Update about passkeys on /e/OS 2.6

As already written in another thread, I was quite curious about /e/OS 2.6 as it potentially opens the door to using passkeys. So, I (partially :wink:) spent my Christmas holidays playing around with the new features and want to give an update.

First of all, what changed with /e/OS 2.6:

  1. Switch to microG v0.3.2.240913-102, i.e. FIDO2 USB-C sticks with PINs should now be supported
  2. Switch to Android v14, i.e. the underlying OS now supports 3rd party passkey providers.

FIDO2 USB-C stick

Unfortunately, option #1 does not work: my FIDO2 USB-C stick contains a passkey for github.com. When I plug this stick into my FP4 and try to log in on github.com on any major browser (Firefox, Chrome, Edge), nothing happens.

While this was a bit disappointing in the first place, it’s not such a big deal since having a dedicated USB device that I always have to carry with me wasn’t my favorite option anyway.

3rd party passkey providers

I have a Raspberry Pi, so I could easily run a Docker Compose stack of the Bitwarden Unified Deployment beta. This took a bit of time due to my network settings at home (reverse proxy, custom Public Key Infrastructure, etc.), but the process was straightforward and rather easy. After an hour or so, I had an up-and-running Bitwarden instance and could connect to it using my Win11 machine. Next, I installed the Bitwarden add-on for Firefox and created a passkey for github.com without any issues.

Now comes the interesting piece: I’ve installed the Bitwarden Android app on my FP4 and could connect to the self-hosted Bitwarden server running on my Raspi without any issues. When navigating to github.com in Firefox for Android, I could successfully use the previously created passkey to log in :nerd_face::partying_face:

This setting has now been up and running for almost two weeks, and several created and used passkeys later, I must admit that I’m more than happy. There are some glitches here and there (e.g. Bitwarden Docker container still runs as root, no distroless Docker image yet), but the main purpose of providing me with a reliable passkey platform works like a charm.

Don’t hesitate to ask any questions :upside_down_face:


Hello!

I am trying to get the 3rd party passkey setup going which seems to have worked out for you. For now I am trying to create and reuse a login at https://passkeys.io to see if I can even get it to work, but so far no dice. Furthest I got is that a passkey got created, but I can’t even find it when trying to log in again. Details of the setup are:

  • I have Vaultwarden as my backend for Bitwarden. Tested that it supports passkeys on my laptop
  • I tried with both Bitwarden client and Proton Pass as my autofill provider
  • I tried Chrome, the built-in browser and Firefox

Do you have any idea on what can be the issue? I am happy to provide more info or test more things if needed.

Thanks in advance!

First of all, great that you also joined this journey - welcome aboard :partying_face: Don’t know whether I can help you, but I will try my best.

First of all, let’s take Android out of the game: does your backend work from your Desktop browser with a corresponding extension, i.e. can you log in using Firefox on your desktop with the Bitwarden browser plugin using a passkey?

If this works, the next step for me was installing the native Bitwarden Android app - it does not work on Android with the browser plug-ins.

Last but not least, I had to enable Bitwarden as my default auto fill provider:

PS: I’m only referring to Bitwarden here as I’m neither familiar with Proton passkey nor Vaultwarden
PPS: During my tests, I discovered that I can only consume passkeys on Android but not create. So I always have to create the passkeys from within my desktop browser and sync them via Bitwarden onto my Android phone.
PPPS: I also faced the issue that some of these passkey testing websites were not properly implemented :face_with_raised_eyebrow::man_facepalming:t2: so I did all my testing with the passkey functionality both here in this community and on github.com


Thanks for the support!

So, I already had the test on desktop and it works there. I also chose the app to autofill.

However, like you said the issue was with passkeys.io not implementing it properly, which is quite sad since they advertise the concept :man_facepalming: Now in GitHub I can see the autofill option and inline filling, but whenever I press use passkey it says authentication failed. On the desktop it works as expected.

After reading Bitwarden’s page on this (I tried to add a link but my post got flagged as advertisement, just search “Autofill on android” and go to the section “for use with passkeys”) my guess is that because I was able to create some passkeys on my phone (I couldn’t use them again later -_-), Firefox is looking at where they are stored and fails to find the ones stored in the Bitwarden app. Do you have any idea on how I can delete those failed passkeys? The support article suggests using Google Password Manager but I couldn’t find the /e/OS equivalent.

