Hey guys,

Recently got a new phone (from 7 Pro to 9 Pro Fold), and I'm suddenly having annoying issues with logging in to stuff with my Yubikey

When logging into my Nextcloud for example in Vanadium, I am redirected to my Authentik login page. I use the passwordless flow that I have set up, which has always worked fine, and I get the usual Google pop-up saying "No passkeys available". Tap "Use a different device" > "USB security key" > Connect the key > "Allow Google Play services to access YubiKey OTP+FIDO+CCID?" > "OK" > type my key's PIN > tap the gold disk > "Choose a passkey" > tap my user (I have my admin account and my user account on the same key). However, instead of just being logged in like usual, I get re-prompted with the original "No passkeys available", to which I can go through the same process as above over again....

I'm using the Beta channel.

Thanks for any help!

    beppi However instead of just being logged in like usual, I get re-prompted with the original "No passkeys available", to which I can go through the same process as above over again....

    That could mean two things. The most obvious one being that the passkey that is stored on your Yubikey is no longer attached to the account. In that case, you'll have to sign in with another method and re-register the Yubikey. But from your post I gather that this is an issue with multiple sites? Are you able to sign in to those from another device using the same Yubikey?

    If it works from other devices, it could mean that there's an issue with Play Services. You can try clearing app data for Play Services. Go to App Store > Google Play services > Settings > Storage & cache > Clear storage. After that, a reboot of the phone might be beneficial.

      fid02
      Thanks for your reply, I'm able to sign in to Authentik using the same key on my partner's iPhone. Interestingly I was able to use NFC on the iPhone, which is strange because Authentik doesn't allow NFC when I try and log in from my pixel.

      I've tried clearing cache/storage of the Google services suite, as well as uninstalling and reinstalling it, rebooting in between each stage, and I'm still getting the same behaviour...

        beppi This might be a bit of a leap, because it's hard to know if the issue you are describing has the same cause:

        I have been able to reproduce this with passkey sign-in with Bitwarden's web vault and Github (I don't use Nextcloud) in two fresh profiles, but only when Play Services were denied the network permission at install time. If you revoked network permission for Play Services at install time, what happens if you give it the permission, reboot the phone and try again?

          fid02 That's interesting, I'm hesitant to try though: I'm unsure what kind of info gplay will ship off to the mothership if I do that... Do you have an idea of what the downside is of giving gplay network permissions even if just for a moment?

          It's so strange that this is only just now happening, I don't remember any updates to the g services recently or anything...

          As soon as I posted this I remembered I can try it in another user. The login works perfectly fine in another profile... I guess I'll have to allow network permissions during install, but I'd still like to understand the risk

            beppi The login works perfectly fine in another profile...

            I assume because you gave Play Services the network permission during install time. You can either give it the network permission during install time, then revoke it immediately after the installation has completed (that appears to work), or you can install it without the network permission being granted, grant it for about 10 seconds, revoke it again, and reboot your device/profile. I just tested the latter in a fresh profile.

            beppi That's interesting, I'm hesitant to try though: I'm unsure what kind of info gplay will ship off to the mothership if I do that... Do you have an idea of what the downside is of giving gplay network permissions even if just for a moment?

            It can gather and send off data like any other app. As to which data specifically it actually sends off, I guess someone would have to use an MITM proxy on a development device in order to investigate that. What is clear is that Play Services needs the network permission in order for other apps to outsource push notification functionality to it. And, as appears to be the case, communicate with some server for a few seconds in order to activate certain FIDO functionality.

            Keep in mind that many apps use Google libraries anyway, so unless you have no apps on your device that contain Google libraries, there is still Google code on your device that probably sends off some data – although exactly what data that gets extracted I do not know.

            As to how all this relates to your personal threat model, I cannot answer.

              beppi Interestingly I was able to use NFC on the iPhone, which is strange because Authentik doesn't allow NFC when I try and log in from my pixel.

              That is because Play Services does not have functionality for entering a PIN during NFC authentication. Google – which notably is a board-level member of the FIDO Alliance – has chosen not to support this.

                fid02 I couldn't get it to work simply by allowing network access, I had to uninstall gplay on my other profile, then uninstall on owner, restart, reinstall with network and restart again to get it to work. But it does work now all thanks to you!

                fid02 Ahhh interesting, wonder why they're not doing that...

                Thank you so much for the time and effort you put into helping me out, I really appreciate it! You're a legend!

                  beppi Thank you for the kind words. And glad it worked out, even though it required some more gymnastics than I anticipated.

                  a month later

                  As of Gmscompatconfig 147, Play services should no longer need the Network access for FIDO functionality. I tested this briefly in a new profile by revoking the Network access for Play services at install time, and signing in with a passkey on a security key worked fine.