2 comments

[ 1.6 ms ] story [ 16.2 ms ] thread
I had previously successfully used my Solokey (a Yubikey-like product) on my Samsung S21 mobile phone. I was able to use it to log into Google, Fastmail, Facebook, et al.

At some point in the recent past I lost my ability to use my Solokey. I parked this issue for a couple of weeks/months thinking it was more likely to be user-error and making a mental note to myself to investigate it later...

So then this issue came up again today. I was trying to add a Google Account to my Android device and it kept hanging at the screen where it tries to verify my security key. I decided to do some debugging. I verified the security key works fine on my Lenovo laptop running Linux. I can e.g. sign into my AWS account via Firefox using my Solokey as 2FA with no issues.

I did some digging and found the linked Google support post by a Yubikey user having similar issues with their security key on an S21. I know that Solokeys are not a well known product so it was interesting to see the same issues has occurred with Yubikeys as well. Like the poster in that link, I was only able to add a Google account to my phone after waiting several minutes for the security key request to time out and then using an alternative 2FA method.

What I find interesting however is that security key requests in either Chrome/Android or Firefox/Android on my S21 actually pops up a Passkeys dialog box.

The Passkeys screen appears in either Chrome or Firefox when I try to sign into services that require 2FA (e.g. Fastmail). Within that Passkeys screen there is no option for using an external USB security key. Not even clicking the 'Use a different device' works -- that button just takes me to a QR code screen for using another Passkey device to sign in. Plugging in the USB security key before or during the sign in process has no effect whatsoever.

Previously I was able to use my security key to sign in without any of this Passkey nonsense. It used to work more or less the same way it works on Firefox on Linux. Essentially it would ask you to plug in the key and press the button. Doing so would then log you in straight away. It seems Firefox hands over security keys requests to Android as the dialog it shows is exactly the same as in Chrome.

Timing wise I think I lost the ability to use an external security key around the time I upgraded to Android 13 (if not earlier).

Has Google used Android 13 to silently kill support for external security keys (like Yubikey, Solokey, etc)? I also wonder if it is part of their agenda to push Passkey? Or is this a genuine user error or some sort of bug? I have no idea as there is limited documentation on this.

Hoping there's someone out there in the Hacker News community with any useful info!

Can confirm Google broke hardware tokens on Android last week. Very likely when shipping their new passkey product. I cannot login on Facebook Twitter and AWS anymore.

Classic Google. Shipping shiny new toys is great, but you should care more about maintenance.