YubiKey NEO locked down "Backend error"

This is a quick blog post for those who hit the same issue as I did, and want to know what happened.


  • You have a YubiKey NEO
  • You enabled CCID mode on it (ykpersonalize -m 2)
  • You get an message saying "error: ykneomgr_authenticate (-4): Backend error" when trying to use ykneomgr

    ... you have hit the exact same bug I just did.
    After a long time of debugging, I found that the basic problem is that the key ykneomgr is using (which is hardcoded) does no longer work.

TL;DR: You have a locked down YubiKey NEO, and will not be able to use ykneomgr to manage applications on this YubiKey NEO, period.

So, what happened?

In short, Yubico has closed down YubiKey NEOs shipped after July 1st, 2014.

Those are no longer using the default, empty, Global Platform keys, or any other well-known key, and instead feature a random key for each YubiKey.

In short, this means you are no longer able to use ykneomgr and modify applications on the card (list them, install new ones, update current ones, remove existing ones, etc).

So I decided to ask Yubico support whether it is possible to get the keys for my personal YubiKey, possible using a receipt some other proof to show it is rightfully mine.

Their answer?
"Our production system doesn't store the transport keys after they have been written to each individual NEO".

So there is no way at all to get the transport keys required to install/edit applications on a YubiKey NEO shipped after July 1st... which is just horrible.

What now?

In the same answer, Yubico support told me that to be able to hack on it, I would need a "Developer NEO", for which you will need to sign an NDA with their chip vendor, NXP.

I will to try to get my hands on one of these, and report back on my success/failure.

Ipsilon 0.3.0 released

Ipsilon and FedOAuth merge complete, FedOAuth deprecation