Can't create Passkeys in Whatsapp with Play Services enabled

decadentist

Hi,

I have both Whatsapp and Play Services enabled in my main profile. I want to secure my Whatsapp with a Passkey. When I click on it I get this error message.

https://i.imgur.com/SEqn7cg.png
https://i.imgur.com/6Lf1IxY.png

Is this error caused by myself or could it possibly be whatsapps "fault" because they only allow this for google certified devices comparable to google pay?

fid03

decadentist These passkeys need to be stored somewhere.

In practice, for Whatsapp you need to have installed a password manager that supports passkeys, such as Bitwarden or Proton Pass. When you have installed and signed in to your password manager, go to the Settings app > Passwords, passkeys & accounts > toggle on your password manager.

I don't know if it will work with Google's Password Manager on GrapheneOS.

Note that you currently won't be able to use physical security keys with Whatsapp on GrapheneOS.

decadentist

fid03

Ohh okay, but I thought passkeys are stored on the Titan M2 RISCV chip, are they not? And to get saved there there needs to be a app which is responsible to managing the passkeys, correct? From my perspective this seems to be a non optimal implementation. The user shouldn't rely on a third party app to interact with passkeys, should they? ASOP should ship with passkey support out of the box imho.

... anyway... I will try it with bitwarden. I have the unix password store app installed atm, which doesn't support passkeys.

Why doesn't whatsapp allow using passkeys? Is there an official statement? Can you link a discussion where this is explained in more detail?

Thank you for your reply.

W1zardK1ng

decadentist Passkeys are implemented as a replacement for passwords, if passkeys are stored on devices how you can use it when you migrate to a new device or on your PC. Normally passkeys will be stored to the linked google or apple accounts, but you can use third party password managers like keepassdx or bitwarden to store them.

fid03

decadentist Ohh okay, but I thought passkeys are stored on the Titan M2 RISCV chip, are they not?

They can be stored on the local device's secure element, but as far as I know this is not a user-facing choice with Play services. In some cases Play services will give you the choice to store a passkey on the local device, but last time I tested that those passkeys got cleared when I reinstalled or deleted app data for Play services. So not something I would rely on, and doesn't seem to be an option for Whatsapp.

Storing passkeys to the secure element is unfortunately not a native feature to AOSP. A GrapheneOS developer has said in the past that they want to implement that feature for Vanadium. There is an open GitHub issue for it.

decadentist And to get saved there there needs to be a app which is responsible to managing the passkeys, correct? From my perspective this seems to be a non optimal implementation.

I agree. In Vanadium it's possible – but support being unreliable – to register passkeys also on an external security key – but yes, you need a third-party app to do so. You can do that with Play services or using an app such as HW Fido2 Provider. The latter also supports them being stored locally (to the secure element?), but there's no interface to manage them yet. I wrote a guide on how to (mostly) overcome the bugs with security key usage on Vanadium, but I'm not sure it's up to date anymore.

I don't know if even stock Pixel OS gives you the option in Whatsapp to save a passkey to a security key. That is possible on stock Pixel OS with Play services in general but Whatsapp can also disallow it.

W1zardK1ng Passkeys are implemented as a replacement for passwords, if passkeys are stored on devices how you can use it when you migrate to a new device or on your PC. Normally passkeys will be stored to the linked google or apple accounts, but you can use third party password managers like keepassdx or bitwarden to store them.

The FIDO Alliance decided to highlight cloud-syncable passkeys in their promotion campaigns on passkeys. I guess because that's a user-friendly approach for most people. That doesn't mean it's the only option.

decadentist

I found this app today by accident which seems to let you manage local passkeys.

"2fa"

You can find it in the accrescent app store.

EDIT: okay this seems to be just TOTP and no Passkeys.

Unb0rn

So, were you able to register a passkey in password manager?
When I'm trying to do so I go through the whole process, after initial confirmation of saving into password manager I get another screen with "Use your screen lock" that asks for my password. And after entering my password I get a popup - "Use pin, pattern or passwword. To start using passkeys on this device, try to unlock your device again by selecting "Use PIN, pattern, or password" and a button "Try again". Pressing the button will present me the same "Use your screen lock" screen and it's an endless loop.

Tried registering in other places (webauthn test) and I get exactly the same result

pingu-the-penguin

Unb0rn Play Services doesn't support Passkey registration yet. Use a cloud-based password manager like Bitwarden or Proton Pass. You could also use a local option like KeePassDX.

Edit: Issue I created about the matter a long time ago.

Unb0rn

So, this is a Graphene compatibility layer bug. Got it. Thanks!
Added a thumbs up to the PR