It seems like third-party passkey sign-in and registering is now broken in Vanadium (tested with 1Password). That is, passkeys are correctly recognized and can be selected, but websites I'm trying to sign in to throws an authentication error after the passkey is selected.

Both sign-in and registering with passkeys work fine in Brave (tested with github.com, Brave Nightly). It also does not block the security key prompts when Yubikey is registered as MFA (tested with proton.me, slapp om Brave Nightly).

The feature is still experimental, it seems, so I think it's too early to file a bug report for Vanadium.

11 days later

Note that 1Password appears to recently have restricted browser passkey support to only accept them to be used within supported browsers. Vanadium is not a supported browser by 1Password, so passkeys will refuse to fill in Vanadium.

    Relaks I've been a faithful 1password user for about 3 years now, but in all honesty I'm getting quite fed up with it because since I've been trying bit warden that thing works everywhere and I mean literally everywhere. But it doesn't have an accessibility service. So how the hell is 1password dropping the ball in so many areas such as regular autofill and now pass keys when here comes bit warden just strolling around and doing everything with ease making it look simple?

        N3rdTek But it doesn't have an accessibility service.

        From a security perspective, it's not recommended to to configure a password manager as an accessibility service. The auto-fill service exists and is the proper way to use a password manager on GrapheneOS.

          N3rdTek 1Password's desktop app is a lot better UI-wise and accesdibility-wise for me than Bitwarden, that's partially why I'm sticking to it.

          As for the passkey issue, I'd like to use physical security keys for this purpose rather than a password manager. This is why I'm excited for Google's latest Titan release. I'm just waiting for it to become available for shipping to the country I reside in, so I can test it on GOS.

          But I might be straying a bit offtopic now, so I'll stop. 😊

            3 months later

            KeePassXC 2.7.7 was recently released and thus there has been renewed interest in passkey implementation in KeePassDX and KeePass2Android. One commenter on the projects' respective Github issues claims that the Credential Manager API requires Google Play Services. Is that correct?

              p338k

              https://ibb.co/pnTrD6w

              I have now tested passkeys with 1Password in a fresh profile without Play Services. 1Password seems to run fine without it, but unfortunately, when testing passkey sign-in from both Vanadium and Brave, the passkey prompt never shows. I have made sure to test with the different options (including the default) under "Android Credential Management for passkeys" in chrome://flags. Have checked that 1Password is set as the password/passkey-filling service in Settings > Passwords and accounts. Have also checked that the passkey sign-in prompt for the sites I tested work fine in my owner profile with Play Services installed (with the exception that 1Password is blocking the autofill in Vanadium, after having chosen the correct passkey for the site).

              This is anecdotal and does not mean that Play Services is necessarily required for the Android Credential Management. I found one post in the forums where the user needed Play Services for Enpass' passkey feature, but the post is old at this point (from Oct 23). It could be that 1Password requires Play Services for this, or it could be something broken with my setup.

              You were right to question the statement in my post. I will edit it to clarify that this point is not 100% confirmed at this time.

                Those services seem to like a unnecessary risk. I use Kepass DX with the built-in keyboard.

                  MarsTrue

                  It is obviously not yet implemented, but I believe the web service will send the challenge/response flow will be something like:

                  Challenge: web application -> browser -> credential manager API - > KeePassDX
                  Response: KeePassDX -> credential manager API -> browser -> web application

                  KeePassDX (or other credential provider) handles the cryptography without exposing the private key.

                  This is a simplified model and may not be entirely correct, and I could be wrong somewhere.

                  I am not sure it would add much additional risk if implemented properly and should prevent exposing a password. I am not sure how the API works under the hood.

                    9 days later

                    I attempted using Proton Pass to create a test passkey, but I got a silent failure. I am not sure how to check the console logs on Vanadium. I also tested on Brave with the same result.

                    I am not sure if this is due to some dependency on Google services or if there is some other error.

                      TheGodfather

                      I do not have them installed, so I don't know if that is the cause of the error, or if it is something else.

                          p338k

                          It likely is. Most implementations use Play Services for Fido2 and Passkeys.

                              TheGodfather

                              It appears that it requires signed in Play Services. Either that or Vanadium sends passkey creation to Google Play even when the flag is set for 3rd party passkeys only.

                                p338k Actually, I haven't had a chance. I don't think I have anything that even has passkey support right now. But you can try it. It's free and Proton is actually trusted.

                                  I've tested Proton Pass and a couple more password managers (BitWarden and 1Pass) that should support passkey. I couldn't make them work. Also, I couldn't make Google Password Manager generate a passkey in a profile with Play Services enabled. It might be possible that GrapheneOS or Vanadium do not support passkey. In addition, I've tried different web browsers, such as Brave and Vivaldi and both of them can't be used to generate a passkey.

                                  If someone has managed to generate a passkey via web browser in GrapheneOS I would like to know how.

                                    matchboxbananasynergy I've followed Proton's instructions on how to enable 3rd party passkey (tested in Vanadium, Brave and Vivaldi) and I've also enabled sandboxed Google Play, but still I couldn't make it work.

                                    Can you confirm if it is working for you?