How to use FIDO2 security keys?

Ssirfartsalot · Oct 13, 2022

I recently purchased some YubiKey 5C NFC security keys and I'd like to start using hardware 2FA with my accounts. Are there any guides or documentation on how to set up such keys? For example, is there a recommended setup?, do I need google play services?, which browser(s) are compatible?, do I need the YubiKey app? etc. I'm fine with using NFC or direct connection via USB. None of my accounts are set up yet. Also, is it possible to use the built-in hardware security key present in the phone (Pixel 6a)?

I noticed the usage instructions list FIDO as a limitation, but this post seems to indicate it works fine.

Kryptos · Oct 13, 2022

sirfartsalot I've always set up keys on my laptop. And you set them up for each service such as Google, banks, etc.

On GOS it works seamlessly w/o GSF. Also works in Vanadium. Haven't tried others.

There's no need to use the Yubi app.

Bbayesian · Oct 13, 2022

I plug my YubiKey 5 USB-C into Google Pixel 6 with GOS and it doesn't detect it in Vanadium login screens. So I don't think this is working...

EDIT: It reads like an external keyboard.

Cc57 · Oct 14, 2022

bayesian Google Play Services with storage scopes enabled is required to use FIDO2 with Vanadium. See this (resolved) GitHub issue for an explanation as to why https://github.com/GrapheneOS/Vanadium/issues/192. There are also a couple existing trouble shooting threads if you search this forum.

Cc57 · Oct 14, 2022

sirfartsalot

Are there any guides or documentation on how to set up such keys? For example, is there a recommended setup?

Maybe try the official yubico docs? https://www.yubico.com/setup/yubikey-5-series/. The most important thing is to always have a backup key.

do I need google play services?

Yes, with storage scopes enabled.

which browser(s) are compatible?

I don't have an exhaustive list but most chromium based browsers are. The recommended browser here would be Vanadium.

do I need the YubiKey app?

No, the app is not necessary for a pure FIDO2 use case. If you want to use other protocols with your key, like TOTP, then it is.

Also, is it possible to use the built-in hardware security key present in the phone (Pixel 6a)?

I'm not sure on this one, someone else will have to weigh in.

I know there is an existing issue to support FIDO without play services that mentions that the future GrapheneOS solution will use on-device keys: https://github.com/GrapheneOS/Vanadium/issues/61. I'm not sure outside of that.