Passkeys as MFA on GrapheneOS: a guide

fid02

Upstate1618 It seems you register a non-passkey for Proton on Proton Pass on your PC and authenticate it on your PP using Vanadium on GOS. This is impossible. Can you be sure and give more details?

It's not impossible. I simply did this:

Open up Brave on Windows with the Proton Pass extension, and sign in to ente.io or some other site that supports setting up FIDO as MFA. Ente.io calls it "passkeys". I'd prefer to avoid another discussion on the technical inaccuracies of the usage of that term, please.
Select to register the FIDO credential with the service, and observe that the Proton Pass extension asks you to register a "passkey". Now accept that.
On GrapheneOS, go to Settings > Passwords, passkeys and auto-fill > Select Proton Pass
In Vanadium, go to settings > Autofill Options > select Other providers
Sign in to the service in Vanadium

It's really very straightforward. And no, I don't have any chrome://flags set.

Upstate1618 I cannot register Proton non-passkey on GOS directly

Yes. That's why I created the guide in the first post of this thread. Perhaps you missed the details?

Upstate1618 From PC, I cannot register or authnticate passkeys and non-passkeys on GOS. I'm stuck at connecting your device after scanning QR code.

That's unfortunate, but please try basic troubleshooting first, such as rebooting your device.

Upstate1618 You cannot register passkeys on Yubikey from GOS.(This is different from stock).

You can, just not in Vanadium. See https://discuss.grapheneos.org/d/12056-fido2-security-keys-on-grapheneos-a-summary/4

Upstate1618 authenticate passkeys on Yubikey from GOS.

This works fine. See the thread I linked to above.

Upstate1618

fid02 sign in to ente.io

No, I'm not talking about Ente. I'm talking about Proton. Let me explain it to you more precisely:

On Vanadium, log in to your Proton. In Settings-Account and recovery, add a security key here with allow platform checked. Use your GOS as the security key and the procedure would fail in the end which is not expected. I'm contacting with Proton about this.
On Edge for PC, you can create a passkey for Proton on Proton Pass/Bitwarden. But you cannot authenticate it on Vanadium. This is expected and intended. You said you can authenticate it on Vanadium which is impossible.

Upstate1618

Upstate1618 You said you can authenticate it on Vanadium

Did you actually test it? Is that Passkey registered on PP extension or PP app on GOS through Bluetooth?

fid02

Upstate1618 No, I'm not talking about Ente. I'm talking about Proton. Let me explain it to you more precisely:
On Vanadium, log in to your Proton. In Settings-Account and recovery, add a security key here with allow platform checked. Use your GOS as the security key and the procedure would fail in the end which is not expected. I'm contacting with Proton about this.

I confirmed to you earlier that I can reproduce this issue. I now get the impression that you are asking me to reproduce this issue one more time. If so, it would be beneficial if you stated that request explicitly, perhaps by quoting my relevant post.

Upstate1618 On Edge for PC, you can create a passkey for Proton on Proton Pass/Bitwarden. But you cannot authenticate it on Vanadium. This is expected and intended. You said you can authenticate it on Vanadium which is impossible.

I don't know what to tell you, other than the fact that it works completely fine for me. It is not a passkey that I generated using the steps from my first post in this thread; I deleted those prior to testing saving a passkey for my Proton account in Edge, then succesffully signing in with that passkey as MFA on account.proton.me in Vanadium on GrapheneOS. I have tested this four times just now.

From Edge on Windows: https://ibb.co/F7Q6Rtr
From tapping 'Authenticate with security key' on account.proton.me from Vanadium: https://ibb.co/Sxj5CX9
(Apparently Android doesn't allow you to screenshot both the browser page contents and the passkey sign-in flow at the same time; that's why the background in the second screenshot is blacked out).

Edit: I will mostly not have access to a computer for the next three weeks, so will be unable to assist with this until after that time.

Upstate1618

Upstate1618 I'm contacting with Proton about this.

It works now

Upstate1618

Apart from that, You should be able to register ente passkey on GOS as

Login to ente on Vanadium
Add passkey and wait Proton Pass to Pop out
Save your Passkey in PP
4.Sign in to Ente using that passkey
No need to use Windows here.

fid02

Upstate1618 Did you actually test it?

Did I ever say that I tested saving a FIDO credential for a Proton account within Proton Pass?

If I say that I tested XYZ, then yes, I tested XYZ. I get the impression that you are not trusting that I have actually done what I say I've done. This isn't encouraging me to try to further troubleshoot or reproduce the issues you have put forward.

