Android current known issues with FIDO2


On Android, with any browser that uses the platform's built-in passkey support (for example Chrome and Firefox), there is a known issue when attempting to register or authenticate with FIDO2 credentials using YubiKeys with firmware 5.5 or newer.

When using FIDO / WebAuthn on a YubiKey to log in to a web site or identity provider, there are three distinct flows:

The first, which is closest to the original U2F standard, is WebAuthn as a second factor. The user authenticates with a traditional username and password first, and then uses a YubiKey or similar FIDO device as an additional MFA factor. Because the site already knows who the user is, it can tell the browser exactly which credential IDs are acceptable.

The second, passwordless, was introduced with FIDO2. The site obtains the username first, either by prompting the user or via a persistent cookie, and then prompts the user to use their YubiKey together with its PIN (user verification).

The third, usernameless, was also introduced with FIDO2 and has been popularized as "passkey" login. The site asks for no username at all; the user only needs to activate their FIDO device with a PIN or biometric, the device presents the discoverable credential it holds for that site, and the user is securely logged in.

When registering a YubiKey using FIDO2, or authenticating to a FIDO2-supporting account (e.g., Amazon.com Account, Microsoft Account, Apple ID, Google accounts, Okta accounts, among others), on an Android device over USB, the browser prompts for the PIN twice and the operation then fails with an error.

  • This issue is specific to Android devices running certain versions of Google Play Services.
    • Known impacted versions - Google Play Services versions 24.47.38 and 24.49.33
  • This issue may not occur while registering the first FIDO2 device to an account, depending on the specific WebAuthn options used by the service, but will likely occur for subsequent devices, once the service has existing credentials to exclude.
  • This issue does not occur with YubiKeys with firmware 5.4.3 and below.

Prerequisites to reproduce:

Most of the prerequisites for this issue depend on the configuration of the site (relying party) with which the YubiKey is registering or authenticating a FIDO2 credential. For developers building FIDO2 authentication into their environment, all of the following conditions must hold for this issue to appear.

  • This issue is triggered by an authentication request that includes a non-empty allowCredentials list, or a registration request that includes a non-empty excludeCredentials list.
    • The allowCredentials list tells the browser which previously registered credentials may be used to satisfy a non-discoverable credential request. See this page to learn more about allowCredentials.
    • The excludeCredentials list prevents a key that is already registered to the account from being registered again and unintentionally overwriting the existing credential. See this page for more information about excludeCredentials.
  • In addition to the allowCredentials or excludeCredentials list, the request must contain some other option or extension that makes the browser talk to the key with the FIDO2 protocol (CTAP2) instead of the legacy U2F protocol (CTAP1), for example userVerification set to required.
  • The YubiKey must be connected over USB, not NFC.
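The following is an added example, not code from this article or from Yubico: it builds the WebAuthn option objects a relying party would pass to the browser for each of the three flows described earlier (second factor, passwordless, usernameless) plus a registration request, and then checks each against the two conditions listed above (a non-empty allowCredentials or excludeCredentials list, and a FIDO2-only option). The rpId, user record, credential IDs and zero-filled challenge are constructed sample values; a real server must generate a fresh random challenge per request. Which options count as "FIDO2-only" is an assumption for illustration (userVerification required, residentKey required, or any extension), since the article only names user verification as one example.

```javascript
// Added example (not Yubico's code). Builds WebAuthn request/creation options
// for the three login flows and checks them against the article's trigger conditions.
// All identifiers and byte strings below are constructed sample values.

const enc = new TextEncoder();

// Constructed credential ID, as a relying party would store it after a prior registration.
const SAMPLE_CREDENTIAL_ID = enc.encode('sample-credential-id-from-prior-registration');

// Flow 1: WebAuthn as a second factor after username + password.
// The RP knows the user, so it lists that user's credential IDs in allowCredentials.
// No user verification is demanded, so the browser can fall back to U2F/CTAP1.
function secondFactorRequest(challenge, credentialIds) {
  return {
    challenge,
    rpId: 'example.com',
    allowCredentials: credentialIds.map(id => ({ type: 'public-key', id, transports: ['usb', 'nfc'] })),
    userVerification: 'discouraged',
  };
}

// Flow 2: passwordless. The RP still identifies the user first (prompt or cookie),
// so allowCredentials is populated, but now the key must verify the user (PIN/biometric).
function passwordlessRequest(challenge, credentialIds) {
  return { ...secondFactorRequest(challenge, credentialIds), userVerification: 'required' };
}

// Flow 3: usernameless ("passkey") login. No user is known up front, so allowCredentials
// is empty and the authenticator offers whatever discoverable credentials it holds for the rpId.
function usernamelessRequest(challenge) {
  return { challenge, rpId: 'example.com', allowCredentials: [], userVerification: 'required' };
}

// Registration. excludeCredentials carries the IDs already registered to this account so an
// already-enrolled key is rejected instead of silently re-registered. For the first key the list is empty.
function registrationOptions(challenge, existingCredentialIds) {
  return {
    challenge,
    rp: { id: 'example.com', name: 'Example RP' },
    user: { id: enc.encode('user-1234'), name: 'alice', displayName: 'Alice' },
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
    excludeCredentials: existingCredentialIds.map(id => ({ type: 'public-key', id })),
    authenticatorSelection: { userVerification: 'required', residentKey: 'preferred' },
  };
}

// Checks an options object against the two conditions the article lists:
//  (1) a non-empty allowCredentials (assertion) or excludeCredentials (registration) list, and
//  (2) some option that forces FIDO2/CTAP2 rather than legacy U2F/CTAP1.
// The set of options treated as FIDO2-only here is an assumption for illustration.
function matchesAndroidIssueConditions(options) {
  const idList = options.allowCredentials ?? options.excludeCredentials ?? [];
  const hasIdList = idList.length > 0;

  const uv = options.userVerification ?? options.authenticatorSelection?.userVerification;
  const rk = options.authenticatorSelection?.residentKey;
  const hasExtensions = Object.keys(options.extensions ?? {}).length > 0;
  const hasFido2OnlyOption = uv === 'required' || rk === 'required' || hasExtensions;

  return hasIdList && hasFido2OnlyOption;
}

// Walk through the flows with a constructed (all-zero) challenge. Only the two requests that
// combine a credential ID list with a FIDO2-only option match the article's conditions.
function evaluateFlows() {
  const challenge = new Uint8Array(32); // constructed; never reuse a fixed challenge in production
  return {
    secondFactor: matchesAndroidIssueConditions(secondFactorRequest(challenge, [SAMPLE_CREDENTIAL_ID])),
    passwordless: matchesAndroidIssueConditions(passwordlessRequest(challenge, [SAMPLE_CREDENTIAL_ID])),
    usernameless: matchesAndroidIssueConditions(usernamelessRequest(challenge)),
    firstRegistration: matchesAndroidIssueConditions(registrationOptions(challenge, [])),
    laterRegistration: matchesAndroidIssueConditions(registrationOptions(challenge, [SAMPLE_CREDENTIAL_ID])),
  };
}

console.log(evaluateFlows());
```

Running this shows why the usernameless flow and the first registration of a key escape the problem: neither carries a credential ID list, so the first condition is never met. In a browser these option objects would be passed as `publicKey` to `navigator.credentials.get()` or `navigator.credentials.create()`; the checker itself needs no browser APIs and runs under Node.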

Workarounds

  • If possible, use an unaffected device (a different phone, or a desktop browser) to register new accounts.
  • If a YubiKey Bio or YubiKey C Bio is being used for authentication, ensure fingerprints are enrolled and use them instead of the PIN.
    • To ensure that the fingerprint is used, touch the sensor with an enrolled finger when the browser presents the security key prompt, instead of tapping More options.

  • If a "usernameless" authentication flow is supported on Android for the service you are authenticating to, that may be a viable workaround: in that flow the request carries no allowCredentials list, so the triggering condition described above is not met.
    For example, Entra ID offers a usernameless sign-in option:

    • When prompted for a username at the Sign in screen, instead of typing the username select Sign-in options.
    • Select Face, fingerprint, PIN or security key.
    • Then follow the prompts to sign in with a security key.