Chrome on Android support of security keys

752 views
Skip to first unread message

Xavier CHAPRON

unread,
Sep 14, 2023, 4:54:02 AM9/14/23
to FIDO Dev (fido-dev)
Hello,

I made a few tests on multiples Android devices with version 11 / 12 / 13 and I was not able to register on webauthn.io using Google Chrome on any of them using something else than a Google Passkey when the "Discoverable Credential" is set to anything else than "Discouraged".
To me it appears that Google Chrome on Android suddenly drop the support of other authenticators, including hardware security keys.

I saw here that the support of "External Authenticator" is "planned": https://passkeys.dev/docs/reference/android/ but technically this was already working before...

Am I missing something here? Is Google Chrome really enforcing the usage of Google Passkey?

Thanks,

Xavier Chapron

My1

unread,
Sep 14, 2023, 4:58:11 AM9/14/23
to Xavier CHAPRON, FIDO Dev (fido-dev)
discovered credentials (also known as resident keys), is something that android cannot do with fido devices yet as it only speaks CTAP1 (aka U2F) with external devices so far.
so basically if you want resident credentials, google sees that and asks you for their passkey implementation.

Regards
My1


Les informations contenues dans ce message électronique ainsi que celles contenues dans les documents attachés sont strictement confidentielles et sont destinées à l'usage exclusif du (des) destinataire(s) nommé(s).
Toute divulgation, distribution ou reproduction, même partielle, en est strictement interdite sauf autorisation écrite et expresse de l’émetteur.
Si vous recevez ce message par erreur, veuillez le notifier immédiatement à son émetteur par retour, et le détruire ainsi que tous les documents qui y sont attachés.

The information contained in this email and in any document enclosed is strictly confidential and is intended solely for the use of the individual or entity to which it is addressed.
Partial or total disclosure, distribution or reproduction of its contents is strictly prohibited unless expressly approved in writing by the sender.
If you have received this communication in error, please notify us immediately by responding to this email, and then delete the message and its attached files from your system.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/1a84e693-4014-43bf-b3cf-2192feb1a5d3n%40fidoalliance.org.

Xavier CHAPRON

unread,
Sep 14, 2023, 5:22:03 AM9/14/23
to My1, FIDO Dev (fido-dev)
Hello My1,

Thanks for your answer.
 
discovered credentials (also known as resident keys), is something that android cannot do with fido devices yet as it only speaks CTAP1 (aka U2F) with external devices so far.
This is not technically true. When choosing "Discoverable credentials" to "Discouraged" value and using my security key, I can clearly see a CTAP2 request (authenticatorGetInfo) being sent from the Android device to my device.

I saw this already being discussed on this mailing list but in my opinion, having the "Discoverable credentials" setting value "Preferred" being converted to "required" when transmitted to the authenticator doesn't sound the right thing to do.
Regards,
Xavier Chapron
 

Tim Cappalli

unread,
Sep 14, 2023, 5:35:02 AM9/14/23
to Xavier CHAPRON, FIDO Dev (fido-dev)
I saw here that the support of "External Authenticator" is "planned": https://passkeys.dev/docs/reference/android/ but technically this was already working before...

Passkeys.dev is exclusively about passkeys, which are WebAuthn discoverable credentials. Android did not support discoverable credentials on security keys. Android supported second factor / server-side / U2F-style credentials with security keys.

Support for passkeys on security keys is rumored to be coming soon. Passkeys.dev will be updated when that happens.

Also, just a nit, "Google Passkey" isn't a thing. I think you meant creating a passkey in Google Password Manager (which is the default passkey provider on most Android devices).

My1

unread,
Sep 14, 2023, 6:10:32 AM9/14/23
to Tim Cappalli, Xavier CHAPRON, FIDO Dev (fido-dev)
it's not just discoverable/resident credentials that werent supported tho, UV was dead too, which is kinda important for passwordless even if you dont go usernameless.

Joost van Dijk

unread,
Sep 15, 2023, 6:20:15 AM9/15/23
to My1, Tim Cappalli, Xavier CHAPRON, FIDO Dev (fido-dev)
I haven’t tried myself, but for UV support on Android you may want to try to upgrade to the latest version of Google Play Services.

See
Which states:

“Adding Pin Protocol support for Fido2 on Android Platform.“

—Joost van Dijk

On 14 Sep 2023, at 12:10, My1 <teamhyd...@gmail.com> wrote:



John Bradley

unread,
Sep 15, 2023, 8:19:46 AM9/15/23
to Joost van Dijk, My1, Tim Cappalli, Xavier CHAPRON, FIDO Dev (fido-dev)
There is some support in the latest version of play services for biometric or pin over USB.  NFC support is still coming as I understand it.  

So you will get diffrent results on Android depending on the interface.  

That is not confusing at all, so just wanted to point it out before people try it and get confused. 

John B. 

