Passkeys don't always work on Android phone, despite working on PC and iOS


I'm using a Pixel 7 Pro and turned on the new Passkeys feature in my Google Account two days ago. I can log in to my Google Account using a passkey on my Windows PC (via Windows Hello/physical security key) and iPad, but not on my Pixel phone.

When I use Edge or Chrome on my phone, it will still ask me to enter password + 2FA (the old way). But when I use my PC or iPad, it will show the Passkeys page and I can log in instantly.

I understand that Passkeys are supported on Android and I was able to test it on the passkeys.io or webauthn.io website, which worked perfectly on my phone.

Another strange thing is that when I try to log in to my Google Account on my phone using a password and it asks for 2FA, I won't be able to use my physical security key (it will say "Not supported on this device or browser" on the security key option; only OTP, Tap Yes on phone, etc. will work).

Similarly, I have enrolled my physical security key with my company's Azure AD to sign in passwordlessly. On my PC, I can simply click "Sign in with Windows Hello or a security key" and use my security key to log in without even having to enter my work email. But on my phone, this option will not appear and I'm forced to enter work email + password and approve the login via the Microsoft Authenticator app.

I thought I knew about all these modern authentications like FIDO2, WebAuthn, Passkeys, etc. but it seems like I'm missing out on something.

I would like to know why Passkeys don't always work on my phone?

Thanks.

Cody Salas On

Your post outlines a few different scenarios - I'll try to break them down to attempt to explain why you're experiencing some of these issues.

When using a passkey on an application/website a few things need to be true:

  • The application supports passkeys
  • The operating system supports passkeys
  • Your device supports passkeys

While passkeys are supported on Android, not every application will support them. Inversely, just because an application supports passkeys, doesn't mean that it'll work on Android. This example isn't Android specific, it'll be true across any platform.

One major consideration outlined in your post is around passkeys on a security key vs passkeys on your Android device.

Some background: passkeys are discoverable WebAuthn credentials. Currently, Android is not able to create or use discoverable credentials on security keys, which is hindering you from using the passkeys on your security keys. So while Android supports passkeys, it only supports the native syncable option, not the security key one.

You mention testing on webauthn.io. If you want to perform another test, try setting the Discoverable Credential option to discouraged. This will allow you to create a credential on your security key, but this credential will not be discoverable, and thus not a passkey.

You also mention using security keys on Azure AD, which is another really good - According to this page, FIDO2 Security Key login is not available on Android.

Hope this helps.
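
The difference between a discoverable credential (passkey) and a non-discoverable one, which the answer above relies on, comes down to a few WebAuthn options. The following is an added example, not part of the original answer; the relying party `example.com`, the user object, and the helper names `creationOptions`, `requestOptions` and `reportedDiscoverable` are assumptions made for illustration.

```javascript
// Added example: WebAuthn options for a passkey (discoverable) versus a
// non-discoverable credential. RP, user and challenge values are constructed.
const RP = { id: "example.com", name: "Example RP" }; // assumed relying party
const ALGS = [-7, -257].map((alg) => ({ type: "public-key", alg })); // ES256, RS256

// Options for navigator.credentials.create(). `challenge` and `user.id` are
// Uint8Arrays issued by the server.
function creationOptions({ challenge, user, discoverable }) {
  return {
    publicKey: {
      rp: RP,
      user,
      challenge,
      pubKeyCredParams: ALGS,
      authenticatorSelection: {
        // "required" asks for a passkey; "discouraged" matches the webauthn.io test
        residentKey: discoverable ? "required" : "discouraged",
        requireResidentKey: discoverable, // WebAuthn Level 1 equivalent
        userVerification: "preferred",
      },
      extensions: { credProps: true }, // ask the client to report discoverability
    },
  };
}

// Options for navigator.credentials.get(). A passkey sign-in sends an empty
// allowCredentials list, so no username is needed first. A non-discoverable
// credential only works if the server already knows the account and lists its IDs.
function requestOptions({ challenge, knownCredentialIds = [] }) {
  return {
    publicKey: {
      rpId: RP.id,
      challenge,
      userVerification: "preferred",
      allowCredentials: knownCredentialIds.map((id) => ({ type: "public-key", id })),
    },
  };
}

// After create(): true/false if the client reported credProps.rk, else null.
function reportedDiscoverable(credential) {
  const rk = credential.getClientExtensionResults().credProps?.rk;
  return typeof rk === "boolean" ? rk : null;
}
```

In a browser, pass the returned objects to `navigator.credentials.create()` and `navigator.credentials.get()`. A platform that cannot create discoverable credentials on a security key will fail the `residentKey: "required"` request for that authenticator while the `"discouraged"` one succeeds.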