Google Play Services adds support for NFC-enabled FIDO2 security keys: How Yubico makes Android passkey authentication seamless

The continued global efforts behind passkey adoption represent one of the most exciting shifts in digital identity. Google recently took a big step forward by introducing an update to Google Play Services that allows account authentication through NFC security keys that support CTAP2 – including on all Android versions starting with Android 9. Google’s efforts provide much wider access to hardware-backed passkey usage, but as any security leader or user knows, broad support is only half the battle: the actual role passkeys play in safeguarding our digital identities depends heavily on user experience.

Historically, user feedback has echoed reality: without proper implementation guidelines and software optimization, users are easily frustrated when confronted with the process of changing security settings. While Google has offered general NFC support on Android for years, passkey operations (enrollment and authentication) over NFC were unsupported, and we are delighted by the recent announcement and the forward movement in the ecosystem.

That is why we are excited to introduce the general availability of YubiKey Passkey Enabler, which expands overall capabilities and provides a seamless Android passkey authentication experience for users. Let’s dive into the details and new features this provides.

Creating a seamless user experience for Android

Built on top of the Android Credential Manager Provider API and our robust YubiKit SDK, the YubiKey Passkey Enabler provides a dedicated Android Credential Provider. Instead of a rigid, confusing login sequence, this service app bridges the gap between hardware-backed security and mainstream usability – creating a highly polished, intuitive user experience.

For enterprise customers, the app can be centrally deployed and configured via Mobile Device Management (MDM) software – allowing organizations to instantly roll out a frictionless, high-assurance authentication workflow across their entire Android fleet. 

Here’s a look at the great features and benefits the app delivers on Android devices:

  • Passkey configuration: The app guides the user to the appropriate Android settings to enable passkey providers and to update the preferred service to YubiKeys.
  • Always ask for PIN: When this option is enabled, the user is only required to tap the YubiKey once, instead of twice (once before and once after the PIN). This provides a nicer user experience.
  • Temporary PIN Support: When a user assumes ownership of a new YubiKey, they are sometimes required to change the PIN on the YubiKey when used for the first time. The app enables this to occur over USB or NFC.
  • PIN complexity: The app reads the PIN complexity configuration from the YubiKey firmware and provides guidance to the user.
  • Antenna hints: Each Android phone manufacturer places the NFC antenna in a different spot, so the antenna hint shows the user exactly where to place the YubiKey.
  • MDM / managed configuration: The Passkey Enabler app allows corporate IT administrators to deploy the correct configuration settings so that the end user can simply use YubiKeys.

A deeper look behind the scenes

For the developers and security architects interested in the details of how this works behind the scenes, the YubiKey Passkey Enabler is built directly on YubiKit’s enterprise-grade FIDO stack, supporting the full suite of modern passkey ceremonies.

The provider fully supports passkey registration (create) and authentication (get) ceremonies over both USB and NFC interfaces. It enforces FIDO2 / CTAP2 standards, prioritizing discoverable credentials and robust user verification. It features broad compatibility out of the box for hardware-backed passkeys, supporting all current YubiKeys – including YubiKey 5 Series, Security Key Series, YubiKey 5 CCN Series, YubiKey 5 FIPS Series and the YubiKey Bio Series.

Passkeys are designed to resist phishing and adversary-in-the-middle (AiTM) attacks – each credential is cryptographically bound to the website’s origin, so it can’t be used on a look-alike or proxy site. The app enforces that binding by verifying who is asking before any signing takes place:

  • Browser callers: The app accepts requests only from trusted browsers (verified by package name and signing certificate) and confirms the website’s origin matches the relying party’s ID — the same domain, a subdomain, or, when the relying party has explicitly published related origins via Related Origin Requests (ROR), one of those declared sites.
  • Native Android apps: Through Digital Asset Links (DAL), the provider confirms the calling app’s package name and signing certificate are among those the relying party has authorized in its assetlinks.json.

If verification fails, the request is rejected before any cryptographic operation runs.
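
The two caller checks described above, sketched as an added example; this is not Yubico's code and not part of the original post. It assumes constructed domains, package names and fingerprints, a simplified ROR match (exact origin against a list already fetched from the relying party), and the `delegate_permission/common.get_login_creds` relation that Android Credential Manager reads from assetlinks.json; the trusted-browser allowlist and public-suffix checks are left out.

```python
import json
from urllib.parse import urlsplit

# Relation that Android Credential Manager looks for in assetlinks.json.
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"

def origin_allowed(origin, rp_id, related_origins=()):
    """True if a browser-reported origin may use credentials scoped to rp_id."""
    try:
        url = urlsplit(origin)
        host = (url.hostname or "").lower().rstrip(".")
    except ValueError:
        return False  # malformed origin: fail closed
    if url.scheme != "https" or not host:
        return False
    rp_id = rp_id.lower()
    # Same domain, or a subdomain on a label boundary, so that
    # "evil-example.com" does not pass for "example.com".
    if host == rp_id or host.endswith("." + rp_id):
        return True
    # ROR (simplified): exact match against origins the RP has published.
    return origin.rstrip("/") in {o.rstrip("/") for o in related_origins}

def _norm_fp(fp):
    """Compare fingerprints without regard to colons or letter case."""
    return fp.replace(":", "").upper()

def app_allowed(assetlinks_json, package, cert_sha256):
    """True if assetlinks.json authorizes this package and signing cert."""
    for stmt in json.loads(assetlinks_json):
        target = stmt.get("target", {})
        if (GET_LOGIN_CREDS in stmt.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package
                and _norm_fp(cert_sha256) in
                    {_norm_fp(f) for f in target.get("sha256_cert_fingerprints", [])}):
            return True
    return False  # no matching statement: reject before any signing

# Constructed sample data (not real packages, domains or certificates).
FP_GOOD = ":".join(["AB"] * 32)
FP_OTHER = ":".join(["CD"] * 32)
ASSETLINKS = json.dumps([{
    "relation": [GET_LOGIN_CREDS],
    "target": {"namespace": "android_app", "package_name": "com.example.bank",
               "sha256_cert_fingerprints": [FP_GOOD]},
}])
RELATED = ["https://example.co.uk"]
```

Both functions return `False` on anything they cannot positively match, which mirrors the reject-before-signing behaviour the post describes.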

Empowering users for a passkey future

As cyber threats grow more sophisticated, security leaders require more seamless experiences to implement passkeys across their organizations. The YubiKey Passkey Enabler empowers organizations to adopt passkeys at scale by turning what used to be a complex, fragmented mobile rollout into a scalable reality. Large organizations can roll out the YubiKey Passkey Enabler app silently to all their users, which creates a seamless experience for users while raising the security bar toward phishing resistance with hardware-backed passkeys.

Download the YubiKey Passkey Enabler today at the Google Play Store and check out the User Guide for information on how to get started with the app. For assistance with securing your mobile workforce with the gold standard of hardware-backed trust, reach out to our team.
