I’ve recently activated a passkey on https://passkeys.io and GitHub on my Samsung Galaxy S23 (Android 13 and 14).
I’m looking for where the private part of the passkey is stored on my device (for instance, if I want to revoke it).
For information:
- I’m not using Google Credential Manager or Samsung Pass.
- GitHub lets me use the passkey only for second-factor authentication; I cannot authenticate directly with the passkey button, as it gives me a message telling me there is no passkey.
- Same for passkeys.io.
- But once I have filled in login/password (on both GitHub and passkeys.io), it asks me to unlock the passkey with biometrics (fingerprint in my case).
WebAuthn is the basis for FIDO and passkeys. It seems that Android introduced the capability for smartphones to act as a FIDO security key a few years ago. So here is the mix-up between two technologies.
On my smartphone it’s asking me to configure a passkey, but actually it’s using the FIDO security key, which is automatically set up once you have configured biometric authentication or a PIN.
The messages offered by the different websites (passkeys.io, GitHub) and my smartphone are all misleading. It’s not using a passkey but a FIDO security key. Hence, if I want to revoke the private key, I have to remove my PIN and all configured biometrics.
Next step: make passkeys work on my smartphone, but that is another story.