Does Google block Bitwarden FIDO2 passkeys on Android devices?

Does Google block Bitwarden and Yubikey FIDO2 passkeys via the WebAuthn login options on Android devices where a sister passkey exists in Google Password Manager?

I did the compatibility testing below for my Yubikey, then it dawned on me that I could substitute the word ‘Yubikey’ with ‘Bitwarden’, and the results would be virtually the same. In fact, the question is, does it apply to all 3rd-party security keys and password managers?

I tested passkey functionality for Yubikey 5C on Samsung S10+ (Android 12) and co-existence with Google Password Manager.

Please refer to the attached graphic below for my detailed compatibility testing results.

I could not test Android apps, because that requires Android 14, and I am on Android 12.

Definitions:

  • GPM = Google Password Manager.
  • CDA = Cross Device Authentication (using your phone as a 2FA device for securely logging into websites on your Windows PC)
  • PM = Password Manager

Key Findings:

😀 The good news: There is always a passkey option that works to login on the Android smartphone.
😵‍💫 The bad news: The most secure option, security keys (Yubikeys), is blocked by GPM where a passkey exists in GPM. This blocking also extends to 3rd-party PMs (e.g. Bitwarden).

  1. Android/GPM almost always blocks Yubikey and other password managers in the WebAuthn selection options when a FIDO2 passkey for that specific account exists in GPM.
  2. Yubikey usually works in Firefox even if a GPM passkey exists.
  3. Yubikey never works in Chrome if a GPM passkey exists.
  4. Yubikey sometimes works and is sometimes blocked in other Chromium browsers if a GPM passkey exists.
  5. CDA ‘Login with another device’ from Windows to Yubikey on S10+ worked in only one instance.
  6. CDA ‘Login with another device’ from VMware Windows VMs never works with any passkey whatsoever, including Yubikey on S10+ (because VMware does not support the WebAuthn caBLEv2 protocol extensions).
  7. Yubikeys never work in Samsung Secure Folder (because Secure Folder blocks all USB and NFC devices).
  8. Login to apps with passkey requires Android 14 and above.
  9. For comparison: On Windows 11, GPM, Yubikeys, and 3rd-party PMs coexist properly. On all browsers, the WebAuthn credential manager functions as designed, and presents all available passkey login options.

Questions:

  1. I cannot find Google Titan security keys for sale anywhere online - have they been taken off the market?
  2. Modern smartphones have built-in security key hardware (TEE/Secure Enclave) - is Google’s stance that security keys are not needed anymore?
  3. Have Google engineered GPM and Android to not present other passkey login options (except CDA to another device via QR code) in the WebAuthn authentication options popup when a FIDO2 passkey exists in GPM?
  4. Is it Google’s strategy to push out 3rd-party security keys and competing password managers for use of passkeys on Android devices?

I am relatively new to passkeys, and I am not a developer, so sanity-check feedback is welcome.

It does seem to me that the big three (Google, Microsoft, and Apple) are dead set on leveraging passkey technology as an ecosystem lock-in strategy, and trying to kill competition by making use of independent authenticators difficult to impossible.

I’d be very interested to hear if there are any grumblings (or outright arguments) about this issue at the meetings of the FIDO Alliance…

1 Like

This blog post is from the pioneer developer who created the WebAuthn library for Rust.

He sounds very disillusioned with the direction passkeys have gone down, and provides an insider’s view of the problems.

His blog post:
‘Passkeys: A Shattered Dream’

He goes into a lot of the issues.

Excerpts:

"The kicker is that Chrome has internal feature flags that they can use for Google’s needs. They can simply enable their own magic features that control authenticator models for their policy, while everyone else has to have a lesser experience.

The greater warning here is that many of these decisions are made at “F2F” or Face to Face meetings held in the US. This excludes the majority of international participants leading some voices to be stronger than others."

and

"At this point I think that Passkeys will fail in the hands of the general consumer population. We missed our golden chance to eliminate passwords through a desire to capture markets and promote hype.

Corporate interests have overruled good user experience once again. Just like ad-blockers, I predict that Passkeys will only be used by a small subset of the technical population, and consumers will generally reject them."
Personally …
I think the way to get around this problem is to simply create as many passkeys as the relying party will allow on each different type of platform authenticator. For Windows Hello, one for each Windows OS instance.

That way, at least one passkey will work seamlessly for every scenario. Not ideal, but that is the world we have to live in.

It does make a case for Bitwarden increasing its maximum allowed quota of 5 passkeys.
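For readers who want to see the reasoning behind the "one passkey per platform authenticator" workaround spelled out, here is an added toy model (not code from the original post or from Bitwarden) of the WebAuthn client selection step: the relying party sends allowCredentials with the transports recorded at registration, and a client can only offer a credential it can physically reach. Device names, transport sets and credential ids are constructed assumptions based on the findings above; the model only covers reachability, not any vendor policy.

```javascript
// Added example, not code from the original post. Toy model of which
// allowCredentials entries a WebAuthn client could offer in each scenario.
// All device names, transport sets and credential ids are assumptions.

const ROAMING = ["usb", "nfc", "ble"];

// Can this client environment reach this credential at all?
function reachable(cred, env) {
  // Platform ("internal") passkeys live on exactly one device.
  if (cred.transports.includes("internal") && cred.device === env.device) return true;
  // A phone passkey can serve another device over caBLEv2 ("hybrid", the CDA path).
  if (cred.transports.includes("hybrid") && env.transports.includes("hybrid")) return true;
  // Roaming security keys need a physical transport both sides share.
  return cred.transports.some((t) => ROAMING.includes(t) && env.transports.includes(t));
}

// Map each environment name to the credential ids it could offer.
function coverage(allowCredentials, envs) {
  const out = {};
  for (const [name, env] of Object.entries(envs)) {
    out[name] = allowCredentials.filter((c) => reachable(c, env)).map((c) => c.id);
  }
  return out;
}

// True when every environment has at least one usable passkey.
function coveredEverywhere(allowCredentials, envs) {
  return Object.values(coverage(allowCredentials, envs)).every((ids) => ids.length > 0);
}

// Constructed environments: Secure Folder blocks USB/NFC (finding 7);
// the VMware VM has no caBLEv2/hybrid support (finding 6) and, as an
// assumption here, no USB passthrough either.
const ENVS = {
  androidChrome: { device: "s10plus", transports: ["internal", "usb", "nfc"] },
  secureFolder: { device: "s10plus", transports: ["internal"] },
  windowsPc: { device: "win-pc", transports: ["internal", "usb", "nfc", "hybrid"] },
  vmwareVm: { device: "win-vm", transports: ["internal"] },
};

// Constructed credential sets: security key only, versus the workaround of
// one passkey per platform authenticator (GPM, each Windows Hello instance).
const YUBIKEY_ONLY = [{ id: "yk-1", transports: ["usb", "nfc"], device: null }];
const ONE_PER_AUTHENTICATOR = [
  ...YUBIKEY_ONLY,
  { id: "gpm-1", transports: ["internal", "hybrid"], device: "s10plus" },
  { id: "hello-pc", transports: ["internal"], device: "win-pc" },
  { id: "hello-vm", transports: ["internal"], device: "win-vm" },
];
```

Under this model the security-key-only account has no option at all inside Secure Folder or the VM, while the one-per-authenticator set leaves at least one option everywhere; the Android findings above show a real client may still offer fewer options than transport reachability alone would allow, so the actual credential picker is the final check.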