Authentication fails when using discoverable credentials created on external NFC authenticators that do not support ClientPIN.
65 views
Skip to first unread message
jy
May 9, 2026, 3:26:42 PMMay 9
to FIDO Dev (fido-dev)
Steps to Reproduce
- Use an external NFC authenticator that does not support ClientPIN.
- Visit Webauthn.io on an Android device.
- Register a discoverable credential using the NFC authenticator.
- Attempt to authenticate with the newly created credential.
- Android displays: "Something went wrong" and hangs there.
Expected Behavior
Authentication should succeed, similar to behavior observed on iOS.
If ClientPIN is not supported on the authenticator, the NFC interaction should be sufficient to establish User Presence (UP), allowing assertion or registration to proceed.
- Use an external NFC authenticator that does not support ClientPIN.
- Visit Webauthn.io on an Android device.
- Register a discoverable credential using the NFC authenticator.
- Attempt to authenticate with the newly created credential.
- Android displays: "Something went wrong" and hangs there.
Expected Behavior
Authentication should succeed, similar to behavior observed on iOS.
If ClientPIN is not supported on the authenticator, the NFC interaction should be sufficient to establish User Presence (UP), allowing assertion or registration to proceed.
John Bradley
May 9, 2026, 6:25:39 PMMay 9
to jy, Dev FIDO
Fido2/Ctap2 is not supported at all over NFC on Android yet.
What you are seeing is U2F support, and that is non resident only.
Support is coming soon. There was a release but it was withdrawn do to issues it caused with existing U2F deployments.
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/2998b1be-d13c-4b22-8f9b-00e0da7b8d44n%40fidoalliance.org.
My1
May 9, 2026, 8:28:01 PMMay 9
to John Bradley, jy, Dev FIDO
at least as of a few days ago, I had it working, partially.
from what I grasped specifically needed support for extended length encoding on the applet selection APDU which causes several FIDO devices to crap out including ones clearly marked as certified (e.g. from Cryptnox or older Token2 devices)
not sure where applet selection using extended length is required for CTAP2 because I heavily hope non-compliant devices wouldn't get certified, and as far as I read the CTAP2 standard, it only asked for extended length in CTAP2 commands, not the applet selection.
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/900BBC63-019E-4902-B16C-9FB6848D43A3%40ve7jtb.com.
Reply all
Reply to author
Forward
0 new messages