Yubico
Add Chromebook support
I have a Chromebook Plus with Android app support. The authenticator app (version 1.2.1) installs and launches on the device, but does not respond to taps on the yubikey neo button.
The yubikey is connected via usb-a to usb-c, and I've validated that Android apps can see the "ccccc..." input when tapping the button. The Chromebook itself does not have NFC at all, so will need to use the recently added usb support instead, and it only has usb-c ports.
Any tips / patches to get this working would be much appreciated!
I don't have any experience in running Android apps on ChromeOS, but some quick Googling led me to this: https://developer.android.com/topic/arc/manifest.html
It looks like a lot of features are unavailable when running on ChromeOS. Specifically the android.hardware.usb.host hardware feature is listed as unsupported, which is required for this app. Closing the issue for now. Feel free to re-open if USB support for Android apps on ChromeOS changes!
What are your thoughts on the feasibility of a web app version, using WebUSB? Which the latest ChromeOS supports.
I don't have any experience with the WebUSB APIs either, but it might be feasible. Clearly it would require a lot of effort to do.
Might it be easier to use the Chrome USB API than WebUSB? https://developer.chrome.com/apps/app_usb
It looks like Chrome OS has added USB Host support, but via a flag: https://chromium-review.googlesource.com/c/chromium/src/+/854990
I have confirmed this is in the Chrome OS Stable channel (71) currently and can be enabled.
It looks like Chrome OS has added USB Host support, but via a flag: https://chromium-review.googlesource.com/c/chromium/src/+/854990
I have confirmed this is in the Chrome OS Stable channel (71) currently and can be enabled.
Have you checked if this works for the Yubico Authenticator app?
It looks like Chrome OS has added USB Host support, but via a flag: https://chromium-review.googlesource.com/c/chromium/src/+/854990 I have confirmed this is in the Chrome OS Stable channel (71) currently and can be enabled.
Have you checked if this works for the Yubico Authenticator app?
Unfortunately, I cannot test this. I do not have my Pixelbook in Developer Mode to sideload APKs and the Yubico Authenticator app is marked as "Not compatible" in the Play Store for the Pixelbook so I cannot install it from there.
That's an interesting update. What are the steps to enable this flag?
I checked the store listing, and the reason the app won't install on a Pixelbook at the moment is due to the android.hardware.camera requirement, which also doesn't seem to be supported on ChromeOS. Technically the app could function without it, by using manual credential entry, so we might be able to mark that dependency as optional. I currently don't have a Pixelbook (or other ChromeOS device) to test with myself, unfortunately.
That's an interesting update. What are the steps to enable this flag?
I checked the store listing, and the reason the app won't install on a Pixelbook at the moment is due to the android.hardware.camera requirement, which also doesn't seem to be supported on ChromeOS. Technically the app could function without it, by using manual credential entry, so we might be able to mark that dependency as optional. I currently don't have a Pixelbook (or other ChromeOS device) to test with myself, unfortunately.
You could also let devices without the camera be read-only. I'd definitely make that optional.
If you were to release a beta version to the Play store with that marked as optional it could be tested without having to enable dev mode. I have a Pixelbook that I'd be happy to test on (currently beta channel) though I'd prefer not needing to enable dev mode because of the annoyances that comes with.
~~Oh...dev mode may not be needed though because of the Android Studio integration they rolled out?~~
Nevermind, you still need dev mode to test apps that way.
I've published a beta that doesn't require the camera, and the play store listing indicates that it should be compatible with the Pixelbook. Unfortunately I have no way myself of testing this at the moment.
That's an interesting update. What are the steps to enable this flag?
I checked the store listing, and the reason the app won't install on a Pixelbook at the moment is due to the android.hardware.camera requirement, which also doesn't seem to be supported on ChromeOS. Technically the app could function without it, by using manual credential entry, so we might be able to mark that dependency as optional. I currently don't have a Pixelbook (or other ChromeOS device) to test with myself, unfortunately.
- Open Chrome and go to chrome://flags/#arc-usb-host
- Click the dropdown and select "Enabled."
- Restart Chrome OS
I also have a Pixelbook that I am happy to test on. I am on the Stable channel. Unfortunately, I do not see the beta on the Play Store. Can you please provide a link?
I'm not sure of how it works on ChromeOS, but for Android in the Play store listing there's a button to opt in to the beta channel for each specific app (if the app offers it). You scroll down a bit and there's a "Become a beta tester" section.
I'm not sure of how it works on ChromeOS, but for Android in the Play store listing there's a button to opt in to the beta channel for each specific app (if the app offers it). You scroll down a bit and there's a "Become a beta tester" section.
Thanks, Dain. I Have added myself to the beta program and installed it. Unfortunately, the Authenticator still shows "Tap or insert your YubiKey" when I start the app. Could some other permission be required that Chrome OS lacks? I did see a notice of "This device does not support NFC" when I opened it.
