FIDO2 security keys on GrapheneOS: a summary

AelwennBZH

Yup, but both Play store and play services have network permission, from the beginning.
But it's possible that I'm just unlucky and that the pin code works for other people. Random bug maybe.
I've got a third device I can test, so I'll see.

DeletedUser370

Due to a recent upstream change in Chromium, OS autofill services that support passkeys can no longer be enabled if you want to use passkeys on security keys. In practice, that means that password managers such as Proton Pass and Bitwarden must be disabled in Settings > Passwords, passkeys & autofill. You'll lose password autofill by disabling this.

This is due to Sandboxed Google Play not displaying the option of choosing between security keys and password managers / local passkeys in Play's FIDO authentication dialog. This is possible for several months now on stock PixelOS, but Sandboxed Google Play seems to be displaying an older UI which does not have this option.

In Vanadium and other Chrimium-based browsers it was possible to work around this by disabling the experimental flag "Android Credential Management for passkeys", but this flag has now been removed from Chromium. Play seems to favour passkeys with password managers / local passkeys.

For apps that don't call the default web browser for signing in/up with passkeys (such as Discord and Microsoft Teams), it doesn't seem possible to sign in with security keys unless they are used as MFA (in that case, you are probably not signing in with passkeys anyway).

I'll update the guide at some point.

DeletedUser370

DeletedUser370 In Vanadium and other Chrimium-based browsers it was possible to work around this by disabling the experimental flag "Android Credential Management for passkeys", but this flag has now been removed from Chromium.

This also means that registering passkeys on security keys no longer seems possible (no dialog is ever shown).

AelwennBZH

DeletedUser370

This is due to Sandboxed Google Play not displaying the option of choosing between security keys and password managers / local passkeys in Play's FIDO authentication dialog. This is possible for several months now on stock PixelOS, but Sandboxed Google Play seems to be displaying an older UI which does not have this option.

Is this an possible exclusion of non-certified alternative OS from Google to use this option ?
The GrapheneOS play services are supposed to be the same as Google's, except for the privileges. What could make this function incompatible?

Murcielago

AelwennBZH proclaim

Did you pay attention to this hint posted by DeletedUser370 ?

Due to a recent upstream change in Chromium, OS autofill services that support passkeys can no longer be enabled if you want to use passkeys on security keys. In practice, that means that password managers such as Proton Pass and Bitwarden must be disabled in Settings > Passwords, passkeys & autofill. You'll lose password autofill by disabling this.

This is due to Sandboxed Google Play not displaying the option of choosing between security keys and password managers / local passkeys in Play's FIDO authentication dialog. This is possible for several months now on stock PixelOS, but Sandboxed Google Play seems to be displaying an older UI which does not have this option.

In Vanadium and other Chrimium-based browsers it was possible to work around this by disabling the experimental flag "Android Credential Management for passkeys", but this flag has now been removed from Chromium. Play seems to favour passkeys with password managers / local passkeys.

I was able to reproduce your error (Vanadium 135.0.7049.38.0 | Build 2025032500), when, contrary to the above mentioned instruction, i enabled my password manager in Settings> Passwords, passkeys & accounts> Preferred service for passwords, passkeys & autofill.

If I set it to none my security key works fine with Vanadium (with the drawback that autofilling passwords/usernames no longer works).

A small hint: If you don't always want to search this and other discussions:

@DeletedUser370 was so kind and made the effort to write (and apparently update) an instructive overview about security keys and their interaction with GrapheneOS here:

https://gist.github.com/FID02/48f5130c2151b6d10a04bdfda0cb1c90

Molasses

DeletedUser370

Thanks for the tip.

Temporarily setting the Autofill Provider to none and switching it back after using my Yubikeys worked.

BaronAfanas

DeletedUser370 I get the notification in Brave that the browser is not supported. What a pity. It only works on my laptop for now.

DeletedUser370

I rewrote the guide. It should be up to date as of this post. I added some jokes as well. Just to express my frustration. They're not funny. Wasn't motivated to update the guide otherwise. I will probably remove them later and write a satirical essay instead.

DeletedUser370

AelwennBZH Is this an possible exclusion of non-certified alternative OS from Google to use this option ?

I don't know. Seems a bit weird if they ban aftermarket operating systems from using a single menu option instead of banning them from using Play's FIDO altogether. The actual functionality works but it's just that menu option that isn't displayed. If Play expected privileged access then I guess that should be apparent from looking at the app logs. I haven't looked at them.

AelwennBZH

Has anyone managed to use a security key on vanadium today ? (135.0.7049.38.0 / GOS 2025032500, both current stable channel)
As soon as I enter my login details, I get an authentication error, even before entering my key.
It works on an android app (Proton calendar), but not on sites with vanadium (proton.me)
Am I the only one experiencing this problem, or is it a chromium/vanadium bug?

