by cbhl 2657 days ago
In my opinion, the root cause of this is that Linux made a conscious decision to not maintain binary ABI compatibility with device drivers.

Android is open source, and Linux-based. The licenses allow phone manufacturers to fork Android and integrate it with devices that only have closed-source binary blob drivers, without involving Google. The end result is a bunch of phones whose kernels (and thus OSes) are impossible to update. (I am told that Microsoft found this sufficiently frustrating and that it decided it would write its own drivers for the vast majority of hardware.)

Linux has a Very Good Reason to discourage binary driver compatibility -- it would rather see those drivers be open-sourced under GPL and moved in-tree. But the end result has seriously hurt the security of more than two-thirds of Android users -- users who otherwise should be inclined to choose open-source because they are paranoid about security.

I think the right answer is to require folks to have Android Q+ to continue to use security keys with an Android account, but I imagine that's not a viable choice because the optics would be that Google is doing a "money grab" in exchange for security.

2 comments

Are you seriously saying that the reason Google hasn't implemented a _web_ standard is because Linux doesn't provide good enough support for binary device drivers?

That's just ridiculous.

Apparently, the two are related. From the post,

"We’ve recently learned that Google Accounts has slipped their schedule for using Web Authentication to register new credentials. This delay is attributed to security key support on Android being, for most devices, non-upgradable."

Huh?

Linux has had perfectly fine U2F 1 support for ages. All you need on a normal desktop box is u2f-hidraw-policy [0] and, optionally, the u2f CLI tools.

[0] https://github.com/amluto/u2f-hidraw-policy