Passkey is getting more urgent

Open hirntot opened this issue 2 years ago • 15 comments

Is your feature request related to a problem? Please describe.

Using Linux and /e/, I might get locked out of some accounts in the near future, just for the fact that there is no passkey support for Linux/microG yet.

Describe the solution you'd like

Support for passkey. In whatever way.

hirntot avatar Jun 17 '23 19:06 hirntot

From what they say, that is based on FIDO standards; I'd guess the difference is that instead of using an external token, an internal key is used.

See implementation status and #849

I might be wrong, but it seems like Google has an implementation of the API without Play Services: https://github.com/android/identity-samples/tree/main/CredentialManager

alex9099 avatar Jul 02 '23 09:07 alex9099

I've contacted Bitwarden to ask whether their Android app will have their own passkeys implementation (not based on Google Play Services), but the answer didn't sound promising... so it would be awesome to see this feature in microG!

mu88 avatar Nov 04 '23 13:11 mu88

Hey folks, any friendly update on this?

paaspaas00 avatar May 27 '24 18:05 paaspaas00

August 1, 2024 is tomorrow and app passwords are now obsolete and passkeys are already being pushed hard by Google as recommended. Is there any update on this?

DoubleStrike avatar Jul 31 '24 22:07 DoubleStrike

Passkey isn't yet supported but now there is support for FIDO2 authenticators with a PIN so we are now less distant.

ale5000-git avatar Aug 19 '24 19:08 ale5000-git

@ale5000-git thank you for the update! Do you think what's left to implement for passkey support is hard to implement? Can you share some technical details on what is left to do and relevant code? Thank you!

paaspaas00 avatar Aug 19 '24 22:08 paaspaas00

I haven't looked at it that much but @mar-v-in surely knows better and maybe @alex9099 too (see here: #2150). This is probably also needed: #2463

ale5000-git avatar Aug 20 '24 00:08 ale5000-git

Passkey is a very misleading marketing term that may be used for discoverable keys as well as any FIDO2 key, or even cross-device authorizations. And it sounds like the issue is about discoverable keys, support for which is fixed with https://github.com/microg/GmsCore/pull/2885

p1gp1g avatar May 02 '25 15:05 p1gp1g

KeePassDX has a branch that supports passkeys. I've wanted to document the effects of using it here (because I think they are relevant enough).

On webauthn.io and passkeys.io, trying to create a passkey leads to the microG interface, and from there you can use biometric authentication.

- Trying to sign in on webauthn.io opens the microG interface.
- Trying to sign in on passkeys.io opens the Credential Manager/KeePassDX Credential Provider interface. (So it's impossible to sign in on passkeys.io using passkeys.)
- On passkey.org, creating a passkey opens the Credential Manager/KeePassDX Credential Provider interface.
- On webauthn.io, it's possible to force the Credential Manager/KeePassDX Credential Provider interface by setting discoverable credential to 'Required'.

PalanixYT avatar May 21 '25 14:05 PalanixYT

@PalanixYT What OS are you using? When using the Credential provider, the OS must fall back to the Play Services FIDO API. GrapheneOS has a bug about this: https://github.com/GrapheneOS/os-issue-tracker/issues/3347

If you still want to use hardware keys, I've embedded the microG FIDO implementation into a credential provider: https://codeberg.org/s1m/hw-fido2-provider

There is a bug in web browsers that prevents using the credential provider depending on the residentKey value.

For Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1964526, feel free to upvote it. I've attached a patch to the issue.

p1gp1g avatar May 21 '25 14:05 p1gp1g

> What OS are you using?

I am currently on LineageOS 22 with microG.

> hardware keys

Thank you for that, but I don't use hardware keys.

> There is a bug in web browsers that prevents using the credential provider depending on the residentKey value.

That must be why I can force the credential provider on webauthn.io using discoverable credential.

PalanixYT avatar May 23 '25 10:05 PalanixYT

> @PalanixYT What OS are you using? When using the Credential provider, the OS must fall back to the Play Services FIDO API. GrapheneOS has a bug about this: GrapheneOS/os-issue-tracker#3347
>
> If you still want to use hardware keys, I've embedded the microG FIDO implementation into a credential provider: https://codeberg.org/s1m/hw-fido2-provider
>
> There is a bug in web browsers that prevents using the credential provider depending on the residentKey value.
>
> For Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1964526, feel free to upvote it. I've attached a patch to the issue.

If I'm not wrong, microG doesn't support FIDO security keys via Bluetooth, but on your repo you list Bluetooth. Have you got it working?

ale5000-git avatar May 23 '25 12:05 ale5000-git

> If I'm not wrong, microG doesn't support FIDO security keys via Bluetooth, but on your repo you list Bluetooth. Have you got it working?

Oh, you're right, I thought it was working. I'll fix the description.

p1gp1g avatar May 23 '25 12:05 p1gp1g