GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

FIDO2 security key prompt for passkey _registration_ does not appear #3347

Open FID02 opened 6 months ago

FID02 commented 6 months ago

On GrapheneOS, registering a FIDO2 passkey on a security key is currently not possible on most websites, due to a missing registration prompt.

Background: Google Play Services added support for PIN with FIDO2 in September: "[Phone] Adding Pin Protocol support for Fido2 on Android Platform."

Issue description:

On stock PixelOS using Chrome, when attempting to register a passkey on a website, the user is presented with a dialog offering to save a passkey to Google Password Manager. However, the user is also offered the option to "Use a different device" which, when pressed, further offers the option to save the passkey on a USB security key. This works fine on PixelOS.

Screenshot from Chrome on PixelOS:

On GrapheneOS using Vanadium, the dialog that offers to save a passkey to Google Password Manager is also shown. However, the option to "Use a different device" is not present. The dialog otherwise appears identical to the dialog shown on PixelOS.

Screenshot from Vanadium:

A notable exception is microsoft.com: when the user selects storing a passkey on a security key, the Google Password Manager dialog is not shown and it skips directly to the USB security key prompt. In Vanadium, saving a passkey for microsoft.com on a security key works fine, and the passkey on the security key can then be used to sign in to microsoft.com on GrapheneOS without issues.

I saved logs from both Play Services and GSF immediately after triggering the dialog in Vanadium (from the second screenshot). Logs are attached here, although it is unclear to me whether they are in any way helpful: Google Play services log 7c2d0f845e7c.txt and Google Services Framework log b921c8d5a686.txt

Stock PixelOS version AP1A.240305.019.A1 tested on a P6a with Chrome 122.0.6261.106. GrapheneOS version 2024031400 tested on a P8 with Vanadium 123.0.6312.40 and Play Services version 24.08.12.

FID02 commented 3 months ago

I have found a workaround for this in Vanadium. It requires changing a specific chrome://flags setting called "Android Credential Management for passkeys" from "Default" to either "Enabled for 3rd party passkeys" or "Enabled for Google Password Manager and 3rd party passkeys".

Change that flag, relaunch Vanadium, and you can now store passkeys on your security key.

Of course, changing that flag causes other breakages in Vanadium, so this is only to demonstrate that it does work and is possible to work, and there doesn't appear to be an issue with Sandboxed Google Play.

It appears that you need Play Services 24.22.13 or newer in order to test this. I have tested this on GrapheneOS 2024061200 on both a Pixel 8 and Pixel 6a.

Notably, this works out of the box in both Chrome and Brave on GrapheneOS, without having to change any settings at all, which might point towards an issue in Vanadium (but this is me making an uneducated guess based on my observations so far).

You can test storing passkeys on a security key by going to https://passkey.org and signing up for an account there. You don't need to have a security key in order to trigger the menus.

Screenshots of the passkey menus that are shown when the flag is set in chrome://flags in Vanadium:

When you are not signed in to the Play Store: [screenshot]

When you are signed in to the Play Store: [screenshot]

thestinger commented 3 months ago

@FID02 Please try with the latest Vanadium and Vanadium Config with a fresh profile. I thought we were already setting the default to that value.

FID02 commented 3 months ago

Ah, if you mean Vanadium version 126.0.6478.50.1 and Vanadium Config 23 then I will try with them as soon as the next QPR3-based release is pushed to Alpha.

thestinger commented 3 months ago

@FID02 It's in Alpha now.

FID02 commented 3 months ago

> @FID02 Please try with the latest Vanadium and Vanadium Config with a fresh profile. I thought we were already setting the default to that value.

The issue persists with Vanadium version 126.0.6478.50.1 and Vanadium Config 23. I have tested in a completely fresh profile, with Play Services 24.22.32 and Vanadium settings set to defaults, no settings changed. Tried in two fresh profiles, put back to rest and then unlocked again a few times. Pixel 8.

Also persists on a Pixel 6a that was factory reset. Same versions and configuration as on the Pixel 8.

oppressor1761 commented 3 months ago

Can confirm here with P8P, GOS 2024061400, Vanadium 126.0.6478.110.0, Vanadium Config 24. The option "use a different device" never appears. All of my chrome://flags are set to default.