For websites and services that support MFA with hardware security keys, you can now sign in using passkeys on GrapheneOS, even if the site or service does not officially claim to support this. You do not need a physical security key at hand, which saves you money while still giving you the benefit of phishing-resistant MFA. Note that this is not possible for services that only support TOTP or push notifications: the service must explicitly support security keys.
Note also that it does not seem possible yet to register passkeys as MFA on GrapheneOS (the same applies to stock Pixel OS). You must use a desktop OS to register. I have tested and confirmed this to work with Windows 11 and Fedora Linux (Brave). I see no reason for it not to work on macOS.
This guide may seem a bit lengthy, but it is not difficult to follow.
Once you have followed the instructions below, signing in with passkeys as MFA will work fine in Vanadium and in apps on GrapheneOS. I have tested this with various services, including Proton, Standard Notes and GitHub. I will be glad to hear of any issues you experience.
Prerequisites:
Sandboxed Google Play
A password manager with support for passkeys on Android*
Instructions:
On GrapheneOS (only needs to be done once):
Set up auto-fill with your password manager of choice: Go to Settings > Passwords & accounts > Cogwheel > Select your password manager
Open Vanadium and go to Settings > Autofill Options > Select 'Use other providers'. If you are using Google Password Manager, select 'Default'.
Restart Vanadium
Registering a passkey as MFA
On your desktop OS, navigate to the website/service of your choice, find the relevant MFA setup page, and choose to register a security key.
Then:
On Windows 10/11: in the pop-up that follows, select 'iPhone, iPad or Android device'. Open the Camera app on GrapheneOS, select 'QR scan' and scan the QR code.
On Linux (tested with Brave): a QR code is shown immediately. Open the Camera app on GrapheneOS, select 'QR scan' and scan the QR code.
Then, on GrapheneOS:
Allow Bluetooth
Grant Play Services the 'Nearby devices' permission when asked (only needs to be done once)
Optional: Select 'Skip the QR code next time' to allow the devices to remember each other
Authenticate with your password manager
MFA sign-in with a 'security key' (in reality, your passkey) on that website/service now works on GrapheneOS with no further setup.
*Avoid 1Password: unless you are using one of its allowed browsers, it blocks the use of passkeys in Vanadium.
This guide was written on April 11, 2024, and will be updated in new posts.
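The post calls passkeys "phishing-resistant MFA". The reason is not on the phone at all but in what the relying party (the website) verifies: the browser, not the page, writes the origin into clientDataJSON, and the authenticator scopes the credential to the site's RP ID, so an assertion produced on a look-alike domain fails the server-side checks. The following Python is an added example written for this page, not code from the post's author or from any service named above. It constructs sample WebAuthn assertion material (the RP ID `example.com`, the allowed origins, the challenge and the 37-byte authenticatorData are all made up) and runs the server-side checks that bind an assertion to the right site and to one login attempt. The ECDSA signature check over `authenticatorData || sha256(clientDataJSON)` is deliberately left out because it needs a crypto library; everything shown here is the origin, RP ID, user-verification and counter logic from the WebAuthn assertion verification procedure.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample relying party (RP); nothing here refers to a real service.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

# authenticatorData flag bits as defined by the WebAuthn spec.
FLAG_UP = 0x01  # user present (touched/confirmed on the authenticator)
FLAG_UV = 0x04  # user verified (PIN/biometric); this is what makes a passkey count as MFA


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed 37-byte authenticatorData: sha256(rpId) || flags || signCount (big-endian)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big"))


def make_client_data_json(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON as a browser would produce it for a 'get' ceremony."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     rp_id: str, allowed_origins: set, last_sign_count: int) -> tuple:
    """Server-side binding checks from the WebAuthn assertion verification procedure.
    Returns (ok, reason). Signature verification is intentionally not part of this example."""
    try:
        client_data = json.loads(client_data_json)
        received_challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "clientDataJSON is malformed"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this server issued for this attempt (anti-replay).
    if not hmac.compare_digest(received_challenge, expected_challenge):
        return False, "challenge mismatch"
    # The origin is filled in by the browser, not by page script, so a look-alike domain
    # cannot claim to be us. This is the core of the phishing resistance.
    if client_data.get("origin") not in allowed_origins:
        return False, "origin not allowed"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = int.from_bytes(auth_data[33:37], "big")
    # The authenticator scoped the credential to an RP ID; it must be ours.
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification required for MFA"
    # A counter that fails to increase suggests a cloned credential or a replayed assertion.
    if (sign_count or last_sign_count) and sign_count <= last_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server draws this at random per login
    good = make_client_data_json(challenge, "https://login.example.com")
    lookalike = make_client_data_json(challenge, "https://example.com.evil.test")
    auth = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 7)
    print(verify_assertion(good, auth, challenge, RP_ID, ALLOWED_ORIGINS, 6))
    print(verify_assertion(lookalike, auth, challenge, RP_ID, ALLOWED_ORIGINS, 6))
```

Running the block prints `(True, 'ok')` for the genuine origin and `(False, 'origin not allowed')` for the look-alike domain; the same function also rejects an assertion without user verification (a passkey used as a single factor rather than MFA), a stale challenge, and a signature counter that did not move.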