Graphene OS 3rd party Passkey support on Android 14

p338k

I attempted using Proton Pass to create a test passkey, but I got a silent failure. I am not sure how to check the console logs on Vanadium. I also tested on Brave with the same result.

I am not sure if this is due to some dependency on Google services or if there is some other error.

TheGodfather

p338k

Did you have Play Services installed?

p338k

TheGodfather

I do not have them installed, so I don't know if that is the cause of the error, or if it is something else.

TheGodfather

p338k

It likely is. Most implementations use Play Services for Fido2 and Passkeys.

p338k

TheGodfather

It appears that it requires signed in Play Services. Either that or Vanadium sends passkey creation to Google Play even when the flag is set for 3rd party passkeys only.

Sloff1155

I use https://proton.me/pass I love it.

p338k

Sloff1155

Have you used the passkey feature? If so, do you have google services installed?

Sloff1155

p338k Actually, I haven't had a chance. I don't think I have anything that even has passkey support right now. But you can try it. It's free and Proton is actually trusted.

Fundamental_Physics

I've tested Proton Pass and a couple more password managers (BitWarden and 1Pass) that should support passkey. I couldn't make them work. Also, I couldn't make Google Password Manager generate a passkey in a profile with Play Services enabled. It might be possible that GrapheneOS or Vanadium do not support passkey. In addition, I've tried different web browsers, such as Brave and Vivaldi and both of them can't be used to generate a passkey.

If someone has managed to generate a passkey via web browser in GrapheneOS I would like to know how.

matchboxbananasynergy

Fundamental_Physics https://proton.me/support/pass-use-passkeys follow the steps here for Vanadium.

Additionally, you need sandboxed Google Play.

Fundamental_Physics

matchboxbananasynergy I've followed Proton's instructions on how to enable 3rd party passkey (tested in Vanadium, Brave and Vivaldi) and I've also enabled sandboxed Google Play, but still I couldn't make it work.

Can you confirm if it is working for you?

DeletedUser370

Fundamental_Physics Working perfectly fine for me with the steps provided by matchboxbananasynergy.

Fundamental_Physics

DeletedUser370 I was able to get it working, thanks :)

p338k

Proton Pass seems to require one to be signed in to Google and/or Google to have network access. I am not too keen on giving Google knowledge of all of my logins. I am not sure if that is a limitation of Proton or Chromium, but it is a privacy issue either way.

Chromium has a similar issue with hardware keys, but they require do not require a Google login nor Google services to have network access.

DeletedUser370

p338k Not correct. It sounds like you are confusing Google Password Manager with Android's third-party passkey functionality. Proton Pass uses the latter, and doesn't add any further requirements. Play Services is required, but being signed in to a Google account is not required. I tested this just now. It sounds like you didn't follow the instructions Proton provided: https://proton.me/support/pass-use-passkeys

Not sure what you mean by "Google" having network access. Play Services requires network access for a lot of things. Doesn't automatically follow that all your logins are automatically sent to Google's servers. Would want to see any evidence of this happening before I would be inclined to believe that.

I respect that people would prefer to avoid using Play Services. It's unfortunate that Android's passkey functionality seems to require Play Services. Google should have integrated it fully in upstream AOSP.

p338k

DeletedUser370

When I attempt to create a passkey with Proton Pass with Google Play services installed but without being signed in, I get the following message: "Sign into your Google Account to create passkeys\nTo create passkeys, make sure you're signed into your Google Account." This indicates that it is necessary to sign in. Is am not attempting to use Google's password manager. I even have it disabled in the Passwords & accounts settings. The only deviation from the instructions was using "Enabled for 3rd party passkeys" in the web-authentication-android-credential-management flag.

Google indeed has the option to not collect login details when using FIDO credential if Google Play Store and Google Services Framework have network permissions, but there is no reason to believe Google doesn't at least collect the relying party and any non private key information. At least U2F with hardware keys doesn't require giving Google the option to collect the information (unless Vanadium sends the information to Google, but I trust that far more than a Google black box).

DeletedUser370

p338k The only deviation from the instructions was using "Enabled for 3rd party passkeys"

That won't work, and that's why it's not working for you. You have to follow the instructions.

p338k

DeletedUser370

That does appear to get it to work without a login and without network permissions. That should make it no less private than U2F with the restricted permissions which is good. It does not require enabling Google Password Manager as an "additional provider," but it does indicate that something in the process uses the Google Password Manager somewhere.

DeletedUser370

p338k These are experimental flags and we don't know how it will behave by default when it's shipped to production. I don't think we ought to make many assumptions based on the wording in the chrome flag, since it's not supposed to be user-facing yet. I'm a bit surprised that Proton instructs in enabling the flags. Other password managers support passkeys in Chromium Android unofficially, i.e. it works, but they announce that it's not supported / not working yet. I imagine Proton will be getting quite an increase in support tickets by users confused by these flags.

« Previous Page Next Page »