One of the major changes in android 14 was the addition for third party apps such as password managers to manage passkeys. Graphene OS does not have 3rd party support on Android 14 (and possibly doesn't have any passkey support at all). Dashlane, 1Password, and Enpass have Android support but cannot use this support on Graphene OS. Google has also made passkeys the default login method (if you ever sign in to google, but I am sure most people here don't). Bitwarden is also adding Android 14 support soon. I suggest making 3rd party Passkey management support available in Graphene OS.

    How do you know the third-party passkey implementation doesn't work / isn't supported on GOS? How have you tested this?

    Registering passkeys through a Google account requires a Google-certified device:
    https://discuss.grapheneos.org/d/4238-passkeys-not-supported/7

    GoldenDuck1 1Password

    1Password does not yet support the third-party API on Android: https://discuss.grapheneos.org/d/4238-passkeys-not-supported/13
    Dashlane supports it for apps (currently not websites) that support it: https://support.dashlane.com/hc/en-us/articles/7888558064274-Passkeys-in-Dashlane

      Relaks Yes I tested it on a Pixel 6 using all the apps I mentioned on websites and apps. (except for Bitwarden of course, because they don't have it yet.)

      I use Enpass right now with passkeys and have no issues.

      I was just now able to sign in to github.com with Vanadium using a passkey, saved in 1Password, without issues. I had to enable chrome://flags/#web-authentication-android-credential-management

      Enabling that flag seems to break or disable prompts (they don't show up) for physical security keys, like yubikeys.

        Relaks I just tried this and I have had no luck, no pop up to select a passkey or save a passkey shows up. I understand that this is still relatively new but, it still is frustrating.

        Relaks I activated that flag + 3 party, at least in Google I can choose about password + yubikey or use passkey. Can talk much about other websites but it's definitely supported in the is.

          Tozu

          Tozu I activated that flag + 3 party, at least in Google

          Does this feature require Google Services to be installed?

          • Tozu replied to this.

            Tozu
            Testing on github.com and accounts.google.com, with the flag(s) enabled I do get the option for signing in with password+yubikey, but pressing the option for yubikey does not actually show the yubikey prompt. Does it work for you?

            • Tozu replied to this.

              GoldenDuck1 indeed, at least with enpass passkeys work only with active Google play service!
              However i striped all permission from it and have no other google service active where it could steal permissions from and passkeys still work

                Relaks did not test it before as i use passkeys now (if supported). You are right it also get into an error. Somehow I managed to get the prompt once while playing around with google services but couldn't reproduce it.

                Tozu So its not natively supported in Graphene OS by default, you have to install Play Services...
                The Graphene OS developers should make a Passkey implementation so people shouldn't have to install Play Services.

                Relaks no it does not. I just enabled via your flag using 1pw and it keeps giving the "something went wrong" error.
                Tested on Vanadium, Chrome Canary, and Vivaldi

                Too late to edit last post.
                IT DOES WORK VIA 1PASSWORD

                Give me some time to run through all the steps because it is very very janky but I will come back here with a step-by-step process. I'm currently facing issues with attaching it to Google but I was able to get it to attach to passkeys.io just fine

                  N3rdTek ok so I've got good news, bad news, and strange AF news.
                  Let's start with the strange; correct me if I'm wrong but passkeys requires Android 14, correct? I have a few devices on hand due to being a tech enthusiast, one of which is a Galaxy S10. It only supports Android 12 because "Reasons" yet feels faster than my Pixel 7.... at times, but rarely ever worse.

                  However, not only can I create & sign into passkeys.io with a passkey, after enabling the chrome flag , I can do it with my Google account also. It doesn't seem to even respect my Autofill choice of 1Passwors having disabled Google as my Autofill choice in settings. Yet still detects, authenticates, and signs me into my Google account using Google password manager.
                  And to top it off? When I initially tested passkeys.io I wasn't aware I was doing from my S10 initially. When I went to test on my pixel, it asked if I wanted to sign in using my saved passkey from the S10....Stange AF right?

                  Now the bad; my pixel 7 running GoS will not work for any of my Google accounts. I've tried just about everything;

                  • setting 1pw as autofill
                  • Setting Google as autofill
                  • Trying regular ol chrome browser
                  • Trying Chrome Canary
                  • Trying any other browser
                  • Trying a brand new never used before browser (Vivaldi)
                  • Completely removing the Google account from device then trying

                  Feel free to prove me wrong I spent upwards of last hour testing.

                  And the good?
                  It works for passkey.io, it works for GitHub, I'm getting ready to try a couple more but general consensus so far seems to concur our devices will support passkeys to almost everything but Google.
                  Provided that you;

                  • enable the chrome flag as mentioned earlier chrome://flags/#web-authentication-android-credential-management
                  • set your password manager as autofill
                  • then attempt to register your passkey/device

                  This is useful to know but man, what a janky as hell future to get rid of passwords amirite?

                    N3rdTek passkeys requires Android 14, correct?

                    Only Google's passkey support for third-party services requires A14. Google's first-party implementation requires merely A9: https://support.google.com/accounts/answer/13548313?hl=en
                    But that won't work on GOS.

                    N3rdTek This is useful to know but man, what a janky as hell future to get rid of passwords amirite?

                    The support for this in Chromium/Chrome is still experimental. That's why you have to enable the experimental flag(s)... Support allegedly will arrive later this year. I don't expect anyone to think that most people would spend an hour setting up a, for the time being, clunky feature. I'm guessing that's why 1Password and the like don't want to say they officially support it yet, even though it somewhat works.

                    Personally I'm sticking to FIDO2 security keys for the time being. They just work.

                      Relaks o
                      Out the browsers I tried, for whatever reason Vivaldi felt the most stable & worked the most consistently for 1Password if that helps you or anyone else that may read this.

                      Previously was using mostly vanadium and brave nightly. No real reason why nightly other than cuz I just like purple

                      18 days later

                      Passkey sign-in with 1Password no longer seems to work in Vanadium (although it does still work in Brave): I'm prompted to select the correct passkey, but when I press Continue it just goes in a loop, asking me to verify the passkey again.
                      Google recently changed the options in the flag, so you now have to select "Enabled for Google Password Manager and 3rd party passkeys", and enable both 1Password and Google Password Manager as providers in Android's settings in order for it to detect passkeys saved in 1Password.

                      I'm still annoyed at Google for not implementing CTAP2 within Play Services, which makes using Yubikey as a passkey on several sites, such as Microsoft, impossible. But that's a different matter.

                      24 days later

                      It seems like third-party passkey sign-in and registering is now broken in Vanadium (tested with 1Password). That is, passkeys are correctly recognized and can be selected, but websites I'm trying to sign in to throws an authentication error after the passkey is selected.

                      Both sign-in and registering with passkeys work fine in Brave (tested with github.com, Brave Nightly). It also does not block the security key prompts when Yubikey is registered as MFA (tested with proton.me, slapp om Brave Nightly).

                      The feature is still experimental, it seems, so I think it's too early to file a bug report for Vanadium.