Oh you tried creating passkeys on your phone? :confused: So my understanding so far was the following: neither the Google substitute microG nor /e/OS have some sort of storage for passkeys, i.e. without Bitwarden, passkeys created on Android are just transient and will get lost.
But now with Bitwarden as a store for passkeys, this changes. But since I don’t know what exactly Bitwarden’s statement “creation of passkeys on Android is not yet supported” means, it’s hard to say what actually happened in your case without digging into the source code. But since nothing has changed in terms of /e/OS or microG, maybe you’re lucky and the newly created passkey is only partially corrupt (just a rather naive assumption from someone who doesn’t really know what’s going on under the hood) but was synced to your vault. In that case, I’d sync the vault on Android, open it with the Bitwarden app on Windows, open the GitHub entry, remove the corrupt passkey entry from there, save and sync. Now when syncing again on Android, the passkey should be gone and you have a clean place to start. But that’s really just a poor assumption :man_shrugging:t2:

Seems like a fair assumption, but sadly I did not create the passkeys with Bitwarden but whatever built-in thing that handles it. Here are the screenshots of each step.



After this, if I try to log in again it just fails finding the previously created passkeys for this site. However, it also ignores the ones on Bitwarden for both this site and GitHub. That’s why it makes me think that the sign-in with passkey button is looking at the wrong place, which is also hinted at in the docs with this line:

Warning

In order to activate Bitwarden as your preferred passkey provider it may be necessary to:
...
- Remove any passkeys stored in Google Password Manager, as Android will preference this provider (be sure not to delete any important passkeys that will result in lockout from an account).

Can you try to reset both the Bitwarden and Firefox app on your phone? Maybe it’s cached somewhere.

Furthermore, I think the autofill configuration on your phone is not yet set up correctly: the second screenshot in your previous post shows a dialog coming from the OS about handling passkeys (which is not yet implemented properly). If everything is set up correctly, it has to look like that:

I cleaned up the cache for both, still no dice :confused:

I think that’s because passkeys.io does not implement the auto fill correctly. On GitHub I see this inline fill option for auto fill

and I have the auto fill set like shown here

Sorry, you lost me somehow :sweat_smile: passkeys.io seems broken to me, but what about GitHub or our current forum? Can you create a passkey on Windows and log in using this passkey on Android?

Apologies, let me try to make a summary :sweat_smile:

  • passkeys.io’s implementation of autofill does not work on mobile regardless of passkeys or email, probably is broken
  • I can create a passkey and use it with Bitwarden on my laptop
  • I can use the autofill with Bitwarden app for passwords on my phone with Firefox mobile (for example, I can autofill a username and password for GitHub)
  • I can share the passkey entry from my laptop’s Bitwarden to my phone (I can see the passkey entry on my phone app)
  • I cannot use the shared passkey, it does not give me the pop up that you screenshotted.
  • I tried deleting app cache for both Bitwarden and Firefox
  • I am sure autofill provider is Bitwarden and inline fill is turned on
  • I did use the OS way of creating passkeys (I think three times), none of them worked again after the initial creation
  • I did read on the Bitwarden forum that if there are passkeys created and managed by the OS, the OS just prefers that location to look for all keys. However, /e/OS does not have any method that allows me to delete them as far as I can see. So my theory is, whenever I try to use a passkey login, it is searched at OS generated location, ignoring Bitwarden.

Is this more clear? If a part is vague I can edit to clarify.

P.S. thank you for the help and patience!

Thx for the heads-up, now I’m back on track :sweat_smile:

I did read on the Bitwarden forum that if there are passkeys created and managed by the OS, the OS just prefers that location to look for all keys. However, /e/OS does not have any method that allows me to delete them as far as I can see. So my theory is, whenever I try to use a passkey login, it is searched at OS generated location, ignoring Bitwarden.

I think this is only true for versions of Android where the OS has some sort of storage for passkeys. But with /e/OS and microG, the OS has no such storage - at least to my understanding :man_shrugging:t2:

But to be honest, I’m running out of ideas. The only remaining thing which comes to my mind is that you try to apply your current setup on Android a second time, be it a different Android user or on a completely different device.

Or you might wanna ask the dedicated Bitwarden family: https://community.bitwarden.com/

I will keep the separate profile option in mind and report back if I do it. For now I think I will just test passkeys on my PC and keep an eye out for updates mentioning passkeys.

Thanks for the support!
