ungoogled-software / ungoogled-chromium

Google Chromium, sans integration with Google
BSD 3-Clause "New" or "Revised" License

macOS 10.15.1 - YubiKey U2F not working on Google login #874

Closed khoslaventures closed 3 years ago

khoslaventures commented 4 years ago

Describe the bug

There are no FIDO U2F popups that show up for Google when going through two-factor auth. However, other services like GitHub work fine when logging in with a security key as two-factor. I also tried installing gnubbyd but it seems to have no effect here.

To Reproduce

Steps to reproduce the behavior:

  1. Log in to your Google account that has a security key for two-factor authentication
  2. After entering username and password, you will end up here: [image]

Message: There was a problem Try using your security key again or try another way to verify it's you

Expected behavior

There should be a pop-up that lets me use the U2F key. Odd, because if you go to the Yubico technical demo it works. Maybe things got so ungoogled that this broke.

Environment (please complete the following information):

I hope this is fixable. I think it's a real shame if this was all because of Google.

Eloston commented 4 years ago

From https://chromium.googlesource.com/chromium/src/+/master/device/fido/:

Websites interact with them via two APIs: the older U2F API and the modern W3C Webauthn API. In Chromium, the U2F API is not directly supported but it can be used by using postMessage with an internal extension called cryptotoken. Webauthn is supported by Blink and is part of CredMan.

I'm going to guess that Google may still be using the old U2F API. If so, it requires the internal cryptotoken extension (lives in chrome/browser/resources/cryptotoken) which is currently patched (patches/core/iridium-browser/all-add-trk-prefixes-to-possibly-evil-connections.patch) and domain-substituted. As a result, cryptotoken should be trying to make requests that are being blocked by ungoogled-chromium; we can confirm that by checking the console output of the browser when you try to authenticate.

I believe the Yubico tech demo is using Webauthn (you can test using this demo page: https://webauthn.io/), which doesn't use cryptotoken.

EDIT: In the event that cryptotoken is being used, it won't be as simple as re-enabling its URLs because it makes requests to Google. One option may be to modify the browser code or extension so it can be added like a regular extension (but this may not be a trivial task). Another option is to wait for Google to migrate to Webauthn, but I don't know what the timeline is for this.
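The two API paths described in the comment above, as an added JavaScript example that is not part of the thread and is not Chromium or ungoogled-chromium code: it reports which security-key API a page can reach, and builds a WebAuthn assertion request that still accepts keys registered through the old U2F API by using the WebAuthn `appid` extension. The function names, the `example.com` values and the key handles are constructed for illustration.

```javascript
// Decode base64url (the encoding U2F used for key handles) into bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Report which security-key API is reachable in a given global scope.
// Per the Chromium docs quoted above, U2F calls go through cryptotoken, so
// with that component blocked only the WebAuthn branch can complete.
function pickSecondFactorApi(scope) {
  const creds = scope.navigator && scope.navigator.credentials;
  if (typeof scope.PublicKeyCredential === "function" && creds && typeof creds.get === "function") {
    return "webauthn";
  }
  if (scope.u2f && typeof scope.u2f.sign === "function") {
    return "u2f"; // FIDO U2F JS API object, where a page script or browser provides it
  }
  return "none";
}

// Build navigator.credentials.get() options for keys registered via U2F.
// The "appid" extension asks the client to also try the legacy U2F AppID,
// so existing key handles keep working after a site moves to WebAuthn.
function buildLegacyAssertionOptions({ challengeB64url, keyHandlesB64url, rpId, legacyAppId }) {
  if (!legacyAppId.startsWith("https://")) {
    throw new Error("U2F AppIDs are https URLs");
  }
  return {
    publicKey: {
      challenge: b64urlToBytes(challengeB64url),
      rpId,
      timeout: 60000,
      userVerification: "discouraged", // U2F keys only prove user presence
      allowCredentials: keyHandlesB64url.map((kh) => ({ type: "public-key", id: b64urlToBytes(kh) })),
      extensions: { appid: legacyAppId },
    },
  };
}

// Constructed sample values (not real credentials).
const sample = {
  challengeB64url: "AAECAwQFBgcICQoLDA0ODw",
  keyHandlesB64url: ["3q2-7w", "yv66vg"],
  rpId: "example.com",
  legacyAppId: "https://example.com/app-id.json",
};
const sampleOptions = buildLegacyAssertionOptions(sample);
```

In a browser, `pickSecondFactorApi(window)` selects the branch and `navigator.credentials.get(sampleOptions)` performs the assertion; the server supplies the challenge and the stored key handles.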

networkException commented 3 years ago

Chromium developers are looking into deprecating the outdated API and, as such, probably migrating Google Login to use WebAuthn: https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A?pli=1

PF4Public commented 3 years ago

Closing due to API deprecation.

Apteryks commented 1 year ago

We're in 2023, and I still can't use Yubico security keys to log in to my Google accounts with ungoogled-chromium. It works with GNU IceCat. Am I alone with this problem?