FIDO2 security keys on GrapheneOS: a summary

AelwennBZH

Yes, the yubico app was already installed, both on phone and tablet.
When I saw that it wasn't working, I open it with my yubikey and tried the pin code : It works inside yubico app.
I've just reinstalled yubico to test, restarted my phone. Still the same problem: I'm asked for the pin code twice and the sign-in failed...

If the yubico authenticator application also allowed you to deactivate and reactivate the key protocols, like yubico manager on windows, that would partially solve my problem, but I don't know if that's planned.

DeletedUser87

AelwennBZH that's unfortunate. May be a problem with Play Services? I'm not really sure. @DeletedUser370 is a lot more knowledgeable on that matter, so hopefully they can chime in soon.

AelwennBZH

DeletedUser87

May be a problem with Play Services?

Maybe, since without pin code, it works fine. My phone/tablet and apps are up to date, so if it was coming from there, I guess the problem would affect everyone, at least on GrapheneOS.

It's really frustrating that fido/passkey integration is so bad on android, even though google is very involved in the field...
it just makes me want to throw away my keys and give up on 2FA.

trilogy6202

AelwennBZH I completely agree. I haven't invested in HW keys because the solution on Android (at least on GOS) seams so flaky and volatile.

AelwennBZH

trilogy6202

I've registered my keys with a dozen services.
Everything works on Windows. But I had to register again my key on half of these services because on android, some apps or websites, I had to explicitly disable the fido2 protocol and only use fido U2F just to register the key.
GitHub and Bitwarden works with Fido2, but Standard Notes and Proton works only with Fido U2F.
It's not uniform at all. Fido is really a huge improvement in security, but it's currently discouraging.

trilogy6202

AelwennBZH And it's really sad that fido2 and Fido u2f isn't part of AOSP but requires gps. I don't use gps on my main profile so it's not really an option for me until it's included in AOSP or GOS makes their own implementation which I assume is pretty unlikely to happen.

AelwennBZH

trilogy6202

https://gist.github.com/FID02/48f5130c2151b6d10a04bdfda0cb1c90#user-content-fn-2-b5ffcad6ab91d3f1c1b323c46b15ec23

This is planned, but no ETA.
However, if google makes a "bad" implementation right now, I wonder if integrating directly on AOSP will change anything....

trilogy6202

AelwennBZH Thanks I wasn't aware of that. I don't expect anything in the near future however.

DeletedUser370

AelwennBZH Ente, Standard Notes and Proton apps ask me my pin code as a second factor (USB is required on the tablet), I enter it, and the same window reappears to ask me for it a second time, then error. Impossible to connect.

Grant Play services the network permission and reboot your device.

AelwennBZH

DeletedUser370

Play services already have network permission, on the tablet and on the phone.
I've revoked then restored, rebooted, still the same problem.

GrapheneOS

AelwennBZH Play Store needs it rather than Play services for it to fetch the dynamite module for FIDO2.

AelwennBZH

GrapheneOS

Yup, but both Play store and play services have network permission, from the beginning.
But it's possible that I'm just unlucky and that the pin code works for other people. Random bug maybe.
I've got a third device I can test, so I'll see.

DeletedUser370

Due to a recent upstream change in Chromium, OS autofill services that support passkeys can no longer be enabled if you want to use passkeys on security keys. In practice, that means that password managers such as Proton Pass and Bitwarden must be disabled in Settings > Passwords, passkeys & autofill. You'll lose password autofill by disabling this.

This is due to Sandboxed Google Play not displaying the option of choosing between security keys and password managers / local passkeys in Play's FIDO authentication dialog. This is possible for several months now on stock PixelOS, but Sandboxed Google Play seems to be displaying an older UI which does not have this option.

In Vanadium and other Chrimium-based browsers it was possible to work around this by disabling the experimental flag "Android Credential Management for passkeys", but this flag has now been removed from Chromium. Play seems to favour passkeys with password managers / local passkeys.

For apps that don't call the default web browser for signing in/up with passkeys (such as Discord and Microsoft Teams), it doesn't seem possible to sign in with security keys unless they are used as MFA (in that case, you are probably not signing in with passkeys anyway).

