Passkeys and Password Managers In GOS

Boncho

Hi everyone. I've been using GOS for about 3 years now and, as I recently got a new Pixel, I thought I'd take the opportunity to start using a password manager for both passwords and passkeys. However, I find myself getting confused about passkey implementation, both generally and for GOS specifically.

My understanding is that passkeys serve as a login mechanism (or user auth) using cryptographic keys as an alternative to password login and also to serve as 2FA. That, on a stock device not using a third-party password manager, passkeys are stored in Android StrongBox in the Secure Element, which is within Titan M2 on Pixel devices (similar to TPM 2.0 for PC's), and synced with Google cloud servers. If I choose to store passkeys within a password manager, my understanding is that they are instead stored within device storage as, what is essentially, just an encrypted file. Please let me know if I've got anything wrong here.

The questions I have are:

Does GOS have native support for handling hardware-secured passkeys? (I'm presuming so as it uses SE for Verified Boot)
Do I need to be using Play Services and/or Google Password Manager in order to store and manage passkeys within the SE?
Can I use a third-party password manager to manage and store passkeys in the SE or can they only store them in device storage?
Is storing passkeys within encrypted files in device storage considered adequately secure? (I know "adequately secure" is subjective, but do you personally consider it acceptable?)

I guess I'm trying to figure out whether it's possible to have a setup with the following attributes:

Passkeys stored within SE
Ability to use device biometrics
Passkeys and passwords managed by the same password manager
Ability to sync passwords and passkeys between multiple devices and potentially a self-hosted server (planning to do this in the future)
No interaction with Google or any other privacy invasive service

I'm fully expecting that I will need to sacrifice something here, as is often the case with these sorts of endevours. However, I would really appreciate any help to expand my understanding, establish a realistic expectation of what's possible or to find viable options. Thank you.

schklom

Boncho I'm not a passkey expert

Does GOS have native support for handling hardware-secured passkeys? (I'm presuming so as it uses SE for Verified Boot)

Same as normal Android, I can't read that GOS does anything special w.r.t. passkeys

Do I need to be using Play Services and/or Google Password Manager in order to store and manage passkeys within the SE?

I doubt either stores passkeys differently than any other password manager, since this is an AOSP feature

Can I use a third-party password manager to manage and store passkeys in the SE or can they only store them in device storage?

I believe KeepassDX and Bitwarden can handle passkeys. If not, https://apt.izzysoft.de/fdroid/index/apk/s1m.hwfido2provider can.

No clue about storage in SE or DE, but this should be handled by AOSP natively

Is storing passkeys within encrypted files in device storage considered adequately secure? (I know "adequately secure" is subjective, but do you personally consider it acceptable?)

Personally yes. I don't really use passkeys anyway, it's way too annoying to do that in a safe way. To be safe, I want to prevent a thief from using them with my phone unlocked (thieves now often ask to unlock phone before handing it over in my city), which means it needs an extra password to unlock (like with Yubikeys), which means it's tedious and I'd rather use password+TOTP.

MineralWater

I am not an expert, but as much as I understand, the advantage of passkeys is that the are always attached to the hardware.

Even if you store them in a cloud password service, it will only work on the device you created them on.

That is why you still have a password aside of the passkey, because otherwise changing your phone would lock you out from an account.

So in the end passkeys as they are implemented today have no benefits, as thiefs who steal your passwords or cloud passwords and who are able to decrypt these, don't need the passkeys at all.

A better solution would be to have biometric passwords, so to say that you would have to log in with finger prints or real eye scan etc.

But there are also things speaking against that method.

So short, use a password manager with cloud service and hope for the best. Passkeys are a nice theoretical idea, in real life they don't improve much.

Boncho

MineralWater Correct me if I'm wrong but I though the entire point of syncable passkeys (at least from the Google/apple perspective) is that it allows users to use a passkey between devices? If syncable passkeys were only able to be used on one device it makes their syncable nature useless outside of account recovery.

I agree that poor passwords and password security can potentially negate the benefits of passkeys. However, a hash of a long, complex and unique password is as good as useless on its own. Combining good password etiquette with the convenience of a device-bound passkey would, at least in theory, buck the trend of losing convenience for security.

schweizer

I am not the ultimative expert either but I know there are hardware passkeys and software passkeys. The advantage of the latter is they can be synced to a cloud which is user friendly but makes them something like a very long password. Especially if you do not save them end to end encrypted.

I use hardware passkeys but I store them in FIDO2 dongles only. This is safe but the implementation is poor. On Windows as well as on GOS. Big tech really, pushes you hard to use their cloud service. I use the Token2 Fido2 bridge which works for any make of FIDO2 keys.

vont

I use KeePassDX and it does offer the ability to store passkeys. I have not used it for this purpose though. It's my main pasaword manager. So it does look like they have an all in one solution if that's something you really want to do and investigate.

It is cross platform as well and served me well so far. It's an offline password manager that's open source. So you will have to back up the data base and an optional key file in multiple places. It can be kind of cumbersome in that if you create a new entry you have to update your backups as well.

So my setup is as follows:

Keepass for my passwords. The main password is incredibly long. Not a big deal with the thumb print setup so you don't have to type it in everytime at least on your android. Windows and linux you will as far as I know.

To take it a step further I bought some hardware keys and have them cloned so I have a backup hardware key in case of loss or failure.

The hardware key serves 3 purposes for me.

It's required to open my keepass data base on top of the password and biometrics.
It saves my passkeys (If that's what they're called). I don't know if they're one in the same. Basically some websites allow the use of a hardware key.

I try to not have all my eggs in one basket, hence why I have something different for pass keys.

I also don't like the idea of 2FA apps that store that stuff locally. I also don't trust having a browser extension.

With Keepass that hasn't been an issue. They have what's called the "Magic Keyboard" on Android which is more manual and requires a few more steps to login somewhere, but you know what they say about convienience (Hence, it's convienient to have a browser extension all setup instead of manually doing it with a few extra ateps). In my view, more conveinience less privacy and possibly less security. On your computer you would just open the Keepass and copy from the top menu and the clipboard auto clears within how ever many seconds you set it to.

It holds my 2FA codes of the devices. So instead of having an app that stores 2FA locally (The 30 second codes), they are stored in the hardware key password protected. You still have to have an app so the hardware key will display the 2FA codes, but then you have to put the password in and touch the key. At least the one I have is that way.