Yubico testing has found a pair of issues that occur when authenticating with YubiKeys in select native apps on Samsung devices.
These same two issues do not occur when using:
- Other non-Samsung Android devices
- Web browsers on Samsung devices
- Native apps that use embedded browsers or don't use the Android Credential Manager APIs.
Only specific native applications are impacted where the native app leverages the Android Credential Manager APIs. Applications that are known to be impacted include:
- Microsoft native apps such as Office, Teams, Outlook, etc.
- Amazon Shopping App
Yubico is working with Samsung to help resolve the issues, and will update this article as new information becomes available.
You can find Microsoft’s full list of considerations for native apps, including Samsung Android devices, here.
Issue 1
On Samsung devices the native app sign-in flow is not intuitive: the security key prompts do not appear until the user selects Show QR Code. Users must select the "Show QR code" option to use a YubiKey.
Issue 2
The second issue occurs in select native apps on Samsung devices when the YubiKey has the Yubico OTP interface enabled. When users attempt to authenticate during the WebAuthn ceremony, an error occurs.
Note: Yubico OTP codes are the 44-character codes emitted when you touch the YubiKey; they usually start with 'cc' or 'vv' and resemble the following:
cccccckhkivlkegfcguctvlbttvgcdunvfjllviejkbb
To reproduce the error:
- Install an app like Outlook (Microsoft native apps currently also require Microsoft Authenticator to be installed, as it is used as the authentication broker)
- Open Outlook and enter a username
- If not automatically prompted, select Other ways to sign in and then select Face, fingerprint, PIN or security key
- Select Show QR Code
- Follow the prompts
- During the security key prompts, an error message can be seen in the background before the PIN can be entered
- The user is unable to sign in
Issue 2 possible mitigations and workarounds
- Use a web browser instead of the native app
- Use the Yubico Security Key Series or YubiKey Bio Series, which do not support Yubico OTP
- Disable the OTP interface on the YubiKey if the Yubico OTP application is not used for other applications. See Enabling or Disabling Interfaces for instructions. The steps must be performed using Yubico Authenticator for Desktop (macOS, Windows, Linux); they are not supported in Yubico Authenticator for Android.
Option 1 - Disable the OTP interface using the YubiKey Manager CLI (the -f flag skips the confirmation prompt):
ykman config usb -d OTP -f
Option 2 - Disable the OTP interface using Yubico Authenticator for Desktop:
- Open Yubico Authenticator
- From the Home screen, click the kebab button at the top-right corner
- Click Toggle applications
- If enabled, select the Yubico OTP option to disable it. You only need to disable Yubico OTP on the USB interface.
Note: Once Yubico OTP is disabled over USB, users signing in to any other protected application that requires the Yubico OTP application will no longer be able to provide the OTP code over the USB interface. Microsoft accounts, Office and Entra ID accounts do not support Yubico OTP and will not be impacted; however, other applications such as password managers or other identity providers do support Yubico OTP and could be impacted if it is disabled.
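As an added example (not part of the Yubico article), the POSIX shell script below reads the Applications table printed by `ykman info`, reports whether Yubico OTP is enabled over USB, and prints the Option 1 command only when it actually applies, so the change is not made on a key where it is unnecessary. The `ykman info` sample output is constructed here to mirror ykman 5.x formatting, and it is assumed that keys without the OTP application (Security Key Series, YubiKey Bio Series) print no "Yubico OTP" row.

```shell
#!/bin/sh
# Added example, not Yubico's code: decide whether the Issue 2 workaround
# (Option 1, "ykman config usb -d OTP -f") applies, by reading the
# Applications table that `ykman info` prints. SAMPLE_INFO is constructed
# to mirror ykman 5.x output; column spacing on a real key may differ.
SAMPLE_INFO='Device type: YubiKey 5 NFC
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB         NFC
Yubico OTP      Enabled     Enabled
FIDO U2F        Enabled     Enabled
FIDO2           Enabled     Enabled'

# otp_usb_state: read `ykman info` text on stdin and print the USB column
# of the "Yubico OTP" row (Enabled or Disabled). Assumption: keys without
# the OTP application (Security Key Series, YubiKey Bio Series) print no
# such row, which is reported as "Absent".
otp_usb_state() {
    awk '/^Yubico OTP/ { print $3; found = 1 }
         END { if (!found) print "Absent" }'
}

# recommend: map the state to an action. Only the Enabled case needs the
# change; NFC is left alone, as the article only asks for USB.
recommend() {
    case "$1" in
        Enabled)  echo "ykman config usb -d OTP -f" ;;   # Option 1 from the article
        Disabled) echo "Yubico OTP already disabled over USB; nothing to do" ;;
        Absent)   echo "Key has no Yubico OTP application; Issue 2 does not apply" ;;
        *)        echo "unrecognised state: $1" >&2; return 1 ;;
    esac
}

# main: pass --live to query the key actually plugged in; otherwise the
# constructed sample is used so the script runs without hardware.
main() {
    if [ "$1" = "--live" ]; then
        info=$(ykman info) || { echo "ykman info failed; is a key inserted?" >&2; return 1; }
    else
        info=$SAMPLE_INFO
    fi
    state=$(printf '%s\n' "$info" | otp_usb_state)
    echo "Yubico OTP over USB: $state"
    recommend "$state"
}

main "$@"
```

Run it as `sh check-otp.sh --live` on a workstation with ykman installed and the key inserted; without the flag it only exercises the constructed sample.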