Does anyone know if android 14 will finally support pin code with a security key?
I'd like to use it with bitwarden when they support passkey, but it's complicated without pin code.
I just came across this as well.
I'm doing some test setups with GrapheneOS where I'm simulating that the house burned down and all I got was my secure backups and fresh hardware. No pin code prompt for Yubikey 5C on Android puts a heavy dent in that, and I'm not sure if I want to have another 5C stored but without pin code.
A workaround could be to access backup codes from a PC, but that would make the Yubikey completely irrelevant for all Android uses.
Should the Yubikeys rather only be used to unlock the bottom of the security chain? And not be used for everyday, even if that's what they advertise?
And on a tangent: Should the Google Smart Lock (?) be trusted if ignoring the malicious spam notifications? Can it be installed on GOS without being part of the other Google apps? Or however it works.
I have just recently moved to Yubikey and am looking at the same issues of android functionality. I will eagerly watch how this develops but don't have enough knowledge to contribute info.
Yubico is notified.
It would be very helpful if others of more reputable kind and caliber would take a look at what Google has done with security key management in the Google Account, and report to their contacts.
Google is transitioning to managing hardware security keys with the new passkey function, and in the process bugging out the old hardware key management.
And with passkey you can log onto "your" account with email + hardware key. Nothing else. That's really bad if the hardware key has no pin code. Note: Yes, you can use pin code with web and PC, but not cellphone and Android / AOSP derivatives, as mentioned in previous posts.
Should the Yubikeys rather only be used to unlock the bottom of the security chain? And not be used for everyday, even if that's what they advertise?
-> Only in 2nd factor for me, until pin code support.
For applications that always have a password, the pin code is not useful.
I can't say about Google Smart Lock, I don't use it, but is it possible that it's a privileged application, so not able to work on GOS?
Has Yubico communicated publicly on this subject?
Binance has also made a transition recently.
It asks for the e-mail address (if you have a unique address, this limits the problem a little) and the key works passwordless. On PC with the pin code, but also on Android without pin code. It's a bit annoying.
I don't know what Yubico has said up to this point around all this. In my case they have so far just responded to my support ticket with they will look into it. I don't expect them to give me more insight than that. Someone with contacts probably would get more insight.
In any case it's an old problem that should get fixed. And looks like the problem multiplies itself with related Google auth issues over time.
Always fun adding new features, but not doing the last 20% to make them really good and actually useful.
Has anyone gotten Yubikey + PIN to work recently? There was an update to Play Services in September which allegedly added support for FIDO2 + PIN:
[Phone] Adding Pin Protocol support for Fido2 on Android Platform.
I've tried with a Microsoft account where I have added Yubikeys as a passkey. I went to outlook.office.com and after entering my username I finally got the option to sign in with a security key. I then get the familiar option from Play Services where I can choose between Bluetooth and USB (interestingly there's no NFC support). But when I connect my Yubikey, grant access and hit the USB option, a new dialog appears for 0.2 secs and then closes. Microsoft's page then says that there was an error authenticating me.
No issues from a computer. Tried with a Yubikey 5 USB-A (with adapter) and a Yubikey USB-C security key. Tried in Chrome and Vanadium.
I'm currently testing Yubikey for an organisation and would be thrilled to get this working.
First time testing since June. Now I don't even get the option to use security keys on GOS. On a web browser @ PC I can switch to security key instead of using password (after entering username). This option doesn't exist for me on GOS in Vanadium, Brave or even the Microsoft auth app. No matter if the Y5C is inserted or not. Not on live.com, which does accept Y5C with pin code, or google.com, which struggles with pin code (at least it did earlier).
Can log in with Google @ PC web browser just fine with Y5C. It even asks for pin code.
Do Microsoft and Google disable the option to log in with security key on Android? Or is it just something broken at my end?
Proton.me @ Vanadium accepts security key, although it just ignores pin code. Sigh... Removed and re-added the same Y5C in browser @ PC, where it asks for pin code when registering a new Y5C. But logging out and in again and using security key, it simply ignores the pin code and also successfully logs in. Same in Vanadium @ GOS.