I'll update the guide at some point.

DeletedUser370

DeletedUser370 In Vanadium and other Chrimium-based browsers it was possible to work around this by disabling the experimental flag "Android Credential Management for passkeys", but this flag has now been removed from Chromium.

This also means that registering passkeys on security keys no longer seems possible (no dialog is ever shown).

AelwennBZH

DeletedUser370

This is due to Sandboxed Google Play not displaying the option of choosing between security keys and password managers / local passkeys in Play's FIDO authentication dialog. This is possible for several months now on stock PixelOS, but Sandboxed Google Play seems to be displaying an older UI which does not have this option.

Is this an possible exclusion of non-certified alternative OS from Google to use this option ?
The GrapheneOS play services are supposed to be the same as Google's, except for the privileges. What could make this function incompatible?

Murcielago

AelwennBZH proclaim

Did you pay attention to this hint posted by DeletedUser370 ?

Due to a recent upstream change in Chromium, OS autofill services that support passkeys can no longer be enabled if you want to use passkeys on security keys. In practice, that means that password managers such as Proton Pass and Bitwarden must be disabled in Settings > Passwords, passkeys & autofill. You'll lose password autofill by disabling this.

This is due to Sandboxed Google Play not displaying the option of choosing between security keys and password managers / local passkeys in Play's FIDO authentication dialog. This is possible for several months now on stock PixelOS, but Sandboxed Google Play seems to be displaying an older UI which does not have this option.

In Vanadium and other Chrimium-based browsers it was possible to work around this by disabling the experimental flag "Android Credential Management for passkeys", but this flag has now been removed from Chromium. Play seems to favour passkeys with password managers / local passkeys.

I was able to reproduce your error (Vanadium 135.0.7049.38.0 | Build 2025032500), when, contrary to the above mentioned instruction, i enabled my password manager in Settings> Passwords, passkeys & accounts> Preferred service for passwords, passkeys & autofill.

If I set it to none my security key works fine with Vanadium (with the drawback that autofilling passwords/usernames no longer works).

A small hint: If you don't always want to search this and other discussions:

@DeletedUser370 was so kind and made the effort to write (and apparently update) an instructive overview about security keys and their interaction with GrapheneOS here:

https://gist.github.com/FID02/48f5130c2151b6d10a04bdfda0cb1c90

Molasses

DeletedUser370

Thanks for the tip.

Temporarily setting the Autofill Provider to none and switching it back after using my Yubikeys worked.

BaronAfanas

DeletedUser370 I get the notification in Brave that the browser is not supported. What a pity. It only works on my laptop for now.

DeletedUser370

I rewrote the guide. It should be up to date as of this post. I added some jokes as well. Just to express my frustration. They're not funny. Wasn't motivated to update the guide otherwise. I will probably remove them later and write a satirical essay instead.

DeletedUser370

AelwennBZH Is this an possible exclusion of non-certified alternative OS from Google to use this option ?

I don't know. Seems a bit weird if they ban aftermarket operating systems from using a single menu option instead of banning them from using Play's FIDO altogether. The actual functionality works but it's just that menu option that isn't displayed. If Play expected privileged access then I guess that should be apparent from looking at the app logs. I haven't looked at them.

AelwennBZH

Has anyone managed to use a security key on vanadium today ? (135.0.7049.38.0 / GOS 2025032500, both current stable channel)
As soon as I enter my login details, I get an authentication error, even before entering my key.
It works on an android app (Proton calendar), but not on sites with vanadium (proton.me)
Am I the only one experiencing this problem, or is it a chromium/vanadium bug?

DeletedUser370

AelwennBZH As soon as I enter my login details, I get an authentication error, even before entering my key.

You mean before selecting "Authenticate" in Proton's login flow to be able to use the security key? If so, it sounds like you're entering the wrong username or password.

AelwennBZH

DeletedUser370

After login with my mail/password.
Once I'm on the ‘use your security key’ page, I immediately get an error message (specifi on each sites) and I can't do anything. On addy, on proton, on github.
My login details are correct, since I go through bitwarden, and it works on the proton app but not the web version.
I don't have my tablet with me to test on a second device

« Previous Page Next Page »