During my passkey experiments in the second half of 2023, I also saw the message multiple times (https://seclists.org/fulldisclosure/2024/Feb/15).
It appears to be related to not having set up "On-device encryption" (or a Chrome sync passphrase). People not doing that is, IMO, very understandable, as the online help sucks.
For example, the text in the screenshot (taken from https://support.google.com/accounts/answer/11350823?hl=en) is extremely confusing. The marked caption:
❝
How on-device encryption helps protect your data
❞
should have read something like:
❝
If on-device encryption is disabled (and you're not using a Chrome sync passphrase)
❞
The Dutch translation of the help article does not make any sense at all.
Stupidity is all over the place, like in "signing in to Chrome" (I don't do that):
❝
When you sign in to Chrome, you can save info in your Google Account. You can then use your info on all your devices where you’re signed in with the same account. Learn how to sign in to Chrome.
❞
which, IMO, should be something like:
❝
When you sign in to your Google Account in Chrome, Chrome info can be automatically synchronized to your Google account. You can then use your info on all your devices where you’re signed in with the same account. Learn how to sign in to your Google Account in Chrome.
❞
It is totally unclear whether passkeys are encrypted if you set up a Chrome sync passphrase (which means that On-device encryption cannot be used).
Also, it makes no sense that one cannot change or remove a Chrome sync passphrase *without* losing all synced data, including passkeys and passwords (stored in GPM). Apparently it is *NOT* a *SYNC* passphrase.
Obviously "On-device encryption" would usually be too weak if the encryption key is derived from the screen unlock code plus the Google account password (a combination that, for most users, will be too weak to derive a static data encryption key from). Apparently that combination is used to unlock a stronger encryption key generated by and stored on Google servers.
Note that, during my tests, I experienced the situation where I had to enter my screen unlock code (and Google account password) on a Google account webpage. This means that Google has access to your on-device encryption key, because that combination suffices to get your passwords and passkeys synced to a new Android device.
npub1lafmcnnej2zq252wyp03xvs7s9xc228h8lp9qxxwp99sn23efmvsfaxdpx (npub1laf…xdpx): get your act together.
[1] https://www.google.com/search?q=%22Your+encrypted+data+is+locked+on%0D%0Athis+device%22
npub17shny2gy4ffltkxcr3rlxhyfgm7jtgay6ssper33cnvrkj9u5zfqkhd3fp (npub17sh…d3fp) npub1ps2gth0w4cktn8zrvvzaq897pd4tzscjl9y92esjw5te9vdmgr0q4ch65q (npub1ps2…h65q)
#Google #Android #Chrome #Passkey #Passkeys #GPM #AccountLockout #GooglePasswordManager #ChromeSyncPassphrase #OnDeviceEncryption #SyncPassphrase
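The point made above about a screen unlock code plus account password being too weak to serve directly as a data encryption key, and only being usable to unlock a stronger key held by Google, can be shown in a small model. The following is an added example, not code from the post and not Google's actual scheme: it assumes a 4-digit PIN, an attacker who already has the account password (phished or reused), PBKDF2 with a deliberately tiny iteration count, a toy HMAC-based stream cipher that stands in for real encryption, and a hypothetical `RecoveryServer` with a 10-attempt limit. Design A derives the data key straight from the PIN and password, so anyone holding the ciphertext can brute-force it offline; design B keeps a random 256-bit key on the server and only uses the PIN and password to prove the client may receive it, which lets the server rate-limit guesses but also means the server itself holds the key, which is the author's observation about Google having access to the on-device encryption key.

```python
import hashlib
import hmac
import os

# Constructed toy model (added example, not from the post or from Google):
# the only user-supplied secrets are a 4-digit screen-unlock PIN and the
# account password. The iteration count is tiny so the demo runs quickly;
# a real KDF uses far more, but that only scales the offline attack linearly.
PINS = [f"{i:04d}" for i in range(10_000)]
ITERATIONS = 200


def kdf(pin: str, password: str, salt: bytes) -> bytes:
    """Derive a 256-bit key from the PIN + password combination (PBKDF2-HMAC-SHA256)."""
    secret = f"{pin}:{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy unauthenticated stream cipher: XOR data with HMAC-SHA256(key, counter).
    Only here to make 'encrypted data' concrete; never use this for real data."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


# Design A: the data encryption key *is* kdf(PIN, password). Whoever obtains the
# ciphertext (leaked backup, copied profile) can test every PIN offline.
def encrypt_design_a(pin: str, password: str, plaintext: bytes):
    salt = os.urandom(16)
    return salt, xor_stream(kdf(pin, password, salt), plaintext)


def offline_attack(password: str, salt: bytes, ciphertext: bytes, known_prefix: bytes):
    """Attacker already knows the account password and how the plaintext starts.
    Returns the recovered PIN, or None if no PIN decrypts to the known prefix."""
    for pin in PINS:
        if xor_stream(kdf(pin, password, salt), ciphertext).startswith(known_prefix):
            return pin
    return None


# Design B: a random 256-bit DEK is generated and kept server-side; the
# PIN + password combination only proves to the server that it may release it.
# The server can count and limit attempts, but it necessarily holds the DEK.
class RecoveryServer:
    def __init__(self, pin: str, password: str, max_attempts: int = 10):
        self.salt = os.urandom(16)
        self.verifier = kdf(pin, password, self.salt)
        self.dek = os.urandom(32)      # the server knows this key outright
        self.max_attempts = max_attempts
        self.failures = 0

    def unlock(self, pin: str, password: str):
        """Return the DEK on success, None on a wrong guess; raise once locked out."""
        if self.failures >= self.max_attempts:
            raise PermissionError("too many failed attempts; recovery locked")
        if hmac.compare_digest(kdf(pin, password, self.salt), self.verifier):
            self.failures = 0
            return self.dek
        self.failures += 1
        return None


def online_attack(server: RecoveryServer, password: str):
    """Same guessing loop as the offline attack, but every guess passes through
    the server's attempt counter. Returns the PIN, or None once locked out."""
    for pin in PINS:
        try:
            if server.unlock(pin, password) is not None:
                return pin
        except PermissionError:
            return None
    return None


if __name__ == "__main__":
    pw = "hunter2"                       # assumed already known to the attacker
    salt, ct = encrypt_design_a("1337", pw, b"passkey-private-key-bytes...")
    print("design A, offline brute force:", offline_attack(pw, salt, ct, b"passkey"))
    srv = RecoveryServer("1337", pw)
    print("design B, online brute force :", online_attack(srv, pw))
    print("design B, server-held DEK    :", srv.dek.hex())
```

Design A falls in well under a second here even with a salt, because 10,000 PINs is nothing once the password is known; raising the iteration count buys only a constant factor. Design B stops the same loop after ten wrong guesses, which is the only reason a PIN-sized secret is acceptable at all, and the price is that the party running the server (Google, in the post's case) holds the key that actually protects the synced passwords and passkeys.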
