I've read various posts here in the forum that describe rather partially how the different hardware security keys interact with GOS and Vanadium, and what works with or without Google services. So I thought it would be useful to start a thread where users can share their experiences with the different keys. This can make it easier for other users to make the right choice.
It would be important for me to differentiate which functions are available with and without Google services.
I look forward to your contributions.
Your experience with Hardware Security Keys (Collection)
It isn't exactly without Google services, but I can confirm that FIDO works in Vanadium using Google Play Services without login and with network disabled. If IPC scopes ever get implemented, it should be possible to use FIDO keys with trusted applications (such as Vanadium) with little privacy compromise.
I have used Yubikey Security Key for testing purposes.
dirksche Not sure what you want to know. Yubikeys work just fine with Sandboxed Google Play. Even sign-in with passkeys that are stored on Yubikeys now works fine. The only thing that doesn't work is registration of passkeys on the Yubikey. This must be done from another OS, such as stock PixelOS, Windows, MacOS, etc.
If you're asking whether hardware keys will work fine without Sandboxed Google Play, then the answer is no. Some apps provide their own API in order to be able to use passkeys on hardware keys. Buypass does this. Apps could do this without Play Services. Don't know if Buypass requires Play Services. I think it likely that this will be deprecated now that Play Services support passkeys.
I used a Nitrokey FIDO2 as a 2FA security key. But recently I had trouble logging in to some of my accounts. So I went back to using TOTP only instead.
I might consider passwordless—passkey as they market it—in a few years, with newer Nitrokeys, when it will be more mature and widespread.
I had Yubikeys too, but I found it too restrictive, so I stayed on double authentication by SMS or TOTP.
I have GMS installed in my owner profile, but disabled and gplay deleted. In the private space I have gplay and gms so I can update apps installed from gplay in owner. Protonpass's passkeys work in owner without issues.