Sent from my iPhone

On Sep 15, 2023, at 12:20 PM, Joost van Dijk <vandij...@gmail.com> wrote:


I haven’t tried myself, but for UV support on Android you may want to try to upgrade to the latest version of Google Play Services.

See

Md mamun

unread,
Sep 15, 2023, 7:16:02 PM9/15/23
to Xavier CHAPRON, FIDO Dev (fido-dev)

FIDO Dev (fido-dev)

unread,
Sep 19, 2023, 6:13:42 AM9/19/23
to FIDO Dev (fido-dev), John Bradley, My1, Tim Cappalli, Xavier CHAPRON, FIDO Dev (fido-dev), Joost van Dijk
Just tested it using the 23.35.54 version of the play services, it doesn't seem to bring UV to security keys. Registering a security key on webauthn.io fails when UV is Required.

مصطفى سعيد مصطفى سعيد

unread,
Sep 19, 2023, 7:32:41 AM9/19/23
to FIDO Dev (fido-dev), FIDO Dev (fido-dev), John Bradley, My1, Tim Cappalli, Xavier CHAPRON, Joost van Dijk
الدعم
من: ‏‏fido...@fidoalliance.org <fido...@fidoalliance.org> بالنيابة عن FIDO Dev (fido-dev) <marko....@gmail.com>
‏‏تم الإرسال: 19 سبتمبر, 2023 01:13 م
إلى: FIDO Dev (fido-dev) <fido...@fidoalliance.org>
نسخة: John Bradley <ve7...@ve7jtb.com>; My1 <teamhyd...@gmail.com>; Tim Cappalli <Tim.Ca...@microsoft.com>; Xavier CHAPRON <xavier....@ledger.fr>; FIDO Dev (fido-dev) <fido...@fidoalliance.org>; Joost van Dijk <vandij...@gmail.com>
‏‏الموضوع: Re: [FIDO-DEV] Chrome on Android support of security keys
 

John Bradley

unread,
Sep 19, 2023, 9:35:35 AM9/19/23
to FIDO Dev (fido-dev), FIDO Dev (fido-dev), My1, Tim Cappalli, Xavier CHAPRON, Joost van Dijk
My phone with beta play services has 23.35.56.  USB keys with built in biometrics work, however pin support over usb seems not to be in that external beta yet.  

It will happen eventually but after 5 years of real soon now, all I can say is real soon now:)

Yes lack of CTAP2 pin support on Android is significantly holding back adoption in a number of areas. 

John B. 

Sent from my iPhone

On Sep 19, 2023, at 5:13 AM, FIDO Dev (fido-dev) <marko....@gmail.com> wrote:



Xavier CHAPRON

unread,
Oct 19, 2023, 9:48:58 AM10/19/23
to John Bradley, FIDO Dev (fido-dev), FIDO Dev (fido-dev), My1, Tim Cappalli, Joost van Dijk
Hello,

I just tested it on a Pixel 5 with Android version 14, Google Play Service version 23.40.14 and Google Chrome version 118.0.
It appears that when using "Discoverable Credential" setting to "Discouraged" it is possible to use an USB security key and it's even using CTAP2 protocol.

However I'm not sure, what is the reason to not allowing external security keys when "Discoverable Credential" setting is not set to "Discouraged", and this even though the authenticator supports internal user verification and discoverable credentials?
Does anyone know if this is temporary or if this is going to stay as it is currently?

Thanks,

Xavier

Xavier CHAPRON

unread,
Mar 15, 2024, 5:52:05 AMMar 15
to John Bradley, FIDO Dev (fido-dev), FIDO Dev (fido-dev), My1, Tim Cappalli, Joost van Dijk
Hello,

A few months later it appears that on up to date Android and Chrome, there is still no way to use an external security key when "Discoverable Credential" setting is not set to "Discouraged".
This is in my opinion a great blocker for Security Key adoption as most website used the classical "Preferred" setting value for
Does anyone knows if this is temporary or if this is going to stay as it is currently?

I also did a few tests on NFC support, and it appears that Chrome on Android is still using U2F, is FIDO2 support in the pipes?

Thanks,

Xavier

John Bradley

unread,
Mar 15, 2024, 7:04:36 AMMar 15
to Xavier CHAPRON, FIDO Dev (fido-dev), FIDO Dev (fido-dev), My1, Tim Cappalli, Joost van Dijk
To my understanding support is coming for NFC but USB will be first.   The full support for USB is supposed to be soon.  

Sent from my iPhone

Xavier CHAPRON

unread,
Mar 15, 2024, 9:20:44 AMMar 15
to John Bradley, FIDO Dev (fido-dev), FIDO Dev (fido-dev)
Hello,

That are great news, thanks!

I take the opportunity to also ask if there is somewhere good material for implementing NFC support on an authenticator.
As of now I know there are:
But I'm looking for a more extensive specification, and maybe some tooling, like a debug application or something?

Thanks again,

Xavier
Reply all
Reply to author
Forward
0 new messages