This shouldn't even be allowed. At least I thought it wouldn't be.
I don't see any change regarding pin code @ Android since June. If anything it has gotten worse, with no option to use security key with Microsoft and Google. And Google is the one developing AOSP.
Would be great if more tested this. To see where the problem lies. And then push for changes.
It sounds to me like Play Services still lacks support for CTAP2.
I was prepared to reset my device back to stock PixelOS just to test whether or not I could get FIDO2 working in web browsers there. However, I now heard that my company's FIDO2 project has concluded that FIDO2/CTAP2 is simply not supported in Android. They will have to either wait for official support (I suppose only Google knows when/if this is going to happen) or use a third-party API to get proper FIDO2 working as SSO. Probably the latter.
dgzeij Proton.me @ Vanadium accepts security key, although it just ignores pin code.
This might help in understanding why certain sites do not enforce PIN: https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs
PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.
If a service provider does not specify a setting for User Verification, most modern browsers will default setting it to Preferred (as per the WebAuthn spec), which may result in a PIN prompt.
Microsoft enforces FIDO2, and if the browser or device does not support it... I'm looking at you, Google.
dgzeij Do Microsoft and Google disable the option to log in with security key on Android? Or is it just something broken at my end?
I'm enrolled in Google's advanced protection program, and I do get the option to sign in with Yubikey in both Vanadium and Play Store. However, it still enforces a password in addition to Yubikey. Which is much better than phishable MFA, but still. I find it hilarious that Google supports FIDO2 with Yubikey as passkey on desktop, but their own OS does not.
Microsoft enforces FIDO2, which is why they don't even give you the option for security keys in web browsers on Android – there's really no point in displaying the option, as it just doesn't work.
If you enable desktop mode, you do get the option for security key with either USB or Bluetooth. But the dialog closes just after authenticating, and Microsoft tells you that something went wrong.
Organizations can utilize Microsoft's own FIDO2 implementation in Microsoft apps (Microsoft Entra certificate-based authentication), as long as they follow the steps outlined here and the security key supports certificates. However, this is beyond the scope of most GrapheneOS users. Although I can confirm that Microsoft Authenticator detects the Yubikey correctly on GOS, I have yet to be able to test this properly as my organization has not rolled out Certificate-based auth.
Thanks for giving more filling info. Explains the status quo.
Relaks This might help in understanding why certain sites do not enforce PIN: https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs
It's really weird that the Y5C itself doesn't enforce the PIN code. This shouldn't be up to any software other than changing it with the Yubikey Manager. The PIN should be treated as 2FA or priv+pub cert, where the physical key is impossible to be used without them.
Relaks I find it hilarious that Google supports FIDO2 with Yubikey as passkey on desktop, but their own OS does not.
Ye, I'm not impressed with Google the past years.
As it stands now the physical security keys are no better than Aegis. In many cases it's a worse security tool, since anyone can physically steal a physical key.
Can't believe people have these casually in their desk drawer at work, or lanyard/keyring.
I'm now guessing (just a guess, mind) that the Play Services release notes from September, mentioning support for FIDO2 + PIN on security keys, were about adding support for Google's new Titan keys:
https://blog.google/technology/safety-security/titan-security-key-google-store/
Update: I can now confirm that sign-in with Yubikey FIDO2+PIN works on Pixel OS. I have tested this on Microsoft, Nvidia and Adobe accounts in Chrome and Brave.
Although it currently works only with USB, I didn't have any other issues on Pixel OS. No custom browser settings needed, and upon sign-in you are not nagged to use a passkey from your Google account. You are simply asked to input your security key, then enter the PIN, then select which passkey to use if there are multiple account passkeys stored on the Yubikey.
For Microsoft accounts, you must load the sign-in page in the browser's desktop mode for the security key option to be displayed.
Small update: there's an open bug report for this here: https://github.com/GrapheneOS/os-issue-tracker/issues/2903
Still unclear as to the cause of this.