Hello, I’m trying to get the Nitrokey 3A to work via NFC on Bitwarden for Android. I’d either get an error message within the browser window where I’m trying to use WebAuthn telling me to use it via USB, or an error within Bitwarden after a successful attempt saying “NotReadableError: An unknown error occurred while talking to the credential manager”. Is there any solution for this or is it not yet supported?
Reviving this post for a PSA since I have recently come across this exact problem (with Bitwarden and other apps) and this post without reply keeps popping up when searching for it.
TLDR: Initially register Nitrokeys on Android via NFC (through your mobile browser) if you plan to use them via NFC. Do not register them plugged in via USB.
There are different configurations of FIDO2 with the exact implementation used being up to the service offering it as an authentication option:
Credentials can be either discoverable (usually referred to as passkeys and used instead of username / password) or non-discoverable (usually used for 2FA), and the protocol can require either user verification (UV) by entering a PIN or simply user presence (UP) which is usually done by tapping / pressing a button on your security key.
Android, as far as I am aware, only supports non-discoverable credentials with UP via NFC*. The reason is quite simply that the functionality to enter a PIN when using a hardware security key via NFC is not there, so any FIDO2 authentication with UV either does not work at all or works only via USB (Android >= 14).
The only working implementation of Nitrokey + FIDO2 + PIN + NFC I am aware of is iOS >= 14 where you tap the key, enter the PIN, then tap the key again.
The “problem” with Bitwarden and other services is that when you first register the key, they will default to using UV instead of UP if possible since this is regarded as the preferred option. Registering your key with Bitwarden in a setup where PIN entry is supported will configure the authentication that way which then makes the key unusable via NFC on Android.
As a workaround you can initially register the key via NFC on your smartphone which will default to UP if UV is not possible.
It might be possible to do this also by deliberately not setting a FIDO2 PIN on your Nitrokey to force it to always default to UP but I have not tested this and it would prevent discoverable credentials being used with it.
* I guess discoverable credentials with UP would theoretically work but I am not sure the FIDO2 standard allows these as they would reduce authentication to one factor (you would only need the key for access) and I have not seen any service implementing it.
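
The UP / UV distinction discussed in the reply above is recorded in the flags byte of the WebAuthn authenticator data that the key returns at registration and at each login. The following is an added example, not code from this thread or from Bitwarden or Nitrokey: it parses that structure and applies a relying party's `userVerification` setting to it. The helper names and the sample bytes are constructed for illustration.

```javascript
// Authenticator data layout (WebAuthn spec):
// 32-byte rpIdHash | 1-byte flags | 4-byte big-endian signCount | optional data
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const flagsByte = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flagsByte & FLAGS.UP) !== 0,   // key was tapped / touched
    userVerified: (flagsByte & FLAGS.UV) !== 0,  // PIN (or biometric) was checked
    attestedCredentialData: (flagsByte & FLAGS.AT) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server-side check against the relying party's own userVerification setting
// ("required" | "preferred" | "discouraged"). Only "required" insists on UV;
// the other two accept a response that carries user presence alone.
function meetsPolicy(parsed, userVerification) {
  if (!parsed.userPresent) return false;
  if (userVerification === "required") return parsed.userVerified;
  return true;
}

// Constructed sample: dummy rpIdHash, chosen flags and counter (hypothetical helper).
function sampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out.fill(0xab, 0, 32);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}

const tapOnly = parseAuthenticatorData(sampleAuthData(FLAGS.UP, 7));
const withPin = parseAuthenticatorData(sampleAuthData(FLAGS.UP | FLAGS.UV, 8));

for (const [name, parsed] of [["tap only", tapOnly], ["tap + PIN", withPin]]) {
  console.log(name, "UV:", parsed.userVerified,
    "passes required:", meetsPolicy(parsed, "required"),
    "passes preferred:", meetsPolicy(parsed, "preferred"));
}
```
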