No problems with Google passkey and RCS

Anais

Hello, I am writing this message because I do not understand certain things: I have read several posts from people here who say that the RCS messages are not working. I just changed operator and as if by magic the RCS works well. Second question: I manage to save passkeys with the Google password manager when some people here can't do it either... Does anyone have an explanation?

fid02

Anais Second question: I manage to save passkeys with the Google password manager when some people here can't do it either... Does anyone have an explanation?

Because of restrictions set by Google which I'm not sure anyone but Google know what actually are.

It started working for some people after a Play Services update several weeks ago. It seems like your Google account needs to have used passkeys on an eligible device or eligible Android OS previously – because when setting up passkeys on a new device or profile, you need to provide the unlock PIN of one of your other current or previously used devices. If anyone is actually confident about the mechanics and/or logics behind this, please ping me.

And if anyone is interested in using passkeys with their Google account (on GrapheneOS), I made a guide here (scroll down to the first headline), which has worked when I have tested it on fresh Google accounts made on GrapheneOS.

You can see from my instructions that it's all a mess.

Anais

fid02 My Google account is brand new. I created it this morning on grapheneos and besides I didn't need to provide a phone number. The passkeys work, the RCS works. It must be an update, Google had to tolerate Grapheneos... I don't know.

fid02

Anais Holy cow. Maybe Google lifted some more restrictions. Or someone waved a magic wand. Which Play Services version are you on? I will be testing this later.

fid02

Anais I just now created a new Google account on GrapheneOS in a fresh profile, and tried to create a passkey for the Google account and passkey.org. Google Password Manager is selected as the preferred passkey manager, but both sites fail with generic error messages. Play Services 24.24.63.

Are you sure you didn't sign in to another device before creating a passkey with Google Password Manager on GrapheneOS? If not, did you do something else to get it to work?

Anais

fid02 He asked me if I wanted to use the smartphone

fid02

Anais Not sure I understand.

FYI: when signing in to a Google account, even on GrapheneOS, it will automatically create a Google account passkey for that device. This can be used to sign in to your Google account in any web browser on GrapheneOS that supports passkeys. It will automatically ask you to confirm with your PIN or fingerprint. This passkey isn't saved to Google Password Manager, but follows the current installation of Play Services in the profile.

Perhaps this is what you mean?

If you have managed to store passkeys (with Google Password Manager) for sites other than Google, could you please provide me with the names of those sites? Would be beneficial if I could test against those.

Anais

fid02 that must be it, in fact for my google account I enter my fingerprint but it is not recorded in my account

fid02

Anais Thanks for reporting back. I think that clears things up for me.

For anyone not being able to use passkeys with Google Password Manager (or prefer not to), I'd recommend just going with a third-party manager. It's the approach most likely to just work, without too much hassle. Alternatively, a physical security key, if that suits you better.

Anais

fid02 I was talking earlier with a developer who works for a large government company and he told me that where he works they are forbidden to use browser password managers (Google or Firefox). I told him about Tavis Ormandy's blog article and he replied that every security flaw was too big a risk to have your database stolen. From his point of view, it's a serious mistake to use a gafam password manager. That got me thinking, and I'm reviewing the whole thing. This guy only uses offline tools for sensitive things like passwords and credit cards.

fid02

Anais You can use physical security keys with GrapheneOS with Sandboxed Google Play. You can store your passkeys on those. That would count as storing things offline, I assume.

fid02

Anais From his point of view, it's a serious mistake to use a gafam password manager.

Although I'm not sure why they consider password managers make by "big tech" corporations to be more "wrong" than products made by smaller companies, I assume they might have referred to cloud-synced password managers in general.

In any case, institutions that handle sensitive information that should never be leaked to the public under any circumstance, need to* carefully evaluate the services which they use to store that information. Storing passwords to sensitive systems in a third-party cloud might be considered too much of a risk: An individual's password manager being compromised and passwords leaked means the damage gets contained to that individual**, compared to attackers getting remote access to sensitive data that can damage hundreds of people's sense of privacy if leaked. It's an entirely different risk assessment.

Compromising corporate systems can also be much more motivating to an attacker simply because there is much more financial gain to be earned from blackmailing businesses.

*Or, should. Of course, lots of corporations never take digital security seriously.
**Assuming that the account logins stored in the manager belong only to that individual.

Anais

fid02 I need to think about my threat model but I think I'll switch to fdroid. They've improved their security with reproducible builds. Maybe use another profile with play services

Anais

Last night I started by transferring everything I could put offline like passwords, calendar...