GrapheneOS / Vanadium

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS repositories and doesn't include patches not relevant to the build targets used on GrapheneOS.
https://vanadium.app/

Can't register passkey #390

Open ThatOneCalculator opened 8 months ago

ThatOneCalculator commented 8 months ago

Even with Google Play Services enabled, I can't register a passkey.

https://github.com/GrapheneOS/Vanadium/assets/44733677/23008ad6-314f-4af6-bd95-f35cdaa1ef1c

thestinger commented 8 months ago

It's not supported by the sandboxed Google Play compatibility layer yet. It works on the Vanadium side, although it would be nice to have another implementation which we have an issue filed about (FIDO2 support without Play APIs is a prerequisite).

ThatOneCalculator commented 8 months ago

Would this be potentially useful? https://github.com/cotechde/hwsecurity

ghost commented 7 months ago

> Would this be potentially useful? https://github.com/cotechde/hwsecurity

They have stopped updating the open-source version; the last commit was on 24/03/2021.

ThatOneCalculator commented 7 months ago

True, but I was wondering just in terms of looking at it for reference/potential implementation.

FID02 commented 3 months ago

This is now possible with Sandboxed Google Play and Vanadium: passkeys can be saved to Google Password Manager from Vanadium. Tested this just now with passkey.org. Play Services 24.09.59, Vanadium 123.0.6312.80.1.

ThatOneCalculator commented 3 months ago

I'm getting the registration prompt but it fails.

Vanadium version 123.0.6312.80.1, Play Services version 24.05.13.

[Three screenshots attached: Screenshot_20240330-170930.png, Screenshot_20240330-170949.png, Screenshot_20240330-171011.png]

FID02 commented 3 months ago

ThatOneCalculator: it might be necessary to be on a newer version of Play Services.

ThatOneCalculator commented 3 months ago

The "Apps" app isn't telling me there's an update for Play Services.

Marocco2 commented 3 months ago

> This is now possible with Sandboxed Google Play and Vanadium: passkeys can be saved to Google Password Manager from Vanadium. Tested this just now with passkey.org. Play Services 24.09.59, Vanadium 123.0.6312.80.1.

I can confirm: Play Services 24.09 is essential to create and use passkeys.

Marocco2 commented 3 months ago

> The "Apps" app isn't telling me there's an update for Play Services.

You need to go to Settings - Apps - Sandboxed Play Services - Play Services info, go to the bottom and tap the Google Play Store link. There you'll see an update.

FID02 commented 3 months ago

There are several people on Discord still reporting issues. Seems it was premature of me to report that this is now working. @Marocco2 When you set up the first passkey with Google Password Manager, were you asked to enter your unlock code for a different (non-GrapheneOS) device?

Marocco2 commented 3 months ago

> @Marocco2 When you set up the first passkey with Google Password Manager, were you asked to enter your unlock code for a different (non-GrapheneOS) device?

Yeah, that's right. I encrypted my vault with my other phone's screen gestures.

FID02 commented 3 months ago

Having tested this further for a couple of hours, I think I know what's happening (although I could be entirely wrong on this).

It seems that Google scrapped the requirement that passkeys on Google Password Manager (GPW) can only be used and managed on a Google-certified OS (I'm assuming that was the case, up until now). But there are conditions.

Prerequisites:

  1. Play Services version 24.09 or newer
  2. Having previously enabled "On-device encryption" for GPW on your Google account – either from a different Android phone, or from stock PixelOS on the same phone

If you have done this, then GPW on GrapheneOS will ask you for your other device's (either existing or dead) unlock code when you attempt to set up passkey sync.

Prerequisite no. 2 appears to initially need to be done on a different Android OS, and can't initially be done from GrapheneOS. I'm basing this on the following:

On Pixel 8 running GrapheneOS, when setting up passkeys on GPW, I had to provide the unlock code for a Pixel 6a that had run PixelOS a day earlier. Skorp on Discord reported something similar. Another user reported that they instead were met with a message saying "Your encrypted data is locked on this device", and was unable to proceed. I replicated this by creating a new Google account in a new profile and attempting to set up passkeys in GPW from there, and got the same error.

I'm assuming that prerequisite no. 2 involves a Google/GMS requirement, although I don't have proof of that.


After the initial authentication, it seems that you can use your GrapheneOS device's unlock code to authenticate with GPW on other phones just as easily:

On a fresh install of GrapheneOS on a Pixel 6a later, I could get passkeys on GPW working by simply providing the unlock PIN for my Pixel 8 that is also running GrapheneOS. (GPW was not able to provide the device model of the GrapheneOS phone; it just showed up as "Android device", but it was selectable and its unlock PIN was accepted. Could replicate this in a different profile).

For how long the screen lock of a wiped or lost phone can be used to authenticate to GPW on a new phone, I don't know. But likely not more than 64 days. At least, probably not forever.


To enable on-device encryption for GPW on GrapheneOS (and Android in general), do this: Go to Play Store > Profile icon > Manage your Google account > Security > scroll down to Password Manager: Manage passwords > cogwheel > On-device encryption: select Use screen lock.

oppressor1761 commented 1 month ago

If you set on-device encryption mistakenly on your GOS, you can wipe your GPM here. No need for a new Google account.

oppressor1761 commented 1 month ago

It still does NOT work. My procedure (using GPM):

  1. Set on-device encryption on my Edge for PC.
  2. On GOS, open GPM. It asks for my Google account password to sync.
  3. Turn on "use screen lock" on GOS. Everything seems fine.
  4. Settings > Passwords & accounts > Cogwheel > Select your password manager = Google.
  5. Open Vanadium and go to Settings > Autofill Options > Select 'Use other providers', select 'Default'.
  6. Reboot.
  7. Register a passkey at webauthn.io. Failed. The GPM UI pops up and then it says an unknown error occurred while talking to the credential manager. Also failed on passkey.org.
  8. P8P 2024052100, Vanadium 125.0.6422.72.1, Play Services 24.20.13.

oppressor1761 commented 1 month ago

Not a permissions problem either. I have granted nearly all permissions to Play Services and it's still NOT working.