Android OEM devices FIDO known issues


May 2025 updates
A previous version of this article stated that non-Samsung devices were unaffected; we have since received reports that devices from other Android OEMs are affected.


April 2025 updates
Chrome for Android and other browsers based on some versions of Chromium before 135.0.7049.111 have a known incompatibility with FIDO2 on Samsung and potentially other Android devices. There are no known workarounds, but a new version of Chrome that fixes the issue is available on most devices as of 2025-04-25. If you are using Chrome or a Chromium-based browser at version 135.0.7049.111 or later and are still having issues, see the workaround below, which involves disabling Yubico OTP.
The existing issue that previously only impacted specific native apps now seems to have expanded to additional native apps and also to web browsers on Samsung devices. This issue impacts many (but not all) FIDO2 relying parties for common registration and authentication flows.
○ Use the Yubico demo website to see how some authentication flows are impacted.
○ Use the default registration options on webauthn.io to see how some registration flows are impacted.

Yubico testing has found an issue that occurs during specific WebAuthn registration and authentication ceremonies using YubiKeys with many native apps and browser-based web applications on Android devices from some manufacturers, including Samsung devices.

This issue may occur when using Android devices from the following manufacturers:

  • Samsung
  • Zebra (handheld scanners)

This issue has not yet been observed on Google Pixel branded devices or Android handsets produced by other manufacturers.

Yubico is working with Samsung to resolve this issue, and this article will be updated as new information becomes available.


Issue

The issue occurs on certain Android devices when YubiKeys have the OTP application enabled over the USB interface. When users attempt to register a FIDO credential or authenticate during the WebAuthn ceremony, an error occurs.

Tip: For more information about the YubiKey's OTP application, refer to this documentation. If users sign in to any other protected applications that require the OTP application on the YubiKey, disabling the OTP application over the USB interface will cause that authentication method to fail. Microsoft accounts and Office or Entra ID accounts do not support the use of the OTP application; however, other applications such as password managers or other identity providers may support it and could be impacted if the OTP application is disabled (this includes Yubico Login for Windows). If another application is impacted, the OTP application can be re-enabled at any time using Yubico Authenticator, or with the following YubiKey Manager CLI command:

ykman config usb -e OTP -f

To reproduce the error:

  1. Open Outlook (either with the native app or using outlook.com in a browser)

    Note: Currently, most Microsoft native applications also require the use of an authentication broker like Microsoft Authenticator or the Intune Company Portal app. See this Microsoft resource to understand Microsoft Entra ID FIDO2 native application support.
  2. At the login page, enter your username, and then select Next.

  3. If not automatically prompted, select Other ways to sign-in, and then select Face, fingerprint, PIN or security key.
  4. Select Use a different device.
  5. Insert the YubiKey when prompted.
  6. Type the PIN when prompted, and select Confirm. Microsoft will return an error reading "We couldn't sign you in."


Possible mitigations and workarounds

    1. Use a YubiKey that does not support the OTP application, such as the Security Key Series or the YubiKey Bio - FIDO Edition.

    2. Disable the OTP application over the USB interface if the OTP application is not being used for other applications/services.
      Tip: Disabling the OTP application over the USB interface does not delete any credentials stored in either of the OTP slots, so if you are only troubleshooting, the OTP application can be disabled and re-enabled without any change to the OTP slot configurations.

Steps to disable the OTP application over the USB interface

Option 1 - Disable the OTP application over the USB interface using Yubico Authenticator for Desktop:


Refer to this guide for steps on how to disable the OTP application over the USB interface.


Option 2 - Disable the OTP application over the USB interface using the YubiKey Manager CLI:


ykman config usb -d OTP -f
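The Option 2 workaround scripted end to end, as an added example that is not Yubico's code: it reads the current OTP state from `ykman info`, warns when OTP slots are programmed (so the operator knows another service may stop working), applies `ykman config usb -d OTP -f`, and verifies the result. It assumes the `ykman info` and `ykman otp info` output layouts noted in the comments; the sample outputs are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example, not Yubico's code: check and apply the OTP-over-USB workaround from this
# article with ykman. Assumes `ykman info` prints an application table with USB and NFC
# columns (row "Yubico OTP" or "OTP") and `ykman otp info` prints "Slot N: programmed|empty"
# lines; the sample outputs below are constructed for offline checks, not captured.
SAMPLE_INFO_ENABLED='Enabled USB interfaces: OTP, FIDO, CCID
Applications    USB         NFC
Yubico OTP      Enabled     Enabled
FIDO2           Enabled     Enabled'
SAMPLE_INFO_DISABLED='Enabled USB interfaces: FIDO, CCID
Applications    USB         NFC
Yubico OTP      Disabled    Enabled'
SAMPLE_OTP_INFO='Slot 1: programmed
Slot 2: empty'

# otp_usb_state TEXT: print Enabled, Disabled or unknown for the OTP application on USB.
otp_usb_state() {
    printf '%s\n' "$1" | awk '
        /^(Yubico )?OTP[[:space:]]/ {
            sub(/^(Yubico )?OTP[[:space:]]+/, "")  # drop the application-name column
            split($0, cols, /[[:space:]]+/)         # cols[1] = USB, cols[2] = NFC
            print cols[1]; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# otp_slots_programmed TEXT: count programmed OTP slots in `ykman otp info` output.
otp_slots_programmed() {
    printf '%s\n' "$1" | grep -c -E '^Slot [12]: programmed' || :
}

# disable_otp_usb: apply the workaround on the connected key and verify it took effect.
disable_otp_usb() {
    info="$(ykman info)" || return 1
    case "$(otp_usb_state "$info")" in
        Disabled) echo "OTP already disabled over USB; nothing to do"; return 0 ;;
        Enabled) ;;
        *) echo "cannot read OTP state from ykman info; not changing anything" >&2; return 1 ;;
    esac
    slots="$(otp_slots_programmed "$(ykman otp info)")"
    if [ "$slots" -gt 0 ]; then
        echo "note: $slots programmed OTP slot(s); services relying on them fail until re-enabled"
    fi
    ykman config usb -d OTP -f || return 1
    [ "$(otp_usb_state "$(ykman info)")" = "Disabled" ] || { echo "verification failed" >&2; return 1; }
    echo "OTP disabled over USB; slot credentials are kept (re-enable: ykman config usb -e OTP -f)"
}

if [ "${1:-}" = "--apply" ]; then disable_otp_usb; fi
```

Run with `--apply` and a YubiKey connected to perform the change; without the flag only the functions are defined, so the parsers can be exercised against the constructed samples.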