Passkeys do not work on GrapheneOS. I tested several sites and all of them failed.

One of them showed an error log:
Failed!
Error: registration failed: android-safetynet attestation: ctsProfileMatch: the device is not compatible

I have Sandboxed Play Services and the Play Store installed.
Since Passkeys are the future and better than Passwords, is there a way around Play Services / an own implementation of Graphene?

ctsProfileMatch is a "Google certified OS" check, or in other words just a stock OS check because we're not Google certified. This is purely a software-based check. SafetyNet is also deprecated and replaced with the Play Integrity API. They have their own software-based checks too, such as green state verified boot (we're yellow state because we're not stock OS unless we had our own hardware vendor).

We plan to spoof these software checks so we can pass ctsProfileMatch / MEETS_DEVICE_INTEGRITY (https://github.com/GrapheneOS/os-issue-tracker/issues/1986) but it has to be done carefully, safely, and without compromising security. It's also going to be very fragile and the user will be made aware that Google at any time can and will break these bypasses because they are actively trying to prevent people from bypassing it. It's possible their changes can break apps even more.
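Added example, not part of the thread and not any site's actual code: a minimal sketch of the relying-party side of WebAuthn `android-safetynet` attestation, showing where a `ctsProfileMatch: false` verdict turns into the registration error quoted above. The function names and sample values are constructed for illustration, and JWS signature and certificate-chain verification is assumed to have happened already.

```python
import base64
import hashlib
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def expected_nonce(auth_data: bytes, client_data_hash: bytes) -> str:
    # WebAuthn android-safetynet: nonce = Base64(SHA-256(authData || clientDataHash))
    digest = hashlib.sha256(auth_data + client_data_hash).digest()
    return base64.b64encode(digest).decode()


def check_safetynet_payload(jws: str, auth_data: bytes, client_data_hash: bytes) -> str:
    """Return "ok" or the reason registration is rejected.

    Assumption: the JWS signature and its certificate chain (leaf issued to
    attest.android.com) were verified beforehand; that step is omitted here.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        return "malformed JWS"
    payload = json.loads(_b64url_decode(parts[1]))
    if payload.get("nonce") != expected_nonce(auth_data, client_data_hash):
        return "nonce mismatch"
    # The "Google certified OS" verdict discussed in the thread.
    if payload.get("ctsProfileMatch") is not True:
        return "ctsProfileMatch: the device is not compatible"
    return "ok"


def make_sample_jws(auth_data: bytes, client_data_hash: bytes, cts: bool) -> str:
    # Constructed sample; the third segment is a placeholder, not a real signature.
    header = {"alg": "RS256"}
    payload = {"nonce": expected_nonce(auth_data, client_data_hash),
               "timestampMs": 0, "ctsProfileMatch": cts, "basicIntegrity": True}
    segments = [json.dumps(header).encode(), json.dumps(payload).encode(), b"placeholder"]
    return ".".join(_b64url(s) for s in segments)


AUTH_DATA = b"constructed-authenticator-data"
CLIENT_HASH = hashlib.sha256(b"constructed-client-data").digest()
```

A relying party that requests no attestation never evaluates this statement, so the rejection comes from the site's attestation policy rather than from the passkey credential itself.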

4 months later

It works for me, at least for logging in to Google. Had to install Sandboxed Google Play Services and Chrome (the original).
On my Windows desktop, when I use Chrome to log in to my Google account I'm asked if I want to use a Passkey for login. When I do, I'm presented with a QR-code. I scan that on my Graphene OS Android phone (with a 3rd party app called Binary Eye), follow the link and see the Google-branded "Do you want to use your Passkey" screen. When I confirm, I'm asked to scan my fingerprint. Afterwards, I'm logged in on my desktop browser.
Haven't tried it with other services yet.
I had created the Passkey using the Google Android app previously. But during the process that I describe above, the Google app is deactivated.
When I relogin later, I'm not presented with the QR-code again. I can select the device ("Pixel 7") from a list and a Google Play Services notification pops up on my Graphene OS phone, which takes me to the Fingerprint screen.

    a month later

    214b9821 have you tried to activate passkey like in GitHub?

    From my phone, if I log in to GitHub (with password) and then go to GitHub settings to activate passkey, I see it says my device is partially supported (?). If I continue it says: passkey registration failed.

    Am I doing something wrong and shall I configure passkey on PC and not on phone?

      214b9821
      Using your steps and all the apps you mentioned, I was unable to register a passkey with my Google account on GrapheneOS. I get to the point when it's about to prompt me for fingerprint authentication, and then the Google account passkey registration page on my computer simply says "something went wrong".
      This is on Windows 11, stock Chrome.

      Oh, and by the way, you need to be logged in to your Google account on GrapheneOS (I logged in through Play Store) to even begin the authentication process. I don't understand what you mean by the "Google app". I am not seeing any app called simply "Google" on my device.

      The Yubico demo page worked fine. There was no need to be signed in to a Google account (thankfully). Chrome still needs to be installed and enabled, as it seems to provide the registration and authentication pages. There's no need for any third-party QR scanning app.

        Google's implementation of passkeys only works on Android devices which are Google certified, which GrapheneOS is not. Other password managers such as Bitwarden and 1Password are planning to implement passkeys too, and those should work fine on GrapheneOS.

        6 days later

        digital Same here for GitHub. Logging in to Google with a passkey still works.

        Relaks I actually have an app called Google on my phone, loaded from Play Store. If I deactivate it, logging in to Google with the Passkey on the phone doesn't work.

          Android will have 3rd-party passkey providers in Android 14. From there it's on apps like KeePassDX to implement passkey support. But DX probably won't implement them until KeePassXC does (looks like it will soon!). Proprietary apps like 1Password will most likely implement them sooner, but I wouldn't really trust them (and I say this as a previous 1Password customer for 4 years).

          Google's passkey implementation probably won't work on GrapheneOS. Don't expect it to and don't rely on it to. Think of passkeys as an API/interface rather than a product - like USB. Any provider can implement it (Apple, Google, but also 1Password, KeePass, etc.), and any website can consume it - websites don't care who the provider is.

          214b9821
          Interesting, thanks for your reply. I tried to reproduce this with the Google app installed, signed in to a Google account. I still get the same error. Likely treequel is right here, and I look forward to 1Password implementing passkey support in Android 14 (which they have announced they will support as soon as the APIs are available, so I choose to be optimistic :-) ).

          10 days later

          I just noticed that the latest update of the Android 1Password app (as of September 12th) should support this. Unfortunately it is still not working, at least for me. I can neither create passkeys nor log in with them.

          • latest GOS Android 14 for Pixel 5
          • latest 1Password version (8.10.16 of September 12th)
          • tried browsers: Fennec, Vanadium, Bromite, Brave (w/ and w/o enabled flags for passkey support on chrome-based browsers)

            roxtii Response I received from 1Password support two days ago:

            Support for saving and signing in with passkeys on Android using 1Password isn't yet available. Although Android 14 will be required for this to work, it's not yet available in 1Password for Android just yet. If you'd like to keep up to date with our passwordless developments, you may want to sign up for our newsletter:

            We hope to be able to bring passkey support to Android in the very near future, so keep an eye on our newsletter, and our release notes on the Play Store or on releases.1password.com.

            This is regarding the third-party API implementation of passkeys. I've yet to notice a single service offering the creation of passkeys using this new feature in Android 14. Notably, Chrome has added support but not yet enabled the feature by default.

              Relaks I got the PassKeys prompt from 1Password after I updated to A14. However, it doesn't seem to work yet even if the app acts like it should be working.

                hertz-vector Do you mind explaining how you got this working, and which website or app you attempted to sign in with?