Nitrokey 3A NFC and webauthn.io on Android => Failed

I just received my Nitrokey 3A NFC and I am doing some tests.
On an Android smartphone, when I go to https://webauthn.io/ to test WebAuthn/FIDO2 registration and authentication, it doesn’t work.

I have tested this on 3 different phones: OnePlus 5T, OnePlus 10TPro and Samsung Galaxy S10E.
On a PC, it works flawlessly with the same key.

How to reproduce:

  • Open Firefox
  • Go to https://webauthn.io/
  • Enter a username and click on “Register”
  • Choose NFC key or USB Key (the issue will be the same)
  • Put your NFC key under your phone or plug the key into the phone
  • Wait for the registration process to finish

It will fail with the following error:
Registration failed: 1 validation error for RegistrationCredential response -> transports -> 1 value is not a valid enumeration member; permitted: 'usb', 'nfc', 'ble', 'internal', 'cable', 'hybrid' (type=type_error.enum; enum_values=[<AuthenticatorTransport.USB: 'usb'>, <AuthenticatorTransport.NFC: 'nfc'>, <AuthenticatorTransport.BLE: 'ble'>, <AuthenticatorTransport.INTERNAL: 'internal'>, <AuthenticatorTransport.CABLE: 'cable'>, <AuthenticatorTransport.HYBRID: 'hybrid'>])

Nitrokey 3A NFC status:

$ nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.40
UUID:               <edited>
Firmware version:   v1.5.0
Init status:        ok
Free blocks (int):  37
Free blocks (ext):  468
Variant:            LPC55

Any suggestion on how to fix this?

Thanks in advance for your help.

Are you using stock Android or Nitrophone with GOS?

I know what is going on with GOS. Development is needed. Maybe Nitrokey could help them develop what is needed for WebAuthn.

I’m using stock Android on all phones (not GOS).

Hey @FredL,

Yes, this is a known issue with Android. It’s quite sad that there is no complete FIDO2 support within Android as of today; please see our blog post about this issue: FIDO2, WebAuthn, Passkeys in 2022 and 2023 | Nitrokey (especially the “Browser und Smartphones” section mentions the missing parts within Android).

Overall, webauthn.io as of today uses FIDO2 resident keys by default; there they are named “discoverable credentials”.
If you set (inside “advanced options”) “discoverable credentials” to “discouraged” and “user verification” to “discouraged”, this will work. Technically, setting any of those two to “preferred” will need full CTAP2/FIDO2 support, which is not (yet) available for Android.

I think there is some movement happening there (find the bugtracker link in the blog post) - but I have not heard any success stories yet.

best

2 Likes

Now that Android supports PIN entry for FIDO2 (using the USB method), Nitrokey 3 should now work on webauthn.io with discoverable credentials as “preferred” and user verification “preferred”.

This update was brought in by Google a couple of months ago with a Play services update and should be available for all Android devices running the latest Google Play services.
If anybody who currently has a Nitrokey 3 could test this with Android, that would be great. Also remember you would need to authenticate the key by inserting it into the device and entering the PIN.

Hi @kevin

I tried on my phone with a Nitrokey 3A NFC

My phone is a OnePlus 5T running LineageOS 21 (Android 14).

It works with Brave :+1:

But it failed with Firefox 125.3 when trying to register:
Registration failed: 'bt' is not a valid AuthenticatorTransport

If I register with Brave then I can use Firefox to authenticate :+1:

Hope it helps :slight_smile:

1 Like

Thanks for testing. Yeah, it won’t work with Firefox yet as they have yet to implement the functionality. All Chromium-based browsers use some proprietary code for this feature, so only Chromium browsers would be supported for now.

1 Like
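Both "Registration failed" messages quoted in this thread come from the server refusing a `transports` value it does not recognise. The sketch below is an added example, not code from webauthn.io, Nitrokey or any library: it reproduces that strict enum check next to a tolerant parser that keeps the recognised hints and sets the rest aside. The function names and the sample response are constructed for illustration; the six enum values are the ones listed in the error message above.

```python
import json
from enum import Enum


class AuthenticatorTransport(str, Enum):
    # The six values the error message in this thread lists as permitted.
    USB = "usb"
    NFC = "nfc"
    BLE = "ble"
    INTERNAL = "internal"
    CABLE = "cable"
    HYBRID = "hybrid"


def parse_transports_strict(values):
    """Enum-only parsing: one unrecognised hint rejects the whole registration."""
    return [AuthenticatorTransport(v) for v in values]


def parse_transports_tolerant(values):
    """Keep recognised hints (deduplicated), collect unrecognised ones separately."""
    known, unknown = [], []
    for v in values:
        try:
            transport = AuthenticatorTransport(v)
        except ValueError:
            unknown.append(v)  # worth logging: shows which clients send what
            continue
        if transport not in known:
            known.append(transport)
    return known, unknown


# Constructed sample: the transports part of a registration response,
# including the 'bt' value from the Firefox report in this thread.
SAMPLE_RESPONSE = json.loads(
    '{"response": {"transports": ["nfc", "bt", "usb", "nfc"]}}'
)


def demo():
    hints = SAMPLE_RESPONSE["response"]["transports"]
    try:
        parse_transports_strict(hints)
        strict_error = None
    except ValueError as exc:
        strict_error = str(exc)
    known, unknown = parse_transports_tolerant(hints)
    return strict_error, [t.value for t in known], unknown


if __name__ == "__main__":
    print(demo())
```

The tolerant path touches only the transport hints stored with the credential; attestation and signature verification are outside this sketch and unchanged by it.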