Does Google block Bitwarden and Yubikey FIDO2 passkeys via the WebAuthn login options on Android devices where a sister passkey exists in Google Password Manager?
I did the compatibility testing below for my Yubikey, then it dawned on me that I could substitute the word ‘Yubikey’ with ‘Bitwarden’, and the results would be virtually the same. In fact, the question is, does it apply to all 3rd-party security keys and password managers?
I tested passkey functionality for Yubikey 5C on Samsung S10+ (Android 12) and co-existence with Google Password Manager.
Please refer to the attached graphic below for my detailed compatibility testing results.
I could not test Android apps, because that requires Android 14, and I am on Android 12.
Definitions:
- GPM = Google Password Manager.
- CDA = Cross Device Authentication (using your phone as a 2FA device for securely logging into websites on your Windows PC)
- PM = Password Manager
Key Findings:
The good news: There is always a passkey option that works to login on the Android smartphone
The bad news: The most secure option, security keys (Yubikeys), is blocked by GPM where a passkey exists in GPM. This blocking also extends to 3rd-party PMs (e.g. Bitwarden).
- Android/GPM almost always blocks Yubikey and other password managers in the WebAuthn selection options when a FIDO2 passkey for that specific account exists in GPM.
- Yubikey usually works in Firefox even if a GPM passkey exists.
- Yubikey never works in Chrome if a GPM passkey exists.
- Yubikey sometimes works and is sometimes blocked in other Chromium browsers if a GPM passkey exists.
- CDA ‘Login with another device’ from Windows to Yubikey on S10+ worked in only one instance.
- CDA ‘Login with another device’ from VMware Windows VMs never works with any passkey whatsoever, including Yubikey on S10+ (because VMware does not support the WebAuthn caBLEv2 protocol extensions).
- Yubikeys never work in Samsung Secure Folder (because Secure Folder blocks all USB and NFC devices).
- Login to apps with passkey requires Android 14 and above.
- For comparison: On Windows 11, GPM, Yubikeys, and 3rd-party PMs coexist properly. On all browsers, the WebAuthn credential manager functions as designed, and presents all available passkey login options.
Questions:
- I cannot find Google Titan security keys for sale anywhere online - have they been taken off the market?
- Modern smartphones have built-in security key hardware (TEE/Secure Enclave) - is Google's stance that security keys are not needed anymore?
- Have Google engineered GPM and Android to not present other passkey login options (except CDA to another device via QR code) in the WebAuthn authentication options popup when a FIDO2 passkey exists in GPM?
- Is it Google's strategy to push out 3rd-party security keys and competing password managers for use of passkeys on Android devices?
I am relatively new to passkeys, and I am not a developer, so sanity-check feedback is welcome.
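One sanity check worth doing before attributing a missing chooser entry to GPM: look at what the website itself sends in its WebAuthn request. The relying party's `allowCredentials` list, and the `transports` hints on each entry, legitimately narrow which authenticators a browser will try; an entry that only hints `internal` tells the client it need not try USB/NFC, while an empty list (the discoverable-credential "passkey" flow) leaves the choice entirely to the client platform. The following is an added illustration, not code from the original post, from Google, Bitwarden or Yubico. The server JSON is constructed sample data, and the mapping from transport hint to authenticator class is a simplification for explanation, not an exact model of any browser's chooser.

```javascript
// Added illustration: how a relying party's PublicKeyCredentialRequestOptions
// shape the WebAuthn credential chooser. All sample data is constructed; the
// transport -> authenticator-class mapping is a simplification.

// Constructed sample of what a server might return for a username-first login:
// one credential registered from a platform authenticator (e.g. GPM) and one
// from a roaming security key. Values are base64url strings.
const SAMPLE_SERVER_OPTIONS = {
  challenge: "dGhpcy1pcy1hLWNvbnN0cnVjdGVkLWNoYWxsZW5nZQ", // "this-is-a-constructed-challenge"
  rpId: "example.com",
  userVerification: "preferred",
  allowCredentials: [
    { id: "Z3BtLWNyZWQtaWQ", type: "public-key", transports: ["internal", "hybrid"] },
    { id: "eXViaWtleS1jcmVkLWlk", type: "public-key", transports: ["usb", "nfc"] },
  ],
};

// base64url -> Uint8Array; atob is global in browsers and in Node 16+.
function base64urlToBytes(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Build the object handed to navigator.credentials.get({ publicKey: ... }).
function buildGetOptions(server) {
  return {
    challenge: base64urlToBytes(server.challenge),
    rpId: server.rpId,
    userVerification: server.userVerification,
    allowCredentials: (server.allowCredentials || []).map((c) => ({
      id: base64urlToBytes(c.id),
      type: c.type,
      transports: c.transports,
    })),
  };
}

// Simplified mapping of WebAuthn transport hints to the kind of authenticator
// a client would need to offer for that credential.
const TRANSPORT_CLASS = {
  internal: "platform authenticator (e.g. GPM backed by the device TEE)",
  hybrid: "another device via QR code / caBLEv2 (CDA)",
  usb: "roaming security key over USB",
  nfc: "roaming security key over NFC",
  ble: "roaming security key over BLE",
};

// Which authenticator classes the request leaves eligible. An empty
// allowCredentials list is the discoverable-credential flow: the RP imposes
// no restriction and the client platform decides what to present.
function eligibleAuthenticators(server) {
  const allow = server.allowCredentials || [];
  if (allow.length === 0) {
    return { mode: "discoverable", classes: Object.values(TRANSPORT_CLASS) };
  }
  const classes = new Set();
  for (const c of allow) {
    // No transports hint => the client may try any transport for that credential.
    const hints = c.transports && c.transports.length ? c.transports : Object.keys(TRANSPORT_CLASS);
    for (const t of hints) if (TRANSPORT_CLASS[t]) classes.add(TRANSPORT_CLASS[t]);
  }
  return { mode: "allow-list", classes: [...classes] };
}

// In a browser this opens the real chooser; outside a browser it returns null.
async function login(server) {
  if (typeof navigator === "undefined" || !navigator.credentials) return null;
  return navigator.credentials.get({ publicKey: buildGetOptions(server) });
}

// Usage: paste into the browser console on the site's login page (after
// replacing SAMPLE_SERVER_OPTIONS with the JSON the site actually fetched) and
// compare eligibleAuthenticators(...) with what the chooser shows.
console.log(eligibleAuthenticators(SAMPLE_SERVER_OPTIONS));
```

If the site's real `allowCredentials` entry for the GPM-registered credential hints only `internal`, the browser is following the relying party's hint rather than hiding a security key; if the list is empty, the behaviour observed above is the client platform's own choice, which is the case the questions in the post are about.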