Passkeys as MFA on GrapheneOS: a guide

Upstate1618 Sorry. And thank you for your work and effort.

That's quite all right. :-)

Upstate1618 Bitwarden cannot authenticate non-passkey on GOS.

It sounds like either a bug or a missing feature in the Bitwarden app. Either way, I imagine a ticket could be filed with Bitwarden support.


fid02 Prerequisites:

Sandboxed Google Play

A password manager with support for passkeys on Android*

I don't understand why a password manager is needed. Don't passkeys store the keys in the hardware security module (HSM) of the Titan M chip?
Is the passkey generated on the password manager's website and then stored in the password manager app?


    Seeing how long this thread is and all the problems with passkeys, I don't see why I shouldn't keep using my hardware keys for now :(

      Hat Password managers such as Bitwarden and Proton Drive all store the passkeys in the cloud. I don't know how they're protected locally while they are synced to the phone, but regardless they will also be stored on their servers.

      I don't know if there is a way to currently save passkeys on the HSM of an Android phone. It's certainly possible – but not clear as to how it works – to store non-passkey FIDO credentials on the Pixel device itself. But these still require Play Services, and they cease to exist/function if you remove Play Services from the user profile. Even if you reinstall Play Services, you won't get them back. I know that might come as a surprise, but that is the current state of FIDO on Android.

      [deleted] Seeing how long this thread is and all the problems with passkeys, I don't see why I shouldn't keep

      If you prefer hardware keys, use hardware keys. Password managers might be more convenient in many contexts, but not always.


        fid02 I would rather use passkeys so I can get rid of the extra hardware though.


        Do I get this right that I need a desktop computer for passkeys to work? Or to set them up? I get an error message when trying to use my Pixel tablet and Vanadium.

          [deleted] I admit that the title of the thread is a bit confusing. Passkeys are not really intended for MFA, and passkeys with password managers can be set up on GrapheneOS without following this guide. "Passkeys as MFA" really refers to replacing physical security keys (when used as MFA)* with your password manager. Play Services doesn't officially support this, so I made a guide to try to work around that. Not sure if that's really clear.

          I haven't checked lately if the guide is still up to date. It appears to at least not work with Bitwarden, but there are reports that it still works with Proton Pass. The latter can be set up by using Proton's browser extension on a desktop OS.

          *The more technical term is "FIDO non-discoverable credentials".
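To make the distinction fid02 draws concrete, here is an added example (not from the thread or any project mentioned in it) of how a WebAuthn relying party asks for a non-discoverable credential versus a passkey, reads the credProps extension to learn which it got, and why the non-discoverable (MFA) case must list the credential in allowCredentials. The rpId, user and credential ids are constructed placeholders.

```javascript
// Added example: relying-party side of "passkey" vs "non-discoverable credential".
// Constructed values; not code from the guide or from any password manager.

// Registration options. residentKey "discouraged" asks the authenticator for a
// non-discoverable (server-side) credential, i.e. the second-factor style the
// thread calls "passkeys as MFA"; "required" asks for a discoverable passkey.
function buildCreationOptions({ asPasskey }) {
  return {
    rp: { id: "example.test", name: "Example RP" },                 // constructed
    user: { id: "dXNlci0x", name: "alice", displayName: "Alice" },   // constructed
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],             // ES256
    authenticatorSelection: {
      residentKey: asPasskey ? "required" : "discouraged",
      userVerification: asPasskey ? "required" : "preferred",
    },
    extensions: { credProps: true }, // ask the client to report rk (resident key)
  };
}

// Decide from the registration result how the RP may authenticate later.
// credProps.rk === true  -> discoverable: can be used with empty allowCredentials.
// credProps.rk === false -> non-discoverable: needs identifier-first + allowCredentials.
function classifyRegistration(options, clientExtensionResults) {
  const rk = clientExtensionResults && clientExtensionResults.credProps
    ? clientExtensionResults.credProps.rk : undefined;
  if (typeof rk === "boolean") return rk ? "discoverable" : "non-discoverable";
  // Without credProps, only a "required" request guarantees discoverability.
  return options.authenticatorSelection.residentKey === "required"
    ? "discoverable" : "unknown";
}

// Assertion options. A non-discoverable credential cannot be located by rpId
// alone, so the RP must look up the user's credential ids first and list them.
function buildAssertionOptions(kind, storedCredentialIds) {
  if (kind !== "discoverable" && storedCredentialIds.length === 0) {
    throw new Error("non-discoverable credential requires a non-empty allowCredentials");
  }
  return {
    rpId: "example.test", // constructed
    userVerification: kind === "discoverable" ? "required" : "preferred",
    // Passkey flow may leave this empty; MFA flow must enumerate the ids.
    allowCredentials: kind === "discoverable"
      ? []
      : storedCredentialIds.map((id) => ({ type: "public-key", id })),
  };
}
```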


            fid02 Thank you for the info. I will give it a try.


            X has recently added support for passkeys. However, I cannot register passkeys on GOS using Bitwarden. Can you register passkeys using Proton? (In the X app: Settings and privacy > Security and account access > Security > Additional password protection > Passkey)

              Additionally, while passkeys for web browsers are supported, support for apps is coming soon in a future build.

              From here

              This guide is about storing non-passkey FIDO credentials in a password manager. It's likely outdated now. I admit the title is technically wrong. It looks like it can be done easily using Proton Pass but it's unclear if it works with Bitwarden. Bitwarden does not support this on Android due to Play Services not officially supporting it:

              Please also note that Android does not allow 3rd party passkey providers like Bitwarden to support passkey-based 2FA (a.k.a. "non-discoverable credentials").

              I likely don't have the capacity to keep this guide up-to-date.


                fid02

                note that you shouldn't install an RPM file but add a repo and install with DNF or rpm-ostree

                I am pretty confused about this guide. Passkeys, aka FIDO2, aka WebAuthn, seem not to be supported in Vanadium.

                Plugging in a Nitrokey 3a-mini displays a prompt to open an app; OpenKeychain is supported for storing GPG keys, and that's it.

                The Nitrokey 3's are now FIDO2 compliant.

                KeePassDX has theoretical support for some type of security key, but not that one.

                Tbh using the secure element as an additional passkey on the phone would be great.

                  missing-root Passkeys aka FIDO2 aka webauthn seems to not be supported in Vanadium.

                  It is supported. You just need to install Play Services, which is required for most FIDO functionality. AOSP does not have native support for it.

                  missing-root Plugging in a Nitrokey 3a-mini displays a prompt to open an app

                  Which app?

                    fid02

                    Damn, that is bad? Why would such critical system functionality depend on additional proprietary services?
                    ...

                    The system opens a dialog prompting to open an app. Only OpenKeychain may be supported, but maybe not even that if it requires Play Services on the system.

                      missing-root Surprise! I'm right there with you, I was very disappointed to discover this dependency. My first impulse was rage because these keys were supposed to solve all my problems! NO MORE PASSWORDS!!! I heard that and bought two keys without even thinking about it. I should have searched this forum first.

                      But I'm hesitant to judge since I don't know what's involved in implementing FIDO compatibility without Google services, let alone maintaining it. I just hope one day this terrible affliction will be behind us, and we can move forward with security without reliance on centralized power actors.

                      fid02 Would I need to have Play Services installed to authenticate the passkey using Proton Pass?