Passkeys and Passwordless Auth

Currently, to my understanding, Passkeys/FIDO2 credentials are implemented in stock Android via Google Play Services. A quote from this page suggests so:

To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year.

A passkey implementation without Google Play Services would be very useful. Maybe one miraculous day it can even be landed upstream in AOSP (but that day will likely never come). I know that passkeys are meant to be resistant to device loss, and that's pretty much impossible without an insert-something account with cloud sync, which goes against the principles of the OS. Maybe an approach similar to Seedvault, i.e. backups to USB or self-hosted cloud, would be viable, but that would require a file format etc. etc. ... I'm just rambling on here, so I'll stop.

Any plans for an implementation in GrapheneOS?

Update: testing out Chrome's implementation on macOS, it creates a single-device passkey, which is not synced. This is very much doable now, as it completely removes the syncing issue. Maybe it can be implemented in Vanadium?

Both Bitwarden and 1Password are working on passkey implementation.
I expect 3rd party support will be available before anything from Google towards AOSP.

a month later

It seems like it needs to pass Google's SafetyNet in order to use it. At least that's what I get when I try to use it with Yubico's WebAuthn demo.

https://demo.yubico.com/webauthn-technical/registration

ctsProfileMatch must be true!

Regular hardware tokens do work with sandboxed Google Play though, and IMO they're more secure anyways.

4 months later

You guys mention that passkeys require Google Play Services at the moment, but what perms does GPS need? I have given it storage scopes and it allows me to use FIDO2 regularly, but when attempting to use passwordless on GitHub or passkeys.io via passkeys, I get a popup:

Can't create passkey. To create a passkey, make sure that you're signed in to your Google Account and have screen lock set up.

I don't particularly want to enable network + log into GPS on my phone, but I guess I might have to for now, until there is a GOS or AOSP implementation?

Thanks!

    beppi You can't use Google's implementation of passkeys on GrapheneOS, even with Google Play Services installed, because GrapheneOS does not meet device integrity with the Play Integrity API, as GrapheneOS is not a Google certified OS.

    Password managers like Bitwarden and 1Password are working on their own implementation of passkeys. Those should work fine on GrapheneOS.

    Brave's passkeys work on GrapheneOS. Don't know exactly how it works besides Bluetooth being used to do something.

    Tested with: Google services login.