University 2FA: Bridging institutional security and privacy focus

quasarsunerisvenus937

I recently migrated to GrapheneOS and encountered an interesting situation with my university's 2FA setup. Therefore I had some thoughts and questions. Maybe some parts are a bit off topic to the title of this thread (I'm sorry if yes).

The university requires device-based authentication (WebAuthn/Passkeys) for students and staff. After some trial and error, I managed to get it working with a Proton Pass passkey, but only in the profile with Google Play Services.

Current setup:

Working: Profile with Google Play Services with minimal throwaway Google Account)
Not working: Profile without Google Play Services
Using: Brave browser on both profiles (identical Brave and Chromium versions)
Authentication method: Proton Pass passkey (initially created via Windows/Brave and device registration didn't work somehow)

General 2FA infos:

device-based
concrete method is unknown to me and unsure if I would post it here if I'd know
Google Account required (GPS wasn't mentioned in the documentation)
Windows Hello is needed on Windows
Linux isn't supported directly because they don't support the method, which makes no sense to me but indirectly authentication via Yubikey or passkeys would be possible on Linux
Authentication on Android devices would use Screen Lock methods (PIN, biometrics)

The university explicitly requires a Google Account on Android devices for their WebAuthn implementation, likely due to Platform Authenticator API of FIDO2/WebAuthn requirements (but I'm not sure since I'm not from IT). I was wondering if there are any thoughts, plans or already existing integration regarding WebAuthn support without Google Play Services in GrapheneOS?

Context:
A couple of universities in my region were recently hit by ransomware and my university is constantly targeted by huge amount of cyberattacks, so I understand the strict authentication requirements. I'm very well connected within my organization and could potentially discuss internal support for GrapheneOS devices for 2FA if a possible solution meets the institutional security needs.
As far as I know there were serious considerations some time ago to use Pixel Phones with GrapheneOS to provide work cell phones for administration staff members but was rejected by the board of directors due to uncertainties about security and user-friendlyness since most employees are overwhelmed by just 2FA. Problem here was the fact that this suggestion was rejected by people who don't understand Security and Privacy at all AND without getting opinions from our IT data center, where many GOS users are.

I'm degoogling for a long time now with a lot struggle in understanding the needs and processes of Privacy and for reasons I don't understand this information spread widely within the staff and I get constantly asked for advices by people I don't even know about Privacy topics and protecting your identity on the internet. Got also requested for a collegial training. I would like to take this oppurtunity to draw some attention to GrapheneOS!!

It would be possible to initialize some internal projects facing the administration staff towards this topic. There could be also some possibilities for 3rd-party funds for a small research project measuring societal impacts. I know at this point this thoughts are very vague and incoherent to drawing attention GOS. But I'm very Interested in your insights and thoughts on this.

The main topics to be cleared and discussed would be:

Is this a known and possible use case for FIDO2/WebAuthn with GrapheneOS?
Which technical components would be necessary for a Google-free implementation for my institution?
How could GrapheneOS fulfill the security requirements of a university? (Even the data protection officer was thrilled by GOS)
Are there already plans/developments in this direction? Or is this a very difficult to solve challenge?
How would you interpret this huge amount of demand and interest to privacy by late majority adopters and laggards to digital innovations?
I'm shockingly worried about the amount of fear and insecurity I witness when talking to people about this sensitive topics. It's not that kind of psychotic paranoia I see on other Social Media Privacy platform, it's like a absolute desperate helplessness.

fid02

My impression is that you're raising topics far beyond just support for Webauthn and FIDO, most of which I'm unable to answer.

quasarsunerisvenus937 Working: Profile with Google Play Services with minimal throwaway Google Account)
Not working: Profile without Google Play Services

Google Play services is required for practically most FIDO functionality. This is because there is currently no native support for FIDO in the Android Open Source Project (AOSP), which GrapheneOS is based upon. Apps can provide FIDO functionality without Play services if they include a non-Play FIDO library for that, but very few apps do this. Most apps choose to use the Google Play FIDO library, which depends on Play services. Chromium also has no native FIDO support.

quasarsunerisvenus937 I was wondering if there are any thoughts, plans or already existing integration regarding WebAuthn support without Google Play Services in GrapheneOS?

The GrapheneOS project has expressed that there are plans to develop support for FIDO2 in GrapheneOS without a reliance on Google Play services. There is an open GitHub issue on this in the issue tracker. A GrapheneOS developer also recently expressed some potential aspects of the planned feature:

it's very unfortunate that there never ended up simply being FIDO2 via the built-in secure element, that's something we can implement ourselves though
we're going to make our own but it will probably start out just using the secure element for it and not bothering with external keys until later if at all

Note that the GrapheneOS project rarely announces ETAs for the launch of specific features, and there is no ETA for this.

Please note that I do not speak for the GrapheneOS project.

quasarsunerisvenus937 The university explicitly requires a Google Account on Android devices for their WebAuthn implementation, likely due to Platform Authenticator API of FIDO2/WebAuthn requirements (but I'm not sure since I'm not from IT).

Using passkeys with Proton Pass doesn't actually require you to sign in to a Google account in the profile where it's being used. Only the presence of Play services is required. Naturally, if you are to use Google's cloud-synced passkey service you will have to sign in with a Google account.