Nightmarish Yubikey experiences

beppi

Hey guys,

Recently got a new phone (from 7 Pro to 9 Pro Fold), and I'm suddenly having annoying issues with logging in to stuff with my Yubikey

When logging into my Nextcloud for example in Vanadium, I am redirected to my Authentik login page. I use the passwordless flow that I have setup which has always worked fine, and I get the usual Google pop up saying "No passkeys available". Tap "Use a different device" > "USB security key" > Connect the key > "Allow Google Play services to access YubiKey OTP+FIDO+CCID?" > "OK" > type my key's pin > tap the gold disk > "Choose a passkey" > tap my user (I have my admin account and my user account on the same key). However instead of just being logged in like usual, I get re-prompted with the original "No passkeys available", to which I can go through the same process as above over again....

I'm using the Beta channel.

Thanks for any help!

fid02

beppi However instead of just being logged in like usual, I get re-prompted with the original "No passkeys available", to which I can go through the same process as above over again....

That could mean two things. The most obvious one being that the passkey that is stored on your Yubikey is no longer attached to the account. In that case, you'll have to sign in with another method and re-register the Yubikey. But from your post I gather that this is an issue with multiple sites? Are you able to sign in to those from another device using the same Yubikey?

If it works from other devices, it could mean that there's an issue with Play Services. You can try clearing app data for Play Services. Go to App Store > Google Play services > Settings > Storage & cache > Clear storage. After that a reboot of the phone might be beneficial.

fid02

beppi This might be a bit of a leap, because it's hard to know if the issue you are describing has the same cause:

I have been able to reproduce this with passkey sign-in with Bitwarden's web vault and Github (I don't use Nextcloud) in two fresh profiles, but only when Play Services were denied the network permission at install time. If you revoked network permission for Play Services at install time, what happens if you give it the permission, reboot the phone and try again?

beppi

fid02
Thanks for your reply, I'm able to sign in to Authentik using the same key on my partner's iPhone. Interestingly I was able to use NFC on the iPhone, which is strange because Authentik doesn't allow NFC when I try and log in from my pixel.

I've tried clearing cache/storage of the google services suite, as well as uninstalling and reinstalling it, rebooting in between each stage and still getting the same behaviour...

fid02

beppi Interestingly I was able to use NFC on the iPhone, which is strange because Authentik doesn't allow NFC when I try and log in from my pixel.

That is because Play Services does not have functionality for entering a PIN during NFC authentication. Google – which notably is a board level member of the Fido Alliance – has chosen not to support this.

beppi

fid02 That's interesting, I'm hesitant to try though: I'm unsure what kind of info gplay will ship off to the mothership if I do that though... Do you have an idea of what the downside is of giving gplay network permissions even if just for a moment?

It's so strange that this is only just now happening, I don't remember any updates to the g services recently or anything...

As soon as I posted this I remembered I can try it in another user. The login works perfectly fine in another profile... I guess I'll have to allow network permissions during install, but I'd still like to understand the risk

fid02

beppi The login works perfectly fine in another profile...

I assume because you gave Play Services the network permission during install time. You can either give it the network permission during install time, then revoke it immediately after the installation has completed (that appears to work), or you can install it without the network permission being granted, grant it for about 10 seconds, revoke it again, and reboot your device/profile. I just tested the latter in a fresh profile.

beppi That's interesting, I'm hesitant to try though: I'm unsure what kind of info gplay will ship off to the mothership if I do that though... Do you have an idea of what the downside is of giving gplay network permissions even if just for a moment?

It can gather and send off data like any other app. As to which data specifically it actually sends off, I guess someone would have to use an MITM proxy on a development device in order to investigate that. What is clear is that Play Services needs the network permission in order for other apps to outsource push notification functionality to it. And, as appears to be the case, communicate with some server for a few seconds in order to activate certain FIDO functionality.

Keep in mind that many apps use Google libraries anyway, so unless you have no apps on your device that contain Google libraries, there is still Google code on your device that probably sends off some data – although exactly what data that gets extracted I do not know.

As to how all this relates to your personal threat model, I cannot answer.

beppi

fid02 I couldn't get it to work simply by allowing network access, I had to uninstall gplay on my other profile, then uninstall on owner, restart, reinstall with network and restart again to get it to work. But it does work now all thanks to you!

fid02 Ahhh interesting, wonder why they're not doing that...

Thank you so much for the time and effort you put into helping me out, I really appreciate it! You're a legend!

fid02

beppi Thank you for the kind words. And glad it worked out, even though it required some more gymnastics than I anticipated.

fid02

As of Gmscompatconfig 147, Play services should no longer need the Network access for FIDO functionality. I tested this briefly in a new profile by revoking the Network access for Play services at install-time, and signing in with passkey on a security key worked fine.