Proton Pass seems to require one to be signed in to Google and/or Google to have network access. I am not too keen on giving Google knowledge of all of my logins. I am not sure if that is a limitation of Proton or Chromium, but it is a privacy issue either way.

Chromium has a similar issue with hardware keys, but they do not require a Google login, nor do they require Google services to have network access.

    p338k Not correct. It sounds like you are confusing Google Password Manager with Android's third-party passkey functionality. Proton Pass uses the latter, and doesn't add any further requirements. Play Services is required, but being signed in to a Google account is not required. I tested this just now. It sounds like you didn't follow the instructions Proton provided: https://proton.me/support/pass-use-passkeys

    Not sure what you mean by "Google" having network access. Play Services requires network access for a lot of things. Doesn't automatically follow that all your logins are automatically sent to Google's servers. Would want to see any evidence of this happening before I would be inclined to believe that.

    I respect that people would prefer to avoid using Play Services. It's unfortunate that Android's passkey functionality seems to require Play Services. Google should have integrated it fully in upstream AOSP.

      fid02

      When I attempt to create a passkey with Proton Pass with Google Play services installed but without being signed in, I get the following message: "Sign into your Google Account to create passkeys\nTo create passkeys, make sure you're signed into your Google Account." This indicates that it is necessary to sign in. I am not attempting to use Google's password manager. I even have it disabled in the Passwords & accounts settings. The only deviation from the instructions was using "Enabled for 3rd party passkeys" in the web-authentication-android-credential-management flag.

      Google indeed has the option to not collect login details when using FIDO credentials if Google Play Store and Google Services Framework have network permissions, but there is no reason to believe Google doesn't at least collect the relying party and any non-private-key information. At least U2F with hardware keys doesn't require giving Google the option to collect the information (unless Vanadium sends the information to Google, but I trust that far more than a Google black box).

        p338k The only deviation from the instructions was using "Enabled for 3rd party passkeys"

        That won't work, and that's why it's not working for you. You have to follow the instructions.

          fid02

          That does appear to get it to work without a login and without network permissions. That should make it no less private than U2F with the restricted permissions which is good. It does not require enabling Google Password Manager as an "additional provider," but it does indicate that something in the process uses the Google Password Manager somewhere.

            p338k These are experimental flags and we don't know how it will behave by default when it's shipped to production. I don't think we ought to make many assumptions based on the wording in the chrome flag, since it's not supposed to be user-facing yet. I'm a bit surprised that Proton instructs users to enable the flags. Other password managers support passkeys in Chromium Android unofficially, i.e. it works, but they announce that it's not supported / not working yet. I imagine Proton will be getting quite an increase in support tickets by users confused by these flags.

            6 days later

            I did the instructions on Proton's website to enable the browser flag but I don't get a "Google Password Manager" prompt at all. The only passkey prompt I get is for USB, NFC, and "this device". Proton Pass doesn't show as one of the options, nor does the Google one as described in their screenshot with the Proton name written under the logo.

            I'm using a Pixel 6A with Play Services installed. Using Vanadium. The OS and apps are up to date as of the date of this post. Proton Pass says passkeys are supported in their app menu on the phone. I was able to set up a passkey in Proton Pass for Cloudflare on PC, but not on my phone. I tried Outlook.com. Same result. I only get the hardware passkey options.

              Waethorn The upcoming Vanadium release greatly improves passkey support. You will no longer need to set the custom flag in chrome://flags. I suggest you try again when the new Vanadium release is released to stable. It will now also work with Google Password Manager, if you desire to use that instead of Proton Pass.

              The Google Password Manager passkey support will, I think, greatly improve the on-boarding experience for users coming from stock PixelOS, who have set up passkeys on their Google account but do not use a third-party password manager. You will still need Sandboxed Google Play for this.

                fid02 Okay I'll wait for it. On-device passkey is what I've been using in the meantime. I would think that there would be a good security argument to use it in place of any cloud-synced passkey management, but you end up with multiple passkeys for every piece of hardware. I guess this is more secure than just having a single passkey for an account used everywhere, similar to having independent app passwords for email and the like, so you know which ones get compromised, if that ever happens.

                I'll have to look up more security details about the Titan chips in Google phones though. The recent news about Apple's secure enclave being not only compromised but also un-patchable is worrying. When I read headlines like "Bitlocker encryption bypassed" it's pretty bad too. How can encryption just be "bypassed"??? That's a total failure if that's the case. That's not encryption. That's just a padlock for access.

                  I would like to add my one vote for GPS-less passkey support, if I may

                  Waethorn I guess this is more secure than just having a single passkey for an account used everywhere,

                  It also requires compromising a specific device which is an advantage even in the case of a Titan flaw.

                  Waethorn How can encryption just be "bypassed"???

                  I am not sure about the specific Bitlocker exploit you cite, but encryption cannot be "simply bypassed." I suspect that the attack involved obtaining the encryption keys which must be available somewhere to allow Bitlocker to decrypt the drive.

                    It is possible that there is some flaw in the encryption that could allow it to be effectively bypassed. Weak cyphers such as ROT13 or a bit-flip cypher, or a flawed implementation such as using "super AES" in ECB mode on a drive with 0 blocks, are extreme examples, but they demonstrate some sorts of flaws that allow "bypassing" encryption.
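To make the ECB point concrete, here is an added Go example (written for this page; it is not code from anyone in the thread) using a constructed key, IV and a four-block sample "disk image" in which two blocks are zero-filled: under ECB, anyone holding only the ciphertext can see that those two blocks are identical, while CTR hides it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

var key, iv = []byte("0123456789abcdef"), []byte("demo-iv-16-bytes") // constructed demo values only

// sampleImage is a constructed 4-block "disk image": blocks 0 and 2 are zero-filled, 1 and 3 differ.
func sampleImage() []byte {
	img := make([]byte, 4*aes.BlockSize)
	copy(img[16:], "user data block1")
	copy(img[48:], "user data block3")
	return img
}
func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}
// encryptECB encrypts each 16-byte block independently (no IV, no chaining): equal input, equal output.
func encryptECB(key, pt []byte) []byte {
	b, ct := mustAES(key), make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}
// encryptCTR XORs the plaintext with a keystream that differs for every block position.
func encryptCTR(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(ct, pt)
	return ct
}
// distinctBlocks is all a keyless observer can compute, yet under ECB it exposes which blocks match.
func distinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(seen)
}
func main() {
	img := sampleImage()
	fmt.Println("ECB:", distinctBlocks(encryptECB(key, img)), "CTR:", distinctBlocks(encryptCTR(key, iv, img))) // ECB: 3 CTR: 4
}
```

Nothing here recovers the key; the point is that ECB leaks which regions of a disk hold identical (for instance, empty) data, which is why full-disk encryption uses tweakable modes such as XTS rather than ECB.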

                    p338k Windows patch KB5034441 was supposed to fix this. WinRE was able to just read the encrypted files in the data partition without needing proper user authentication. This patch was extremely buggy though. God help you if the system OEM put the recovery partition at the start of the drive where it couldn't be resized correctly.

                    23 days later

                    I can verify that the F-Droid version of Proton Pass 1.20.4 with Vanadium supports passkey login on GitHub.

                      matchboxbananasynergy changed the title to Graphene OS 3rd party Passkey support on Android 14.

                      EBay, GitHub, and something else, can't find it in Proton Pass right now, but I have 3 passkeys registered through Vanadium on GrapheneOS on the latest, and also 2 updates ago.

                      With Sandboxed Play installed.

                      bayesian

                      Chromium does not support FIDO directly, so it requires Play services.