yubikey_flutter #

Flutter plugin for YubiKey authentication, built on top of the official Yubico YubiKit Android SDK.

Supports:

• OTP — read Yubico OTP via NFC tap
• OATH TOTP/HOTP — list credentials and calculate codes
• FIDO2 / WebAuthn — hardware-backed passkey registration and authentication
• HMAC-SHA1 Challenge-Response — hardware-bound key derivation (e.g. for encrypting local data with a YubiKey-backed secret)

Unlike other community packages, this plugin wraps the official yubikit-android SDK directly, ensuring full protocol support and long-term compatibility.

Platform support #

Installation #

dependencies:
  yubikey_flutter: ^0.1.0

Android permissions #

Add to your AndroidManifest.xml:

<uses-permission android:name="android.permission.NFC" />
<uses-feature android:name="android.hardware.nfc" android:required="false" />

Usage #

Check NFC availability #

final yubikey = YubikeyPlugin();

final supported = await yubikey.isNfcSupported();
final enabled   = await yubikey.isNfcEnabled();

Listen for YubiKey connection events #

yubikey.onYubikeyConnected.listen((info) {
  print('Connected: ${info.deviceName} (${info.connectionType})');
  print('Serial: ${info.serialNumber}');
  print('Firmware: ${info.firmwareVersion}');
});

Read OTP #

try {
  final result = await yubikey.readOtp(timeout: 30);
  print('OTP: ${result.otp}');
} on YubikeyTimeoutException {
  print('No YubiKey detected within timeout');
} on YubikeyException catch (e) {
  print('Error ${e.code}: ${e.message}');
}

OATH — list credentials and calculate codes #

// List all credentials stored on the YubiKey
final credentials = await yubikey.listOathCredentials();
for (final cred in credentials) {
  print('${cred.displayName} (${cred.oathType.name})');
}

// Calculate all codes in a single NFC tap
final codes = await yubikey.calculateAllOathCodes();
for (final code in codes) {
  print('${code.credentialId}: ${code.code} (expires in ${code.remainingSeconds}s)');
}

// Calculate code for a specific credential
final code = await yubikey.calculateOathCode(credentials.first.id);
print('Code: ${code.code}');

Challenge-Response (HMAC-SHA1) #

import 'dart:typed_data';

// Send a challenge to the YubiKey and get the HMAC-SHA1 response.
// Useful for key derivation (e.g., encrypting local data with a hardware-bound key).
final challenge = Uint8List.fromList(List.generate(32, (i) => i)); // your challenge bytes
final responseHex = await yubikey.challengeResponse(
  challenge: challenge,
  slot: 2, // default: Slot 2
);
print('HMAC response: $responseHex'); // 40-char hex string

FIDO2 — registration #

// Challenge must come from your server
final reg = await yubikey.fido2Register(
  rpId:      'example.com',
  rpName:    'My App',
  userId:    'user-unique-id',
  userName:  'user@example.com',
  challenge: serverChallenge, // base64url encoded
);

// Send to your server for verification:
print('Credential ID: ${reg.credentialId}');
print('Attestation:   ${reg.attestationObject}');

FIDO2 — authentication #

final assertion = await yubikey.fido2Authenticate(
  rpId:               'example.com',
  challenge:          serverChallenge, // base64url encoded
  allowCredentialIds: [registeredCredentialId],
);

// Send to your server for verification:
print('Signature: ${assertion.signature}');

Error handling #

All methods throw typed subclasses of YubikeyException:

How it works #

This plugin uses Flutter platform channels to bridge the Dart layer with the native Android Kotlin layer, where yubikit-android handles all YubiKey communication over NFC.

Flutter (Dart) ──► MethodChannel ──► Kotlin ──► yubikit-android ──► YubiKey

Contributing #

Pull requests welcome. This plugin is maintained by Luckysistemi.

License #

MIT — see LICENSE