Using Yubikey with Vanadium

sirfartsalot

Can someone help me use a YubiKey with GrapheneOS? I used other posts on this forum as a guide, but I can't figure it out. I tried:

Create a new profile (for a repeatable starting configuration for debugging purposes).
Settings > Multiple users > Add user > OK. Then walk through new user creation.
As the new user, download Google Play services and Google Services Framework.
Apps > Install Google Play services and Google Services Framework.
Enable storage scopes on Google Play services
Settings > All Apps > Google Play services > Permissions > Photos and videos > Configure Storage Scopes > Enable
Ensure NFC is enabled
Settings > Connected Devices > Connection Preferences > NFC > Enable
Test 2FA at demo.yubico.com/playground
Open Vanadium > Go to webpage https://demo.yubico.com/playground > Create new account > Add security key > Next.
At this point, I should interact with my YubiKey via NFC or by plugging it in. Instead, it shows the error message "Operation cancelled" and "There was an error in the registration procedure, please try again".

matchboxbananasynergy

sirfartsalot Hi there!

I noticed you didn't install Google Play Store. Even if you don't plan to use it, please install it. It's required for Sandboxed Google Play to work properly.

sirfartsalot

matchboxbananasynergy

That fixed it, thank you! A full list of correct steps is below:

Create a new profile (for a repeatable starting configuration for debugging purposes).
Settings > Multiple users > Add user > OK. Then walk through new user creation.
As the new user, download Google Play services, Google Services Framework, and Google Play Store.
Apps > Install Google Play services, Google Services Framework, and Google Play Store. All 3 are required.
Enable storage scopes on Google Play services
Settings > All Apps > Google Play services > Permissions > Photos and videos > Configure Storage Scopes > Enable
(Optional) For privacy, disable sensors and network permissions for all 3 Google apps.
Settings > All Apps > Google Play services > Permissions > Network > Don't allow. Sensors > Don't allow.
Ensure NFC is enabled
Settings > Connected Devices > Connection Preferences > NFC > Enable
Test 2FA at demo.yubico.com/playground
Open Vanadium > Go to webpage https://demo.yubico.com/playground > Create new account > Add security key > Next. Interact with my YubiKey via NFC or via USB. Both NFC and USB were tested and work properly with a YubiKey 5C NFC.

matchboxbananasynergy

sirfartsalot Glad it worked out. :)

chock-a-block

sirfartsalot

Once you set this up, does the yubikey work outside of the new profile or does all your FIDO2 yubikey-authenticated accounts have to be accessed within that profile?

matchboxbananasynergy

chock-a-block I'm pretty sure it only applies to the profile in which Sandboxed Google Play is isntalled. The Sandboxed Google Play installation doesn't persist across profiles, they can't even see apps in other profiles cause they're just regular apps.

sirfartsalot

matchboxbananasynergy
That is correct. In my instructions, the first step of "create a new profile" was only to provide a consistent baseline for testing purposes. Set it up on the profile that you want to use hardware key 2FA with.