
I'm using Pixel 7 Pro and turned on the new Passkeys feature in my Google Account two days ago. I can login to Google Account using Passkey on my Windows PC (via Windows Hello/physical security key) and iPad, but not on my Pixel phone.

When I use Edge or Chrome on my phone, it will still ask me to enter password + 2FA (the old way). But when I use my PC or iPad, it will show the Passkeys page and I can login instantly.

I understand that Passkeys are supported on Android and I was able to test it on passkeys.io or webauthn.io website, which worked perfectly on my phone.

Another strange thing is that when I try to login to my Google Account on my phone using password and it asks for 2FA, I won't be able to use my physical security key (it will say "Not supported on this device or browser" on the security key option. Only OTP, Tap Yes on phone, etc. will work).

Similarly, I have enrolled my physical security key with my company's Azure AD to sign in passwordlessly. On my PC, I can simply click "Sign in with Windows Hello or a security key" and use my security key to login without even having to enter my work email. But on my phone, this option will not appear and I'm forced to enter work email + password and approve the login via Microsoft Authenticator app.

I thought I knew about all these modern authentications like FIDO2, WebAuthn, Passkeys, etc. but it seems like I'm missing out on something.

I would like to know why Passkeys don't always work on my phone?

Thanks.

BlackMiracle

1 Answer


Your post outlines a few different scenarios - I'll try to break them down to attempt to explain why you're experiencing some of these issues.

When using a passkey on an application/website a few things need to be true:

  • The application supports passkeys
  • The operating system supports passkeys
  • Your device supports passkeys

While passkeys are supported on Android, not every application will support them. Inversely, just because an application supports passkeys doesn't mean that it'll work on Android. This example isn't Android-specific; it'll be true across any platform.

One major consideration outlined in your post is around passkeys on a security key vs passkeys on your Android device.

Some background: passkeys are discoverable WebAuthn credentials. Currently, Android is not able to create or use discoverable credentials on security keys, which is hindering you from using the passkeys on your security keys. So while Android supports passkeys, it only supports the native syncable option, not the security key one.

You mention testing on webauthn.io. If you want to perform another test, try setting the Discoverable Credential option to discouraged; this will allow you to create a credential on your security key, but this credential will not be discoverable, and thus not a passkey.

You also mention using security keys on Azure AD, which is another really good - According to this page, FIDO2 Security Key login is not available on Android.

Hope this helps.

Cody Salas
  • OK, I'm starting to get the idea. The documentation on Yubico's website explains it a lot. But I still don't understand why passkeys don't work with my Google Account on my phone. I get that I will not be able to authenticate with my security key because Google doesn't support discoverable creds, but the Pixel phone itself also acts as a security key (the native syncable one that you mentioned, I believe) and should be able to authenticate to Google Account, just like when I try setting `discouraged` on `Discoverable Credential` on webauthn.io, no? – BlackMiracle May 05 '23 at 16:24
  • Interesting, I just tested the flow on my own Android device, and have noted a similar behavior. Ultimately this will boil down to an application's functionality - so note this isn't as much an issue with passkeys as it is with an application's specific implementation. Sadly I'm not privy to Google's specific implementation, so perhaps attempt to send them feedback. I do agree this is not an ideal UX – Cody Salas May 05 '23 at 17:19
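
The distinction the answer draws between discoverable credentials (passkeys) and non-discoverable ones, shown at the level of the WebAuthn options a site passes to the browser. This is an added example, not part of the original answer or any site's own code; `RP_ID`, the function names and the sample values in it are assumptions.

```javascript
// Added example: RP_ID and all sample values are constructed.
const RP_ID = "example.test"; // hypothetical relying party ID

// Registration options. residentKey "required" asks the authenticator for a
// discoverable credential (a passkey); "discouraged" asks for a
// non-discoverable one, like the webauthn.io test described in the answer.
function registrationOptions(challenge, user, residentKey) {
  return {
    publicKey: {
      challenge, // issued by the relying party's server
      rp: { id: RP_ID, name: "Example RP" },
      user, // { id: Uint8Array, name, displayName }
      pubKeyCredParams: [
        { type: "public-key", alg: -7 }, // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        residentKey,
        requireResidentKey: residentKey === "required",
        userVerification: "preferred",
      },
    },
  };
}

// Sign-in options. knownCredentialIds is what the server has on file for the
// account the user typed in, or null when no username was entered.
function signInOptions(challenge, knownCredentialIds) {
  const allowCredentials = (knownCredentialIds || []).map((id) => ({ type: "public-key", id }));
  return {
    // With an empty allowCredentials list only a discoverable credential can answer.
    usernameless: allowCredentials.length === 0,
    options: { publicKey: { challenge, rpId: RP_ID, allowCredentials, userVerification: "preferred" } },
  };
}

// Browser feature checks; every field is false where the API is missing.
async function platformSupport() {
  const pkc = globalThis.PublicKeyCredential;
  if (!pkc) return { webauthn: false, platformAuthenticator: false, conditionalUI: false };
  const call = async (fn) => (typeof fn === "function" ? fn.call(pkc) : false);
  return {
    webauthn: true,
    platformAuthenticator: await call(pkc.isUserVerifyingPlatformAuthenticatorAvailable),
    conditionalUI: await call(pkc.isConditionalMediationAvailable),
  };
}
```

In a browser, the result of `registrationOptions(...)` goes to `navigator.credentials.create()` and the `options` field of `signInOptions(...)` goes to `navigator.credentials.get()`.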