔐 Vault Settings

The TOTP secret is encrypted with your YubiKey-derived key. Rotate to bind to a different key.

File Hash Signing

Upload a file, compute its SHA-256, and sign it with your YubiKey via WebAuthn.


Hardware Attestation

Prove which security key you are using. WebAuthn attestation reveals the authenticator model via AAGUID.

Touch your security key when prompted.

Authenticator Capability Scan

Enumerate what your security key and browser combination can do.

Enterprise Attestation

Prove that a security key belongs to a trusted fleet. Enterprise attestation may reveal device identity and manufacturer metadata.

Enterprise attestation may reveal device identity information.
This demo does not store any credential data.

Insert or tap your YubiKey. Some browsers may ask for permission.

Credential Explorer

Discover credentials stored on your security key or platform authenticator using resident keys / discoverable credentials.

This tool inspects credentials stored on your authenticator. No credentials are saved by this demo.

Tap your YubiKey when prompted.

Signature Verifier

Verify signatures created with hardware security keys. Upload the original file and signature.json.

All verification occurs locally in your browser. No data is transmitted.

WebAuthn Packet Inspector

Paste or upload WebAuthn payloads for decoding. Supports attestationObject, authenticatorData, clientDataJSON, and COSE public keys.

All decoding occurs locally in your browser. No data is transmitted.

📨 Create Invite

Generate a one-time link so someone can test their YubiKey. Expires in 24 hours.
