Fido2 key and their issues using them on Android
First, does Android support using FIDO2 keys on Android?
Yes, it supports authentication using Bluetooth, NFC and USB.
For reference: https://developers.google.com/identity/fido/android/native-apps
But does that mean it is straightforward to use in an enterprise environment without hiccups?
No, the support lacks many features that both Windows and iOS have supported for a long time.
If I buy a modern FIDO2 key with OTP support, will it work straight out of the box over USB?
No, you need to disable the OTP support first. Here is how you can do that from YubiKey Manager; this works for YubiKey.
Other vendors might have something similar. But for FIDO2 keys without OTP support, it should work out of the box over USB-C, like the Google Titan. Why this happens, I don't know.
Can we use NFC for Entra ID authentication like we can on Windows and iOS?
No. Android does not currently support CTAP2 over NFC, only over USB-C. CTAP1 (FIDO U2F) supports certificate-based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting a login.
As far as I know, there is also support for Bluetooth. But I don't have any FIDO2 keys that support Bluetooth yet.
So why does this matter?
With Android you can have shared devices with secure login for multiple users, with a single login for all supported apps, auto log-off and many other possibilities.
https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices
Other sources/discussions:
https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/
https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/
https://fidoalliance.org/specifications/
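The distinction drawn above between a presence-only (CTAP1/U2F) assertion and a user-verified (CTAP2, PIN or biometric) one is visible to the relying party in the flags byte of the authenticator data that every FIDO assertion carries. The following is an added example, not code from the original post or from any vendor, showing how a relying party parses that byte and enforces a UV-required policy; the RP ID, the sample authenticator data and the policy function are all constructed for the demonstration.

```python
"""Relying-party-side check of the WebAuthn/FIDO2 authenticator-data flags.

Added example (not from the forum post). The UP and UV bits sit in the flags
byte of the authenticator data returned with every assertion; an authenticator
reached over CTAP1/U2F can only ever set UP (touch), so a relying party that
requires UV, as the post says Entra ID does, will refuse that assertion.
"""
import hashlib
import struct

# Flag bits defined by the WebAuthn spec for the authenticator data "flags" byte.
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Parse the fixed 37-byte prefix of authenticator data.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    return {
        "rp_id_ok": rp_id_hash == expected_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def accepts_assertion(auth_data: bytes, rp_id: str, require_uv: bool) -> bool:
    """Constructed relying-party policy: the rpIdHash must match our RP ID,
    UP must be set, and UV must be set whenever the policy demands it."""
    parsed = parse_authenticator_data(auth_data, rp_id)
    if not (parsed["rp_id_ok"] and parsed["user_present"]):
        return False
    if require_uv and not parsed["user_verified"]:
        return False
    return True


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build sample authenticator data (constructed, not captured from a real key)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


RP_ID = "example.com"  # placeholder RP ID for the demonstration
# What a U2F/CTAP1 path can deliver: proof of presence only.
U2F_STYLE = build_auth_data(RP_ID, FLAG_UP, 7)
# What a CTAP2 assertion after a PIN or biometric check delivers: UP and UV.
CTAP2_STYLE = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 8)

if __name__ == "__main__":
    for name, data in (("U2F-style", U2F_STYLE), ("CTAP2-style", CTAP2_STYLE)):
        print(name, parse_authenticator_data(data, RP_ID),
              "accepted with UV required:", accepts_assertion(data, RP_ID, True))
```

Run as a script, the U2F-style assertion is accepted only when UV is not required, while the CTAP2-style one passes the UV-required policy; a mismatched RP ID is rejected in both cases, which is the property that makes the key phishing-resistant.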
- Rakib (Level 2.3: Gingerbread), 2 months ago
Hi Emilie_B,
Our goal is to make use of FIDO2 keys as the authentication method for shared Android devices, as it is considered a phishing-resistant MFA. With NFC support for CTAP2 on Android this could be achieved.
We do use it already for our shared Windows computers, and there is also support on the iOS devices.
- Emilie_B (Google Community Manager), 2 months ago
Thanks for your reply Rakib - it's always interesting to understand where you're coming from!
The NFC support for CTAP2 is something I can share with the team as this is an interesting comment - I think USB-C is something that is becoming default (in Europe at least).
Also, a phishing-resistant MFA sounds appealing; have you tested multiple MFAs before setting up on fido2 keys?
- Michel (Level 4.0: Ice Cream Sandwich), 2 months ago
Very interesting read, thanks for sharing. I've been wanting to investigate the options with Android and a fido2 key. I have a Yubico still sealed in a box 😅.
I like your use case regarding shared devices. Do I understand correctly that you use this as an alternative to the Microsoft Authenticator app, for example? Because that app is the main issue for shared Android devices. You always need a second, maybe even personal, phone.
- Rakib (Level 2.3: Gingerbread), 2 months ago
Yes, you are not allowed to bring a personal phone in a hospital, for example, but we want to require MFA login on dedicated phones too.
- Lizzie (Google Community Manager), 2 months ago
I hope you are doing well.
Thanks for taking the time to walk us through your current experience and questions around FIDO2 and authentication. This is a really interesting area and I'm glad you've kicked off a discussion around this.
I've dug into this a little bit to provide you with more context. We have generally focused on USB-C support for security keys due to its reliability, ease of use and being more 'future-proof'. As we look forward to a world where post-quantum cryptography becomes standard, NFC simply won't be able to transfer enough data via a "tap" because of increased packet sizes, resulting in users having to hold their security key for longer to authenticate the device. This issue is then compounded by inconsistencies in NFC placement across devices.
As it currently stands, we are due to make progress with NFC support next year. I can see this being an interesting topic for you and other community members here, so we will keep you posted as we progress in this area. In the meantime, do you have any specific questions that you are keen to know more on this relating to your use case? Or any additional context that would be useful here?
It would be fantastic to learn more from you and others here, so please do continue this discussion and I hope this is a useful starting point.
Thanks so much,
Lizzie
- Michel (Level 4.0: Ice Cream Sandwich), 2 months ago
Thanks for clarifying this a bit more, really interesting and helpful. I'm currently not using (and seeing) this in actual environments, so I'm just following this to learn from.
- Lizzie (Google Community Manager), 2 months ago
Yeah I agree, it's a really interesting area Michel. I spoke with a member of the Android team who works on this specific area to learn more to provide the additional context above.
As a side note, I'm hoping we can get more information back on this subject into the community next year and have more discussions on where we are headed - so watch this space. 😀