Passkeys as MFA on GrapheneOS: a guide

When I test registration on webauthn.io, it fails with "An unknown error occurred while talking to the credential manager". The OP says registration doesn't work; is this still true, or do I need to tweak something?

Also, I am unsure how KeePassDX stores passkeys (or any other app, for that matter). I played around with autofill, but since you can't register a passkey on GrapheneOS I can't save a passkey to KeePassDX. And even if I did, I'm not sure where the passkey data is saved. Is it saved to my database or to the app itself? And if it's saved to the database, where exactly does that data reside, and is it user-accessible?

I imagine passkeys stored on the device are kept in the security chip (in my case the Titan M1, which is a TPM, right?). But under "Passwords, passkeys, and data services", do you need to select "none" to save passkeys to the device?

What does "Automatically sync app data" mean? The description doesn't help. What does it refer to?

    gk7ncklxlts99w1 It sounds like you are trying to register a passkey using Vanadium without having a passkey provider set in System Settings > Passwords & Accounts. That webauthn demo page is trying to call the credential manager to register a password-less passkey. This thread is about passkeys as MFA, not password-less passkeys. I have answered your question here: https://discuss.grapheneos.org/d/12056-fido2-security-keys-on-grapheneos-a-summary/4

    As to whether or not KeePassDX supports passkeys, a web search might give you the answer you need.

    gk7ncklxlts99w1 Also I am unsure how KeepassDX stores passkeys (or any other app for that matter). I played around with autofill, but since you can't register a passkey on GrapheneOS I can't save a passkey to keepassdx. And even if I did, I'm not sure where the passkey data is saved. Is it saved to my database or the app itself? And if it's saved to the database, where exactly does that data reside, is it user accessible?

    KeePassDX does not currently support passkeys. When it does, I suspect it will use the same fields as KeePassXC.

    6 days later

    It looks like the Proton Pass extension for desktop (tested on Brave, Windows 11) is able to save any FIDO credential in the password manager: when you select to add a security key to an account, the extension pops up a message asking if you would like to store the passkey in Proton Pass. I tested this for Ente, Tuta and even Proton, and after being stored in Proton Pass the passkeys can be used as MFA in Vanadium without issues. I wasn't aware that the Proton Pass extension had this feature. That might be a simpler way to save passkeys and use them as MFA than following my guide.

    Has anyone tried this with Bitwarden or other password managers that can store passkeys?

      For Bitwarden, you can register and authenticate passkeys and non-passkeys on PC.
      You can register and authenticate passkeys using Bitwarden on GOS.
      You can register and authenticate non-passkeys directly on GOS (except Proton). You cannot register or authenticate non-passkeys using Bitwarden on GOS.

      You can register and authenticate passkeys and non-passkeys directly on PC and on a Yubikey on PC as well.
      You cannot register passkeys on a Yubikey from GOS. (This is different from stock.) Authenticate not tested (requires USB and I do not have an A-to-C cable).
      You can register and authenticate non-passkeys on a Yubikey from GOS.

      From PC, I cannot register or authenticate passkeys and non-passkeys on GOS. This is different from your first post. I'm stuck at "connecting your device" after scanning the QR code.
      From GOS, you cannot R/A a passkey on another iPhone/Android. You may be able to R/A a non-passkey on another iPhone/Android (not tested). You cannot R/A a passkey/non-passkey on another PC/Mac.

      To summarize,
      my main problems are:

      1. I cannot register a Proton non-passkey on GOS directly.
      2. From PC, I cannot register or authenticate passkeys and non-passkeys on GOS. I'm stuck at "connecting your device" after scanning the QR code.
      3. You cannot register passkeys on a Yubikey from GOS. (This is different from stock.)
      4. You cannot register passkeys on another iPhone/Android from GOS. (This may be different from stock.)

      Not tested:

      1. authenticate passkeys on Yubikey from GOS.
      2. register and authenticate non-passkey on another iPhone/Android.

        fid02
        It seems you register a non-passkey for Proton on Proton Pass on your PC and authenticate it on your PP using Vanadium on GOS. This is impossible. Can you be sure and give more details?

          Test time: today
          Test environment: P8P GOS 2024061400, Vanadium 126.0.6478.110.0, Vanadium Config 24, Bitwarden Stable
          Windows 11 22H2, Edge 126.0.2592.56, Bitwarden Extension Stable
          @fid02 If you cannot register passkeys on GOS using Proton Pass, I suggest you clear all your chrome://flags.

          Upstate1618 It seems you register a non-passkey for Proton on Proton Pass on your PC and authenticate it on your PP using Vanadium on GOS. This is impossible. Can you be sure and give more details?

          It's not impossible. I simply did this:

          1. Open up Brave on Windows with the Proton Pass extension, and sign in to ente.io or some other site that supports setting up FIDO as MFA. Ente.io calls it "passkeys". I'd prefer to avoid another discussion on the technical inaccuracies of the usage of that term, please.
          2. Select to register the FIDO credential with the service, and observe that the Proton Pass extension asks you to register a "passkey". Now accept that.
          3. On GrapheneOS, go to Settings > Passwords, passkeys and auto-fill > Select Proton Pass
          4. In Vanadium, go to settings > Autofill Options > select Other providers
          5. Sign in to the service in Vanadium

          It's really very straightforward. And no, I don't have any chrome://flags set.

          Upstate1618 I cannot register Proton non-passkey on GOS directly

          Yes. That's why I created the guide in the first post of this thread. Perhaps you missed the details?

