I'm not able to register or authenticate with passkeys. (cross-platform)

I’ve been trying and struggling to register or authenticate with WebAuthn passkeys on my Garuda. It doesn’t ask for storing the passkey in itself (I’ve tried Firedragon, Chrome, Brave), but even when I choose other device and QR, when I scan the QR it just keeps loading on the phone, and the browser doesn’t even show connecting to device or anything. It just times out after a while. I’ve tried with webauthn.io, with no success in either registering or authentication.

I’ve even tried to register with passkey on my other windows device and authenticate on my garuda, but even that doesn’t work.
I have bluez installed; the version is 5.82-1
Using Garuda Linux Mokka - (Tried both wayland and KDE)

I’ve also tried with two of my friends who also have Garuda linux installed:

  1. Garuda Dragonized - Not working
  2. Garuda Mokka - Not working

So, I think it’s a Garuda-level issue.

System:
Kernel: 6.14.2-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 14.2.1
clocksource: tsc avail: acpi_pm
parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen
root=UUID=b788d186-33fd-4e97-88c7-cf14667fb3d2 rw rootflags=subvol=@
vt.default_red=30,243,166,249,137,245,148,186,88,243,166,249,137,245,148,166
vt.default_grn=30,139,227,226,180,194,226,194,91,139,227,226,180,194,226,173
vt.default_blu=46,168,161,175,250,231,213,222,112,168,161,175,250,231,213,200
quiet resume=UUID=e7a72315-b903-48cf-baa8-654b9866c6bb loglevel=3 ibt=off
Desktop: KDE Plasma v: 6.3.4 tk: Qt v: N/A info: frameworks v: 6.12.0
wm: kwin_x11 vt: 2 dm: SDDM Distro: Garuda base: Arch Linux
Machine:
Type: Desktop System: LENOVO product: 90T3008SIN v: IdeaCentre 5 14IAB7
serial: <superuser required> Chassis: type: 3 serial: <superuser required>
Mobo: LENOVO model: 3741 v: NOK serial: <superuser required>
part-nu: LENOVO_MT_90T3_BU_Lenovo_FM_IdeaCentre 5 14IAB7
uuid: <superuser required> UEFI: LENOVO v: M42KT42A date: 10/21/2022
CPU:
Info: model: 12th Gen Intel Core i5-12400 bits: 64 type: MT MCP
arch: Alder Lake gen: core 12 level: v3 note: check built: 2021+
process: Intel 7 (10nm ESF) family: 6 model-id: 0x97 (151) stepping: 5
microcode: 0x38
Topology: cpus: 1x dies: 1 clusters: 6 cores: 6 threads: 12 tpc: 2
smt: enabled cache: L1: 480 KiB desc: d-6x48 KiB; i-6x32 KiB L2: 7.5 MiB
desc: 6x1.2 MiB L3: 18 MiB desc: 1x18 MiB
Speed (MHz): avg: 800 min/max: 800/5600 scaling: driver: intel_pstate
governor: powersave cores: 1: 800 2: 800 3: 800 4: 800 5: 800 6: 800 7: 800
8: 800 9: 800 10: 800 11: 800 12: 800 bogomips: 59904
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Vulnerabilities: <filter>
Graphics:
Device-1: Intel Alder Lake-S GT1 [UHD Graphics 730] vendor: Lenovo
driver: i915 v: kernel alternate: xe arch: Xe process: Intel 10nm
built: 2020-21 ports: active: DP-1,HDMI-A-1 empty: none bus-ID: 00:02.0
chip-ID: 8086:4692 class-ID: 0300
Display: x11 server: X.Org v: 21.1.16 with: Xwayland v: 24.1.6
compositor: kwin_x11 driver: X: loaded: modesetting
alternate: fbdev,intel,vesa dri: iris gpu: i915 display-ID: :0 screens: 1
Screen-1: 0 s-res: 3840x1080 s-dpi: 96 s-size: 1016x285mm (40.00x11.22")
s-diag: 1055mm (41.54")
Monitor-1: DP-1 pos: right model: Lenovo LI2215sD serial: <filter>
built: 2019 res: mode: 1920x1080 hz: 60 scale: 100% (1) dpi: 102 gamma: 1.2
size: 476x267mm (18.74x10.51") diag: 546mm (21.5") ratio: 16:9 modes:
max: 1920x1080 min: 720x400
Monitor-2: HDMI-A-1 mapped: HDMI-1 pos: primary,left model: Lenovo L22e-40
serial: <filter> built: 2023 res: mode: 1920x1080 hz: 60 scale: 100% (1)
dpi: 102 gamma: 1.2 size: 476x268mm (18.74x10.55") diag: 546mm (21.5")
ratio: 16:9 modes: max: 1920x1080 min: 720x400
API: EGL v: 1.5 hw: drv: intel iris platforms: device: 0 drv: iris
device: 1 drv: swrast gbm: drv: iris surfaceless: drv: iris x11: drv: iris
inactive: wayland
API: OpenGL v: 4.6 compat-v: 4.5 vendor: intel mesa v: 25.0.3-arch1.1
glx-v: 1.4 direct-render: yes renderer: Mesa Intel UHD Graphics 730 (ADL-S
GT1) device-ID: 8086:4692 memory: 7.47 GiB unified: yes
API: Vulkan v: 1.4.309 layers: 5 device: 0 type: integrated-gpu name: Intel
UHD Graphics 730 (ADL-S GT1) driver: N/A device-ID: 8086:4692
surfaces: xcb,xlib device: 1 type: cpu name: llvmpipe (LLVM 19.1.7 256
bits) driver: N/A device-ID: 10005:0000 surfaces: xcb,xlib
Info: Tools: api: clinfo, eglinfo, glxinfo, vulkaninfo
de: kscreen-console,kscreen-doctor wl: wayland-info
x11: xdpyinfo, xprop, xrandr
Audio:
Device-1: Intel Alder Lake-S HD Audio vendor: Lenovo driver: snd_hda_intel
v: kernel alternate: snd_soc_avs,snd_sof_pci_intel_tgl bus-ID: 00:1f.3
chip-ID: 8086:7ad0 class-ID: 0403
API: ALSA v: k6.14.2-zen1-1-zen status: kernel-api tools: N/A
Server-1: PipeWire v: 1.4.2 status: active with: 1: pipewire-pulse
status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: Realtek RTL8852BE PCIe 802.11ax Wireless Network vendor: Lenovo
driver: rtw89_8852be v: kernel pcie: gen: 1 speed: 2.5 GT/s lanes: 1
port: 4000 bus-ID: 02:00.0 chip-ID: 10ec:b852 class-ID: 0280
IF: wlp2s0 state: down mac: <filter>
Device-2: Realtek RTL8125 2.5GbE vendor: Lenovo driver: r8169 v: kernel
pcie: gen: 2 speed: 5 GT/s lanes: 1 port: 3000 bus-ID: 03:00.0
chip-ID: 10ec:8125 class-ID: 0200
IF: enp3s0 state: up speed: 100 Mbps duplex: full mac: <filter>
IF-ID-1: br-e6b3d91ed856 state: up speed: 10000 Mbps duplex: unknown
mac: <filter>
IF-ID-2: br-fe92d4eaa3de state: down mac: <filter>
IF-ID-3: docker0 state: down mac: <filter>
IF-ID-4: veth0f132d2 state: up speed: 10000 Mbps duplex: full
mac: <filter>
IF-ID-5: veth34eaa31 state: up speed: 10000 Mbps duplex: full
mac: <filter>
IF-ID-6: veth4ab95c2 state: up speed: 10000 Mbps duplex: full
mac: <filter>
IF-ID-7: vethad7efd3 state: up speed: 10000 Mbps duplex: full
mac: <filter>
IF-ID-8: vethd138263 state: up speed: 10000 Mbps duplex: full
mac: <filter>
IF-ID-9: vethd7fab1f state: up speed: 10000 Mbps duplex: full
mac: <filter>
IF-ID-10: vethd8f8de5 state: up speed: 10000 Mbps duplex: full
mac: <filter>
Info: services: NetworkManager, systemd-timesyncd, wpa_supplicant
Bluetooth:
Device-1: Realtek Bluetooth Radio driver: btusb v: 0.8 type: USB rev: 1.0
speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 1-14:5 chip-ID: 0bda:4853
class-ID: e001 serial: <filter>
Report: hciconfig ID: hci0 rfk-id: 0 state: up address: <filter> bt-v: 5.2
lmp-v: 11 sub-v: 842d hci-v: 11 rev: 474 class-ID: 6c0104
Info: acl-mtu: 1021:6 sco-mtu: 255:12 link-policy: rswitch hold sniff park
link-mode: peripheral accept service-classes: rendering, capturing, audio,
telephony
Drives:
Local Storage: total: 476.94 GiB used: 61.8 GiB (13.0%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Intel model: SSDPEKNU512GZL
size: 476.94 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s
lanes: 4 tech: SSD serial: <filter> fw-rev: L02C temp: 31.9 C scheme: GPT
Partition:
ID-1: / raw-size: 459.82 GiB size: 459.82 GiB (100.00%)
used: 61.8 GiB (13.4%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
used: 608 KiB (0.2%) fs: vfat dev: /dev/nvme0n1p1 maj-min: 259:1
ID-3: /home raw-size: 459.82 GiB size: 459.82 GiB (100.00%)
used: 61.8 GiB (13.4%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
ID-4: /var/log raw-size: 459.82 GiB size: 459.82 GiB (100.00%)
used: 61.8 GiB (13.4%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
ID-5: /var/tmp raw-size: 459.82 GiB size: 459.82 GiB (100.00%)
used: 61.8 GiB (13.4%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
Swap:
Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
ID-1: swap-1 type: zram size: 15.29 GiB used: 0 KiB (0.0%) priority: 100
comp: zstd avail: lzo-rle,lzo,lz4,lz4hc,deflate,842 max-streams: 12
dev: /dev/zram0
ID-2: swap-2 type: partition size: 16.82 GiB used: 0 KiB (0.0%)
priority: -2 dev: /dev/nvme0n1p3 maj-min: 259:3
Sensors:
System Temperatures: cpu: 43.0 C mobo: N/A
Fan Speeds (rpm): N/A
Info:
Memory: total: 16 GiB available: 15.29 GiB used: 4.52 GiB (29.5%)
Processes: 424 Power: uptime: 0m states: freeze,mem,disk suspend: deep
avail: s2idle wakeups: 0 hibernate: platform avail: shutdown, reboot,
suspend, test_resume image: 6.11 GiB services: org_kde_powerdevil,
power-profiles-daemon, upowerd Init: systemd v: 257 default: graphical
tool: systemctl
Packages: pm: pacman pkgs: 1325 libs: 366 tools: octopi,paru,yay
Compilers: gcc: 14.2.1 Shell: garuda-inxi default: fish v: 4.0.1
running-in: konsole inxi: 3.3.37
Garuda (2.7.2-1):
System install date:     2025-04-07
Last full system update: 2025-04-18
Is partially upgraded:   No
Relevant software:       snapper NetworkManager dracut
Windows dual boot:       Probably (Run as root to verify)
Failed units:

You mean Wayland and X11?

In the end, all are KDE desktop environments.
Which program in Garuda should save your passkey?
I don’t know any.

I use Vaultwarden for that and it works, btw.

  • After rebooting, post the FULL output of garuda-inxi in the body of the post (not linked externally, or collapsed with the “hide details” feature)
  • Format terminal output (including your garuda-inxi) as a code block by clicking the preformatted text button (</>) , or put three tildes (~) above and below the text
4 Likes

Linux does not have a builtin Passkey store. If you want to store passkeys locally you have to use a password manager with this feature (ProtonPass, Bitwarden, etc.).

5 Likes

I am not using any external application for this, I am using chrome, it opens up an alert to scan a QR, that I scan with my phone and nothing happens.
Also, I don’t want to use any builtin passkey store, I just want to store it externally on my phone; it works on Windows/Mac.

You can try opening a Chromium-based browser, open webauthn.io and try to register a passkey. It will prompt you for a QR if you cancel your existing password manager’s offer to store the passkeys.

Did you check my pictures? It works with Vaultwarden without a QR code.

That’s the whole point, I don’t want to use Vaultwarden or Bitwarden. I have passkeys registered for many websites like Gmail and many more on my phone, and I want to authenticate with it, but it won’t let me because of timeouts.
The problem lies with detection of caBLE devices.

So

Is wrong. It’s not a Garuda issue.

1 Like

I am unable to post pictures otherwise I would’ve posted screenshot…

Garuda ain’t able to detect caBLE devices. Low Energy Bluetooth devices. Something that works with FIDO.

See this:

Sorry, IDK what you are talking about. Which app do you use on your phone for this? What OS do you use on your phone?
caBLE? And so on.

It works with any Android or iOS phone’s camera, no external apps needed.

The QR from your picture works on my phone.

Yes, it does work on the phone it keeps saying connecting but nothing after that. The request times out in the browser.

Steps to reproduce:
Open any Chromium-based browser - Brave/Chrome,
then go to the webauthn website,
enter any username - then click register - scan the QR code - then it will work on the phone, which will say connecting, and it will keep loading until the request times out in the browser.

Try it once

I do not use brave or chrome, I do not connect my phone with this QR code. I do not get the QR code on Firedragon, it just opens Vaultwarden and works.

So, I am sorry, but I am out.

But it is not a Garuda OS issue.

1 Like

If you have a password manager installed then you can choose to use your device or hardware key when it asks for storing, then it will prompt for the QR.

In this:

You can choose the blue option below,
the device or hardware (“Gerät oder Hardware”) one, and I guess it will pop up asking for the device - choose phone after that.

I played around with this in the context of YubiKey (a hardware token for various passwordless authentications). Unfortunately, there are different ways and protocols, so it’s rather difficult to pinpoint the issue without knowing the exact context.

What I generally concluded:

  • Use a Chromium-based browser for the built-in support, e.g. chromium
  • Install the libfido2 package
  • Possibly install a password manager, e.g. bitwarden-chromium
  • (Edit) If you want to store passkeys locally, you may need tpm-fido-git

Names above are AUR packages.

PS: AUR is more Arch than Garuda, and the Arch wiki is a goldmine. The page on WebAuthn is rather short though; most of them have more information and longer troubleshooting sections.

2 Likes

I tried to see the recommended way to use this, and I find nothing useful.

I also noticed that this seems to be a private repo now: https://github.com/fido-alliance/fido-2-specs/pull/724

According to the link above, CABLEv2 is now supported via the newer CTAP spec, but it’s still not very clear to me.

I found this page referring to the previously required flags, but those flags don’t exist anymore. I can only guess they have been implemented.

3 Likes

What you would like to do fails for more than one reason.
Security inside M$ and security in Linux... sorry... different.
Perhaps you don’t have the right advanced settings (webauthn.io) for Linux.
Perhaps you don’t have everything installed to do this. Protocol, etc.
If you use this you must be in the same account (Android & browser).
Browser settings must be correct (sync is on + Bluetooth must be enabled; chrome://flags/ default is disabled).
I mean caBLE v2 support is not your issue; you use Bluetooth, or?
If you use a cable connection you must install protocol + fido + relevant browser settings.
And it’s not a Garuda issue.
Learning by doing... if you like this... I do this at the moment… daily, I mean (Arch + Garuda + apps + hardware).
The links from Technetium should help you do what you would like to do.

1 Like
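
Added example, not part of any post in this thread: in the QR (caBLE / hybrid) flow the phone announces itself over Bluetooth Low Energy, so the desktop adapter has to be unblocked, powered and able to scan before the browser can see it. The check below runs on constructed sample output and assumes a BlueZ version whose `bluetoothctl show` prints `Roles:` lines; the function name `ble_preflight` is made up for this example.

```shell
#!/usr/bin/env bash
# Pre-flight check for the QR passkey flow: can this machine run a BLE scan?
# Sample inputs are constructed for illustration, not taken from the thread.

# Constructed sample of `rfkill list bluetooth` output.
SAMPLE_RFKILL='0: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no'

# Constructed sample of `bluetoothctl show` output (trimmed).
SAMPLE_CTL='Controller 00:11:22:33:44:55 (public)
    Name: desktop
    Powered: yes
    Discovering: no
    Roles: central
    Roles: peripheral'

# Prints one finding per line; returns 0 only if nothing blocks a BLE scan.
ble_preflight() {
    local rfkill_out=$1 ctl_out=$2 rc=0
    if printf '%s\n' "$rfkill_out" | grep -Eq '(Soft|Hard) blocked: yes'; then
        echo "FAIL adapter is rfkill-blocked"; rc=1
    fi
    if ! printf '%s\n' "$ctl_out" | grep -Eq '^[[:space:]]*Powered: yes'; then
        echo "FAIL adapter is not powered"; rc=1
    fi
    # Scanning for the phone's advertisement needs the LE central role.
    if ! printf '%s\n' "$ctl_out" | grep -Eq '^[[:space:]]*Roles: central'; then
        echo "FAIL adapter does not report the LE central role"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK adapter can scan for BLE advertisements"
    return "$rc"
}

# Live use on the affected machine:
#   ble_preflight "$(rfkill list bluetooth)" "$(bluetoothctl show)"
ble_preflight "$SAMPLE_RFKILL" "$SAMPLE_CTL"
```

A passing result only rules out the local adapter state; it says nothing about whether the browser build actually talks to BlueZ for this transport.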

Another library that would provide support for this has it listed as not fully implemented yet, look at the linked issues about why:

So then this is the next best thing to check:

Unfortunately, I don’t see any mention of Bluetooth interoperability in there… At all.
I think you are stuck waiting for support.

Consider using TPM for key storage instead of relying on another device:

3 Likes