KeePassXC 2.7.7 was recently released and thus there has been renewed interest in passkey implementation in KeePassDX and KeePass2Android. One commenter on the projects' respective Github issues claims that the Credential Manager API requires Google Play Services. Is that correct?

    p338k

    https://ibb.co/pnTrD6w

    I have now tested passkeys with 1Password in a fresh profile without Play Services. 1Password seems to run fine without it, but unfortunately, when testing passkey sign-in from both Vanadium and Brave, the passkey prompt never shows. I have made sure to test with the different options (including the default) under "Android Credential Management for passkeys" in chrome://flags. Have checked that 1Password is set as the password/passkey-filling service in Settings > Passwords and accounts. Have also checked that the passkey sign-in prompt for the sites I tested work fine in my owner profile with Play Services installed (with the exception that 1Password is blocking the autofill in Vanadium, after having chosen the correct passkey for the site).

    This is anecdotal and does not mean that Play Services is necessarily required for the Android Credential Management. I found one post in the forums where the user needed Play Services for Enpass' passkey feature, but the post is old at this point (from Oct 23). It could be that 1Password requires Play Services for this, or it could be something broken with my setup.

    You were right to question the statement in my post. I will edit it to clarify that this point is not 100% confirmed at this time.

    Those services seem like an unnecessary risk. I use KeePassDX with the built-in keyboard.

      MarsTrue

      It is obviously not yet implemented, but I believe the challenge/response flow will be something like:

      Challenge: web application -> browser -> credential manager API -> KeePassDX
      Response: KeePassDX -> credential manager API -> browser -> web application

      KeePassDX (or other credential provider) handles the cryptography without exposing the private key.

      This is a simplified model and may not be entirely correct, and I could be wrong somewhere.

      I am not sure it would add much additional risk if implemented properly and should prevent exposing a password. I am not sure how the API works under the hood.
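      The flow sketched above, as an added example that is not code from the thread or from KeePassDX: a stand-in provider keeps the private key and hands back only a signature over the relying party's challenge, and the relying party verifies with nothing but the public key it received at registration. The `example.com` relying party, the names, and the byte-for-byte comparison of clientDataJSON (a real verifier parses it) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Provider stands in for KeePassDX: it keeps the private key and only ever hands out signatures.
type Provider struct {
	key     *ecdsa.PrivateKey
	counter uint32 // signature counter; lets the relying party notice replays and cloned credentials
}
// Assertion is the response that travels provider -> credential manager API -> browser -> web application.
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }
func NewProvider() *Provider { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return &Provider{key: k} }
// PublicKey is the only key material the relying party ever receives (at registration).
func (p *Provider) PublicKey() *ecdsa.PublicKey { return &p.key.PublicKey }
// ClientDataJSON is the browser's part: it binds the challenge to the origin the user is actually on (constructed, simplified).
func ClientDataJSON(challenge, origin string) []byte {
	return []byte(`{"type":"webauthn.get","challenge":"` + challenge + `","origin":"` + origin + `"}`)
}
// Sign builds authenticatorData (rpIdHash || flags || counter) and signs SHA-256(authData || SHA-256(clientDataJSON)).
func (p *Provider) Sign(rpID string, cdj []byte) Assertion {
	p.counter++
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	auth := append(rpHash[:], 0x01, byte(p.counter>>24), byte(p.counter>>16), byte(p.counter>>8), byte(p.counter)) // 0x01 = user present
	digest := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, p.key, digest[:])
	return Assertion{cdj, auth, sig}
}
// Verify is the relying party's check; it needs only the public key, its own challenge and origin, and the last counter seen.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, lastCounter uint32, a Assertion) error {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	switch {
	case string(a.ClientDataJSON) != string(ClientDataJSON(challenge, origin)): // real code parses the JSON fields
		return errors.New("client data mismatch: stale challenge or wrong origin (e.g. a lookalike site)")
	case len(a.AuthData) != 37 || string(a.AuthData[:32]) != string(rpHash[:]):
		return errors.New("authenticatorData is not for this relying party")
	case binary.BigEndian.Uint32(a.AuthData[33:]) <= lastCounter:
		return errors.New("signature counter did not increase: replay or cloned credential")
	case !ecdsa.VerifyASN1(pub, digest[:], a.Signature):
		return errors.New("bad signature")
	}
	return nil
}
```

Note that nothing in `Assertion` lets the relying party recover the private key, which is why a passkey provider does not need to reveal anything password-like to the browser.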


      I attempted using Proton Pass to create a test passkey, but I got a silent failure. I am not sure how to check the console logs on Vanadium. I also tested on Brave with the same result.

      I am not sure if this is due to some dependency on Google services or if there is some other error.

        TheGodfather

        I do not have them installed, so I don't know if that is the cause of the error, or if it is something else.

          p338k

          It likely is. Most implementations use Play Services for Fido2 and Passkeys.

            TheGodfather

            It appears that it requires signed-in Play Services. Either that or Vanadium sends passkey creation to Google Play even when the flag is set for 3rd party passkeys only.

            p338k Actually, I haven't had a chance. I don't think I have anything that even has passkey support right now. But you can try it. It's free and Proton is actually trusted.

            I've tested Proton Pass and a couple more password managers (BitWarden and 1Pass) that should support passkey. I couldn't make them work. Also, I couldn't make Google Password Manager generate a passkey in a profile with Play Services enabled. It might be possible that GrapheneOS or Vanadium do not support passkey. In addition, I've tried different web browsers, such as Brave and Vivaldi and both of them can't be used to generate a passkey.

            If someone has managed to generate a passkey via web browser in GrapheneOS I would like to know how.

              matchboxbananasynergy I've followed Proton's instructions on how to enable 3rd party passkey (tested in Vanadium, Brave and Vivaldi) and I've also enabled sandboxed Google Play, but still I couldn't make it work.

              Can you confirm if it is working for you?

                Proton Pass seems to require one to be signed in to Google and/or Google to have network access. I am not too keen on giving Google knowledge of all of my logins. I am not sure if that is a limitation of Proton or Chromium, but it is a privacy issue either way.

                Chromium has a similar issue with hardware keys, but they do not require a Google login, nor do they require Google services to have network access.

                  p338k Not correct. It sounds like you are confusing Google Password Manager with Android's third-party passkey functionality. Proton Pass uses the latter, and doesn't add any further requirements. Play Services is required, but being signed in to a Google account is not required. I tested this just now. It sounds like you didn't follow the instructions Proton provided: https://proton.me/support/pass-use-passkeys

                  Not sure what you mean by "Google" having network access. Play Services requires network access for a lot of things. Doesn't automatically follow that all your logins are automatically sent to Google's servers. Would want to see any evidence of this happening before I would be inclined to believe that.

                  I respect that people would prefer to avoid using Play Services. It's unfortunate that Android's passkey functionality seems to require Play Services. Google should have integrated it fully in upstream AOSP.

                    fid02

                    When I attempt to create a passkey with Proton Pass with Google Play services installed but without being signed in, I get the following message: "Sign into your Google Account to create passkeys. To create passkeys, make sure you're signed into your Google Account." This indicates that it is necessary to sign in. I am not attempting to use Google's password manager. I even have it disabled in the Passwords & accounts settings. The only deviation from the instructions was using "Enabled for 3rd party passkeys" in the web-authentication-android-credential-management flag.

                    Google indeed has the option to not collect login details when using a FIDO credential if Google Play Store and Google Services Framework have network permissions, but there is no reason to believe Google doesn't at least collect the relying party and any non-private-key information. At least U2F with hardware keys doesn't require giving Google the option to collect the information (unless Vanadium sends the information to Google, but I trust that far more than a Google black box).