Upstate1618 You said you can authenticate it on Vanadium
Did you actually test it? Is that Passkey registered on PP extension or PP app on GOS through Bluetooth?
Edit: For ente I have not tested it though. I will also do some tests to see if there's a difference between PP and Bitwarden.
Upstate1618 Did you actually test it?
Did I ever say that I tested saving a FIDO credential for a Proton account within Proton Pass?
If I say that I tested XYZ, then yes, I tested XYZ. I get the impression that you are not trusting that I have actually done what I say I've done. This isn't encouraging me to try to further troubleshoot or reproduce the issues you have put forward.
Upstate1618 Apart from that, you should be able to register ente passkey on GOS as
Login to ente on Vanadium
Add passkey and wait for Proton Pass to pop out
Interesting. That's not the dialog I'm seeing, even with Proton Pass set as the OS autofill provider and the appropriate setting within Vanadium.
https://ibb.co/1QPc0S2
Upstate1618 No, I'm not talking about Ente. I'm talking about Proton. Let me explain it to you more precisely:
On Vanadium, log in to your Proton. In Settings-Account and recovery, add a security key here with allow platform checked. Use your GOS as the security key and the procedure would fail in the end, which is not expected. I'm contacting Proton about this.
I confirmed to you earlier that I can reproduce this issue. I now get the impression that you are asking me to reproduce this issue one more time. If so, it would be beneficial if you stated that request explicitly, perhaps by quoting my relevant post.
Upstate1618 On Edge for PC, you can create a passkey for Proton on Proton Pass/Bitwarden. But you cannot authenticate it on Vanadium. This is expected and intended. You said you can authenticate it on Vanadium which is impossible.
I don't know what to tell you, other than the fact that it works completely fine for me. It is not a passkey that I generated using the steps from my first post in this thread; I deleted those prior to testing saving a passkey for my Proton account in Edge, then successfully signing in with that passkey as MFA on account.proton.me in Vanadium on GrapheneOS. I have tested this four times just now.
From Edge on Windows: https://ibb.co/F7Q6Rtr
From tapping 'Authenticate with security key' on account.proton.me from Vanadium: https://ibb.co/Sxj5CX9
(Apparently Android doesn't allow you to screenshot both the browser page contents and the passkey sign-in flow at the same time; that's why the background in the second screenshot is blacked out).
Edit: I will mostly not have access to a computer for the next three weeks, so will be unable to assist with this until after that time.
fid02 If I say that I tested XYZ, then yes, I tested XYZ. I get the impression that you are not trusting that I have actually done what I say I've done.
Sorry. And thank you for your work and effort.
fid02 Interesting. That's not the dialog I'm seeing, even with Proton Pass set as the OS autofill provider and the appropriate setting within Vanadium.
After further testing, registering ente passkey on GOS with third party password manager is impossible.
fid02 If so, it would be beneficial if you stated that request explicitly, perhaps by quoting my relevant post.
I'm not requesting that.
fid02 I don't know what to tell you, other than the fact that it works completely fine for me. It is not a passkey that I generated using the steps from my first post in this thread; I deleted those prior to testing saving a passkey for my Proton account in Edge, then successfully signing in with that passkey as MFA on account.proton.me in Vanadium on GrapheneOS. I have tested this four times just now.
You are right. Bitwarden and Proton Pass behave differently on this. After testing, I can confirm that
Upstate1618 Sorry. And thank you for your work and effort.
That's quite all right. :-)
Upstate1618 Bitwarden cannot authenticate non-passkey on GOS.
It sounds like either a bug or a missing feature in the Bitwarden app. Either way, I imagine a ticket could be filed with Bitwarden support.
Upstate1618 I'm contacting Proton about this.
It works now
fid02 Prerequisites:
Sandboxed Google Play
A password manager with support for passkeys on Android*
I don't understand why a password manager is needed. The Passkey doesn't store the keys in the hardware security module (HSM) from the Titan M chip?
The Passkey is generated on the password manager website and then stored on the password manager app?
Seeing how long this thread is and all the problems with passkeys, I don't see why I shouldn't keep using my hardware keys for now :(
Hat Password managers such as Bitwarden and Proton Drive all store the passkeys in the cloud. I don't know how they're protected locally while they are synced to the phone, but regardless they will also be stored on their servers.
I don't know if there is a way to currently save passkeys on the HSM of an Android phone. It's certainly possible – but not clear as to how it works – to store non-passkey FIDO credentials on the Pixel device itself. But these still require Play Services and they cease to exist/function if you remove Play Services from the user profile. Even if you reinstall Play Services, you won't get them back. I know that might come as a surprise, but that is the current state of FIDO on Android.
fid02 I would rather use passkeys so I can get rid of the extra hardware though.
Do I get this right that I need a desktop computer for passkeys to work? Or to set them up? I get an error message when trying to use my Pixel tablet and Vanadium.
[deleted] I admit that the title of the thread is a bit confusing. Passkeys are not really intended for MFA, and passkeys with password managers can be set up on GrapheneOS without following this guide. "Passkeys as MFA" really refers to replacing physical security keys (when used as MFA)* with your password manager. Play Services doesn't officially support this, so I made a guide to try to work around that. Not sure if that's really clear.
I haven't checked lately if the guide is still up to date. It appears to at least not work with Bitwarden, but there are reports that it still works with Proton Pass. The latter can be set up by using Proton's browser extension on a desktop OS.
*The more technical term is "FIDO non-discoverable credentials".
fid02 Thank you for the info. I will give it a try.
X supports passkeys recently. However I cannot register passkeys on GOS using Bitwarden. Can you register passkeys using Proton? (In the X app-Settings and privacy-Security and account access-Security-Additional password protection-Passkey)
Upstate1618 I got it working fine with Proton Pass.
This guide is about storing non-passkey FIDO credentials in a password manager. It's likely outdated now. I admit the title is technically wrong. It looks like it can be done easily using Proton Pass but it's unclear if it works with Bitwarden. Bitwarden does not support this on Android due to Play Services not officially supporting it:
Please also note that Android does not allow 3rd party passkey providers like Bitwarden to support passkey-based 2FA (a.k.a. "non-discoverable credentials").
I likely don't have the capacity to keep this guide up-to-date.
note that you shouldn't install an RPM file but add a repo and install with DNF or rpm-ostree