Nitrokey 3A NFC and webauthn.io on Android => Failed

I just received my Nitrokey 3A NFC and I am doing some tests.
On an Android smartphone, when I go to https://webauthn.io/ to test Webauthn/FIDO2 registration and authentication, it doesn’t work.

I have tested this on 3 different phones: OnePlus 5T, OnePlus 10TPro and Samsung Galaxy S10E.
On a PC, it works flawlessly with the same key.

How to reproduce:

  • Open Firefox
  • Go to https://webauthn.io/
  • Enter a username and click on “Register”
  • Choose NFC key or USB key (the issue will be the same)
  • Put your NFC key under your phone or plug the key into the phone
  • Wait for the registration process to finish

It will fail with the following error:
Registration failed: 1 validation error for RegistrationCredential response -> transports -> 1 value is not a valid enumeration member; permitted: 'usb', 'nfc', 'ble', 'internal', 'cable', 'hybrid' (type=type_error.enum; enum_values=[<AuthenticatorTransport.USB: 'usb'>, <AuthenticatorTransport.NFC: 'nfc'>, <AuthenticatorTransport.BLE: 'ble'>, <AuthenticatorTransport.INTERNAL: 'internal'>, <AuthenticatorTransport.CABLE: 'cable'>, <AuthenticatorTransport.HYBRID: 'hybrid'>])

Nitrokey 3A NFC status:

$ nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.40
UUID:               <edited>
Firmware version:   v1.5.0
Init status:        ok
Free blocks (int):  37
Free blocks (ext):  468
Variant:            LPC55

Any suggestions on how to fix this?

Thanks in advance for your help.

Are you using stock Android or Nitrophone with GOS?

I know what is going on with GOS. Development is needed. Maybe Nitrokey could help them develop what is needed for webauth.

I’m using stock Android on all phones (not GOS).

Hey @FredL,

yes, this is a known issue with Android. It’s quite sad that there is no complete FIDO2 support within Android as of today, please see our blog post about this issue: FIDO2, WebAuthn, Passkeys in 2022 and 2023 | Nitrokey (especially the “Browser und Smartphones” section mentions the missing parts within Android).

Overall, webauthn.io as of today uses FIDO2 resident keys by default; there it is named “discoverable credentials”.
If you set (inside “advanced options”) “discoverable credentials” to “discouraged” and “user verification” to “discouraged”, this will work. Technically, setting either of those two to “preferred” will need full CTAP2/FIDO2 support, which is not (yet) available for Android.

I think there is some movement happening there (find the bugtracker link in the blog post) - but I have not heard any success stories yet.

best

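To make the reply above concrete, here is an added example (not code from the thread, from webauthn.io or from Nitrokey) showing how the two “advanced options” map onto the `authenticatorSelection` member of `PublicKeyCredentialCreationOptions`, plus a relying-party-side check on the `transports` array that the server-side validator in the error message rejected. The `rp`, `user`, challenge and the sample transports array are constructed placeholders; the actual transport string Android returned is not given in the thread, so the sample only reproduces the shape of the failure (an entry outside the WebAuthn `AuthenticatorTransport` enum).

```javascript
// Added example: WebAuthn creation options for the "default" (fails on Android per the
// thread) and "discouraged/discouraged" (works) configurations, and a transports filter.
// Runs offline under Node; nothing here talks to an authenticator.

// AuthenticatorTransport values the thread's server accepted (copied from its error text).
const KNOWN_TRANSPORTS = new Set(['usb', 'nfc', 'ble', 'internal', 'cable', 'hybrid']);

// Build navigator.credentials.create() options. rp/user values are placeholders.
function buildCreationOptions({ residentKey, userVerification, challenge, userId }) {
  return {
    publicKey: {
      rp: { name: 'demo relying party', id: 'example.org' }, // assumed RP
      user: { id: userId, name: 'demo-user', displayName: 'Demo User' },
      challenge,
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },   // ES256
        { type: 'public-key', alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        residentKey,                                   // "discouraged" | "preferred" | "required"
        requireResidentKey: residentKey === 'required', // legacy boolean kept consistent
        userVerification,                              // "discouraged" | "preferred" | "required"
      },
      attestation: 'none',
      timeout: 60000,
    },
  };
}

// Per the reply: if either option is anything other than "discouraged", the client needs
// full CTAP2/FIDO2 support (discoverable credentials and/or user verification).
function needsCtap2(options) {
  const sel = options.publicKey.authenticatorSelection;
  return sel.residentKey !== 'discouraged' || sel.userVerification !== 'discouraged';
}

// Filter AuthenticatorAttestationResponse.getTransports() output before posting it to a
// server that validates strictly; unknown values are reported rather than silently dropped.
function sanitizeTransports(transports) {
  const accepted = [];
  const rejected = [];
  for (const t of transports) {
    (KNOWN_TRANSPORTS.has(t) ? accepted : rejected).push(t);
  }
  return { accepted, rejected };
}

// Constructed sample: index 1 holds a value outside the enum, matching the error's
// "transports -> 1" location. The real value from Android is not known from the thread.
const SAMPLE_TRANSPORTS = ['usb', 'not-a-known-transport'];

// The webauthn.io default-like configuration versus the one the reply recommends.
const DEFAULT_LIKE = buildCreationOptions({
  residentKey: 'preferred',
  userVerification: 'preferred',
  challenge: new Uint8Array(32),
  userId: new Uint8Array(16),
});
const WORKAROUND = buildCreationOptions({
  residentKey: 'discouraged',
  userVerification: 'discouraged',
  challenge: new Uint8Array(32),
  userId: new Uint8Array(16),
});

if (typeof require !== 'undefined' && require.main === module) {
  console.log('default-like needs CTAP2:', needsCtap2(DEFAULT_LIKE));
  console.log('workaround needs CTAP2:', needsCtap2(WORKAROUND));
  console.log('transports:', sanitizeTransports(SAMPLE_TRANSPORTS));
}
```

In a browser, `WORKAROUND` would be passed as `navigator.credentials.create(WORKAROUND)`; the filter is what a relying party would apply to `credential.response.getTransports()` before serializing the registration response, logging anything in `rejected` so a platform quirk like the one in this thread surfaces as a diagnostic instead of a hard validation failure.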