My YubiKey is plugged in and works if I tap it / use it for U2F but still does not show codes in the app.
Well, at least the app starts, I guess that's something. To dig into this further I think it will be required to run in developer mode and run the app with debug output. I'll see about getting a hold of a Pixelbook to do some in-house experimentation with. Thanks for trying it out!
@dainnilsson You should be able to use any Chromebook with Android App support if you have something other than a Pixelbook around.
USB support is here. @dainnilsson can we consider re-opening this issue?
https://www.aboutchromebooks.com/news/chrome-os-72-dev-channel-usb-sd-card-support-project-crostini-chromebooks-android-9-pie/
It's appears to still be in dev but at least we could try and see if it works now.
@scarolan ~Unfortunately that only brings support for USB mass storage by mounting the volume in the container. here is the issue for tracking full USB support in Linux containers, which would likely also bring the feature to Android apps.~
Actually as mentioned above, USB support should have been added for Android apps a while ago.
I tried running this on a Pixelbook a while back (with chrome://flags/#arc-usb-host enabled). The app runs fine, but there is absolutely no reaction when a YubiKey is plugged in. Nothing in the ADB logs or anything. If anyone has anything more insightful, or suggestions on what to try to get it to do, well anything, please let me know.
@dainnilsson Yeah now that I look I think that's a legacy flag since Android apps on ChromeOS no longer use ARC. I think we'll still need to wait for full USB support, or work on a Chrome app.
How simple is the USB interface with the Yubikey? It may be worth hacking around with the ChromeOS USB API
Hello all, has anyone had a chance to test the Yubico Authenticator with Chromebook?
Erm WEBUSB support plz. Crostini and android don't work for some enterprise scenarios.
It sounds like WebUSB may be a no-go due to security concerns of sites directly accessing the hardware and bypassing the U2F/HID interface to snoop things. https://github.com/Yubico/yubioath-desktop/issues/333#issuecomment-547003991
I find it extremely annoying that despite the fact that Android apps running on Chromebook are capable of accessing the USB and have been since 2018 - which I have personally used - the developers of Yubico don't know this and just close issues relating to use on a Chromebook without even looking at it.
#arc-usb-host
You shouldn't advertise Android support if you are going to choose not to support an entire class of Android devices. and if you find the limitations of Android difficult to get around on Chromebook you should implement native support.
Your competition - Google's Titan Security Key - is fully supported on Chromebooks now. So why can't you support it?
This issue is closed as we (both Yubico developers and others in this thread), have not been able to make use of any relevant USB or NFC support on Chrome OS, despite claims that this "should work". As can be seen in this thread, we have explored the available APIs, and we have yet to see any evidence that they do actually work for the purpose we need them to. This is very different from accessing a USB thumbdrive for storage.
Please don't see the fact that this issue is closed to mean that this will never work, or that we will never implement it. See it more as this isn't something we know how to make work, as of now. If anything new comes to light that unblocks this we'll be happy to re-open.
Regarding the Titan Security key, this is a FIDO-only device. YubiKeys also work just as well on ChromeOS for the FIDO protocols. Yubico Authenticator uses an entirely different protocol and USB interface.
@dainnilsson might it make sense to have an ongoing issue left open for researching options for Chromebook support, so there can be a single place for these discussions to move forward rather than more issues opening all the time?
@dainnilsson might it make sense to have an ongoing issue left open for researching options for Chromebook support, so there can be a single place for these discussions to move forward rather than more issues opening all the time?
Not a bad idea. We haven't been very diligent about using labels for issues, but having one for issues that are blocked seems to make sense to me, and keep them open for discoverability. I'll make the change!
I find it extremely annoying that despite the fact that Android apps running on Chromebook are capable of accessing the USB and have been since 2018 - which I have personally used - the developers of Yubico don't know this and just close issues relating to use on a Chromebook without even looking at it.
#arc-usb-hostYou shouldn't advertise Android support if you are going to choose not to support an entire class of Android devices. and if you find the limitations of Android difficult to get around on Chromebook you should implement native support.
Your competition - Google's Titan Security Key - is fully supported on Chromebooks now. So why can't you support it?
Yes. This is lame, and requests addressed to support only produce lame replies.
I have a Chromebook Plus with Android app support. The authenticator app (version 1.2.1) installs and launches on the device, but does not respond to taps on the yubikey neo button.
The yubikey is connected via usb-a to usb-c, and I've validated that Android apps can see the "ccccc..." input when tapping the button. The Chromebook itself does not have NFC at all, so will need to use the recently added usb support instead, and it only has usb-c ports.
Any tips / patches to get this working would be much appreciated!
The titan security key is only a U2F key. U2F functionality isn't the problem. The problem is interacting more directly with the USB device to interact with the custom TOTP api Yubico implemented.