GrapheneOS does not [currently](https://github.com/GrapheneOS/Vanadium/issues/61) have native support for FIDO security keys. To use security keys on GrapheneOS, you can install third-party apps that add support for them.
There are two known apps that enable you to use security keys on GrapheneOS:
- HW Fido2 Provider ([website](https://codeberg.org/s1m/hw-fido2-provider))
- Sandboxed Google Play
HW Fido2 Provider provides support for passkeys\* and partial support for non-passkeys\*\* on security keys in Vanadium.
Sandboxed Google Play provides support for security keys in Vanadium, and support for non-passkey sign-in in other apps.
Passkey sign-in in apps other than web browsers is the only functionality known not to work on GrapheneOS.
Those two apps can co-exist: if there is functionality that HW Fido2 Provider does not provide, a Google Play dialog will be displayed instead.
While Google Play's support is slightly more extensive, it is known to exhibit some incompatibilities on GrapheneOS. This text exists to provide you with workarounds for these incompatibilities.
(The two apps also provide support for web browsers other than Vanadium, but Vanadium is the reference browser in this text.)
# How to use Google Play for security keys
You can install Google Play from *App Store* → *Google Play services*.
For security key functionality, there is ***no*** need to:
- sign in to Play Store
- grant battery usage exemptions for Play services or Play Store
- grant extra permissions to Play services or Play Store
- enable exploit protection compatibility mode
- do anything other than leave the default settings intact
## Challenge #1: password managers
With Google Play, password managers that support passkeys take precedence over security keys, and there is no choice in Google Play's dialogs to switch between them. This is an unresolved issue with sandboxed Google Play.
Therefore, when using security keys, in most cases you must temporarily disable autofill with your password manager. To do this, go to the *Settings* app → *Passwords, passkeys & accounts* and uncheck your password manager.
## Challenge #2: registering passkeys
With sandboxed Google Play, there is an issue with registering passkeys when using Vanadium. There is no known workaround for Vanadium, but it is known to work successfully with Brave.
Note that Play services and many other services refer to all FIDO credentials as "passkeys", even when they are not. Your best bet is to just try to register the passkey/credential with Vanadium, and if that doesn't work, then try with Brave (or in Vanadium with HW Fido2 Provider).
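Whether a given request really involves a passkey (a discoverable credential) is determined by the WebAuthn options the website sends, not by the label shown in the dialog. The following JavaScript is an added example, not part of the original guide or of either app's code; the function names and sample options are constructed for illustration. It classifies the `publicKey` options a site passes to `navigator.credentials.create()` and `navigator.credentials.get()`.

```javascript
// Classify a registration request (options for navigator.credentials.create()).
function classifyRegistration(publicKey) {
  const sel = publicKey.authenticatorSelection || {};
  // Legacy fallback: when residentKey is absent, requireResidentKey decides.
  const rk = sel.residentKey ||
    (sel.requireResidentKey === true ? "required" : "discouraged");
  switch (rk) {
    case "required":
      return "discoverable";              // a passkey in this guide's sense
    case "preferred":
      return "discoverable-if-supported"; // the security key decides
    case "discouraged":
      return "non-discoverable";          // a non-passkey
    default:
      return "unknown";
  }
}

// Classify a sign-in request (options for navigator.credentials.get()).
function classifySignIn(publicKey) {
  const allow = publicKey.allowCredentials || [];
  // With an empty allow list the key must locate the credential itself,
  // which only works for discoverable credentials. With a non-empty list the
  // site supplies credential IDs, so non-discoverable credentials work too.
  return allow.length === 0 ? "discoverable" : "by-credential-id";
}

// Constructed sample options (not captured from any real site).
const samples = {
  passkeyRegistration: { authenticatorSelection: { residentKey: "required" } },
  legacyPasskeyRegistration: { authenticatorSelection: { requireResidentKey: true } },
  secondFactorRegistration: { authenticatorSelection: { userVerification: "discouraged" } },
  usernamelessSignIn: { allowCredentials: [] },
  secondFactorSignIn: {
    allowCredentials: [{ type: "public-key", id: new Uint8Array([1, 2, 3]) }],
  },
};

for (const [name, opts] of Object.entries(samples)) {
  const kind = name.endsWith("SignIn")
    ? classifySignIn(opts)
    : classifyRegistration(opts);
  console.log(`${name}: ${kind}`);
}
```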
## Challenge #3: passkeys in non-browser apps
With sandboxed Google Play, there is an issue with signing in and registering passkeys in apps other than web browsers. There is no known workaround for this. Non-passkeys work fine.
In practice, this is often not an issue, as the tendency is for apps to redirect you to the default web browser, and then redirect you back to the app after successful security key usage.
# Troubleshooting
## NFC sometimes fails
Play services does not support PIN entry when using NFC. It occasionally displays the option to use NFC, but then silently fails when you use the key. If this occurs, then try to use the USB option instead.
## Network permission for Play services and Play Store
Some users have reported that Play services and Play Store require an internet connection during the first usage of their security key. If you have disabled the Network permission for Play services and Play Store, you may have to grant them the permission, then reboot your device and try again.
## General troubleshooting
If none of the above works, you can always try the following:
- re-insert your security key
- refresh the website / close and re-open the app
- reboot your device
- double-check that you have actually registered your security key against the service that you are attempting to sign in to
- check that GrapheneOS is up-to-date
- sign in to the service on a different device, remove the security key from your account, re-add it and try again
If you are still having issues with using your key, try to look for answers by [searching the GrapheneOS forum](https://discuss.grapheneos.org/) and [community chat rooms](https://grapheneos.org/contact#community-chat).
If you are using HW Fido2 Provider, check for [known issues on their website](https://codeberg.org/s1m/hw-fido2-provider).
If you can't find a solution by searching, you can always create a thread in the GrapheneOS forum or reach out to members in the community chat rooms. In order for people to be able to assist you, please try to include the following:
- the name/model of your security key
- which third-party app you are using for security key support
- GrapheneOS version (go to the *Settings* app → *About phone* → scroll down to *Build number*)
- how to replicate your issue – for example:
   1. I am opening X app and performing Y action in the app
   2. I plug in my security key
   3. I receive the following error message
- what you have already tried (for example, "I have followed every step in this guide")
And if you are using sandboxed Google Play:
- Play services version (go to *App Store* → *Google Play services* → look at *Installed version*)
- GmsCompatConfig version (go to *App Store* → *Google Play services* → *GmsCompatConfig* → look at *Installed version*)
This might seem excessive, but providing this information makes it easier for people to provide relevant advice.
# Footnotes
\*Otherwise known as "discoverable credentials"
\*\*Registering non-passkeys works in some cases. Please see https://codeberg.org/s1m/hw-fido2-provider/issues/7#issuecomment-4438703 and https://github.com/GrapheneOS/Vanadium/issues/61#issuecomment-2833515385 for details.
Goodbye y'all 😉