u/aamguy

Force device-bound passkeys on Android?

I am trying to force Android to generate a hardware-bound passkey directly on the phone's internal secure hardware (like StrongBox) instead of a synced, multi-device key.

Crucially, the passkey needs to be detected by my third-party website as a single-device credential.

Android used to support this natively, but it now defaults to synced keys via Google Password Manager. I tried using KeePassDX, but it still creates a multi-device key. To clarify, I do not want to plug in an external YubiKey. I want the phone's own internal hardware to hold a strictly non-exportable, device-bound key.

Is this a hard limitation of the Android Credential Manager API, or is there a workaround or specific app I am missing?

reddit.com
u/aamguy — 4 days ago
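
What "detected as a single-device credential" means on the relying-party side, as an added example that is not part of the original post: a WebAuthn relying party reads the backup eligibility (BE) and backup state (BS) bits from the flags byte of the authenticator data. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example: relying-party classification of a passkey from the
// WebAuthn authenticator data flags. Layout of authenticatorData:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible: credential may be synced
const FLAG_BS = 0x10; // backup state: credential is currently backed up

// Hypothetical helper: returns how the relying party sees the credential.
function classifyCredential(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  const backupEligible = (flags & FLAG_BE) !== 0;
  const backedUp = (flags & FLAG_BS) !== 0;
  // A credential cannot be backed up without being backup eligible;
  // the WebAuthn registration procedure treats this combination as invalid.
  if (backedUp && !backupEligible) {
    throw new Error("invalid flags: BS set while BE is clear");
  }
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible,
    backedUp,
    kind: backupEligible ? "multi-device" : "single-device",
  };
}

// Hypothetical policy check for a site that accepts only device-bound keys.
// BE is fixed when the credential is created, so store it at registration
// and require the same value on every later assertion.
function acceptsDeviceBoundOnly(authData, storedBackupEligible = false) {
  const c = classifyCredential(authData);
  return c.kind === "single-device" && c.backupEligible === storedBackupEligible;
}

// Constructed sample: zeroed rpIdHash and signCount, only the flags byte set.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}
```

The flags are covered by the assertion signature, but only attestation tells the site which authenticator produced them.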

Hardware-bound passkeys on Android

Can you force Android to generate a hardware-bound passkey directly on the phone's internal secure hardware (like StrongBox) instead of a synced, multi-device key?

Natively, Android defaults to synced keys via Google Password Manager. I tried KeePassDX, but it also creates a multi-device key.

To clarify, I am not looking to plug in an external YubiKey. I want the phone's own internal hardware to hold a strictly non-exportable, device-bound key.

Is this a hard limitation of the Android Credential Manager API, or is there a workaround or specific app I am missing?

u/aamguy — 4 days ago