FIDO Passkeys not working #2073

Closed
bcsti opened this issue Apr 2, 2023 · 8 comments

@bcsti

bcsti commented Apr 2, 2023

Creating passkeys is not working on GrapheneOS.
If I try to create one, the prompt to save it in my Google account is shown and the prompt to create a screen lock is shown, but if I click the button to create it, the prompt disappears and nothing happens.

I'm using Vanadium and Sandboxed Play Services with all necessary permissions.

You can try it yourself using this website: https://www.passkeys.io/


@matchboxbananasynergy

To my understanding, this may require passing ctsProfileMatch, which GrapheneOS doesn't currently:

https://discuss.grapheneos.org/d/3540-passkeys-and-passwordless-auth/4

I expect this to move to Play Integrity API's MEETS_DEVICE_INTEGRITY instead of ctsProfileMatch, so this applies:

#1986

@girlbossceo

Need logs to determine if this is a different issue, otherwise we're going to assume this is related to #1986 based on other reports of this issue, and may be resolved in the future.

@bigswag420

I got some logs 🗿🍵 by trying to create a passkey

04-26 08:52:17.217 11639 11639 I Fido    : [AuthenticateChimeraActivity] onAttachmentUpdate [CONTEXT service_id=287 ]
04-26 08:52:17.217 11639 11703 I Fido    : [AuthenticateViewModel] StrongBox not needed. [CONTEXT service_id=287 ]
04-26 08:52:17.217 11639 11639 I Fido    : [AuthenticateChimeraActivity] Using default UserVerifier. [CONTEXT service_id=287 ]
04-26 08:52:17.218  1434  2864 D CoreBackPreview: Window{ad231a7 u0 com.google.android.gms/com.google.android.gms.fido.fido2.ui.Fido2FullScreenActivity}: Setting back callback OnBackInvokedCallbackInfo{mCallback=android.window.IOnBackInvokedCallback$Stub$Proxy@f9ee9fd, mPriority=0}
04-26 08:52:17.220 11639 11639 I Fido    : [StringStoreKeyHandleCache] initU2fDeviceCache
04-26 08:52:17.220 11639 11639 I Fido    : [FidoApiImpl] updateTransaction is called for resume
04-26 08:52:17.221 11639 11694 I Fido    : [RegistrationRequestHandler] Registering key via credential store.
04-26 08:52:17.227 11639 11690 E OpenGLRenderer: Unable to match the desired swap behavior.
04-26 08:52:17.232 11639 11690 W Parcel  : Expecting binder but got null!
04-26 08:52:17.242  1434  3120 D CoreBackPreview: Window{17c95bb u0 com.google.android.gms/com.google.android.gms.fido.fido2.ui.Fido2FullScreenActivity}: Setting back callback OnBackInvokedCallbackInfo{mCallback=android.window.IOnBackInvokedCallback$Stub$Proxy@8e34c6d, mPriority=0}
04-26 08:52:17.245 11639 11639 W OnBackInvokedCallback: OnBackInvokedCallback is not enabled for the application.
04-26 08:52:17.245 11639 11639 W OnBackInvokedCallback: Set 'android:enableOnBackInvokedCallback="true"' in the application manifest.
04-26 08:52:17.249 11639 11690 E OpenGLRenderer: Unable to match the desired swap behavior.
04-26 08:52:17.253 11639 11690 W Parcel  : Expecting binder but got null!
04-26 08:52:17.254  4162  4162 I Finsky  : [2] ylf.onStartJob(4): SCH: job service start with id 9177.
04-26 08:52:17.260  1434  1565 I ActivityTaskManager: Displayed com.google.android.gms/.fido.fido2.ui.Fido2FullScreenActivity: +45ms
04-26 08:52:17.261 11639 11639 I Fido    : [PasskeysCreationFragment] PasskeysCreationFragment is shown [CONTEXT service_id=287 ]
04-26 08:52:17.261  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.onFinishInput():3302
04-26 08:52:17.264  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.updateDeviceLockedStatus():2152 repeatCheckTimes = 0, unlocked = true
04-26 08:52:17.264  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.onStartInput():1930 onStartInput(EditorInfo{inputType=0x0(NULL) imeOptions=0x0 privateImeOptions=null actionName=UNSPECIFIED actionLabel=null actionId=0 initialSelStart=-1 initialSelEnd=-1 initialCapsMode=0x0 hintText=null label=null packageName=com.google.android.gms fieldId=-1 fieldName=null extras=null}, false)
04-26 08:52:17.268  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.shouldHideHeaderOnInitialState():4116 ShouldHideHeaderOnInitialState = false
04-26 08:52:17.269  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.updateDeviceLockedStatus():2152 repeatCheckTimes = 2, unlocked = true
04-26 08:52:17.293  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.onFinishInput():3302
04-26 08:52:17.293  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.updateDeviceLockedStatus():2152 repeatCheckTimes = 0, unlocked = true
04-26 08:52:17.294  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.onStartInput():1930 onStartInput(EditorInfo{inputType=0x0(NULL) imeOptions=0x0 privateImeOptions=null actionName=UNSPECIFIED actionLabel=null actionId=0 initialSelStart=-1 initialSelEnd=-1 initialCapsMode=0x0 hintText=null label=null packageName=com.google.android.gms fieldId=-1 fieldName=null extras=null}, false)
04-26 08:52:17.294  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.shouldHideHeaderOnInitialState():4116 ShouldHideHeaderOnInitialState = false
04-26 08:52:17.294  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.updateDeviceLockedStatus():2152 repeatCheckTimes = 2, unlocked = true
04-26 08:52:17.358  4162  4711 I Finsky  : [26] xvd.accept(55): SCH: Scheduling phonesky job Id: 1-1337, CT: 1682512985498, Constraints: [{ L: 21600000, D: 33747038, C: 1, I: 1, N: 1 }]
04-26 08:52:17.358  4162  4711 I Finsky  : [26] xvd.accept(55): SCH: Scheduling phonesky job Id: 34-199, CT: 1682507976363, Constraints: [{ L: 79199997, D: 1375199997, C: 1, I: 1, N: 1 }]
04-26 08:52:17.381  4162  4712 I Finsky  : [27] yjt.apply(99): SCH: Scheduling 1 system job(s)
04-26 08:52:17.382  4162  4712 I Finsky  : [27] yjs.d(4): SCH: Scheduling system job Id: 9183, L: 21048117, D: 33195155, C: false, I: false, N: 1
04-26 08:52:17.394  4162 12203 I Finsky  : [131] ylf.a(16): SCH: job service finished with id 9177.
04-26 08:52:37.240  3527  3527 D BoundBrokerSvc: onBind: Intent { act=com.google.android.gms.auth.key.retrieval.service.START dat=chimera-action:/... cmp=com.google.android.gms/.chimera.GmsApiService }
04-26 08:52:37.241  3527  3527 D BoundBrokerSvc: Loading bound service for intent: Intent { act=com.google.android.gms.auth.key.retrieval.service.START dat=chimera-action:/... cmp=com.google.android.gms/.chimera.GmsApiService }
04-26 08:52:37.252  3123  3123 D BoundBrokerSvc: onBind: Intent { act=com.google.android.gms.gmscompliance.service.START dat=chimera-action:/... cmp=com.google.android.gms/.chimera.PersistentBoundBrokerService }
04-26 08:52:37.252  3123  3123 D BoundBrokerSvc: Loading bound service for intent: Intent { act=com.google.android.gms.gmscompliance.service.START dat=chimera-action:/... cmp=com.google.android.gms/.chimera.PersistentBoundBrokerService }
04-26 08:52:37.256 11639 11639 I Fido    : [PasskeysCreationConsentFragment] PasskeysCreationConsentFragment is shown [CONTEXT service_id=287 ]
04-26 08:52:39.074  3527  5012 I RecoverableKeyStoreGms: [FolsomSyncManager] Starting sync for event: SET_CONSENT
04-26 08:52:39.083 11639 11703 I Fido    : [PasskeysCreationConsentFragment] recordConsentFuture: onFailure [CONTEXT service_id=287 ]
04-26 08:52:39.083 11639 11703 I Fido    : [PasskeysCreationConsentFragment] handleKeyRetrievalError... [CONTEXT service_id=287 ]
04-26 08:52:39.084 11639 11703 I Fido    : [PasskeysCreationConsentFragment] handleKeyRetrievalError: non-resolvable exception [CONTEXT service_id=287 ]
04-26 08:52:39.084 11639 11703 E Fido    : [PasskeysCreationConsentFragment] Set consent failed without resolution intent. [CONTEXT service_id=287 ]
04-26 08:52:39.084 11639 11703 E Fido    : zwd: 38501: Could not sync consent.
04-26 08:52:39.084 11639 11703 E Fido    :      at aaqs.a(:com.google.android.gms@231312044@23.13.12 (190400-519946965):2)
04-26 08:52:39.084 11639 11703 E Fido    :      at aabv.c(:com.google.android.gms@231312044@23.13.12 (190400-519946965):2)
04-26 08:52:39.084 11639 11703 E Fido    :      at pqn.a(:com.google.android.gms@231312044@23.13.12 (190400-519946965):0)
04-26 08:52:39.084 11639 11703 E Fido    :      at ppe.em(:com.google.android.gms@231312044@23.13.12 (190400-519946965):0)
04-26 08:52:39.084 11639 11703 E Fido    :      at gsn.onTransact(:com.google.android.gms@231312044@23.13.12 (190400-519946965):8)
04-26 08:52:39.084 11639 11703 E Fido    :      at android.os.Binder.execTransactInternal(Binder.java:1316)
04-26 08:52:39.084 11639 11703 E Fido    :      at android.os.Binder.execTransact(Binder.java:1270)
04-26 08:52:39.084  1434  2864 D CoreBackPreview: Window{17c95bb u0 com.google.android.gms/com.google.android.gms.fido.fido2.ui.Fido2FullScreenActivity}: Setting back callback null
04-26 08:52:39.085 11639 11694 I Fido    : [RequestController] Timeout Runnable is removed, and timer is stopped.
04-26 08:52:39.086 11639 11690 D OpenGLRenderer: endAllActiveAnimators on 0xb400c7b4e9d7b400 (RippleDrawable) with handle 0xb400c693ac57a1e0
04-26 08:52:39.097 11639 11694 I Fido    : [RequestController] Timeout Runnable is removed, and timer is stopped.
04-26 08:52:39.097  1434  4989 W InputManager-JNI: Input channel object '17c95bb com.google.android.gms/com.google.android.gms.fido.fido2.ui.Fido2FullScreenActivity (client)' was disposed without first being removed with the input manager!
04-26 08:52:39.102  1434  1569 V WindowManager: Unknown focus tokens, dropping reportFocusChanged
04-26 08:52:39.102 11639 11639 I Fido    : [FidoApiImpl] updateTransaction is called for pause
04-26 08:52:39.102 11639 11639 E Fido    : [FidoApiImpl] pauseSecurityKeyRequestController should not be called when SecurityKeyRequestController is null.
04-26 08:52:39.109 10228 10228 E cr_Fido2Request: FIDO2 API call resulted in error: 35 Unable to get sync account.
04-26 08:52:39.124 10228 10228 I cr_OfflineDetector: Running updateState mConnectivityDetectorInitialized: true, mTimeWhenLastForegrounded: 722846, getElapsedTime: 722846, mTimeWhenLastOfflineNotificationReceived: 0, mTimeWhenLastOnline: 184164, mApplicationState: 1, mIsOfflineLastReportedByConnectivityDetector: false, mIsEffectivelyOffline: false
04-26 08:52:39.124 10228 10228 I cr_OfflineDetector: updateState(): timeSinceLastForeground: 0, timeSinceOfflineNotificationReceived: 722846, timeSinceLastOnline: 538682, timeNeededForForeground: 2000, timeNeededForOffline: -720846
04-26 08:52:39.126 10228 10228 I cr_InactivityTracker: Last background time read from the SharedPreference is:1682513537194.
04-26 08:52:39.127 10228 10228 I cr_VideoPersist: Exited picture in picture with reason: 0
04-26 08:52:39.130 10228 10228 I cr_InactivityTracker: Last visible time read from the SharedPreference is:1682513529296.
04-26 08:52:39.140  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.onFinishInput():3302
04-26 08:52:39.141  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.updateDeviceLockedStatus():2152 repeatCheckTimes = 0, unlocked = true
04-26 08:52:39.141  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.onStartInput():1930 onStartInput(EditorInfo{inputType=0x0(NULL) imeOptions=0x13000000 privateImeOptions=null actionName=UNSPECIFIED actionLabel=null actionId=0 initialSelStart=-1 initialSelEnd=-1 initialCapsMode=0x0 hintText=null label=null packageName=app.vanadium.browser fieldId=-1 fieldName=null extras=null}, false)
04-26 08:52:39.142  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.shouldHideHeaderOnInitialState():4116 ShouldHideHeaderOnInitialState = false
04-26 08:52:39.142  3645  3645 I GoogleInputMethodService: GoogleInputMethodService.updateDeviceLockedStatus():2152 repeatCheckTimes = 2, unlocked = true
04-26 08:52:39.162 11639 11639 I Fido    : [FidoApiImpl] updateTransaction is called for stop
04-26 08:52:39.162 11639 11639 E Fido    : [FidoApiImpl] finishSecurityKeyRequestController should not be called when SecurityKeyRequestController is null.
04-26 08:52:39.164  1434  2588 D CoreBackPreview: Window{ad231a7 u0 com.google.android.gms/com.google.android.gms.fido.fido2.ui.Fido2FullScreenActivity}: Setting back callback null
04-26 08:52:39.168  1434  2588 W InputManager-JNI: Input channel object 'ad231a7 com.google.android.gms/com.google.android.gms.fido.fido2.ui.Fido2FullScreenActivity (client)' was disposed without first being removed with the input manager!
04-26 08:52:40.483   959   974 D rlsservice: MonitorDisplayStatus client num 1, display status 1, sensor status 1
04-26 08:52:48.134  2435  3206 D PowerUI : can't show warning due to - plugged: true status unknown: false
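
To reduce a capture like the one above to the FIDO failure chain, a small triage script can filter by tag and level. This is an added example, not part of the original thread or of any GrapheneOS tooling; the function name `triage` and the report fields are assumptions, and the sample lines are copied from the log above.

```python
import re

# `adb logcat -v threadtime` layout: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LINE_RE = re.compile(
    r"^\d\d-\d\d (\d\d:\d\d:\d\d\.\d{3})\s+\d+\s+\d+ ([VDIWEF]) (\S+?)\s*: (.*)$")
API_ERR_RE = re.compile(r"FIDO2 API call resulted in error: (\d+) (.+)")
SHOWN_RE = re.compile(r"^\[(\w+)\] \w+ is shown")

# Excerpt of the log posted above (lines copied from the thread).
SAMPLE = """\
04-26 08:52:17.221 11639 11694 I Fido    : [RegistrationRequestHandler] Registering key via credential store.
04-26 08:52:17.227 11639 11690 E OpenGLRenderer: Unable to match the desired swap behavior.
04-26 08:52:37.256 11639 11639 I Fido    : [PasskeysCreationConsentFragment] PasskeysCreationConsentFragment is shown [CONTEXT service_id=287 ]
04-26 08:52:39.084 11639 11703 E Fido    : zwd: 38501: Could not sync consent.
04-26 08:52:39.084 11639 11703 E Fido    :      at android.os.Binder.execTransact(Binder.java:1270)
04-26 08:52:39.109 10228 10228 E cr_Fido2Request: FIDO2 API call resulted in error: 35 Unable to get sync account.
"""


def triage(log_text, tags=("Fido", "cr_Fido2Request")):
    """Reduce a logcat capture to the FIDO failure chain (hypothetical helper)."""
    report = {"last_screen": None, "errors": [], "api_error": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a threadtime line (blank, truncated, other format)
        ts, level, tag, msg = m.groups()
        if tag not in tags:
            continue  # drops OpenGLRenderer, Finsky, input-method noise, etc.
        shown = SHOWN_RE.match(msg)
        if shown and not report["errors"]:
            report["last_screen"] = shown.group(1)  # UI step reached before the first error
        if level not in "EF" or msg.lstrip().startswith("at "):
            continue  # keep error/fatal lines only; skip stack-trace frames
        report["errors"].append((ts, tag, msg.strip()))
        api = API_ERR_RE.search(msg)
        if api:
            report["api_error"] = (int(api.group(1)), api.group(2))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    print("last screen before failure:", r["last_screen"])
    for ts, tag, msg in r["errors"]:
        print(ts, tag, msg)
    print("API error returned to the browser:", r["api_error"])
```
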

@FID02

FID02 commented Mar 29, 2024

This now works in the latest Vanadium.

@oppressor1761

No, this does not work for me. Is this related to cts? If not, can we reopen this issue again?

@thestinger
Member

No, if there's a new issue it should be opened as a new issue. First, make sure it's not a configuration issue.

@oppressor1761

I wanna know what's the official guide for passkeys on GOS. Is it not planned because passkeys on Google Password Manager need cts? Someone reported it to be working @FID02. I cannot reproduce. Should it be working? What about third-party providers?

@FID02

FID02 commented May 24, 2024

> I wanna know what's the official guide for passkeys on GOS. Is it not planned because passkeys on Google Password Manager need cts? Someone reported it to be working @FID02. I cannot reproduce. Should it be working? What about third-party providers?

Passkeys with third-party password managers (Bitwarden, Proton Pass, etc.) work completely fine on GrapheneOS with Sandboxed Google Play. Please search the forums and you'll find numerous threads on how to set this up.

Google Password Manager is known to be problematic because of restrictions set by Google. I have clearly outlined that in the GitHub issue you referenced. I have provided specific steps which you have deviated from. There are no other known steps to get passkeys with GPM working.

I could write an info thread in the forums for passkeys, but if users do not use the search function then that is no use. I won't assist you further on this tracker because it's not the place for support questions.
