Device-bound passkeys created in Chrome not discoverable in app
69 views
Skip to first unread message
Martin Zářecký
4:05 AM (5 hours ago) 4:05 AM
to FIDO Dev (fido-dev)
Hello,
we are integrating passkey (WebAuthn) authentication on Android and are encountering an issue related to device-bound (local) passkeys created in Chrome.
Scenario:
- A passkey is created in Chrome on Android (platform authenticator, device-bound, not synced).
- The passkey is successfully stored and usable within Chrome.
- However, when attempting to use this passkey from our Android app (via Credential Manager / WebAuthn flow) on the same device, it is not discoverable.
Observation:
- Synced (multi-device) passkeys are available via Google Password Manager and work correctly across web and app flows.
- Device-bound passkeys do not appear to be exposed outside of Chrome and are not available for app-based authentication.
Question:
Is this behavior expected by design?
If so, is there any supported mechanism for a third-party Android app or browser to access or trigger authentication using device-bound passkeys created in Chrome on the same device?
We would appreciate any clarification or guidance on the intended model here, and whether there is a recommended integration pattern for this scenario.
Best regards,
Martin Zarecky
we are integrating passkey (WebAuthn) authentication on Android and are encountering an issue related to device-bound (local) passkeys created in Chrome.
Scenario:
- A passkey is created in Chrome on Android (platform authenticator, device-bound, not synced).
- The passkey is successfully stored and usable within Chrome.
- However, when attempting to use this passkey from our Android app (via Credential Manager / WebAuthn flow) on the same device, it is not discoverable.
Observation:
- Synced (multi-device) passkeys are available via Google Password Manager and work correctly across web and app flows.
- Device-bound passkeys do not appear to be exposed outside of Chrome and are not available for app-based authentication.
Question:
Is this behavior expected by design?
If so, is there any supported mechanism for a third-party Android app or browser to access or trigger authentication using device-bound passkeys created in Chrome on the same device?
We would appreciate any clarification or guidance on the intended model here, and whether there is a recommended integration pattern for this scenario.
Best regards,
Martin Zarecky
Tim Cappalli
4:16 AM (5 hours ago) 4:16 AM
to Martin Zářecký, FIDO Dev (fido-dev)
There is no device-bound passkey credential manager on Android by default.
Synced passkeys in Google Password Manager, Samsung Pass, or another credential manager can be used.
From: fido...@fidoalliance.org <fido...@fidoalliance.org> on behalf of Martin Zářecký <marza...@gmail.com>
Sent: Monday, March 23, 2026 3:29:07 AM
To: FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: [FIDO-DEV] Device-bound passkeys created in Chrome not discoverable in app
Sent: Monday, March 23, 2026 3:29:07 AM
To: FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: [FIDO-DEV] Device-bound passkeys created in Chrome not discoverable in app
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/4613bc6c-88e3-43b7-87c1-0329ef61f21bn%40fidoalliance.org.
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/4613bc6c-88e3-43b7-87c1-0329ef61f21bn%40fidoalliance.org.
My1
7:10 AM (2 hours ago) 7:10 AM
to Tim Cappalli, Martin Zářecký, FIDO Dev (fido-dev)
apparently you can still create device bound credentials, by just not making them use the resident-key options.
and android still labels them as "Passkey", which you can store on "this device" (lock icon)
wasnt able to verify the attestation as I haven't prepped my sandbox for android-key yet, but it does try sending an attestation.
the semantics of webauthn-compatible credentials are extremely annoying as everyone uses passkey in a different way. some only use it for synced credentials, others use it for platform stored credentials regardless if synced (windows hello), another group allows resident credentials regardless of whether you store in on device, or on a FIDO2-Stick, and finally there's those who just encompass webauthn in its entirety as "Passkeys".
Sachin Kant
7:20 AM (2 hours ago) 7:20 AM
to fido...@fidoalliance.org
Fake details data you provide me dev portal my all credentials identity API you takeover again MISLEADING me
Why you send this mail iam not talk you passkey
Reply all
Reply to author
Forward
0 new messages