Passkeys as MFA on GrapheneOS: a guide

For websites and services that support MFA with hardware security keys, it is now possible to sign into these using passkeys on GrapheneOS, even though the site or service does not officially claim to support this. You don't actually need to have a security key at hand, which saves you money, while still giving you the benefit of phishing-resistant MFA. Note that this is not possible for services that only support TOTP or push: they must explicitly support security keys.

Note also that it does not seem possible yet to register passkeys as MFA on GrapheneOS (the same applies to the stock Pixel OS). You must use a desktop OS to register. I have tested and confirmed this to work with Windows 11 and Fedora Linux (Brave). I see no reason for it not to work on macOS.


This guide may seem a bit lengthy, but it's not difficult to do this.

Having followed the instructions below, sign-in with passkeys as MFA in Vanadium and in apps on GrapheneOS will work fine. I have tested this with various services, including Proton, Standard Notes and Github. Will be glad to hear of any issues you experience.

Prerequisites:

  • Sandboxed Google Play

  • A password manager with support for passkeys on Android*

Instructions:

On GrapheneOS (only needs to be done once):

  • Set up auto-fill with your password manager of choice: Go to Settings > Passwords & accounts > Cogwheel > Select your password manager

  • Open Vanadium and go to Settings > Autofill Options > Select 'Use other providers'. If you are using Google Password Manager, select 'Default'.

  • Restart Vanadium

Registering a passkey as MFA

On your desktop OS, navigate to the website/service of your choice, find the relevant MFA setup page, and select to register a security key

Then:

  • On Windows 10/11: In the pop-up that follows: select 'iPhone, iPad or Android device'. Open the Camera app on GrapheneOS, select 'QR scan' and scan the QR.

  • On Linux (tested with Brave): A QR will immediately show. Open the Camera app on GrapheneOS, select QR scan and scan the QR.

Then, on GrapheneOS:

  1. Allow Bluetooth

  2. Grant Play Services the 'Nearby devices' permission when asked (only needs to be done once)

  3. Optional: Select 'Skip the QR code next time' to allow the devices to remember each other

  4. Authenticate with your password manager

MFA sign-in with a 'security key' (or rather, your passkey) on the website/service can now be done on GrapheneOS without any more effort.

*Avoid 1Password, as unless you are using one of their allowed browsers, they block using passkeys in Vanadium.

Guide has been written April 11, 2024. Will be updated with new posts.

    I'm trying to set up a passkey for my Proton account. Proton supports MFA with hardware security keys, but I'm having some trouble with the QR code generation. I'm testing this on the Brave browser, with Fedora Linux as my OS. At the moment of registration, no QR code is shown, but rather a prompt to insert a hardware key.

    Figure 1 - https://ibb.co/gwcCm7g
    Figure 2 - https://ibb.co/P65LmqW

    Is this a site-specific issue, or rather I'm doing something wrong?

      Fundamental_Physics

      You will not receive a QR code for a hardware security key (such as a Nitrokey or Yubikey).

      A QR code is often displayed with TOTP procedures - then the secret key can be scanned more conveniently with a corresponding app (e.g Aegis).

      If you want to use hardware keys, you should register a second hardware key - as a backup solution in case you lose one.

      Hardware keys and passkeys are similar but not the same.

      Even though Proton Pass now supports passkeys, they don't seem to support them (yet) to login to your Proton account:

      Can I log in to Proton Pass with Passkeys?
      No, you can’t log into Proton Pass apps using passkeys, but with passwords or passphrases, or via biometrics.

      Looking at the pictures you posted Proton wants to register a hardware security key, not a Passkey.


      @Fundamental_Physics Are you using the Flatpak version of Brave? I just tested this, and the Flatpak version will not work. You will have to use Brave's official RPM for the QR to be displayed: https://brave.com/linux/#fedora-rockyrhel
      I tested the release channel version of Brave just now with proton.me, and it works. I also tested proton.me before making the original post. Screenshot from the non-Flatpak version of Brave: https://ibb.co/dGJYQjj

      On a different note, it's generally recommended to avoid Flatpak or Snap versions of web browsers, as they are known to weaken the browser sandbox.

      @Murcielago Did you read my original post in this thread? It's possible to do this if you are using a compatible browser and OS. You can then use your GrapheneOS or other Android phone to authenticate with MFA using the 'passkey' that was saved to your password manager. Not sure why you are claiming otherwise. I have done testing on this, and it has been confirmed to work by another community member (who tested it on Windows).

