Yubico Forum


All times are UTC + 1 hour




Posted: Sun Dec 03, 2017 7:26 am
I'm using a Nexus 5X, and I have set up my Google account (via my laptop) to use a YubiKey 4C for 2FA; plug it into the laptop, it works great. I'd like to be able to plug it into my Nexus 5X as well, but it is not yet supported. I have been following the progress of the Yubico Authenticator app for Android, and it seems to be coming along nicely. However, I'm curious about the Chrome 2FA interface. Here's what I see happening as of Dec 2 2017:

This screen appears after entering my Google password for my account that has already been configured to use the YubiKey 4C:
Image

At this point, I plug the 4C into the phone, and Google Play Services asks for permission to access the USB device; seems good:
Image

I tap 'OK', but nothing happens. Touching the leads on the YubiKey highlights and subsequently jumps to the Bluetooth screen (like 'Tab' -> 'Enter' would). If I remove the YubiKey or tap the back arrow, I get this error message and am asked to try again:
Image

Now the key request screen has changed slightly, but the procedure loops from here; asked for permission, 'OK', nothing:
Image

It appears that the phone has support for USB keys as well as Bluetooth and NFC, but it's failing to recognize the YubiKey 4C as anything other than an external keyboard (and various Yubico support documents have stated I should expect this behavior).

Will it be possible for Yubico to take steps to enable the 4C through this Android interface?
Is there something Google can do to support the 4C on Android Chrome the same way they do in desktop Chrome?


Posted: Mon Dec 04, 2017 2:25 am
Some additional notes:

1) There is an option in chrome://flags to enable WebUSB, but turning this on does not affect the flow I described above. I cannot find any flags related to security keys.

2) Google Authenticator v5.0, released Sept 27, supposedly added "experimental Security Key (FIDO U2F) support to Chrome", but I cannot find any information within the app about using a key, and plugging in the YubiKey 4C with the app open does nothing (aside from the external keyboard thingy). Also, I'm not sure why the note says Chrome but the app is Authenticator?

3) The only info about the Chrome app and U2F I can find is in this article, which talks about the new Advanced Protection Program. This requires TWO security keys, one USB for desktops/laptops and one Bluetooth/NFC for mobile devices. I do not understand why two keys would be required if it was possible to use one key with all devices. Does anyone know of a security reason? Or any technical details about why mobile devices will not support plugging in a USB key? If the response is, "it will never be possible", then I suppose I will get a wireless key for my mobile device, but if it's going to be supported in the near future then I'm comfortable waiting for development.


Posted: Mon Dec 04, 2017 2:54 am
I'm digging through everything I can find at this point...

The Android API, com.google.android.gms.fido, defines a Transport enum with 'USB' as one of the four options (also 'NFC' and Bluetooth classic / low energy). It's used to get a KeyHandle.

Any devs know if this is functional?
At this point I feel like the issue is on Google's end, and they need to fully implement Chrome's use of the API. Is Yubico in contact with Google devs?


Posted: Sun Dec 10, 2017 3:12 am
I was wondering this same thing. I have a Pixel 2 XL and thought (admittedly I didn't do enough research! :shock:) that since Google is part of the FIDO Alliance their newer phones would support U2F over USB C. Guess I'll just need to return my YubiKey 4C and get a NEO instead. :roll:

drparent wrote:
This requires TWO security keys, one USB for desktops/laptops and one Bluetooth/NFC for mobile devices. I do not understand why two keys would be required if it was possible to use one key with all devices. Does anyone know of a security reason? Or any technical details about why mobile devices will not support plugging in a USB key?

Google only allows access to Advanced Protection Program protected accounts via a Security Key and password; all other methods are blocked in order to make the account login as secure as currently possible. If you lose one security key you can still access your account with the other; if you lose both it's a 3-5 day wait for Google to disable your 2FA (and I assume some sort of verification process to ensure it's you accessing your account).