DeletedUser370

AelwennBZH As soon as I enter my login details, I get an authentication error, even before entering my key.

You mean before selecting "Authenticate" in Proton's login flow to be able to use the security key? If so, it sounds like you're entering the wrong username or password.

AelwennBZH

DeletedUser370

After login with my mail/password.
Once I'm on the ‘use your security key’ page, I immediately get an error message (specifi on each sites) and I can't do anything. On addy, on proton, on github.
My login details are correct, since I go through bitwarden, and it works on the proton app but not the web version.
I don't have my tablet with me to test on a second device

proclaim

AelwennBZH

I have similar issue with Vanadium from month and still same w/o fix . I post here https://discuss.grapheneos.org/d/21340-yubikeys-stop-working-again .

For now I just installed other browser (Vivaldi) and set it to default to get web/app logins to work with my yubikeys .

I love Vanadium, and always be my prefered browser on GOS, but ultimate experience is terrible, sorry .

AelwennBZH

proclaim

At least it reassures me that I'm not the only one with the problem...
However, some apps, like tutanota, will also use vanadium for fido, so even installing another browser only partially solves the problem.

proclaim

AelwennBZH
You must be set the installed browser as default .
edit: To fix issues with apps like example Tuta.

AelwennBZH

proclaim

Thanks for the tip, I thought it was always on vanadium.
Well, there's no rush, so I'll wait a while before installing another browser. I hope that Fido will one day be stable on Android.

proclaim

Murcielago
Thanks, I test again with autofill option set to none and yes is works now . Sadly no autofill, for now I goin to use autofill with my pm, and just when I need security keys disable the option , since I think Vanadium not need to be restarted to apply the changes .

DeletedUser370

Ok, so the workaround of disabling OS autofill services for passkeys now seems to be needed for all authentication with FIDO. Will have to update my guide. (Will also scream into a pillow).

AelwennBZH

That's what I tried last before coming here, but I didn't think about restarting vanadium...
it works for me too, but... It's still a big step backwards, I don't understand the point. It worked well before.

DeletedUser370

AelwennBZH It's still a big step backwards, I don't understand the point.

This is not by design. It's a regression somewhere.

AelwennBZH

DeletedUser370

I hope so, but google sometimes makes me doubt...
Or maybe it's GrapheneOS that needs to make corrections, but if there's a regression 3 times a year, it's going to get complicated for them too.

DeletedUser370

Holy cow I wrote a long post. You are excused for not reading it.

AelwennBZH I've seen the project account state that they're aware that some people have recurring issues with security keys and Play services but that it's not clear why. There are more than 3 regressions a year, I can tell you (but some of these might be reproducible on stock PixelOS as well).

On PixelOS, the FIDO menus from Play services look and behave slightly differently compared to Sandboxed Google Play. It looks like Sandboxed Google Play displays menus that PixelOS used to display in the past. It might be that the new menus on PixelOS are simply bundled with PixelOS and not Play services itself, or that they require privileged access. It would explain the incompatibility issues with Sandboxed Google Play, but I'm just guessing wildly here.

On top of that, you have frequent changes to upstream Chromium which requires frequent testing to discover if regressions have been introduced. I'm following the GrapheneOS Alpha/beta testing chat quite closely, but cannot recall that anyone has mentioned issues with security keys and Vanadium recently.

It's not clear how many GrapheneOS users are using security keys, but the low number of issue reports suggest that there is not a high number of users that do. Furthermore, there are other regressions in the OS with almost every update to AOSP that need to be hunted down and fixed because they will affect a significant number of users.

If I were to say that "the developers of GrapheneOS probably have a lot on their hands", I suspect that that would be an understatement. I'm not sure how many resources the GrapheneOS team wants to use in fixing all the issues with security keys – or figuring out if they are fixable. The plan is for GrapheneOS to provide native support for FIDO, so how many hours would fixing existing (and weird) issues with Sandboxed Google Play take away from that, one may wonder.

There have been cases where FIDO broke so badly that the developers prioritized fixing it as soon as possible. I recall an OS release in the alpha channel being cancelled because users reported FIDO dying. (Although a fix was later released through Gmscompatconfig instead).

It seems that security keys are especially prone to breakage.

Meanwhile, it seems pretty clear to me that Google – a FIDO Alliance board level member – is not prioritizing fixing very apparent issues with FIDO in their own software. For instance, on PixelOS it is not possible to use Play Store to add a passkey to your account, because the button for it does nothing. I was initially so surprised by this that I tested it across two different Pixel devices, and since then I have occasionally checked it again between every factory reset of my Pixel 6a (about a dozen), and after probably half a year that button still doesn't work.

Please note that I do not speak for the GrapheneOS project.

« Previous Page Next Page »