Hello everyone
The Problem: I encountered an issue where the standard FIDO2 Applet (v2.0.5) worked perfectly over NFC on an iPhone 14 Pro Max and external USB readers (e.g., Identiv), but failed completely on Android devices and internal laptop readers. The connection would drop immediately (“Tag Lost”) or time out.
Question: Has anyone else experienced this behavior? I suspect it might be related to power or timing on weaker NFC antennas, but I am not sure how to fix it. Is there a specific configuration or code modification required to make the applet stable on Android and internal readers?
Actually, the chip worked perfectly out of the box. The connectivity issues only appeared after I wiped and re-installed the applet myself. This leads me to believe it might be software-related. Are you using a modified .cap file or specific installation parameters (like buffer size)? Could you share which exact version you are shipping?
The applet installs fine and works perfectly via NFC on an iPhone 14 Pro Max and on dedicated USB readers (e.g., Identiv uTrust 4701 F).
However, it fails completely on Android devices via NFC and on internal laptop smartcard readers (contact-based). On these devices, the connection drops immediately (“Tag Lost”) or times out during the handshake.
Question:
I suspect this might be related to the default buffer size (1024 bytes) being too aggressive for the weaker NFC field/timing of Android phones and internal readers.
When I test the FIDO2 applet on P71 devices, I typically don’t create or install attestation certificates. I use a similar gp command to just load the cap file. I don’t think the FIDO2 spec says much about when/whether a relying party must request and validate an attestation chain before enrollment. All of the test sites I’ve used (webauth.io, Yubico demo website) have never cared. Even AWS doesn’t seem to care as I was able to enroll a P71 test card as a 2FA (non-discoverable).
My main phone is an S24 Ultra and I haven’t had many issues reading my Apex, but I also have the “mega” form-factor that gets better range. Repeater stickers definitely help. I have mine placed on the outside of my case, just to the right of the camera cutout.
I’d recommend getting a P71 test card if you don’t have one yet. DT sells one that has good range. I’ve also had good luck with a few different brands from Alibaba. The one from DT comes with the FIDO2 applet pre-loaded (same pre-loaded applets as the FlexSecure I believe). See if you can replicate the issue with your phone. If you can’t, then that points strongly to a coupling issue.
I have had the pleasure of dealing with this exact issue more than a few times. Folks have been unable to enroll in some services without it. Which ones? Couldn’t tell you off the top of my head.
Could you please give me a brief overview of the necessary steps? First, create a certificate with your linked tool, then load it into gp with the ID as a parameter and use the original cap file? That didn’t work just now.