      It's not a question about whether or not the service officially supports password-less sign-in with discoverable credentials. I thought this was clear, but I can amend the guide if it causes confusion. There is no difference between storing discoverable credentials on a hardware key or in a cloud service. Nothing stands in the way of using discoverable FIDO2 credentials as MFA.

        fid02

        I had probably viewed this discussion before and today only looked at the highlighted, unread post by Fundamental_Physics answering it without the overall context.

        Reading your original post again of course my answer doesn't make much sense - my mistake, apologies!

        fid02 On a different note, it's generally recommended to avoid Flatpak or Snap versions of web browsers, as they are known to weaken the browser sandbox.

        The few browsers I have looked into didn't have a weakened browser sandbox as Snaps, but the Flatpak versions indeed do.

        fid02 I'm using the official RPM package provided by Brave. I've tested it with the Brave browser on a Windows machine, and it's working properly; a QR code is shown, and I can register a passkey.

        Now, I have to understand why I can't generate a QR on Fedora Linux. It might be related to my laptop hardware if it is working for you, but I think it is a software issue. I'll do some more testing, and I'll get back in touch.

          6 days later

          fid02 Fedora Linux 39 (Workstation Edition). I've just tried to register a passkey with Windows 10 and Brave in a virtual machine on the same laptop where I'm running Fedora as the default OS. I couldn't generate a QR code from the Proton and Discord websites, even though previously I was able to generate a QR code with Windows on a different PC.

          There must be some difference in my hardware. Right now, I can't generate a QR code to register a passkey for services that support security keys on my laptop running Fedora Linux or Windows.


            Fundamental_Physics I also tested with Brave on Fedora 39 Workstation, which worked for me. The computer that is failing to show you the QR code option, does it support Bluetooth? Bluetooth is needed to communicate with the Android device.

              fid02 It worked! My computer supports Bluetooth, but I had to activate it in order to generate the QR code. If Bluetooth is not activated, a QR code cannot be generated. Thank you!

              Unfortunately, I have another problem. Although I can create a passkey for a specific site or app, and save it in my password manager, this passkey is not actually saved in my account as a security key. In fact I get an error and no security key is saved.

              For example for Discord I was able to save the passkey in my password manager, but immediately after logging into the password manager I get an error from Discord (Figure 1). To be precise, the sequence is this:

              1) Scan the QR code.
              2) I am asked to save the passkey in my password manager
              3) I access the manager. At this point the error occurs.
              4) I can save the passkey for a specific account registered in my password manager.

              Figure 1 - https://ibb.co/hCh062D

              At this point if I try to log in to Discord I am not prompted for the security key (that is, the passkey), precisely because it is not registered in my Discord account, even though it is for all intents and purposes present in my password manager.


                Fundamental_Physics
                Which password manager are you using? And which OS are you now generating the QR code from?

                Thanks for the info about Bluetooth. Windows will always ask the user to activate Bluetooth before authentication, if it's not already turned on. Sounds like Brave on Fedora (and perhaps on other Linux distros?) won't notify the user about Bluetooth being turned off.

                  Would also be good to know the app version of the password manager, so I can try to replicate the error.

                  fid02 Proton Pass (version 1.20.0) as my password manager and Fedora Linux as my desktop OS.

                    Fundamental_Physics Proton Pass (version 1.20.0)

                    That's it. Proton Pass released a fix for the issue you're experiencing. Pretty sure the fix was in a release higher than you're on now. Check if there are updates available for Proton Pass. If there aren't, it might be that the latest version hasn't made it to stable yet. I'm on the beta and the latest release is 1.20.4.

                      fid02 Yes, that was the problem. With the latest version of Proton Pass (1.20.4) everything works correctly. Thanks!

                      Does it work without sandboxed Play Services?

                      22 days later

                      I followed the instructions and I cannot get passkeys to work. I am not sure what you mean about "Allow Bluetooth" on GrapheneOS. Do you mean Turn On Bluetooth?

                      On a stock Pixel phone I simply open Google Camera app and when I point the phone to the QR code a button in the camera app pops up "Use passkeys," but when I use the GOS Camera app with QR scanner it produces UTF-8 Binary strings but nothing else.

                        Google could use your phone's secure element as a security key in the past, but now it seems impossible. It now uses Google Password Manager, which has nothing to do with Titan. How can I register my Titan in Pixel as a security key (aka local key, like Windows Hello)? I also find that Google messes things up with 2FA security keys and passkeys. Does anyone have a guide to distinguish these?