GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

FIDO2 security key prompt for passkey sign-in does not appear #2903

Closed FID02 closed 7 months ago

FID02 commented 10 months ago

Background: Google Play Services added support for PIN with FIDO2 in September: "[Phone] Adding Pin Protocol support for Fido2 on Android Platform."

Issue description:

On stock PixelOS, when selecting to sign in to a website using a FIDO2 passkey, the user is prompted to connect a physical security key (for websites that support it). It then prompts the user for the security key's PIN. After entering the PIN, the site signs the user in successfully.

On GOS, the prompt for plugging in the USB security key does not appear. Instead, a different message appears: "No passkeys available".

Please note that I am not referring to the usage of a security key as MFA, without an enforced PIN. The issue is merely regarding FIDO2 + PIN on a physical security key.

PixelOS sign-in prompts: [screenshots]

GOS: [screenshot]

Tested on:

LunchBoxC commented 10 months ago

I think this might be a Brave problem because I have this same issue with my YubiKey but won't have the issue in another browser other than Brave. I also encounter it from time to time on my computer using Brave, and it seems related to how long I've had the browser open on my PC. (Not saying this is the same for the phone, but that Brave is the common issue.) Hope that helps.

thestinger commented 10 months ago

Google Play services has specific whitelisted browsers, and Vanadium is one of them. Brave should be whitelisted too and should work the same way. Not clear why it wouldn't.

FID02 commented 10 months ago

@LunchBoxC Are you saying you are not able to reproduce this issue in Vanadium? It works for you? Please note that I am talking about scenarios requiring FIDO2 + PIN, I'm not talking about FIDO U2F.

LunchBoxC commented 10 months ago

Yes I understand. Fido2 + PIN ... And yes Vanadium ... I primarily use Brave for things because of its ad-blocking abilities on mobile and ran into the same problem you did. I also ran into the problem on my PC and tried a different browser and it worked whereas through Brave it did not. I just assumed it was a bug in Brave that's why I wanted to mention it.

FID02 commented 10 months ago

@LunchBoxC Forgive me, but I'm struggling to understand your reply. Are you seeing the PIN prompts (as pictured in the first two screenshots in my original post) in Vanadium? If so, it would be very helpful if you could provide some more information: your Play Services permissions and version, any custom settings in Vanadium, GOS version, device model, etc.

LunchBoxC commented 10 months ago

No, I'm seeing the problem you describe in Brave both on my desktop and on my phone. I don't have the problem on my phone using other browsers. I was just trying to help you in saying that it might be a Brave problem as I saw above from one of the screenshots the Lion icon next to the URL. Sorry if I have confused the situation.

FID02 commented 10 months ago

@LunchBoxC No worries at all. :-)

Update:

I am able to trigger the security key prompt (screenshots below) in Vanadium, when navigating to login.microsoftonline.com and entering my business email in the username field. However, after entering the key into the USB port, the dialog closes after I tap Yes to allow GPS access to the key. The dialog to enter a PIN does not appear, thus the authentication fails.

I have used Developer Mode to generate bug reports of both the passkey issue (detailed in OP) and the security key dialog issue. I would like to send these to GOS developers, if this is useful, in a private way. How may I do this?

[screenshots]

thestinger commented 10 months ago

Passkeys are probably not supported yet.

FID02 commented 10 months ago

Security key passkey implementation does work seamlessly on stock PixelOS. However, you might be right that the implementation is not fully supported yet: The function is barely three months old, does not yet support NFC, and it's likely more support for this feature is planned in future GPS or Android versions.

I will keep testing this function in future GPS and GOS versions, and report back if I notice any improvements.

On a different note, thank you for developing this very private and secure OS: I think it's possibly unique in the high level of care put into developing an open and private Android OS. (And no, I'm not trying to flatter anyone into taking a second look at this report; I realise it's still a very niche function and not noticed by many users).

nrdxp commented 8 months ago

I am having this issue universally on a pixel 7 with Graphene. I vaguely remember it working in the past, but can't say for sure.

The browser I use doesn't matter, not even Vanadium works. I tried multiple services (GitHub, Google), and also I have a USB-C YubiKey but even plugging it in does not work.

Tried with and without Google Play Services installed. Perhaps I have misconfigured something, but nothing seems to work, unfortunately.

I know the NFC works because if I tap the key on the back of the phone I get sent to the yubikey demo site.

thestinger commented 8 months ago

FIDO2 security keys are supported. Passkeys are not supported yet.

FID02 commented 8 months ago

@nrdxp Hello. This GitHub issue is filed as an issue with passkeys stored on security keys. Because Play Services does not yet support passkey authentication via NFC, it sounds like you have an issue with FIDO U2F, not FIDO2 passkeys.
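
The U2F-versus-passkey distinction drawn above, as an added illustrative model that is not code from GrapheneOS, Play Services or anyone in this thread. The authenticators and credential IDs are constructed, and the decision rules are a deliberate simplification of WebAuthn/CTAP2 behaviour: a non-empty allowCredentials list is the second-factor (U2F-style) flow, an empty list is the passkey flow that needs a discoverable credential and the key's PIN, which is why a key holding only non-resident credentials yields "No passkeys available".

```javascript
// Constructed sample authenticators (not real devices or credentials).
// credentials: {rpId, credId, resident} where resident = discoverable passkey.
const yubikey5 = {
  name: "YubiKey 5 (constructed)", ctap2: true, hasPin: true,
  credentials: [
    { rpId: "login.microsoftonline.com", credId: "ms-1", resident: true }, // passkey
    { rpId: "github.com", credId: "gh-1", resident: false },               // 2FA only
  ],
};
const u2fOnlyKey = {
  name: "U2F-only key (constructed)", ctap2: false, hasPin: false,
  credentials: [{ rpId: "github.com", credId: "gh-2", resident: false }],
};

// Simplified model of a platform FIDO client deciding what to show for one
// navigator.credentials.get() request against one attached key.
// request: { rpId, allowCredentials: [credId...], userVerification }
function classifyRequest(request, key) {
  const allow = request.allowCredentials || [];
  const uv = request.userVerification || "preferred";
  if (allow.length > 0) {
    // Second-factor flow: the site names the credential IDs it accepts.
    const match = key.credentials.find(
      (c) => c.rpId === request.rpId && allow.includes(c.credId));
    if (!match) return "no-matching-credential";
    // A PIN prompt needs a CTAP2 key with a PIN set; U2F keys can only touch.
    if (uv === "required" && !(key.ctap2 && key.hasPin)) return "uv-unavailable";
    return uv === "required" ? "prompt-pin" : "touch-only";
  }
  // Passkey flow: empty allow list, so a discoverable credential is required.
  if (!key.ctap2) return "no-passkeys-available"; // U2F cannot store resident creds
  const resident = key.credentials.filter(
    (c) => c.rpId === request.rpId && c.resident);
  if (resident.length === 0) return "no-passkeys-available";
  // Passkey sign-in verifies the user, which on a security key means its PIN.
  return key.hasPin ? "prompt-pin" : "uv-unavailable";
}

// Map the model's outcome to the dialog text the thread reports.
function dialogFor(outcome) {
  return { "prompt-pin": "Enter your security key PIN",
           "touch-only": "Touch your security key",
           "no-passkeys-available": "No passkeys available" }[outcome] || "Sign-in failed";
}
```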

nrdxp commented 8 months ago

Like I said, neither works, so my issue is actually both. I use passkeys to sign in to my GitHub for example, and the auth just fails immediately even when I have my YubiKey directly plugged in to my USB port. The NFC issue may be out of scope for this issue, but not the passkey issue.

FID02 commented 7 months ago

I have good news. In my testing, sign-in with passkeys stored on Yubikeys now works just as well as it does on stock PixelOS: all prompts are shown, PIN input works, selection of stored passkey credential works.

There are a few exceptions, noted below, which I will try to reproduce on stock PixelOS later. I'm sorry for the wall of text.

Summary of my results from testing this today:

Device: Yubikey 5 (USB) Browser: Vanadium

Passkey sign-in tested and confirmed to work with the following sites:

Microsoft.com was also tested with a Yubikey Security Key series and confirmed working.

Passkey sign-in tested and confirmed to not work:

Registering passkeys is a different matter: only microsoft.com would allow me to do this on a Yubikey. Other sites simply displayed the Google Password Manager registration prompt, which provides no alternative registration method: but this issue is about sign-in and not registration, so that is merely a side note. You can always register passkeys on the Yubikey from a desktop OS.

More details:

When attempting to sign in, Google.com asks for Google Password Manager with no option to select a passkey on a hardware key. This is also the case for some other sites, when the account you are attempting to sign in with has a non-hardware passkey registered (in addition to the Yubikey). If you remove that passkey, you can sign in with a passkey stored on a Yubikey. Not clear how this will work with third-party password managers when Chromium adds support for that. In any case, I suspect that this behaviour is not specific to GrapheneOS or AOSP; will test on PixelOS shortly.

(If this last paragraph is hard to comprehend, please note that English is not my primary language and I have some difficulties).

It's likely that passkey sign-in also now works on other security keys.

It seems to me like this is largely now a non-issue. Would of course be helpful if others could test.

savely-krasovsky commented 7 months ago

I have also tested some sites. Worked with both Yubikey 5 and Solo 2C.

thestinger commented 7 months ago

@FID02 Please file a new issue about the parts which still don't work.

thestinger commented 7 months ago

It seems like we need an issue about google.com sign-in and a separate issue about registering passkeys.

FID02 commented 7 months ago

Passkey registration issue filed as https://github.com/GrapheneOS/os-issue-tracker/issues/3347

FID02 commented 7 months ago

Signing in with FIDO2 passkeys on security keys on google.com now seems to work fine on GrapheneOS as well, so an issue for that specifically is not needed. Passkey sign-in on google.com even works with NFC. Confirmed that this is actually the passkey/passwordless sign-in flow, and not the MFA sign-in flow. Also confirmed to work with the Play Store sign-in flow. [screenshot]