Need Help Getting FIDO2 (Specifically a USB-C YubiKey) Working

kopolee11

I'm having trouble getting FIDO2 two-factor authentication working on GrapheneOS. Specifically I'm using a YubiKey 5Ci, with the USB-C connection. When I insert my key, the login screen just hangs. It shouldn't be a broken hardware, because this same key works on a Chromebook and Windows PC.

It's particularly annoying because I was able to log in with this YubiKey a while ago. I have Google Play and Google Play Services installed. They both have Network and Nearby Devices permissions enabled. Is there anything I'm missing? Appreciate any help.

fid02

kopolee11 When I insert my key, the login screen just hangs

Is it possible to explain this a bit further? It would help others understand the issue more. Which login screen are you referring to? Which services/websites are you signing in to? Do you get an error message?

phone-company

I use my ubikey with my pixel 8a and gos. It works great with NFC and usb c. So you need to check out your usb port is blocked?

kopolee11

Thanks for the reply. I forgot to mention that I turned the USB-C port setting to "Charging-only when locked", so I don't think the USB port is blocked by software.

And as for a potential hardware blockage, maybe but I can charge the phone alright, use USB-C hard drives, and this is an issue both for my Pixel 7 and Pixel Tablet.

DeletedUser87

kopolee11 oh, so you're having issues on two separate devices? That eliminates hardware almost completely as the root cause. Can you confirm that you didn't enable any passwords to access the key? IIRC there is an option somewhere in the YubiKey Manager, which might not be supported on mobile. Apart from that, my YubiKey 5C NFC is working fine on my Pixel 9 Pro XL. And one more thing you can check as well while we're at it: is the key properly recognized by the Yubico Authenticator on any of your Pixel devices?

kopolee11

DeletedUser87

I'll be honest, I never installed the Yubico Authenticator app, since I haven't used my YubiKey to generate HOTP or TOTP, and like I mentioned in the past I was able to use FIDO2 without it. However, once I installed the app I was able to get the YubiKey to be recognized. I was then able to login to services. So that appears to be the solution. Thank you very much!

kopolee11

fid02

For the sake of completeness, when I was trying to sign into a service, specifically my Google and Github accounts, the login process would stop right at the process when it asked me to insert my security key. It was as if the key was not recognized.

As mentioned above, the culprit appeared to be me not having the Yubico Authenticator app installed. Or at least that's what appears to have helped me in this case.

DeletedUser87

kopolee11 I'm very glad it works!

fid02

kopolee11 As mentioned above, the culprit appeared to be me not having the Yubico Authenticator app installed

That's interesting. I've never heard of Yubico Authenticator being required for FIDO compatibility on Android, but then again I don't have experience with using the 5Ci.

DeletedUser87

fid02 I just checked and there is a section for passkeys in the Yubico Authenticator app. Not saying it's relevant, but it wouldn't be far fetched to assume that some combined functionality exists for this and FIDO (at least when using USB).

Edit: another theory I have, is hidden in the settings. There's an option to "Launch when the YubiKey is connected". If the toggle is turned on, it prevents other apps from using the YubiKey. So just maybe, the default behaviour on the YubiKey is to try and launch the app, but it's not there and gets stuck. Just throwing out random theories here. At least we know that it's wise to install Yubico for FIDO functionality.

kopolee11

fid02 Yea, I hadn't either. Not sure if that was really the solution, or if the YubiKey being recognized after installing the app was an unrelated coincidence.

fid02

DeletedUser87 I just checked and there is a section for passkeys in the Yubico Authenticator app.

That section is for getting an overview of the passkeys stored on the key, as well as giving the choice of deleting select ones. I haven't heard of it being generally required for using passkeys on Yubikeys. It's actually a really simple but nice feature of the app which can be used with other security keys as well (as long as the keys support CTAP2.1, I think).

DeletedUser87 So just maybe, the default behaviour on the YubiKey is to try and launch the app, but it's not there and gets stuck.

Something along those lines doesn't seem far-fetched.

kopolee11 Not sure if that was really the solution, or if the YubiKey being recognized

Did installing Yubico Authenticator solve the problem on both your Pixel devices? If so, I think that's a good indication that the app had something to do with the issue getting solved.

kopolee11

fid02

Did installing Yubico Authenticator solve the problem on both your Pixel devices? If so, I think that's a good indication that the app had something to do with the issue getting solved.

Yes it solved the issue for both my Pixel devices. Good point, probably not a coincidence then.

I don't know for certain, but I think splattergames theory that the YubiKey's default behavior is to launch the app is most likely correct.