I was prepared to reset my device back to stock PixelOS just to test whether or not I could get FIDO2 working in web browsers there. However, I now heard that my company's FIDO2 project has concluded that FIDO2/CTAP2 is simply not supported in Android. They will have to either wait for official support (I suppose only Google knows when/if this is going to happen) or use a third-party API to get proper FIDO2 working as SSO. Probably the latter.
dgzeij: Proton.me @ Vanadium accepts a security key, although it just ignores the PIN code.
This might help in understanding why certain sites do not enforce PIN: https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs
PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.
If a service provider does not specify a setting for User Verification, most modern browsers will default to setting it to Preferred (as per the WebAuthn spec), which may result in a PIN prompt.
Microsoft enforces FIDO2, and if the browser or device does not support it... I'm looking at you, Google.
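The User Verification setting explained above, as an added example that is not from this thread: the request options a relying party passes to the browser beside the server-side check of the UV flag in the authenticatorData that comes back. The rpId, challenge and sample bytes are constructed for illustration.

```javascript
// Added example (not from the thread). WebAuthn authenticatorData flag bits:
// bit 0 = UP (user present), bit 2 = UV (user verified, e.g. PIN or biometric).
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;

// Options as the RP would hand to navigator.credentials.get().
// "required" forces a PIN/biometric; "preferred" (the browser default when the
// RP says nothing) only asks when the authenticator can, so UV may be skipped.
function buildRequestOptions(challenge, uv) {
  return {
    publicKey: {
      challenge,                 // random bytes from the server (constructed here)
      rpId: "example.com",       // hypothetical relying party
      userVerification: uv,      // "required" | "preferred" | "discouraged"
      timeout: 60000,
    },
  };
}

// Parse the fixed part of authenticatorData: rpIdHash(32) | flags(1) | signCount(4).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    rpIdHash: authData.slice(0, 32),
    flags,
    signCount: view.getUint32(0), // big-endian per spec
    up: (flags & FLAG_UP) !== 0,
    uv: (flags & FLAG_UV) !== 0,
  };
}

// Server-side policy: UP is always mandatory; UV is mandatory only when the RP
// asked for "required". A PIN prompt on the client proves nothing by itself; the
// RP must check the flag, or a site set to "preferred" will accept PIN-less logins.
function verifyAssertion(authData, requestedUv) {
  const parsed = parseAuthData(authData);
  if (!parsed.up) return { ok: false, reason: "user presence flag not set" };
  if (requestedUv === "required" && !parsed.uv) {
    return { ok: false, reason: "UV required but flag not set" };
  }
  return { ok: true, uv: parsed.uv, signCount: parsed.signCount };
}

// Constructed sample authenticatorData: zeroed rpIdHash, given flags, counter = 5.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 5;
  return buf;
}
```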
dgzeij: Do Microsoft and Google disable the option to log in with a security key on Android? Or is it just something broken at my end?
I'm enrolled in Google's advanced protection program, and I do get the option to sign in with Yubikey in both Vanadium and Play Store. However, it still enforces a password in addition to Yubikey, which is much better than phishable MFA, but still. I find it hilarious that Google supports FIDO2 with Yubikey as a passkey on desktop, but their own OS does not.
Microsoft enforces FIDO2, which is why they don't even give you the option for security keys in web browsers on Android – there's really no point in displaying the option, as it just doesn't work.
If you enable desktop mode, you do get the option for security key with either USB or Bluetooth. But the dialog closes just after authenticating, and Microsoft tells you that something went wrong.
Organizations can utilize Microsoft's own FIDO2 implementation in Microsoft apps (Microsoft Entra certificate-based authentication), as long as they follow the steps outlined here and the security key supports certificates. However, this is beyond the scope of most GrapheneOS users. Although I can confirm that Microsoft Authenticator detects the Yubikey correctly on GOS, I have yet to be able to test this properly as my organization has not rolled out Certificate-based auth.