One of the major changes in android 14 was the addition for third party apps such as password managers to manage passkeys. Graphene OS does not have 3rd party support on Android 14 (and possibly doesn't have any passkey support at all). Dashlane, 1Password, and Enpass have Android support but cannot use this support on Graphene OS. Google has also made passkeys the default login method (if you ever sign in to google, but I am sure most people here don't). Bitwarden is also adding Android 14 support soon. I suggest making 3rd party Passkey management support available in Graphene OS.
Graphene OS 3rd party Passkey support on Android 14
How do you know the third-party passkey implementation doesn't work / isn't supported on GOS? How have you tested this?
Registering passkeys through a Google account requires a Google-certified device:
https://discuss.grapheneos.org/d/4238-passkeys-not-supported/7
GoldenDuck1 1Password
1Password does not yet support the third-party API on Android: https://discuss.grapheneos.org/d/4238-passkeys-not-supported/13
Dashlane supports it for apps (currently not websites) that support it: https://support.dashlane.com/hc/en-us/articles/7888558064274-Passkeys-in-Dashlane
Relaks Yes I tested it on a Pixel 6 using all the apps I mentioned on websites and apps. (except for Bitwarden of course, because they don't have it yet.)
I use Enpass right now with passkeys and have no issues.
I was just now able to sign in to github.com with Vanadium using a passkey, saved in 1Password, without issues. I had to enable chrome://flags/#web-authentication-android-credential-management
Enabling that flag seems to break or disable prompts (they don't show up) for physical security keys, like yubikeys.
Relaks I just tried this and I have had no luck, no pop up to select a passkey or save a passkey shows up. I understand that this is still relatively new but, it still is frustrating.
GoldenDuck1 indeed, at least with enpass passkeys work only with active Google play service!
However i striped all permission from it and have no other google service active where it could steal permissions from and passkeys still work
Tozu So its not natively supported in Graphene OS by default, you have to install Play Services...
The Graphene OS developers should make a Passkey implementation so people shouldn't have to install Play Services.
- Edited
Too late to edit last post.
IT DOES WORK VIA 1PASSWORD
Give me some time to run through all the steps because it is very very janky but I will come back here with a step-by-step process. I'm currently facing issues with attaching it to Google but I was able to get it to attach to passkeys.io just fine
- Edited
N3rdTek ok so I've got good news, bad news, and strange AF news.
Let's start with the strange; correct me if I'm wrong but passkeys requires Android 14, correct? I have a few devices on hand due to being a tech enthusiast, one of which is a Galaxy S10. It only supports Android 12 because "Reasons" yet feels faster than my Pixel 7.... at times, but rarely ever worse.
However, not only can I create & sign into passkeys.io with a passkey, after enabling the chrome flag , I can do it with my Google account also. It doesn't seem to even respect my Autofill choice of 1Passwors having disabled Google as my Autofill choice in settings. Yet still detects, authenticates, and signs me into my Google account using Google password manager.
And to top it off? When I initially tested passkeys.io I wasn't aware I was doing from my S10 initially. When I went to test on my pixel, it asked if I wanted to sign in using my saved passkey from the S10....Stange AF right?
Now the bad; my pixel 7 running GoS will not work for any of my Google accounts. I've tried just about everything;
- setting 1pw as autofill
- Setting Google as autofill
- Trying regular ol chrome browser
- Trying Chrome Canary
- Trying any other browser
- Trying a brand new never used before browser (Vivaldi)
- Completely removing the Google account from device then trying
Feel free to prove me wrong I spent upwards of last hour testing.
And the good?
It works for passkey.io, it works for GitHub, I'm getting ready to try a couple more but general consensus so far seems to concur our devices will support passkeys to almost everything but Google.
Provided that you;
- enable the chrome flag as mentioned earlier
chrome://flags/#web-authentication-android-credential-management
- set your password manager as autofill
- then attempt to register your passkey/device
This is useful to know but man, what a janky as hell future to get rid of passwords amirite?
N3rdTek passkeys requires Android 14, correct?
Only Google's passkey support for third-party services requires A14. Google's first-party implementation requires merely A9: https://support.google.com/accounts/answer/13548313?hl=en
But that won't work on GOS.
N3rdTek This is useful to know but man, what a janky as hell future to get rid of passwords amirite?
The support for this in Chromium/Chrome is still experimental. That's why you have to enable the experimental flag(s)... Support allegedly will arrive later this year. I don't expect anyone to think that most people would spend an hour setting up a, for the time being, clunky feature. I'm guessing that's why 1Password and the like don't want to say they officially support it yet, even though it somewhat works.
Personally I'm sticking to FIDO2 security keys for the time being. They just work.
- Edited
Relaks o
Out the browsers I tried, for whatever reason Vivaldi felt the most stable & worked the most consistently for 1Password if that helps you or anyone else that may read this.
Previously was using mostly vanadium and brave nightly. No real reason why nightly other than cuz I just like purple
Passkey sign-in with 1Password no longer seems to work in Vanadium (although it does still work in Brave): I'm prompted to select the correct passkey, but when I press Continue it just goes in a loop, asking me to verify the passkey again.
Google recently changed the options in the flag, so you now have to select "Enabled for Google Password Manager and 3rd party passkeys", and enable both 1Password and Google Password Manager as providers in Android's settings in order for it to detect passkeys saved in 1Password.
I'm still annoyed at Google for not implementing CTAP2 within Play Services, which makes using Yubikey as a passkey on several sites, such as Microsoft, impossible. But that's a different matter.
[deleted]
Relaks Google's first-party implementation requires merely A9: https://support.google.com/accounts/answer/13548313?hl=en
I was even able to use passkeys for my Google account on Android 8.1, didn't test for third-party apps though.
It seems like third-party passkey sign-in and registering is now broken in Vanadium (tested with 1Password). That is, passkeys are correctly recognized and can be selected, but websites I'm trying to sign in to throws an authentication error after the passkey is selected.
Both sign-in and registering with passkeys work fine in Brave (tested with github.com, Brave Nightly). It also does not block the security key prompts when Yubikey is registered as MFA (tested with proton.me, slapp om Brave Nightly).
The feature is still experimental, it seems, so I think it's too early to file a bug report for Vanadium.