Those services seem to like an unnecessary risk. I use KeePassDX with the built-in keyboard.

    MarsTrue

    It is obviously not yet implemented, but I believe the challenge/response flow with the web service will be something like:

    Challenge: web application -> browser -> credential manager API -> KeePassDX
    Response: KeePassDX -> credential manager API -> browser -> web application

    KeePassDX (or other credential provider) handles the cryptography without exposing the private key.

    This is a simplified model and may not be entirely correct, and I could be wrong somewhere.

    I am not sure it would add much additional risk if implemented properly and should prevent exposing a password. I am not sure how the API works under the hood.

    9 days later

    I attempted using Proton Pass to create a test passkey, but I got a silent failure. I am not sure how to check the console logs on Vanadium. I also tested on Brave with the same result.

    I am not sure if this is due to some dependency on Google services or if there is some other error.

      TheGodfather

      I do not have them installed, so I don't know if that is the cause of the error, or if it is something else.

        p338k

        It likely is. Most implementations use Play Services for Fido2 and Passkeys.

          TheGodfather

          It appears that it requires signed in Play Services. Either that or Vanadium sends passkey creation to Google Play even when the flag is set for 3rd party passkeys only.

          p338k Actually, I haven't had a chance. I don't think I have anything that even has passkey support right now. But you can try it. It's free and Proton is actually trusted.

          I've tested Proton Pass and a couple more password managers (BitWarden and 1Pass) that should support passkeys. I couldn't make them work. Also, I couldn't make Google Password Manager generate a passkey in a profile with Play Services enabled. It might be possible that GrapheneOS or Vanadium do not support passkeys. In addition, I've tried different web browsers, such as Brave and Vivaldi, and neither of them can be used to generate a passkey.

          If someone has managed to generate a passkey via web browser in GrapheneOS I would like to know how.

            matchboxbananasynergy I've followed Proton's instructions on how to enable 3rd party passkey (tested in Vanadium, Brave and Vivaldi) and I've also enabled sandboxed Google Play, but still I couldn't make it work.

            Can you confirm if it is working for you?

              Proton Pass seems to require one to be signed in to Google and/or Google to have network access. I am not too keen on giving Google knowledge of all of my logins. I am not sure if that is a limitation of Proton or Chromium, but it is a privacy issue either way.

              Chromium has a similar issue with hardware keys, but they do not require a Google login nor Google services to have network access.

                p338k Not correct. It sounds like you are confusing Google Password Manager with Android's third-party passkey functionality. Proton Pass uses the latter, and doesn't add any further requirements. Play Services is required, but being signed in to a Google account is not required. I tested this just now. It sounds like you didn't follow the instructions Proton provided: https://proton.me/support/pass-use-passkeys

                Not sure what you mean by "Google" having network access. Play Services requires network access for a lot of things. Doesn't automatically follow that all your logins are automatically sent to Google's servers. Would want to see any evidence of this happening before I would be inclined to believe that.

                I respect that people would prefer to avoid using Play Services. It's unfortunate that Android's passkey functionality seems to require Play Services. Google should have integrated it fully in upstream AOSP.

                  fid02

                  When I attempt to create a passkey with Proton Pass with Google Play services installed but without being signed in, I get the following message: "Sign into your Google Account to create passkeys. To create passkeys, make sure you're signed into your Google Account." This indicates that it is necessary to sign in. I am not attempting to use Google's password manager. I even have it disabled in the Passwords & accounts settings. The only deviation from the instructions was using "Enabled for 3rd party passkeys" in the web-authentication-android-credential-management flag.

                  Google indeed has the option to not collect login details when using FIDO credentials if Google Play Store and Google Services Framework have network permissions, but there is no reason to believe Google doesn't at least collect the relying party and any non-private-key information. At least U2F with hardware keys doesn't require giving Google the option to collect the information (unless Vanadium sends the information to Google, but I trust that far more than a Google black box).

                    p338k The only deviation from the instructions was using "Enabled for 3rd party passkeys"

                    That won't work, and that's why it's not working for you. You have to follow the instructions.

                      fid02

                      That does appear to get it to work without a login and without network permissions. That should make it no less private than U2F with the restricted permissions, which is good. It does not require enabling Google Password Manager as an "additional provider," but it does indicate that something in the process uses the Google Password Manager somewhere.