From a recent thread, the result was: FIDO/WebAuthn with USB keys such as Nitrokey, Solokey or YubiKey likely doesn't work at all on AOSP and relies on Play Services.
This may be supported with Sandboxed Play.
Still, where does this limitation come from, and what specifically does this require?
Plugging in a Nitrokey opens a dialog to open a supported app, currently just the maintenance-mode GPG manager "OpenKeychain".
This is pretty frustrating... uses could be:
- logging into accounts
- unlocking a KeepassDX or Bitwarden vault
- storing keys
- ...
For example, you could have very strong encryption without a long password.
I already tried to use "Device login credentials" for KeepassDX, where I assumed it would use the secure element? But this was finicky and lost the credentials, so I needed to switch back to biometrics or a password.
Some of these could be done with the secure element, maybe even done better. The GrapheneOS account user mentioned that the certified secure element in a Nitrokey 3 would not be comparable to a Pixel secure element.
What are those differences? Are there projects using the secure element like a FIDO key? Can FIDO be used without internet permission for Play Services? Is there a plan to improve this, somewhere, in some way?
The current situation... is pretty frustrating. My keys are currently just lying around, due to lacking support 😅
Cheers!