Passkeys without sync/backdoor with Google

Trying to set up passkeys on Android. It suggests that this will be stored in your Google account. I cannot seem to find a way around this. Have any of you managed this? If so, how can this be done?

N.B. this is not the same as using your phone as a security key. Same tech, different implementation.


I don’t think there is a way around this. The documentation around this seems to be limited.
I guess when they say passkeys will be stored on your device, it means it will be automatically linked to your account and synced to your other devices. A quick search for documentation shows that passkeys are synced with your Google account using Google Password Manager and are supposedly “end to end encrypted”. Source: Passkey support on Android and Chrome | Authentication | Google for Developers.
So far I haven’t used this feature much. But I have enabled passwordless login for GitHub through my YubiKey, which is just like a passkey but stored on your separate physical device.
So using a YubiKey for passwordless login looks like a much better option if you don’t want to trust the Apple/Google ecosystem.
But for an average user, passkeys should be a much better option if the websites are compatible.


We agree on all things here.
I just hate that it seems impossible to avoid Google here. It seems like a bad idea, and I wonder how Bitwarden and 1Password will do their implementation of key syncing in that case.

You mention you stored a passkey on your YubiKey for GitHub. But does that allow you to log in on Android with it?

The implementation with Google also does not work on GrapheneOS btw, as it doesn’t meet the sts (SafetyNet).


It doesn’t exactly seem to work on Android for some reason. But it allows the YubiKey to be used after entering your login and password and then clicking on the passkeys option.

Sure, that’s WebAuthn FIDO2 as security key MFA. But the passkeys implementation doesn’t seem to work that way, which is sad and slightly worrying.


Yeah, I kinda hoped that when websites start supporting passkeys, WebAuthn FIDO2 would automatically start working on these websites too, which would have been a great feature for power users.
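The two posts above draw a distinction that is easy to state in WebAuthn terms: a "passkey" is a discoverable credential created with user verification, so it can sign you in without a password, while a security key used for MFA is usually a non-discoverable credential the site looks up by ID after the password step. The added example below is not from this thread or from Google's or Yubico's code; it builds the `navigator.credentials.create()` / `get()` option objects for both cases, checks the `credProps` extension result, and parses the authenticator-data flag byte, whose BE/BS bits are how a server can tell a synced passkey (the Google Password Manager case) from a device-bound one (a YubiKey). `RP_ID`, the user record, the challenge and the sample authenticator data are constructed values.

```javascript
// Added example, not from the thread or from Google's or Yubico's code.
// RP_ID, the user record, the challenge and sampleAuthData() are constructed.

const RP_ID = "example.com"; // assumed relying-party domain

// create() options that ask for a passkey. residentKey "required" makes the
// authenticator store the credential itself (discoverable) and
// userVerification "required" makes it check PIN or biometric, so the
// credential alone identifies and verifies the user. authenticatorAttachment
// is left unset so a phone's platform authenticator or a roaming key such as
// a YubiKey can both be offered by the client.
function passkeyCreationOptions(user, challenge) {
  return {
    rp: { id: RP_ID, name: "Example RP" },
    user,
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: "required",
      requireResidentKey: true, // older clients only understand this form
      userVerification: "required",
    },
    extensions: { credProps: true }, // ask the client whether the key is resident
  };
}

// create() options for registering a security key as a second factor only:
// non-discoverable, no PIN/biometric required, roaming authenticator.
function secondFactorCreationOptions(user, challenge) {
  const opts = passkeyCreationOptions(user, challenge);
  opts.authenticatorSelection = {
    authenticatorAttachment: "cross-platform",
    residentKey: "discouraged",
    userVerification: "discouraged",
  };
  return opts;
}

// Passwordless sign-in: an empty allowCredentials list tells the client to
// let the authenticator present whatever discoverable credentials it holds.
function passwordlessRequestOptions(challenge) {
  return { rpId: RP_ID, challenge, allowCredentials: [], userVerification: "required" };
}

// Second-factor sign-in: the user is already known from the password step, so
// the server lists that user's registered credential IDs for the client.
function secondFactorRequestOptions(challenge, credentialIds) {
  return {
    rpId: RP_ID,
    challenge,
    allowCredentials: credentialIds.map((id) => ({
      type: "public-key",
      id,
      transports: ["usb", "nfc"],
    })),
    userVerification: "discouraged",
  };
}

// credProps.rk from credential.getClientExtensionResults() reports whether
// the authenticator actually stored the credential as discoverable; a server
// should only offer passwordless login for credentials where this is true.
function isDiscoverable(extensionResults) {
  return Boolean(
    extensionResults && extensionResults.credProps && extensionResults.credProps.rk === true
  );
}

// Authenticator data layout: rpIdHash (32 bytes), flags (1 byte), signCount
// (4 bytes), then optional attested credential data and extensions.
// BE (backup eligible) and BS (backup state) are the bits a server can use to
// tell a sync-capable passkey from a device-bound credential.
function parseAuthenticatorFlags(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  return {
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    backupEligible: (flags & 0x08) !== 0, // BE: credential may be synced
    backedUp: (flags & 0x10) !== 0,       // BS: credential is currently backed up
    attestedCredentialData: (flags & 0x40) !== 0,
  };
}

// Constructed authenticator data with only the flags byte set (not a real response).
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}
```

A hardware key registered with the passkey options above will also satisfy the passwordless `get()` call, after a PIN or touch, which is the behaviour the later posts describe once Play Services gained FIDO2-with-PIN support. The BE/BS flags were added in WebAuthn Level 3; authenticators that predate them leave both bits zero, so a zero reading means "not known to be synced" rather than "device-bound".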

You can now use a YubiKey on Android to do passwordless logins by entering the PIN. It works on GitHub.
It might be due to some recent updates in Play Services.
Though for some reason it doesn’t give the option to use it over NFC, but only by physically connecting it via USB.

Can you describe the steps you take to get here? That would be super helpful. I have not been able to do this so far.

I didn’t do any particular steps. I am on Android 13 with the latest Play system updates (Nov 23) installed. It might have been enabled after the recent Play system updates. After that I installed the GitHub app and tried to use the passkey on the YubiKey, and it gave me a pop-up to either use a “security key” or “this device”.

Also, to be clear, it only allowed me to log in with the YubiKey and still doesn’t allow registering a new passkey with a YubiKey.

I think Google suggests in this article that the passkeys stored in their password manager are encrypted by a key stored in the Android keystore system, which can be unlocked only by your screen lock password.

Well, this I only get when adding it as a second factor. If I try to add a passkey, it prompts me to create one stored in the Google account on the phone.


It will add the passkey to your Google account in the first step, but my understanding from the pop-up was that they will encrypt that passkey with your local device password while the passkey is being synced to the cloud.
Though I’m still not 100% sure if that’s the case.

Ah, well, so that’s not on the YubiKey then. Definitely not going to put any passkeys in a Google account.

I can confirm that a Play Services update in September '23 added support for FIDO2 with PIN on security keys. It works really well in my testing on PixelOS. It, however, does not currently work on GrapheneOS. Unclear why.


More on this:

It’s sad to see that Google made passkeys a Play Services feature rather than making it a part of the AOSP project itself, as was thought by many initially.
Also to note, they still require a Google account for registering a passkey, with no option for using a security key instead.

I think you are missing the point of the discussion once again.

FYI, this screen is only shown the first time you use passkeys. I believe that the keys still sit in the secure element, but are then synced to the cloud.

As an alternative, you can create and store passkeys in something like Proton Pass.

Yep now this works well. I have been testing this. Creation still doesn’t seem to work but using the ones saved earlier works well.