FP3 and NFC-enabled security keys (Yubikey, Nitrokey, Solokey, …)

,

Hello everyone,

I’m pondering buying a nfc-enabled Yubikey or similar for Second-Factor Authentication purposes (2FA). The manufacturers have very limited information on what devices are tested or reported to work with the keys and warnnof possible limitations.

(Thanks, I’m well aware that the keys are available with USB-C and that is not my question.)

Has anyone tried out such keys with a Fairphone 3/4? What were your experiences? Are any differences in functionality or compatibility to be expected when using #LineageOS 19 instead of FairphoneOS?

I’d love to hear from you.

Regards

I’ve just tested my two Nitrokeys 3A NFC (sadly the USB-C version hasn’t been delivered yet) with my FP4 running CalyxOS (Android 13 with microG, should be similar enough to LineageOS).

In theory, they work, they get recognized by a FIDO2 / Webauthn test app over both NFC and with a USB-A to C adapter, but actual usage with e.g. Firefox sadly isn’t possible. Apparently FIDO2 is implemented in the Google Play Services, there’s an open feature request on the microG bugtracker, which has been gaining some steam recently it seems.
We might be close to a solution :crossed_fingers:

I can try them with a FP4 running stock FPOS tomorrow, if you’d like more information :slightly_smiling_face:

3 Likes

Thanks a lot for your answer, @hirnsushi, that’s very helpful!
Will keep an eye on that github issue.
In addition, there seem to be some F-Droid Apps. Are they of any help on ungoogled devices?
Have a nice weekend!

Those apps are meant to be used with a Yubikey and TOTPs, I’ve tried it, but couldn’t get any of them to work.
The Nitrokey 3 only supports FIDO2 so far, which I’m mostly interested in, you would have to buy a Yubikey or similar device with OTP support if you need one of those apps to work.
In that case, the missing FIDO2 support in microG shouldn’t be an issue for you.

I just tried my YubiKey 5 (firmware 5.2.7, so fairly recent) with my Fairphone 4 (using NFC). YubiClip captures OTPs, Yubico Authenticator does… something. WebAuthn auth, at least from Firefox, at least for me, appears to consistently fail.

1 Like

Just for the record:

#microG just released v0.2.25.223616

New features

Fido

The newly added Fido API allows using U2F and Fido devices via USB or NFC with supported Browsers (Chromium and Firefox) and to sign into your Google Account in microG. Additionally, on supported hardware and when a PIN/password is configured, the secure key storage can be used as a virtual Fido device. Note that some devices are still not fully supported.

Due to lack of open-source client library, open-source variants of browsers (Bromite, Fennec, etc) currently do not support this API. This release also provides an open-source play-services-fido library, which open-source browsers can use instead of the proprietary Google version to add support for microG’s Fido API.

2 Likes