Passkeys as MFA on GrapheneOS: a guide
Passkeys are not MFA and you cannot use Bitwarden as your MFA. It can only be stored on the device locally.
Upstate1618 The first post in this thread describes how to save a FIDO private key in a password manager, instead of on a hardware key. "Passkeys" is just a term that users are familiar with. I could rename the topic to "FIDO private keys as MFA in a password manager on GrapheneOS", but who's going to care.
If you are stuck and unable to continue with the guide, please specify what the issue is. If you want to make an argument for always using the term "passkey" in the FIDO Alliance's definition of the term as password-less authentication, please just start a new topic.
fid02 Google says "Your encrypted data is locked on this device" error message when creating passkey. What's wrong? Thank you.
Upstate1618 This is related to Google Password Manager not allowing you to store and sync passkeys to your Google account. I attempted to summarize the issue here, and I think the summary is still relevant: https://github.com/GrapheneOS/Vanadium/issues/390#issuecomment-2028915920
It's not clear that this is an issue specific to GrapheneOS or non-stock Android OSs, as a web search on the issue shows that some users get this error even on stock Android OSs. They had to first activate passkey sync with Google Password Manager on a different device, before they could use it on their primary device. It's all a bit confusing and unclear.
Note that this does not affect the usage of passkeys with third-party password managers.
When I try to register a passkey directly from Vanadium, an error occurred.
When I try to register a passkey from Edge on Windows on GOS, after turning on Bluetooth, it stays pending on "connecting" and then eventually fails.
Upstate1618 This happens AFTER I wipe my GPM due to the "Your encrypted data is locked on this device" error.
Set on-device encryption on my Edge for PC
That is not going to work. The only way I know of getting passkey sync with Google Password Manager to work on GrapheneOS is to follow the exact steps that I outlined in my GitHub post. You have to provide the unlock PIN of a different phone, likely with a stock Android OS.
This thread is really not about troubleshooting Google Password Manager passkey sync. It is known to be problematic on GrapheneOS due to restrictions set by Google. Recommend creating a new thread.
fid02 thanks. I don't wanna login on my other android phone. Gotta wait for Bitwarden stable.
Hi, can you help me with Proton? There are 2 problems.
- I cannot register FIDO2 credentials on Vanadium for Proton. It ends with error messages like error while registering
- I cannot use Bitwarden as FIDO2 on Vanadium for Proton. The FIDO2 credential in Bitwarden is registered on my Edge for PC and works well on Edge PC. However, I cannot use it while logging in to Proton through Vanadium.
Thanks.
Upstate1618 I cannot register FIDO2 credentials on Vanadium for Proton. It ends with error messages like error while registering
You should be able to do this from within Vanadium, without a computer, without a security key, and without following my guide. When you register a security key to your Proton account, make sure to select "Allow platform keys".
fid02 I cannot register FIDO2 using my fingerprint
Upstate1618 Huh, you're right. I can't manage to either. It definitely worked for me a few weeks ago (and another user confirmed), but now doesn't. A pity.
fid02 Update to the latest Vanadium Config app release.
GrapheneOS It still does not work on version 22.
GrapheneOS I have done that now. Although it still does not work, I suspect this feature is actually not supported by Play Services. It's regarding saving a FIDO credential on the device, not in a password manager. I can test on stock PixelOS later.
After testing registration on webauthn.io, registration fails due to "An unknown error occurred while talking to the credential manager". The OP says registration doesn't work, is this still true or do I need to tweak something?
Also I am unsure how KeepassDX stores passkeys (or any other app for that matter). I played around with autofill, but since you can't register a passkey on GrapheneOS I can't save a passkey to keepassdx. And even if I did, I'm not sure where the passkey data is saved. Is it saved to my database or the app itself? And if it's saved to the database, where exactly does that data reside, is it user accessible?
I imagine passkeys stored on the device are stored in the security chip (in my case the Titan M1, which is a TPM right?). But under Passwords, Passkeys, and data services, to save passkeys to the device do you need to select "none"?
What does "Automatically sync app data" mean? The description doesn't help. What does it refer to?
gk7ncklxlts99w1 It sounds like you are trying to register a passkey using Vanadium without having a passkey provider set in System Settings > Passwords & Accounts. That webauthn demo page is trying to call the credential manager to register a password-less passkey. This thread is about passkeys as MFA, not password-less passkeys. I have answered your question here: https://discuss.grapheneos.org/d/12056-fido2-security-keys-on-grapheneos-a-summary/4
As to whether or not keepassdx supports passkeys, a web search might give you the answer you need.