MarsTrue

It is obviously not yet implemented, but I believe the web service will send the challenge/response flow will be something like:

Challenge: web application -> browser -> credential manager API - > KeePassDX
Response: KeePassDX -> credential manager API -> browser -> web application

KeePassDX (or other credential provider) handles the cryptography without exposing the private key.

This is a simplified model and may not be entirely correct, and I could be wrong somewhere.

I am not sure it would add much additional risk if implemented properly and should prevent exposing a password. I am not sure how the API works under the hood.

    9 days later

    I attempted using Proton Pass to create a test passkey, but I got a silent failure. I am not sure how to check the console logs on Vanadium. I also tested on Brave with the same result.

    I am not sure if this is due to some dependency on Google services or if there is some other error.

      TheGodfather

      I do not have them installed, so I don't know if that is the cause of the error, or if it is something else.

          p338k

          It likely is. Most implementations use Play Services for Fido2 and Passkeys.

              TheGodfather

              It appears that it requires signed in Play Services. Either that or Vanadium sends passkey creation to Google Play even when the flag is set for 3rd party passkeys only.

                p338k Actually, I haven't had a chance. I don't think I have anything that even has passkey support right now. But you can try it. It's free and Proton is actually trusted.

                  I've tested Proton Pass and a couple more password managers (BitWarden and 1Pass) that should support passkey. I couldn't make them work. Also, I couldn't make Google Password Manager generate a passkey in a profile with Play Services enabled. It might be possible that GrapheneOS or Vanadium do not support passkey. In addition, I've tried different web browsers, such as Brave and Vivaldi and both of them can't be used to generate a passkey.

                  If someone has managed to generate a passkey via web browser in GrapheneOS I would like to know how.

                    matchboxbananasynergy I've followed Proton's instructions on how to enable 3rd party passkey (tested in Vanadium, Brave and Vivaldi) and I've also enabled sandboxed Google Play, but still I couldn't make it work.

                    Can you confirm if it is working for you?

                        Proton Pass seems to require one to be signed in to Google and/or Google to have network access. I am not too keen on giving Google knowledge of all of my logins. I am not sure if that is a limitation of Proton or Chromium, but it is a privacy issue either way.

                        Chromium has a similar issue with hardware keys, but they require do not require a Google login nor Google services to have network access.

                          p338k Not correct. It sounds like you are confusing Google Password Manager with Android's third-party passkey functionality. Proton Pass uses the latter, and doesn't add any further requirements. Play Services is required, but being signed in to a Google account is not required. I tested this just now. It sounds like you didn't follow the instructions Proton provided: https://proton.me/support/pass-use-passkeys

                          Not sure what you mean by "Google" having network access. Play Services requires network access for a lot of things. Doesn't automatically follow that all your logins are automatically sent to Google's servers. Would want to see any evidence of this happening before I would be inclined to believe that.

                          I respect that people would prefer to avoid using Play Services. It's unfortunate that Android's passkey functionality seems to require Play Services. Google should have integrated it fully in upstream AOSP.

                              fid02

                              When I attempt to create a passkey with Proton Pass with Google Play services installed but without being signed in, I get the following message: "Sign into your Google Account to create passkeys\nTo create passkeys, make sure you're signed into your Google Account." This indicates that it is necessary to sign in. Is am not attempting to use Google's password manager. I even have it disabled in the Passwords & accounts settings. The only deviation from the instructions was using "Enabled for 3rd party passkeys" in the web-authentication-android-credential-management flag.

                              Google indeed has the option to not collect login details when using FIDO credential if Google Play Store and Google Services Framework have network permissions, but there is no reason to believe Google doesn't at least collect the relying party and any non private key information. At least U2F with hardware keys doesn't require giving Google the option to collect the information (unless Vanadium sends the information to Google, but I trust that far more than a Google black box).

                                  p338k The only deviation from the instructions was using "Enabled for 3rd party passkeys"

                                  That won't work, and that's why it's not working for you. You have to follow the instructions.

                                      fid02

                                      That does appear to get it to work without a login and without network permissions. That should make it no less private than U2F with the restricted permissions which is good. It does not require enabling Google Password Manager as an "additional provider," but it does indicate that something in the process uses the Google Password Manager somewhere.

                                          p338k These are experimental flags and we don't know how it will behave by default when it's shipped to production. I don't think we ought to make many assumptions based on the wording in the chrome flag, since it's not supposed to be user-facing yet. I'm a bit surprised that Proton instructs in enabling the flags. Other password managers support passkeys in Chromium Android unofficially, i.e. it works, but they announce that it's not supported / not working yet. I imagine Proton will be getting quite an increase in support tickets by users confused by these flags.