Passkeys as MFA on GrapheneOS: a guide

fid02

I had probably viewed this discussion before and today only looked at the highlighted, unread post by Fundamental_Physics answering it without the overall context.

Reading your original post again of course my answer doesn't make much sense - my mistake, apologies!

fid02 On a different note, it's generally recommended to avoid Flatpak or Snap versions of web browsers, as they are known to weaken the browser sandbox.

The few browsers I have looked into didn't have a weakened browser sandbox as Snaps, but the Flatpak versions indeed did.

fid02 I'm using the official RPM package provided by Brave. I've tested it with the Brave browser on a Windows machine, and it's working properly; a QR code is shown, and I can register a passkey.

Now, I have to understand why I can't generate a QR on Fedora Linux. It might be related to my laptop hardware if it is working for you, but I think it is a software issue. I'll do some more testing, and I'll get back in touch.

    6 days later

    fid02 Fedora Linux 39 (Workstation Edition). I've just tried to register a passkey with Windows 10 and Brave in a virtual machine running on the same laptop where I'm running Fedora as the default OS. I couldn't generate a QR code from the Proton and Discord websites, even though previously I was able to generate a QR code with Windows on a different PC.

    There must be some difference in my hardware. Right now, I can't generate a QR code to register a passkey for services that support security keys on my laptop running Fedora Linux or Windows.


      Fundamental_Physics I also tested with Brave on Fedora 39 Workstation, which worked for me. The computer that is failing to show you the QR code option, does it support Bluetooth? Bluetooth is needed to communicate with the Android device.

        fid02 It worked! My computer supports Bluetooth, but I had to activate it in order to generate the QR code. If Bluetooth is not activated, a QR code cannot be generated. Thank you!

        Unfortunately, I have another problem. Although I can create a passkey for a specific site or app, and save it in my password manager, this passkey is not actually saved in my account as a security key. In fact I get an error and no security key is saved.

        For example for Discord I was able to save the passkey in my password manager, but immediately after logging into the password manager I get an error from Discord (Figure 1). To be precise, the sequence is this:

        1) Scan the QR code.
        2) I am asked to save the passkey in my password manager.
        3) I access the manager. At this point the error occurs.
        4) I can save the passkey for a specific account registered in my password manager.

        Figure 1 - https://ibb.co/hCh062D

        At this point if I try to log in to Discord I am not prompted for the security key (that is, the passkey), precisely because it is not registered in my Discord account, even though it is for all intents and purposes present in my password manager.


          Fundamental_Physics
          Which password manager are you using? And which OS are you now generating the QR code from?

          Thanks for the info about Bluetooth. Windows will always ask the user to activate Bluetooth before authentication, if it's not already turned on. Sounds like Brave on Fedora (and perhaps on other Linux distros?) won't notify the user about Bluetooth being turned off.

            Would also be good to know the app version of the password manager, so I can try to replicate the error.

            fid02 Proton Pass (version 1.20.0) as my password manager and Fedora Linux as my desktop OS.

              Fundamental_Physics Proton Pass (version 1.20.0)

              That's it. Proton Pass released a fix for the issue you're experiencing. Pretty sure the fix was in a release higher than you're on now. Check if there are updates available for Proton Pass. If there aren't, it might be that the latest version hasn't made it to stable yet. I'm on the beta and the latest release is 1.20.4.

                fid02 Yes, that was the problem. With the latest version of Proton Pass (1.20.4) everything works correctly. Thanks!

                Does it work without the sandboxed Play Services?

                22 days later

                I followed the instructions and I cannot get passkeys to work. I am not sure what you mean about "Allow Bluetooth" on GrapheneOS. Do you mean Turn On Bluetooth?

                On a stock Pixel phone I simply open Google Camera app and when I point the phone to the QR code a button in the camera app pops up "Use passkeys," but when I use the GOS Camera app with QR scanner it produces UTF-8 Binary strings but nothing else.

                  Google could use your phone's secure element as a security key in the past, but now it seems impossible. It now uses Google Password Manager, which has nothing to do with Titan. How can I register my Titan in Pixel as a security key (aka local key, like Windows Hello)? Also, I find Google messes things up with 2FA security keys and passkeys. Does anyone have a guide to distinguish these?

                  xYz There will be a dialog asking you to enable Bluetooth, but you have to be able to scan the QR code first.

                  When you scan the code with the Camera app, a string starting with "FIDO:" should show. You then have to press the tiny "Go to" icon in the upper right corner of that tiny UI box. Then start the passkey flow. I could clarify this in the guide.

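As an added example (not part of the guide or of any post in this thread), here is a decoder for the string the Camera app shows after scanning: as I read the CTAP 2.2 hybrid transport spec, it is `FIDO:/` followed by a digit-encoded CBOR map holding an ephemeral public key, a QR secret and a few hints. The digit-encoding table, the field names and the sample key/secret bytes below are my assumptions and constructed values, not taken from a real QR code.

```python
# Added example, not from the guide: decode the "FIDO:/..." URL behind a passkey QR
# (CTAP 2.2 hybrid transport, layout as I read the spec; sample bytes are constructed).
PARTIAL_DIGITS = {0: 0, 1: 3, 2: 5, 3: 8, 4: 10, 5: 13, 6: 15, 7: 17}
FIELDS = {0: "public_key", 1: "qr_secret", 2: "tunnel_domains", 3: "timestamp", 4: "state_assisted", 5: "hint"}

def digit_encode(data: bytes) -> str:
    """7-byte chunks -> little-endian ints -> zero-padded decimal digits (17 per full chunk)."""
    chunks = [data[i:i + 7] for i in range(0, len(data), 7)]
    return "".join(f"{int.from_bytes(c, 'little'):0{PARTIAL_DIGITS[len(c)]}d}" for c in chunks)

def digit_decode(digits: str) -> bytes:
    """Inverse of digit_encode; a malformed tail length raises KeyError."""
    bytes_for = {v: k for k, v in PARTIAL_DIGITS.items()}
    chunks = [digits[i:i + 17] for i in range(0, len(digits), 17)]
    return b"".join(int(c).to_bytes(bytes_for[len(c)], "little") for c in chunks)

def _cbor(buf: bytes, pos: int = 0):
    """Minimal CBOR decoder: uint, bstr, tstr, map and bool are all the QR map needs."""
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    n = {24: 1, 25: 2}[info] if info >= 24 else 0   # KeyError on 4/8-byte args (unused here)
    arg = int.from_bytes(buf[pos:pos + n], "big") if n else info
    pos += n
    if major == 0:                               # unsigned integer
        return arg, pos
    if major in (2, 3):                          # byte string / text string
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode()), pos + arg
    if major == 5:                               # map of arg key/value pairs
        items = {}
        for _ in range(arg):
            key, pos = _cbor(buf, pos)
            items[key], pos = _cbor(buf, pos)
        return items, pos
    if major == 7 and info in (20, 21):          # false / true
        return info == 21, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def parse_fido_qr(url: str) -> dict:
    """Name the fields: only an ephemeral key, a secret and hints; no credential data."""
    if not url.startswith("FIDO:/"):
        raise ValueError("not a hybrid-transport QR payload")
    cbor_map, _ = _cbor(digit_decode(url[len("FIDO:/"):]))
    return {FIELDS.get(k, k): v for k, v in cbor_map.items()}

# Constructed sample: fake 33-byte compressed P-256 key, fake 16-byte QR secret.
SAMPLE_PUBKEY, SAMPLE_SECRET = b"\x02" + bytes(range(1, 33)), bytes(range(0xA0, 0xB0))
SAMPLE_CBOR = (b"\xa5\x00\x58\x21" + SAMPLE_PUBKEY + b"\x01\x50" + SAMPLE_SECRET  # map(5); keys 0, 1
               + b"\x02\x02" + b"\x04\xf5" + b"\x05\x62ga")  # 2: 2 domains, 4: true, 5: "ga"
SAMPLE_QR = "FIDO:/" + digit_encode(SAMPLE_CBOR)
```

Running `parse_fido_qr(SAMPLE_QR)` returns the named fields; the phone only uses them to derive the BLE advertisement and tunnel connection, which is why Bluetooth has to be on before the flow can continue.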

                    fid02 Thanks for the response. Using your clarification I got further than last time but still can't get it set up with Bitwarden (I want to set up a passkey to log in to my Bitwarden account).

                    I pressed the "go to" (box with an arrow) icon, chose to turn on Bluetooth, gave Google Play services permission, scanned the QR and at the next prompt chose "Skip the QR code next time," and then received an error message "Something went wrong, restart the process on your other device to try again." Upon going to my other device (a Win 10 Pro laptop, standard user account) running Brave browser a popup says "Error creating passkey." I dismiss it and I see my GOS phone listed for vault.bitwarden.com. I click on it and a popup says "Check your device. A notification was sent to [name of GOS phone]." But I receive no notification.

                    How is the passkey notification sent? I checked and noticed Google Play Services' Notifications permission was turned off. I turned it on and tried again and get the same message that a notification was sent, but I see nothing on the phone. After several minutes the popup says "Something went wrong. Request timed out."

                    So I deleted the passkey and went back through the process to create a passkey, but this time instead of saying, "Something went wrong..." it now says "No passkeys available. There aren't any applicable passkeys on this device. Try a new device or create a new passkey." Nevertheless my GOS phone passkey is once again listed in Brave Browser and it exhibits the same behavior as before when I attempt to use it... "Check your device... a notification was sent to [name of GOS phone]." I also tried disabling my laptop firewall, but it did not make a difference.

                    [EDIT: Additional info]

                      xYz Which version of Bitwarden are you using? Only the latest beta versions of Bitwarden have passkey support on Android. I'm on Bitwarden version 2024.4.1 (versioncode 10283). You'll have to opt-in to beta releases for this to work.

                      If you're on the beta and it still doesn't work, could you try disabling and re-enabling the toggle for Bitwarden in Settings > Passwords & accounts > Cogwheel > Bitwarden?

                      I did test this just now using the latest Bitwarden Beta and registration works fine, although sign-in does not work. I'll see if I can reproduce that on stock PixelOS and then report it to Bitwarden.

                      xYz (I want to setup a passkey to login to my Bitwarden account).

                      Oh, I missed that part. Do you have any password managers set in Settings > Passwords & accounts > Cogwheel? Could you please clarify if you are trying to save this passkey as MFA in your Bitwarden vault? Or for your Bitwarden account itself?

                      And are you trying to save the passkey on the device and not in a password manager? Using this method, I'm not sure that is doable.
