  • Passkeys as MFA on GrapheneOS: a guide

Hat Password managers such as Bitwarden and Proton Drive all store the passkeys in the cloud. I don't know how they're protected locally while they are synced to the phone, but regardless they will also be stored on their servers.

I don't know if there is a way to currently save passkeys on the HSM of an Android phone. It's certainly possible – but not clear as to how it works – to store non-passkey FIDO credentials on the Pixel device itself. But these still require Play Services and they cease to exist/function if you remove Play Services from the user profile. Even if you reinstall Play Services, you won't get them back. I know that might come as a surprise, but that is the current state of FIDO on Android.

[deleted] Seeing how long this thread is and all the problems with passkeys, I don't see why I shouldn't keep

If you prefer hardware keys, use hardware keys. Password managers might be more convenient in many contexts, but not always.

    • [deleted]

    fid02 I would rather use passkeys so I can get rid of the extra hardware though.

    • [deleted]


    Do I get this right that I need a desktop computer for passkeys to work? Or to set them up? I get an error message when trying to use my Pixel tablet and Vanadium.

      [deleted] I admit that the title of the thread is a bit confusing. Passkeys are not really intended for MFA, and passkeys with password managers can be set up on GrapheneOS without following this guide. "Passkeys as MFA" really refers to replacing physical security keys (when used as MFA)* with your password manager. Play Services doesn't officially support this, so I made a guide to try to work around that. Not sure if that's really clear.

      I haven't checked lately if the guide is still up to date. It appears to at least not work with Bitwarden, but there are reports that it still works with Proton Pass. The latter can be set up by using Proton's browser extension on a desktop OS.

      *The more technical term is "FIDO non-discoverable credentials".
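To make the distinction in this post concrete, here is an added example (not from the thread or from any password manager) of how a relying party requests the two kinds of credential: a non-discoverable credential used as a second factor after a password, versus a discoverable passkey. The RP name/id, user record, challenges and credential IDs are constructed placeholders; the objects follow the WebAuthn option shapes but no browser API is called, so it runs in Node.

```javascript
// Added example: shapes of WebAuthn requests for non-discoverable (2FA) vs
// discoverable (passkey) credentials. RP identity is an assumed placeholder.
const RP = { id: "example.com", name: "Example RP" };

// Constructed byte values; in practice the server generates random challenges
// and stores the credential IDs it receives at registration.
function bytes(str) { return new TextEncoder().encode(str); }

// Registration of a *non-discoverable* credential (security-key-style 2FA).
// The authenticator stores nothing per site; the server keeps the credential
// ID and presents it at login, so the user must already be identified.
function secondFactorCreateOptions(challenge, user) {
  return {
    challenge: bytes(challenge),
    rp: RP,
    user: { id: bytes(user.id), name: user.name, displayName: user.name },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: { residentKey: "discouraged", userVerification: "discouraged" },
    attestation: "none",
  };
}

// Registration of a *passkey* (discoverable credential): the authenticator
// stores the user handle and key, and the user is verified (PIN/biometric).
function passkeyCreateOptions(challenge, user) {
  const opts = secondFactorCreateOptions(challenge, user);
  opts.authenticatorSelection = {
    residentKey: "required", requireResidentKey: true, userVerification: "required",
  };
  return opts;
}

// Login. Second factor: the server lists the credential IDs it knows for the
// already-identified user. Passkey: allowCredentials is empty and the
// authenticator picks the account itself, which is why it must be discoverable.
function assertionOptions(challenge, knownCredentialIds) {
  const passkeyFlow = knownCredentialIds.length === 0;
  return {
    challenge: bytes(challenge),
    rpId: RP.id,
    allowCredentials: knownCredentialIds.map((id) => ({ type: "public-key", id: bytes(id) })),
    userVerification: passkeyFlow ? "required" : "discouraged",
  };
}

// True when only a discoverable credential satisfies the registration request.
function needsDiscoverable(createOpts) {
  return createOpts.authenticatorSelection.residentKey === "required";
}
```

A provider that only stores passkeys can serve the `passkeyCreateOptions` flow but not the `secondFactorCreateOptions` one, which is the gap the guide was trying to work around.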

        • [deleted]

        fid02 Thank you for the info. I will give it a try.

        16 days later

        X recently started supporting passkeys. However, I cannot register passkeys on GOS using Bitwarden. Can you register passkeys using Proton? (In the X app: Settings and privacy - Security and account access - Security - Additional password protection - Passkey)

          Additionally, while passkeys for web browsers are supported, support for apps is coming soon in a future build.

          From here

          This guide is about storing non-passkey FIDO credentials in a password manager. It's likely outdated now. I admit the title is technically wrong. It looks like it can be done easily using Proton Pass but it's unclear if it works with Bitwarden. Bitwarden does not support this on Android due to Play Services not officially supporting it:

          Please also note that Android does not allow 3rd party passkey providers like Bitwarden to support passkey-based 2FA (a.k.a. "non-discoverable credentials").

          I likely don't have the capacity to keep this guide up-to-date.

            13 days later

            fid02

            note that you shouldn't install an RPM file but add a repo and install with DNF or rpm-ostree

            I am pretty confused about this guide. Passkeys aka FIDO2 aka WebAuthn seem to not be supported in Vanadium.

            Plugging in a Nitrokey 3A Mini displays a prompt to open an app; OpenKeychain is supported for storing GPG keys, that's it.

            The Nitrokey 3s are now FIDO2 compliant.

            KeepassDX has theoretical support for some type of security key, but not that one.

            Tbh using the secure element as an additional passkey on the phone would be great.

              missing-root Passkeys aka FIDO2 aka WebAuthn seem to not be supported in Vanadium.

              It is supported. You just need to install Play Services, which is required for practically most FIDO functionality. AOSP does not have native support for it.

              missing-root Plugging in a Nitrokey 3a-mini displays a prompt to open an app

              Which app?

                fid02

                Damn, that is bad? Why would such critical system functionality depend on additional proprietary services?
                ...

                The system opens a dialog prompting to open an app. Only OpenKeyChain may be supported, but maybe not even that if it requires play services on the system

                  missing-root Surprise! I'm right there with you, I was very disappointed to discover this dependency. My first impulse was rage because these keys were supposed to solve all my problems! NO MORE PASSWORDS!!! I heard that and bought two keys without even thinking about it. I should have searched this forum first.

                  But I'm hesitant to judge since I don't know what's involved in implementing FIDO compatibility without Google services, let alone maintaining it. I just hope one day this terrible affliction will be behind us, and we can move forward with security without reliance on centralized power actors.

                  fid02 Would I need to have play services installed to authenticate the passkey using Proton Pass?

                    duck1 Would I need to have play services installed to authenticate the passkey using Proton Pass?

                    Yes.

                    does this rely on internet connectivity? Especially when there is a permission for IPC (inter process communication), installing play services may be "fine" for the reward

                      missing-root does this rely on internet connectivity?

                      Do you mean if passkeys work without Play Services having the network permission? I tried this just now, and I could use Proton Pass to both register and sign in with a passkey when the network permission for Play Services was revoked.