          Upstate1618 From PC, I cannot register or authenticate passkeys and non-passkeys on GOS. I'm stuck at "connecting your device" after scanning the QR code.

          That's unfortunate, but please try basic troubleshooting first, such as rebooting your device.

          Upstate1618 You cannot register passkeys on a Yubikey from GOS. (This is different from stock.)

          You can, just not in Vanadium. See https://discuss.grapheneos.org/d/12056-fido2-security-keys-on-grapheneos-a-summary/4

          Upstate1618 authenticate passkeys on Yubikey from GOS.

          This works fine. See the thread I linked to above.

            fid02 sign in to ente.io

            No, I'm not talking about Ente. I'm talking about Proton. Let me explain it to you more precisely:

            1. On Vanadium, log in to your Proton account. In Settings > Account and recovery, add a security key with "allow platform" checked. Use your GOS device as the security key; the procedure fails at the end, which is not expected. I'm contacting Proton about this.
            2. On Edge for PC, you can create a passkey for Proton on Proton Pass/Bitwarden. But you cannot authenticate it on Vanadium. This is expected and intended. You said you can authenticate it on Vanadium which is impossible.

              Apart from that, you should be able to register an ente passkey on GOS as follows:

              1. Log in to ente on Vanadium.
              2. Add a passkey and wait for Proton Pass to pop up.
              3. Save your passkey in PP.
              4. Sign in to Ente using that passkey.

              No need to use Windows here.

                Upstate1618 You said you can authenticate it on Vanadium

                Did you actually test it? Is that Passkey registered on PP extension or PP app on GOS through Bluetooth?

                  Edit: For ente I have not tested it, though. I will also do some tests to see if there's a difference between PP and Bitwarden.

                  Upstate1618 Did you actually test it?

                  Did I ever say that I tested saving a FIDO credential for a Proton account within Proton Pass?

                  If I say that I tested XYZ, then yes, I tested XYZ. I get the impression that you are not trusting that I have actually done what I say I've done. This isn't encouraging me to try to further troubleshoot or reproduce the issues you have put forward.

                  Upstate1618 Apart from that, You should be able to register ente passkey on GOS as
                  Login to ente on Vanadium
                  Add passkey and wait Proton Pass to Pop out

                  Interesting. That's not the dialog I'm seeing, even with Proton Pass set as the OS autofill provider and the appropriate setting within Vanadium.
                  https://ibb.co/1QPc0S2

                    Upstate1618 No, I'm not talking about Ente. I'm talking about Proton. Let me explain it to you more precisely:
                    On Vanadium, log in to your Proton. In Settings-Account and recovery, add a security key here with allow platform checked. Use your GOS as the security key and the procedure would fail in the end which is not expected. I'm contacting with Proton about this.

                    I confirmed to you earlier that I can reproduce this issue. I now get the impression that you are asking me to reproduce this issue one more time. If so, it would be beneficial if you stated that request explicitly, perhaps by quoting my relevant post.

                    Upstate1618 On Edge for PC, you can create a passkey for Proton on Proton Pass/Bitwarden. But you cannot authenticate it on Vanadium. This is expected and intended. You said you can authenticate it on Vanadium which is impossible.

                    I don't know what to tell you, other than the fact that it works completely fine for me. It is not a passkey that I generated using the steps from my first post in this thread; I deleted those prior to testing saving a passkey for my Proton account in Edge, then successfully signing in with that passkey as MFA on account.proton.me in Vanadium on GrapheneOS. I have tested this four times just now.

                    From Edge on Windows: https://ibb.co/F7Q6Rtr
                    From tapping 'Authenticate with security key' on account.proton.me from Vanadium: https://ibb.co/Sxj5CX9
                    (Apparently Android doesn't allow you to screenshot both the browser page contents and the passkey sign-in flow at the same time; that's why the background in the second screenshot is blacked out).

                    Edit: I will mostly not have access to a computer for the next three weeks, so will be unable to assist with this until after that time.

                      fid02 If I say that I tested XYZ, then yes, I tested XYZ. I get the impression that you are not trusting that I have actually done what I say I've done.

                      Sorry. And thank you for your work and effort.

                      fid02 Interesting. That's not the dialog I'm seeing, even with Proton Pass set as the OS autofill provider and the appropriate setting within Vanadium.

                      After further testing, registering an ente passkey on GOS with a third-party password manager is impossible.

                      fid02 If so, it would be beneficial if you stated that request explicitly, perhaps by quoting my relevant post.

                      I'm not requesting that.

                      fid02 I don't know what to tell you, other than the fact that it works completely fine for me. It is not a passkey that I generated using the steps from my first post in this thread; I deleted those prior to testing saving a passkey for my Proton account in Edge, then successfully signing in with that passkey as MFA on account.proton.me in Vanadium on GrapheneOS. I have tested this four times just now.

                      You are right. Bitwarden and Proton Pass behave differently on this. After testing, I can confirm that:

                      1. both can register and authenticate passkey/non-passkey on PC.
                      2. both can register and authenticate passkey on GOS.
                      3. PP can authenticate non-passkey on GOS. Bitwarden cannot authenticate non-passkey on GOS.

                        Upstate1618 Sorry. And thank you for your work and effort.

                        That's quite all right. :-)

                        Upstate1618 Bitwarden cannot authenticate non-passkey on GOS.

                        It sounds like either a bug or a missing feature in the Bitwarden app. Either way, I imagine a ticket could be filed with Bitwarden support.
