Passkeys as MFA on GrapheneOS: a guide

xYz There will be a dialog asking you to enable Bluetooth, but you have to be able to scan the QR code first.

When you scan the code with the Camera app, a string starting with "FIDO:" should show. You then have to press the tiny "Go to" icon in the upper right corner of that tiny UI box. Then start the passkey flow. I could clarify this in the guide.
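The "FIDO:" string mentioned above is the payload of the browser's hybrid-transport (CTAP 2.2, formerly caBLE v2) QR code. Added example, not code from this post, from GrapheneOS or from any browser vendor: a decoder for that string in JavaScript. The wire layout it assumes (a "FIDO:/" prefix, the CBOR map digit-encoded as 7-byte little-endian chunks of 17 decimal digits, and map keys 0 to 5) is my reading of the CTAP 2.2 specification, not anything stated in the thread, so verify it against the spec before relying on it. The sample payload is constructed and its "public key" is not a real curve point.

```javascript
// Added example, not code from the forum post, GrapheneOS or any browser vendor:
// decode the "FIDO:/..." string a phone camera shows after scanning a browser's
// passkey QR code (CTAP 2.2 hybrid transport, formerly caBLE v2).
// ASSUMED layout, from my reading of the spec (verify before relying on it):
// after the prefix, a CBOR map is digit-encoded as 7-byte little-endian chunks
// of 17 decimal digits; a trailing 1..6-byte chunk uses 3,5,8,10,13,15 digits.
// Map keys: 0 = compressed P-256 public key (33 bytes), 1 = 16-byte QR secret,
// 2 = tunnel-server domain count, 3 = epoch seconds, 4 = linking supported,
// 5 = operation hint ("ga" = sign-in assertion, "mc" = registration).

const PARTIAL_DIGITS = [0, 3, 5, 8, 10, 13, 15];
const hex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");

function digitEncode(bytes) {
  let s = "";
  for (let i = 0; i < bytes.length; i += 7) {
    const chunk = bytes.subarray(i, i + 7);
    let v = 0n;
    for (let k = chunk.length - 1; k >= 0; k--) v = (v << 8n) | BigInt(chunk[k]);
    s += v.toString().padStart(chunk.length === 7 ? 17 : PARTIAL_DIGITS[chunk.length], "0");
  }
  return s;
}

function digitDecode(digits) {
  const out = [];
  for (let i = 0; i < digits.length; i += 17) {
    const group = digits.slice(i, i + 17);
    const n = group.length === 17 ? 7 : PARTIAL_DIGITS.indexOf(group.length);
    if (n <= 0) throw new Error("malformed digit group of length " + group.length);
    let v = BigInt(group);
    for (let k = 0; k < n; k++) { out.push(Number(v & 0xffn)); v >>= 8n; }
    if (v !== 0n) throw new Error("digit group exceeds its byte width");
  }
  return Uint8Array.from(out);
}

// Minimal CBOR (RFC 8949) subset: ints, byte/text strings, booleans, maps.
// cborEncode exists only to build the constructed sample below.
function cborEncode(v) {
  const head = (m, n) => n < 24 ? [(m << 5) | n] : n < 0x100 ? [(m << 5) | 24, n]
    : n < 0x10000 ? [(m << 5) | 25, n >> 8, n & 0xff]
    : [(m << 5) | 26, (n >>> 24) & 0xff, (n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff];
  if (typeof v === "boolean") return [v ? 0xf5 : 0xf4];
  if (typeof v === "number") return v >= 0 ? head(0, v) : head(1, -1 - v);
  if (typeof v === "string") { const b = new TextEncoder().encode(v); return [...head(3, b.length), ...b]; }
  if (v instanceof Uint8Array) return [...head(2, v.length), ...v];
  if (v instanceof Map) {
    let out = head(5, v.size);
    for (const [k, val] of v) out = out.concat(cborEncode(k), cborEncode(val));
    return out;
  }
  throw new Error("unsupported value for CBOR encoding");
}

function cborDecode(buf) {
  let pos = 0;
  const u8 = () => { if (pos >= buf.length) throw new Error("truncated CBOR"); return buf[pos++]; };
  const bytes = (n) => { if (pos + n > buf.length) throw new Error("truncated CBOR"); const b = buf.subarray(pos, pos + n); pos += n; return b; };
  const item = () => {
    const ib = u8(), major = ib >> 5, ai = ib & 0x1f;
    let n = ai;
    if (ai === 24) n = u8();
    else if (ai === 25) n = (u8() << 8) | u8();
    else if (ai === 26) n = u8() * 2 ** 24 + (u8() << 16) + (u8() << 8) + u8();
    else if (ai > 26) throw new Error("unsupported CBOR argument " + ai);
    if (major === 0) return n;
    if (major === 1) return -1 - n;
    if (major === 2) return bytes(n);
    if (major === 3) return new TextDecoder().decode(bytes(n));
    if (major === 5) { const m = new Map(); for (let i = 0; i < n; i++) { const k = item(); m.set(k, item()); } return m; }
    if (major === 7 && (n === 20 || n === 21)) return n === 21;
    throw new Error("unsupported CBOR item, major type " + major);
  };
  const v = item();
  if (pos !== buf.length) throw new Error("trailing bytes after CBOR item");
  return v;
}

function parseFidoQr(text) {
  const m = /^FIDO:\/?(\d+)$/.exec(text);
  if (!m) throw new Error("not a FIDO hybrid-transport QR payload");
  const map = cborDecode(digitDecode(m[1]));
  if (!(map instanceof Map)) throw new Error("payload is not a CBOR map");
  const pub = map.get(0), secret = map.get(1);
  if (!(pub instanceof Uint8Array) || pub.length !== 33 || (pub[0] !== 2 && pub[0] !== 3))
    throw new Error("key 0 must be a 33-byte compressed P-256 point");
  if (!(secret instanceof Uint8Array) || secret.length !== 16)
    throw new Error("key 1 must be a 16-byte QR secret");
  return { peerPublicKey: hex(pub), qrSecret: hex(secret), tunnelDomainCount: map.get(2),
           epochSeconds: map.get(3), supportsLinking: map.get(4), operationHint: map.get(5) };
}

function buildSampleQr() {
  // Constructed values for the example, not a real session (the point is not on the curve).
  const map = new Map([
    [0, Uint8Array.from([0x02, ...Array.from({ length: 32 }, (_, i) => i + 1)])],
    [1, Uint8Array.from({ length: 16 }, (_, i) => 0xa0 + i)],
    [2, 2], [3, 1718000000], [4, true], [5, "ga"],
  ]);
  return "FIDO:/" + digitEncode(Uint8Array.from(cborEncode(map)));
}
```

The practitioner's point: the payload carries the browser's ephemeral public key and the QR secret, both inputs to the key derivation that authenticates the phone-to-browser tunnel, so anyone who can read the QR code (a screenshot, a shared screen, a photo) can attempt the pairing. Scan it only with the phone you intend to use.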


    fid02 Thanks for the response. Using your clarification I got further than last time but still can't get it set up with Bitwarden (I want to set up a passkey to log in to my Bitwarden account).

    I pressed the "go to" (box with an arrow) icon, chose to turn on Bluetooth, gave Google Play services permission, scanned the QR and at the next prompt chose "Skip the QR code next time," and then received an error message "Something went wrong, restart the process on your other device to try again." Upon going to my other device (a Win 10 Pro laptop, standard user account) running the Brave browser, a popup says "Error creating passkey." I dismiss it and I see my GOS phone listed for vault.bitwarden.com. I click on it and a popup says "Check your device. A notification was sent to [name of GOS phone]." But I receive no notification.

    How is the passkey notification sent? I checked and noticed that Google Play Services' Notifications permission was turned off. I turned it on and tried again, and I get the same message that a notification was sent, but I see nothing on the phone. After several minutes the popup says "Something went wrong. Request timed out."

    So I deleted the passkey and went back through the process to create a passkey, but this time instead of saying, "Something went wrong..." it now says "No passkeys available. There aren't any applicable passkeys on this device. Try a new device or create a new passkey." Nevertheless my GOS phone passkey is once again listed in Brave Browser and it exhibits the same behavior as before when I attempt to use it... "Check your device... a notification was sent to [name of GOS phone]." I also tried disabling my laptop firewall, but it did not make a difference.

    [EDIT: Additional info]

      xYz Which version of Bitwarden are you using? Only the latest beta versions of Bitwarden have passkey support on Android. I'm on Bitwarden version 2024.4.1 (versioncode 10283). You'll have to opt-in to beta releases for this to work.

      If you're on the beta and it still doesn't work, could you try disabling and re-enabling the toggle for Bitwarden in Settings > Passwords & accounts > Cogwheel > Bitwarden?

      I did test this just now using the latest Bitwarden Beta and registration works fine, although sign-in does not work. I'll see if I can reproduce that on stock PixelOS and then report it to Bitwarden.

      xYz (I want to setup a passkey to login to my Bitwarden account).

      Oh, I missed that part. Do you have any password managers set in Settings > Passwords & accounts > Cogwheel? Could you please clarify if you are trying to save this passkey as MFA in your Bitwarden vault? Or for your Bitwarden account itself?

      And are you trying to save the passkey on the device and not in a password manager? Using this method, I'm not sure that is doable.


        I can't find the passkey flag in Vanadium. Was it removed? ProtonPass says passkeys are not supported.

        Edit: nevermind. I was confused. It works. Also, wrong thread.

        Is the process described in the OP not a thing on Firefox? I tried the same thing except with FF and got nothing, went ahead and installed the Brave RPM and it worked right away.

          Storm Firefox on Fedora Linux does not show the passkey prompt for me. I have not tested other distributions on desktop. Firefox on Windows uses Windows' native FIDO authentication flow. I think it likely to be a missing feature in Firefox on Linux. (I thought I had posted about this, but apparently it didn't make it farther than my personal notebook).

            fid02 Bummer, I'm going to have to try it out later today then on my Windows 11 Desktop

            fid02 Thanks for the replies. I'm on non-beta Bitwarden 2024.5.1 (10574) and Bitwarden is set as my phone's password manager. I am trying to save the passkey to login to Bitwarden itself.

              xYz At the moment only the beta version of Bitwarden supports passkeys.

              Passkeys are not MFA, and you cannot use Bitwarden as your MFA. It can only be stored on the device locally.

                Upstate1618 The first post in this thread describes how to save a FIDO private key in a password manager, instead of on a hardware key. "Passkeys" is just a term that users are familiar with. I could rename the topic to "FIDO private keys as MFA in a password manager on GrapheneOS", but who's going to care.

                If you are stuck and unable to continue with the guide, please specify what the issue is. If you want to make an argument for always using the term "passkey" in the FIDO Alliance's definition of the term as password-less authentication, please just start a new topic.
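The distinction drawn above (a FIDO private key used as a second factor versus a password-less passkey) is something a relying party chooses at registration, and the authenticator data it gets back tells it where the resulting credential lives. Added example in JavaScript, not code from this thread, from GrapheneOS or from Bitwarden: creationOptions() builds the WebAuthn request for either mode, parseAuthenticatorData() reads the fixed part of the returned authenticator data, and classifyStorage() uses the BE/BS flags to tell a syncable password-manager credential from a device-bound one. The function names, the rpIdHash stand-in and the sample bytes are constructed for the example; the COSE public key is left undecoded.

```javascript
// Added example, not code from the forum post, GrapheneOS or Bitwarden:
// relying-party side of "FIDO key as MFA" versus "passkey". creationOptions()
// asks for a non-discoverable second-factor credential ("mfa") or a
// discoverable passkey ("passkey"); parseAuthenticatorData() reads the
// authenticator data returned at registration, whose BE/BS flags tell the
// site whether the credential may sync (password manager) or is device-bound.
// Names and the sample bytes are constructed for the example.

const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_BE = 0x08, FLAG_BS = 0x10, FLAG_AT = 0x40, FLAG_ED = 0x80;
const hex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");

function creationOptions({ mode, rpId, userId, userName, challenge }) {
  if (mode !== "mfa" && mode !== "passkey") throw new Error("mode must be 'mfa' or 'passkey'");
  const passkey = mode === "passkey";
  return {
    publicKey: {
      rp: { id: rpId, name: rpId },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: {
        // MFA: the password is factor one, so a non-discoverable credential and
        // user presence are enough. Passkey: it replaces the password, so it must
        // be discoverable and user-verified.
        residentKey: passkey ? "required" : "discouraged",
        requireResidentKey: passkey,
        userVerification: passkey ? "required" : "preferred",
      },
      attestation: "none",
      timeout: 120000,
    },
  };
}

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticator data shorter than 37 bytes");
  const flags = authData[32];
  const out = {
    rpIdHash: hex(authData.subarray(0, 32)),
    userPresent: !!(flags & FLAG_UP),
    userVerified: !!(flags & FLAG_UV),
    backupEligible: !!(flags & FLAG_BE),
    backedUp: !!(flags & FLAG_BS),
    hasExtensions: !!(flags & FLAG_ED),
    signCount: authData[33] * 2 ** 24 + (authData[34] << 16) + (authData[35] << 8) + authData[36],
  };
  if (out.backedUp && !out.backupEligible) throw new Error("BS set without BE is invalid");
  if (flags & FLAG_AT) {
    if (authData.length < 55) throw new Error("truncated attested credential data");
    const idLen = (authData[53] << 8) | authData[54];
    if (authData.length < 55 + idLen) throw new Error("truncated credential id");
    out.aaguid = hex(authData.subarray(37, 53));
    out.credentialId = hex(authData.subarray(55, 55 + idLen));
    // COSE_Key CBOR follows (then extensions if ED is set); left undecoded here.
    out.credentialPublicKeyCose = hex(authData.subarray(55 + idLen));
  }
  return out;
}

function classifyStorage(parsed) {
  if (!parsed.backupEligible) return "device-bound";
  return parsed.backedUp ? "synced" : "backup-eligible, not backed up";
}

function checkRegistration(mode, parsed, expectedRpIdHashHex) {
  const problems = [];
  if (parsed.rpIdHash !== expectedRpIdHashHex) problems.push("rpIdHash mismatch");
  if (!parsed.userPresent) problems.push("UP not set");
  if (mode === "passkey" && !parsed.userVerified) problems.push("UV required for a passkey");
  if (!parsed.credentialId) problems.push("no attested credential data");
  return problems;
}

function sampleAuthData(flags) {
  // Constructed: rpIdHash = 32 x 0x11 (stand-in, not a real SHA-256), zero sign
  // count, zero AAGUID, 4-byte credential id, empty CBOR map as the key.
  return Uint8Array.from([
    ...new Array(32).fill(0x11), flags, 0, 0, 0, 0,
    ...new Array(16).fill(0), 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef, 0xa0,
  ]);
}
```

A site that only ever wants the second-factor flavour should still record the BE/BS result: a credential reported as synced can be exercised from any device the password manager syncs to, which changes what the "second factor" actually proves.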

                  fid02 Google shows the error message "Your encrypted data is locked on this device" when creating a passkey. What's wrong? Thank you.

                    Upstate1618 This is related to Google Password Manager not allowing you to store and sync passkeys to your Google account. I attempted to summarize the issue here, and I think the summary is still relevant: https://github.com/GrapheneOS/Vanadium/issues/390#issuecomment-2028915920

                    It's not clear that this is an issue specific to GrapheneOS or non-stock Android OSs, as a web search on the issue shows that some users get this error even on stock Android OSs. They had to first activate passkey sync with Google Password Manager on a different device, before they could use it on their primary device. It's all a bit confusing and unclear.

                    Note that this does not affect the usage of passkeys with third-party password managers.

                    When I try to register a passkey directly from Vanadium, an error occurs.
                    When I try to register a passkey from Edge on Windows onto GOS, after turning on Bluetooth, it stays pending at "connecting" and then eventually fails.

                      Upstate1618 Set on-device encryption on my Edge for PC

                      That is not going to work. The only way I know of getting passkey sync with Google Password Manager to work on GrapheneOS is to follow the exact steps that I outlined in my GitHub post. You have to provide the unlock PIN of a different phone, likely with a stock Android OS.

                      This thread is really not about troubleshooting Google Password Manager passkey sync. It is known to be problematic on GrapheneOS due to restrictions set by Google. Recommend creating a new thread.

                        fid02 thanks. I don't want to log in on my other Android phone. I'll have to wait for Bitwarden stable.

                        19 days later

                        Hi, can you help me with Proton? There are two problems.

                        1. I cannot register FIDO2 credentials on Vanadium for Proton. It ends with error messages like "error while registering".
                        2. I cannot use Bitwarden as FIDO2 on Vanadium for Proton. The FIDO2 credential in Bitwarden was registered on my Edge for PC and works well on Edge for PC. However, I cannot use it while logging in to Proton through Vanadium.

                        Thanks.

                          Upstate1618 I cannot register FIDO2 credentials on Vanadium for Proton. It ends with error messages like error while registering

                          You should be able to do this from within Vanadium, without a computer, without a security key, and without following my guide. When you register a security key to your Proton account, make sure to select "Allow platform keys".

                            Upstate1618 Huh, you're right. I can't manage to either. It definitely worked for me a few weeks ago (and another user confirmed), but now doesn't. A pity.

                              GrapheneOS I have done that now. Although it still does not work, I suspect this feature is actually not supported by Play Services. It's regarding saving a FIDO credential on the device, not in a password manager. I can test on stock PixelOS later.

                              After testing registration on webauthn.io, registration fails due to "An unknown error occurred while talking to the credential manager". The OP says registration doesn't work, is this still true or do I need to tweak something?

                              Also I am unsure how KeepassDX stores passkeys (or any other app for that matter). I played around with autofill, but since you can't register a passkey on GrapheneOS I can't save a passkey to keepassdx. And even if I did, I'm not sure where the passkey data is saved. Is it saved to my database or the app itself? And if it's saved to the database, where exactly does that data reside, is it user accessible?

                              I imagine passkeys stored on the device are stored in the security chip (in my case the Titan M1, which is a TPM, right?). But under Passwords, Passkeys, and data services, to save passkeys to the device do you need to select "none"?

                              What does "Automatically sync app data" mean? The description doesn't help. What does it refer to?

                                gk7ncklxlts99w1 It sounds like you are trying to register a passkey using Vanadium without having a passkey provider set in System Settings > Passwords & Accounts. That webauthn demo page is trying to call the credential manager to register a password-less passkey. This thread is about passkeys as MFA, not password-less passkeys. I have answered your question here: https://discuss.grapheneos.org/d/12056-fido2-security-keys-on-grapheneos-a-summary/4

                                As to whether or not keepassdx supports passkeys, a web search might give you the answer you need.

                                gk7ncklxlts99w1 Also I am unsure how KeepassDX stores passkeys (or any other app for that matter). I played around with autofill, but since you can't register a passkey on GrapheneOS I can't save a passkey to keepassdx. And even if I did, I'm not sure where the passkey data is saved. Is it saved to my database or the app itself? And if it's saved to the database, where exactly does that data reside, is it user accessible?

                                KeePassDX does not currently support passkeys. When it does, I suspect it will use the same fields as KeePassXC.

                                6 days later

                                It looks like the Proton Pass extension for desktop (tested on Brave, Windows 11) is able to save any FIDO credential in the password manager: when you select to add a security key to an account, the extension pops up a message asking if you would like to store the passkey in Proton Pass. I tested this for Ente, Tuta and even Proton, and after being stored in Proton Pass the passkeys can be used as MFA in Vanadium without issues. I wasn't aware that the Proton Pass extension had this feature. That might be a simpler way to save passkeys and use them as MFA rather than following my guide.

                                Has anyone tried this with Bitwarden or other password managers that can store passkeys?

                                  For Bitwarden, you can register and authenticate passkeys and non-passkeys on PC.
                                  You can register and authenticate passkeys using Bitwarden on GOS.
                                  You can register and authenticate non-passkeys directly on GOS (except Proton). You cannot register or authenticate non-passkeys using Bitwarden on GOS.

                                  You can register and authenticate passkeys and non-passkeys directly on PC, and on a YubiKey on PC as well.
                                  You cannot register passkeys on a YubiKey from GOS (this is different from stock). Authentication not tested (requires USB and I do not have an A-to-C cable).
                                  You can register and authenticate non-passkeys on a YubiKey from GOS.

                                  From PC, I cannot register or authenticate passkeys and non-passkeys on GOS. This is different from your first post. I'm stuck at "connecting your device" after scanning the QR code.
                                  From GOS, you cannot R/A passkeys on another iPhone/Android. You may be able to R/A non-passkeys on another iPhone/Android (not tested). You cannot R/A passkeys/non-passkeys on another PC/Mac.

                                  To summarize, my main problems are:

                                  1. I cannot register a Proton non-passkey on GOS directly.
                                  2. From PC, I cannot register or authenticate passkeys and non-passkeys on GOS. I'm stuck at "connecting your device" after scanning the QR code.
                                  3. You cannot register passkeys on a YubiKey from GOS (this is different from stock).
                                  4. You cannot register passkeys on another iPhone/Android from GOS (this may be different from stock).

                                  Not tested:

                                  1. Authenticating passkeys on a YubiKey from GOS.
                                  2. Registering and authenticating non-passkeys on another iPhone/Android.

                                    fid02 It seems you register a non-passkey for Proton on Proton Pass on your PC and authenticate it on your PP using Vanadium on GOS. This is impossible. Can you be sure and give more details?

                                      Test time: today
                                      Test environment: P8P GOS2024061400, Vanadium 126.0.6478.110.0, Vanadium Config 24, Bitwarden Stable
                                      Windows 11 22H2, Edge 126.0.2592.56, Bitwarden Extension Stable
                                      @fid02 If you cannot register passkeys on GOS using Proton Pass, I suggest you clear all your chrome://flags.

                                      Upstate1618 It seems you register a non-passkey for Proton on Proton Pass on your PC and authenticate it on your PP using Vanadium on GOS. This is impossible. Can you be sure and give more details?

                                      It's not impossible. I simply did this:

                                      1. Open up Brave on Windows with the Proton Pass extension, and sign in to ente.io or some other site that supports setting up FIDO as MFA. Ente.io calls it "passkeys". I'd prefer to avoid another discussion on the technical inaccuracies of the usage of that term, please.
                                      2. Select to register the FIDO credential with the service, and observe that the Proton Pass extension asks you to register a "passkey". Now accept that.
                                      3. On GrapheneOS, go to Settings > Passwords, passkeys and auto-fill > Select Proton Pass
                                      4. In Vanadium, go to settings > Autofill Options > select Other providers
                                      5. Sign in to the service in Vanadium

                                      It's really very straightforward. And no, I don't have any chrome://flags set.

                                      Upstate1618 I cannot register Proton non-passkey on GOS directly

                                      Yes. That's why I created the guide in the first post of this thread. Perhaps you missed the details?

                                      Upstate1618 From PC, I cannot register or authenticate passkeys and non-passkeys on GOS. I'm stuck at "connecting your device" after scanning the QR code.

                                      That's unfortunate, but please try basic troubleshooting first, such as rebooting your device.

                                      Upstate1618 You cannot register passkeys on Yubikey from GOS.(This is different from stock).

                                      You can, just not in Vanadium. See https://discuss.grapheneos.org/d/12056-fido2-security-keys-on-grapheneos-a-summary/4

                                      Upstate1618 authenticate passkeys on Yubikey from GOS.

                                      This works fine. See the thread I linked to above.

                                        fid02 sign in to ente.io

                                        No, I'm not talking about Ente. I'm talking about Proton. Let me explain it to you more precisely:

                                        1. On Vanadium, log in to your Proton account. In Settings > Account and recovery, add a security key with "allow platform" checked. Use your GOS device as the security key, and the procedure fails at the end, which is not expected. I'm in contact with Proton about this.
                                        2. On Edge for PC, you can create a passkey for Proton in Proton Pass/Bitwarden, but you cannot authenticate with it on Vanadium. This is expected and intended. You said you can authenticate it on Vanadium, which is impossible.

                                          Apart from that, you should be able to register an Ente passkey on GOS as follows:

                                          1. Log in to Ente on Vanadium
                                          2. Add a passkey and wait for Proton Pass to pop up
                                          3. Save your passkey in PP
                                          4. Sign in to Ente using that passkey

                                          No need to use Windows here.

                                            Upstate1618 You said you can authenticate it on Vanadium

                                              Did you actually test it? Is that passkey registered in the PP extension, or in the PP app on GOS through Bluetooth?

                                              Edit: For ente I have not tested it though. I will also do some test to see if there's difference between PP and Bitwarden.