Hi,
I’m working with a Bluetooth Low Energy (BLE)-based security key built using an STM32 module, which supports FIDO2 CTAP 2.1. On Windows 11, I’ve been managing credentials—like setting a PIN, enrolling a fingerprint, or resetting the key—through:
Settings → Accounts → Sign-in options → Security key → Manage.
However, recently, this functionality has stopped working. When I click any button within the Windows Hello setup (e.g., to set PIN or fingerprint), the UI crashes immediately.
Due to this and some other limitations, I’m planning to move away from Windows. Unfortunately, Linux and macOS are not viable options for my use case, although I am interested in seeing whether any app exists on those platforms as well. So, I’m left with Android as the only platform I can use for managing the security key.
Here's the challenge:
I haven’t been able to find any Android app (open-source or commercial)—on the Play Store or elsewhere—that allows FIDO credential management (e.g., set/reset PIN, fingerprint enrollment, etc.) for external BLE-based security keys.
My current understanding is that Android may block communication with certain FIDO-related BLE UUIDs, likely for security or platform policy reasons. The Android source code also suggests something similar (click here).
So, my question is:
Is it possible to interact with FIDO BLE services from a third-party Android app without rooting the device or installing a custom ROM?
If yes, are there any workarounds or libraries available?
I’d greatly appreciate any insights or guidance. If there are any low-level technical approaches, APIs, or code examples that could help build a custom solution, I'd be more than happy to explore them.
Thank you!
Best regards,
Shreyank R. B.
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/0284b91c-90fa-44e1-8dba-43d6599cca98n%40fidoalliance.org.
On Jul 30, 2025, at 3:02 PM, Shreyank <[email protected]> wrote:
Regarding the regression, my understanding is that it's likely not related to server-side credential ID issues. Instead, it appears to be a direct consequence of a change within Microsoft's CTAP handling service, introduced with the June 2025 Windows update (specifically build 4652).
Moving to the critical point:
Regarding our FIDO CTAP 2.1 security key, which only supports BLE: we are seeking definitive information on the availability of mobile applications (Android or iOS) from FIDO Alliance licensees that provide comprehensive management capabilities for FIDO security keys over BLE. This would entail functionality similar to the administrative tools available on Windows, such as setting/resetting PINs, managing credentials, bio enrolment, or reset, so that we can know for certain whether any effort we make to build an Android/iOS app to configure our BLE security key is going to be in vain.
We have scoured available resources but have found no clear vendor statements or official documentation, either from vendors or from Google themselves, about Android explicitly outlining platform-level restrictions that prevent such comprehensive BLE management via mobile apps. While our internal investigation into the Android source code suggests hardcoded FIDO service UUIDs indeed pose significant barriers for non-system apps, we need some official clarification.
Specifically, we want to understand whether any vendors have successfully navigated these platform-level restrictions to offer robust BLE management functionality for their FIDO security keys on mobile devices (which seems pretty much impossible as of now, as concluded from our investigation).
Our stakeholders require concrete information regarding the feasibility and actual implementation of Android apps that communicate with FIDO devices for management purposes via the CTAP protocol. We are looking for definitive guidance from the FIDO Alliance on whether such an implementation is genuinely possible, as we've observed that major vendors like Yubico primarily use USB and NFC for their mobile app-based key management, which further underscores our concern about the feasibility of BLE management.
Are there any leads that we can get or any official statement regarding this?
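As an added illustration (not code from either message above), the following Android probe in Java makes the restriction both posts describe observable from a non-system app: it connects to a key, runs GATT service discovery, and reports whether the FIDO service was exposed at all, so a key that is known to work elsewhere but reports "hidden" here points at platform filtering rather than at the key. It assumes the FIDO authenticator service UUID 0xFFFD (assigned in the FIDO BLE transport specification), that the stock Android Bluetooth stack drops that service from discovery results for apps lacking BLUETOOTH_PRIVILEGED, and that the caller has already obtained the runtime BLUETOOTH_CONNECT permission.

```java
import android.bluetooth.BluetoothDevice;
import android.bluetooth.BluetoothGatt;
import android.bluetooth.BluetoothGattCallback;
import android.bluetooth.BluetoothGattService;
import android.content.Context;
import android.util.Log;
import java.util.UUID;

/** Probe that tells "FIDO service filtered by the platform" apart from "discovery failed". */
public final class FidoBleProbe extends BluetoothGattCallback {
    private static final String TAG = "FidoBleProbe";
    // 16-bit UUID 0xFFFD (FIDO authenticator service) expanded onto the Bluetooth base UUID.
    static final UUID FIDO_SERVICE = UUID.fromString("0000fffd-0000-1000-8000-00805f9b34fb");

    public enum Result { FIDO_SERVICE_VISIBLE, FIDO_SERVICE_HIDDEN, DISCOVERY_FAILED }

    public interface Listener { void onProbeResult(Result result); }

    private final Listener listener;

    private FidoBleProbe(Listener listener) { this.listener = listener; }

    /** Connects to the key and starts the probe; BLUETOOTH_CONNECT must already be granted. */
    public static BluetoothGatt start(Context ctx, BluetoothDevice key, Listener listener) {
        return key.connectGatt(ctx, false, new FidoBleProbe(listener));
    }

    @Override
    public void onConnectionStateChange(BluetoothGatt gatt, int status, int newState) {
        if (newState == BluetoothGatt.STATE_CONNECTED) gatt.discoverServices();
    }

    @Override
    public void onServicesDiscovered(BluetoothGatt gatt, int status) {
        listener.onProbeResult(classify(gatt, status));
        gatt.disconnect();
    }

    /** Decision logic kept separate from the callback so it can be unit-tested with a mocked gatt. */
    static Result classify(BluetoothGatt gatt, int status) {
        if (status != BluetoothGatt.GATT_SUCCESS) return Result.DISCOVERY_FAILED;
        for (BluetoothGattService s : gatt.getServices()) Log.d(TAG, "visible service " + s.getUuid());
        // Assumption: stock Android removes 0xFFFD from this list for apps without BLUETOOTH_PRIVILEGED,
        // so a known FIDO key classified as HIDDEN here indicates the platform, not the key, is the blocker.
        return gatt.getService(FIDO_SERVICE) != null ? Result.FIDO_SERVICE_VISIBLE
                                                     : Result.FIDO_SERVICE_HIDDEN;
    }
}
```

Running the same probe from an app signed with the platform key (or any other privileged context) and comparing the two results is the cleanest way to confirm or rule out the platform-level filtering before investing in a full management app.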