Google Play Services not handling FIDO key

MoonlitOrca

Hello! I've dug around the GitHub and forum and found a half dozen posts that are similar, but none of them seem to be quite the same problem that I'm having. I am running GOS on Pixel 8 pro and my nitrokeys are working fine through vanadium or brave, as those are being handled correctly by Google Play Services In those contexts, but outside of that in the Android operating system itself, this is not so.

In short, I enabled the advanced protection program for my Google account I use to download apps on the Play store because it seemed like a good security practice if I plan to use it for that purpose, and of course it forced me to sign out of all of the instances of my account. This is all good, except now I must sign back in on my pixel phone, and whenever it asks me for my security key (which is the only option allowed under that advanced security protocol), plugging it in or using the NFC both result in Google Play services not even trying to handle the key. It simply doesn't even realize a key is inserted. Again, using web view or a browser handles it just fine, but Google Play services just doesn't seem to get triggered for FIDO when I'm trying to generally log into my account on Android.

I would normally feel like it's a permission issue, but I've given it every permission I possibly can to try this. Any ideas would be greatly appreciated!

treequell

I empathize with you, as I also had similar issues after enrolling in the advanced protection program (APP).

It does seem to be possible to sign in with your security keys on Google Play Services whilst using APP, but also quite fiddly.

Please see this issue on GitHub to read how a few users managed to do it: https://github.com/GrapheneOS/os-issue-tracker/issues/2089

DeletedUser24

Google says on issuetracker they won't fix the problem.
However, if you sign up for the advanced protection program with the option of using only security keys, there's no need. Google has apparently removed this option recently, and you'll still get notifications to validate a new account login.
Normally, security keys work fine in normal mode.

MoonlitOrca

Thank you both very much for the replies. I read through the GitHub link @treequell mentioned, and I saw some people were able to wait until it failed and use a separate device on the same IP address to verify the key and get a code. That method got me signed in.

Thanks!

treequell

Thanks for reporting back! Glad you finally managed to sign in even if in only a roundabout way.

[deleted]

Hello, if you don't mind my asking, what is the purpose of Google's advanced protection program on grapheneos? You can always sideload

GrapheneOS

[deleted] The purpose of it is securing the account and disabling installing apps through the package installer dialog is a very minor side feature they added to it. You can still sideload with the Advanced Protection Program on the stock OS using ADB anyway.

[deleted]

GrapheneOS ok thanks

[deleted]

GrapheneOS You might as well not activate the Advanced Protection Program but just add keys, so that when you connect to your account you benefit from Google prompt and you don't have to carry your physical keys with you.