Upstate1618 Apart from that, You should be able to register ente passkey on GOS as
Login to ente on Vanadium
Add passkey and wait Proton Pass to Pop out

Interesting. That's not the dialog I'm seeing, even with Proton Pass set as the OS autofill provider and the appropriate setting within Vanadium.
https://ibb.co/1QPc0S2

Upstate1618

Edit: For ente I have not tested it though. I will also do some test to see if there's difference between PP and Bitwarden.

Upstate1618

fid02 If I say that I tested XYZ, then yes, I tested XYZ. I get the impression that you are not trusting that I have actually done what I say I've done.

Sorry. And thank you for you work and efffort.

fid02 Interesting. That's not the dialog I'm seeing, even with Proton Pass set as the OS autofill provider and the appropriate setting within Vanadium.

After further testing, registering ente passkey on GOS with third party password manager is impossible.

fid02 If so, it would be beneficial if you stated that request explicitly, perhaps by quoting my relevant post.

I'm not requesting that.

fid02 I don't know what to tell you, other than the fact that it works completely fine for me. It is not a passkey that I generated using the steps from my first post in this thread; I deleted those prior to testing saving a passkey for my Proton account in Edge, then succesffully signing in with that passkey as MFA on account.proton.me in Vanadium on GrapheneOS. I have tested this four times just now.

You are right. Bitwarden and Proton Pass behaves differently on this. After testing, I can confirm that

both can register and authenticate passkey/non-passkey on PC.
both can register and authenticate passkey on GOS.
PP can authenticate non-passkey on GOS. Bitwarden cannot authenticate non-passkey on GOS.

fid02

Upstate1618 Sorry. And thank you for you work and efffort.

That's quite allright. :-)

Upstate1618 Bitwarden cannot authenticate non-passkey on GOS.

It sounds like either a bug or a missing feature in the Bitwarden app. Either way, I imagine a ticket could be filed with Bitwarden support.

Hat

fid02 Prerequisites:

Sandboxed Google Play

A password manager with support for passkeys on Android*

I don't understand why a password manager is needed. The Passkey don't store the keys in the hardware security module (HSM) from the Titan M chip ?
The Passkey is generated on the password manager website and then stored on the password manager app ?

fid02

Hat Password managers such as Bitwarden and Proton Drive all store the passkeys in the cloud. I don't know how they're protected locally while they are synced to the phone, but regardless they will also be stored on their servers.

I don't know if there is a way to currently save passkeys on the HSM of an Android phone. It's certainly possible – but not clear as to how it works – to store non-passkey FIDO credentials on the Pixel device itself. But these still require Play Services and they cease you exist/function if you remove Play Services from the user profile. Even if you reinstall Play Services, you won't get them back. I know that might come as a surprise, but that is the current state of FIDO on Android.

[deleted]

Seeing how long this thread is and all the problems with passkeys, I don't see why I shouldn't keep using my hardware keys for now :(

fid02

[deleted] Seeing how long this thread is and all the problems with passkeys, I don't see why I shouldn't keep

If you prefer hardware keys, use hardware keys. Password managers might be more convenient in many contexts, but not always.

[deleted]

fid02 I would rather use passkeys so I can get rid of the extra hardware though.

[deleted]

Do I get this right that I need a desktop computer for passkeys to work? Or to set them up? I get an error message when trying to use my pixel tablet and Vanadium.

fid02

[deleted] I admit that the title of the thread is a bit confusing. Passkeys are not really intended for MFA, and passkeys with password managers can be set up on GrapheneOS without following this guide. "Passkeys as MFA" really refers to replacing physical security keys (when used as MFA)* with your password manager. Play Services doesn't officially support this, so I made a guide to try to work around that. Not sure if that's really clear.

I haven't checked lately if the guide is still up to date. It appears to at least not work with Bitwarden, but there are reports that it still works with Proton Pass. The latter can be set up by using Proton's browser extension on a desktop OS.

*The more technical term is "FIDO non-discoverable credentials".

[deleted]

fid02 Thank you for the info. I will give it a try.

Upstate1618

X supports passkeys recently. However I can not regieter passkeys on GOS using Bitwarden. Can you register passkeys using Proton? (In the X app-Settings and privacy-Security and account access-Security-Additional password protection-Passkey)

fid02

Upstate1618 I got it working fine with Proton Pass.

Glacial2

Additionally, while passkeys for web browsers are supported, support for apps is coming soon in a future build.

Form here

« Previous Page Next Page »