Support for Passkeys #1421

Open

alensiljak opened this issue Oct 15, 2022 · 89 comments

@alensiljak

alensiljak commented Oct 15, 2022

Wondering if it is time to resurrect the request for passkeys support. The initial support has come to Android and it may soon be possible to have 3rd-party apps managing passkeys on devices. I'd like my passkeys stored in .kdbx files, along with other sensitive data.
At this point, this is a brainstorming and research stage. Also, this could be related to some other issues involving FIDO standards.

The end-result is to have KeePassDX as the storage and a key generator for Passkeys on Android.

Background info:

Add Android Credential provider:

Emphasis on the statement from Google:

Note: In the future, Android users will be able to use third-party credential management apps to store their passkeys.

@alensiljak
Author

also keepassxreboot/keepassxc#8214

@matchboxbananasynergy

https://developers.google.com/identity/passkeys/supported-environments

Note: Starting from Android 14, users will be able to opt to use third-party credential management apps to store their passkeys.

https://developer.android.com/training/sign-in/passkeys

@J-Jamet
Member

J-Jamet commented Sep 10, 2023

Yes, unfortunately it will take time to implement this feature, and the fact that Google already has its PassKeys private key storage system won't make it any easier to adopt KeePass.

@matchboxbananasynergy

> Yes, unfortunately it will take time to implement this feature, and the fact that Google already has its PassKeys private key storage system won't make it any easier to adopt KeePass.

To be fair, I'm okay with waiting for this to be implemented in KeePass and other 3rd party password managers, as implementation there isn't urgent given that actually using passkeys to sign up for services isn't as widespread just yet. I doubt people can sign up for 100% of their services via passkeys at this time.

@Kareltje1980

This is really getting some traction. There is already some collaboration between other keepass clients on how these should be stored in keepass vaults.

keepassxreboot/keepassxc#8825

I think it would make sense to take a look at this implementation.

@serrq

serrq commented Oct 11, 2023

It seems that a kind of "passkey provider" is needed, in order to use this method. A sync process is required. Major actors involved? Apple, Google, Microsoft, etc.

I remain in the 100% offline and syncless world. Bye bye passkey.

@life00

life00 commented Oct 13, 2023

> It seems that a kind of "passkey provider" is needed, in order to use this method. A sync process is required. Major actors involved? Apple, Google, Microsoft, etc.
>
> I remain in the 100% offline and syncless world. Bye bye passkey.

@serrq I am afraid that you might not have a choice in a few decades considering that all large tech companies are currently standardizing it. Google even made it a default login option and they encourage users to use it [1].

Quote from that article:

In the meantime, we’ll continue encouraging the industry to make the pivot to passkeys—making passwords a rarity, and eventually obsolete.

I am also a bit concerned about the sync process requirement and the flexibility of passkeys.

[1] https://www.wired.com/story/google-passkey-default/

@serrq

serrq commented Oct 13, 2023

I forgot to say also trustless. You need to trust in your sync provider. And leaderless: no single point must have a prominent role from mountain to valley.

And here everything seems centralized and dependent on a leader. Again.

@life00

life00 commented Oct 13, 2023

@serrq you know, the issue I find with passkeys flexibility is that its implementation is up to the browser or the OS. There is no underlying universal support as it is with password/passphrase/pin code. If you look at the Device Support page you might notice the problem (e.g. Apple ID, Google account requirement).

Passkeys create a monopoly on authentication service unless the browser or ideally the OS provides an open standard API for 3rd party credential managers. Otherwise there is just no way you can authenticate.

Fortunately as it was already mentioned here Google seems to plan on providing such API.

@serrq

serrq commented Oct 13, 2023

@life00 It also needs to be understood whether these APIs will be open source. However, I don't really have the problem, since I will avoid the passkeys.

I’m not convinced. Not even the mathematical link behind it. Will we find out in 30 years' time that a quantum computer can calculate the private key from the public key?

Asses available? Many.

@life00

life00 commented Oct 13, 2023

@serrq I definitely agree with you and I personally would prefer to avoid passkeys for the same reasons. I do not want to be so dependent on any proprietary service and there might be a threat of QCs in the long term.

But again as said already. We might just not have a choice considering the current trend of moving to passkeys.

What if GitHub will force everyone to use passkeys like they did with 2FA?
You'll likely switch from GitHub, but what if this happens with more services?

The only hope is that passkeys will be reasonably open to allow 3rd party clients.

@serrq

serrq commented Oct 13, 2023

@life00 Who will force you to do something is simply saying: «you will have no other god than me.»

An assertion, but also an own goal. The clever will look elsewhere, the fools will let themselves be caught in the big net.

@serrq

serrq commented Oct 13, 2023

What is a long term QC? I am not a developer and not even English native.

@alensiljak
Author

alensiljak commented Oct 13, 2023

This is getting too philosophical. Please focus the posts here on the implementation of the feature.

@life00

life00 commented Oct 13, 2023

@alensiljak sure, I just wanted to point out that the implementation of this feature is important and it will inevitably be needed.

@andromedasun

andromedasun commented Oct 22, 2023

> @serrq you know, the issue I find with passkeys flexibility is that its implementation is up to the browser or the OS. There is no underlying universal support as it is with password/passphrase/pin code. If you look at the Device Support page you might notice the problem (e.g. Apple ID, Google account requirement).
>
> Passkeys create a monopoly on authentication service unless the browser or ideally the OS provides an open standard API for 3rd party credential managers. Otherwise there is just no way you can authenticate.

In the link you provided, the row for third party passkey providers is the relevant one. Both Apple and Google seem to support this, and Microsoft (Windows) is already planning it. I don't see a Google account or Apple ID requirement there.

On Android it's available from version 14, which has just been released. I am waiting to test it out as soon as a Keepass client or Bitwarden ships with the passkey support.

Linux's passkey support is poor at the moment, but AFAIU some browsers on Linux can use third party managers to login, but cannot generate passkeys because typically it's the OS that generates them and then stores them immediately onto a TPM, and also passes this to a password manager/sync provider which should store/transmit it encrypted only. According to the spec, the keys should never leave the device unencrypted.

Linux supports hardware authentication devices (I think these are called device-specific keys rather than passkeys), but they have very limited capacity in terms of number of keys, and don't support sync.

The mechanism of sync between providers is currently left unspecified by the standard. I think I have read that syncing passkeys between Apple and Google accounts is possible but can't verify this for sure. If sync isn't possible you will need to login to every service you use and generate a new passkey once you login on the device that doesn't have the passkey using cross device authentication (assuming the website allows you to create new passkeys). This is why I have been waiting till Android 14 to start using passkeys, so that I can store my passkeys in a third party manager rather than place my bets with Google immediately.

> and there might be a threat of QCs in the long term.

There may be worse things to worry about if Quantum Computing becomes relevant to passkeys because the global digital infrastructure including SSL/HTTPS communication depends on public/private key cryptography anyway and your passwords would then be no better than if they were sent as plaintext.

I think there is research being done to mitigate the threat of QC in the long term, some of which is already promising. I don't know if protection against QC from these techniques depends on no one having found a technique to crack them by modeling it as a QC problem yet, but I guess it's a different question outside the scope of this thread.
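The comments above describe what a third-party passkey provider actually has to do: generate a key pair at registration, keep the private key and the user handle in its own store (so it can answer a login that names only the site, the "discoverable credential" case), and at login sign the site's challenge over data that binds the relying party ID and the browser origin. The following is an added example written for this page; it is not KeePassDX, KeePassXC or any other project's code. It models both sides of that exchange with Go's standard library: the authenticator side (`NewPasskey`, `Assert`) and the relying-party side (`VerifyAssertion`). The rpId `example.com`, the user handle, the challenge bytes and the look-alike origin `https://examp1e.com` are all constructed for the demonstration. It deliberately leaves out attestation, the CBOR/COSE encoding of the public key and extensions such as PRF, and it fixes the algorithm to ES256 (COSE -7); what it keeps is the negotiation step, where the authenticator picks an algorithm from the list the site offers, which is how the spec leaves room for newer algorithms.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// COSE identifier for ES256 (ECDSA P-256 / SHA-256) and the authenticator data flag bits.
const algES256, flagUP, flagUV = -7, 0x01, 0x04

// Passkey is one discoverable credential as a credential manager keeps it. The user
// handle is stored with the key so the store can answer a request with an empty allowCredentials list.
type Passkey struct {
	RPID         string
	CredentialID []byte
	UserHandle   []byte
	Priv         *ecdsa.PrivateKey
	SignCount    uint32
}

// NewPasskey models registration: the authenticator takes the first algorithm in the relying
// party's pubKeyCredParams it supports, so a newer algorithm needs an identifier on both sides, not a new protocol.
func NewPasskey(rpID string, userHandle []byte, pubKeyCredParams []int) (*Passkey, error) {
	supported := false
	for _, alg := range pubKeyCredParams {
		supported = supported || alg == algES256
	}
	if !supported {
		return nil, fmt.Errorf("no algorithm in common with the relying party")
	}
	id := make([]byte, 16)
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if _, idErr := rand.Read(id); err != nil || idErr != nil {
		return nil, fmt.Errorf("key or credential id generation failed")
	}
	return &Passkey{RPID: rpID, CredentialID: id, UserHandle: userHandle, Priv: priv}, nil
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is what ES256 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}

// Assert models the authenticator side of navigator.credentials.get(); the authenticator
// data it signs over is SHA-256(rpId) || flags || signCount (big endian).
func (p *Passkey) Assert(challenge []byte, origin string) (clientDataJSON, authData, sig []byte, err error) {
	p.SignCount++
	clientDataJSON, _ = json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	h := sha256.Sum256([]byte(p.RPID))
	authData = append(h[:], flagUP|flagUV, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], p.SignCount)
	sig, err = ecdsa.SignASN1(rand.Reader, p.Priv, signedMessage(authData, clientDataJSON))
	return clientDataJSON, authData, sig, err
}

// VerifyAssertion is the relying-party side. Challenge, origin and rpIdHash are checked before
// the signature, so an assertion collected on a look-alike origin cannot be relayed: the origin is inside the signed client data.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge, clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("malformed client data, wrong ceremony type or stale challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) || authData[32]&flagUP == 0 {
		return fmt.Errorf("rpIdHash mismatch or user presence not asserted")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	pk, _ := NewPasskey("example.com", []byte("user-42"), []int{-257, algES256})
	challenge := []byte("constructed-32-byte-server-nonce")
	cdj, ad, sig, _ := pk.Assert(challenge, "https://example.com")
	fmt.Println("genuine:", VerifyAssertion(&pk.Priv.PublicKey, "example.com", "https://example.com", challenge, cdj, ad, sig))
	cdj, ad, sig, _ = pk.Assert(challenge, "https://examp1e.com") // constructed look-alike origin
	fmt.Println("relayed:", VerifyAssertion(&pk.Priv.PublicKey, "example.com", "https://example.com", challenge, cdj, ad, sig))
}
```

Running `main` prints `genuine: <nil>` for the login from the real origin and an origin-mismatch error for the one relayed through the look-alike origin, which is the property that makes a passkey phishing-resistant even when the private key is held by a synced software provider rather than a hardware token. The private key never appears in the assertion; only the signature, the authenticator data and the client data leave the store, which is why a `.kdbx`-backed provider is workable in principle: the file is the encrypted-at-rest storage the spec asks for.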

@serrq

serrq commented Oct 22, 2023

I hope that the encryption algorithm is outside the PassKey spec, so that a newer and better-performing one that comes in the future will be easy to implement in a kind of key renegotiation.

@mas1701

mas1701 commented Oct 28, 2023

Just found this issue on KeePassDX when searching for Keepass for Android w/ Passkeys support.

Things I'd like to point out:

  • current KeePassXC v2.8.0 snapshot has just added working Passkeys implementation on the PC, official v2.8.0 release should follow very soon
  • I'm currently using that KeePassXC version and I'm using it with Nextcloud's WebAuthn/Passkey option (I got my snapshot version from one of the devs)
  • I also tried Nextcloud's WebAuthn/Passkey option on my Samsung Galaxy Note 20 5G Ultra and it works out of the box, I registered with Nextcloud using the Samsung Browser and then logged in using Brave for Android with that same identity.

Hope this information is useful for you.

@allanabiud

Quick question, does support for third party passkey managers like password managers on Android only work with Android 14 and no other version?

@mas1701

mas1701 commented Nov 3, 2023

> Quick question, does support for third party passkey managers like password managers on Android only work with Android 14 and no other version?

Yes, this seems to be the case. At least as long as you use the Android integrated authentication APIs. But I'm an IT admin, not a software developer. It's far from being my area of expertise.

KeePassXC does JS injection on the PC, not sure if that method would be feasible on Android though.

I'm also testing another solution (on PC), which emulates a USB security token as a virtual USB device. Early version and seems a bit buggy. Was able to add this to my Nextcloud account for testing (the identity information was stored locally by this software), but could not log in afterwards with this tool.

But with Google and others pushing towards Passkeys, I expect a lot more development to happen in this area soon.

@greensheeps greensheeps mentioned this issue Dec 27, 2023
@Calmquist

KeepassXC appears to be in the process of back porting passkey support to 2.7.7: keepassxreboot/keepassxc#10189

Bitwarden appears to be adding it as part of the migration from Xamarin to MAUI: https://github.com/bitwarden/mobile/tree/feature/maui-migration-passkeys . It appears to still be in early development, but it looks like Bitwarden is using the credential provider API.

@Kranzes

Kranzes commented Mar 11, 2024

PassKey support has just been added to KeePassXC 2.7.7 so I think it would be nice to have support for PassKeys on KeePassDX too. One super important thing I have got to request is to not use Google's API for passkeys on android, it doesn't work on a degoogled phone and barely works with MicroG. Nextcloud uses a different WebAuthn library I believe that does actually work on a degoogled device, please consider using it or if there is a better and newer library use that instead, anything but the Google one that forces you to use Google Play Services.

Google are attempting to kill security keys on degoogled phones by moving everything towards their own implementation

@hj-collab

> @hj-collab My implementation is compatible with KeePassXC. Regarding Strongbox I don't know.

Strongbox implementation is compatible with KeePassXC. It's nice to see all clients being compatible with each other. Thank you for the work!

@GonzRon

GonzRon commented Oct 24, 2024

Hi all, I just shared my current code including an APK on my fork. It is based on the develop branch and enables creating, updating and using passkeys. Some small issues are still open (see readme.md). Check it out, if you like. For feedback, I enabled the discussions on my repo.

@cali-95
My dude, you oneshotted this feature. Worked the first time I tried it. Thank you! Been waiting for this! Excellent work!

@J-Jamet J-Jamet removed this from 5.0.0 Nov 18, 2024
@J-Jamet J-Jamet added this to 4.1.0 Nov 18, 2024
@J-Jamet J-Jamet moved this to Todo in 4.1.0 Nov 18, 2024
@J-Jamet J-Jamet removed this from 4.1.0 Nov 18, 2024
@J-Jamet J-Jamet added this to 4.2.0 Nov 18, 2024
@J-Jamet J-Jamet moved this to Todo in 4.2.0 Nov 18, 2024
@ionum

ionum commented Nov 20, 2024

@cali-95: Great job! Nice piece of code

Using your version of KeePassDX primarily with Firefox, I noticed the following:

  1. After confirming the usage of a passkey in the KeePassDX app, Android (14) is not returning to Firefox (this works with Brave). I'm not sure whether this is a Firefox or KeePassDX problem.
  2. Passkey is not working the first time, when the KeePassDX db isn't already opened (both Brave and Firefox). If I reinitiate the passkey process (by clicking "login by passkey" in the browser) it shows "OperationError: A request is already pending". Then, reloading the login page does the trick.

But once again: Great job!

@J-Jamet
Member

J-Jamet commented Nov 20, 2024

Agree. I looked at your code, @cali-95 and created a branch on this repo from the latest version 4.1.0.
All the key reading and registration implementation logic is implemented, it's a very good base. I've started coding on it.
There are some things to tweak, like going through the application's login activities to resolve the workflow bugs indicated (this can be a bit time-consuming), cleanly updating the minimal version to API 19, reorganizing models and checking overall compatibility, but I'm pretty confident.

@Vinay1a1

Vinay1a1 commented Nov 23, 2024

@cali-95 the passkey support is working in Chromium browsers but it's broken in firefox. Can you please check that. Passkey creation in apps is not working either.

@cali-95

cali-95 commented Nov 27, 2024

Thanks for all the feedback. To analyze the bugs I need more information like the website, log files and if possible the keepass file. You are welcome to open an issue on my repo with all the information you are comfortable sharing.

@Arbel-arad

> @cali-95 the passkey support is working in Chromium browsers but it's broken in firefox. Can you please check that. Passkey creation in apps is not working either.

looks like passkey support in firefox for android is just broken, i tried with other apps and hardware FIDO2 tokens and none of them work.

@Vinay1a1

Vinay1a1 commented Dec 4, 2024

> > @cali-95 the passkey support is working in Chromium browsers but it's broken in firefox. Can you please check that. Passkey creation in apps is not working either.
>
> looks like passkey support in firefox for android is just broken, i tried with other apps and hardware FIDO2 tokens and none of them work.

Github passkeys saved in google password manager work fine for me.

Passkey support in apps will be broken ig. Because it is not even supported in bitwarden.

@Diapolo10

> > > @cali-95 the passkey support is working in Chromium browsers but it's broken in firefox. Can you please check that. Passkey creation in apps is not working either.
> >
> > looks like passkey support in firefox for android is just broken, i tried with other apps and hardware FIDO2 tokens and none of them work.
>
> Github passkeys saved in google password manager work fine for me.
>
> Passkey support in apps will be broken ig. Because it is not even supported in bitwarden.

To my knowledge the root of the problem is that Firefox for Android currently does not implement the PRF extension for Webauthn, which many passkey services like Bitwarden require to function. But any that don't require it should work.

That said, based on this thread said extension seems to be supported in Firefox version 132 and above, so perhaps I simply have no idea what I'm talking about.

@Arbel-arad

for reference, i was testing on android 15 (grapheneOS) with firefox 133 and 134.
bitwarden, dashlane, physical keys (atkey.pro, onlykey, yubikey 5 NFC).
they work fine in chromium 131 but not firefox, at least for me.

@Arbel-arad

i updated to 135 nightly, it finally shows the passkey UI but still doesn't work

Screenshot_20241204-112711.png

@ionum

ionum commented Dec 6, 2024

I can confirm that creation of passkeys (with KeePassDX) is actually not possible with either Firefox (v133.0) or Brave (v1.73.91) on LineageOS 21 (Android 14 APA2.240905.003).

Furthermore i'm no longer able to login with Brave. I noticed a strange behaviour (both login with passkey and creation of passkeys). If my keepass-db isn't open, I get to the open-dialog. If the db is opened, nothing happens.

Firefox login is still working with previously created passkeys, with the known flaws; see my previous comment.

I updated Firefox, Brave and Android a couple of days ago, so any of these could have caused this regression.

@arfshl

arfshl commented Dec 13, 2024

@cali-95 It works on webauthn.io but crashes on Google, any workaround?

Browser: Brave 1.73.97
Android: 14 OneUI 6.1

@Stellashade

I keep getting locked out of my database. My password is correct. How can I recover my data?

@Arbel-arad

> I keep getting locked out of my database. My password is correct. How can I recover my data?

does this have anything to do with passkey support?
if your vault started having issues recently maybe try opening an older version...

@ccoenen

ccoenen commented Jan 22, 2025

> I keep getting locked out of my database. My password is correct. How can I recover my data?

Hi, welcome to GitHub. It is usually a good idea to create a new issue for each separate problem. But these issues are normally focused on bugs in the software, not requests for support. This particular thing here is about supporting a new way to unlock a database, not about general support.

For general support, I would probably recommend starting a "discussion" over here: https://github.com/Kunzisoft/KeePassDX/discussions

I fear that there might not be a good answer. Going back to an older backup of your password file (in case the current file got damaged) or going back to an older version of KeePassDX or trying one of the many compatible programs (in case the file is good but the program somehow is at fault) are your only real options here.

I would also ask someone on the project to mark these posts as off-topic (including mine, of course!) to get the discussion back to the original topic of this issue.

@ionum

ionum commented Jan 23, 2025

Firefox 134 and Android 15 works with WebAuthn.io if you set "Discoverable Credential" to "required" in options. Otherwise Google Passkey is kicking in.

@Vinay1a1

> Firefox 134 and Android 15 works with WebAuthn.io if you set "Discoverable Credential" to "required" in options. Otherwise Google Passkey is kicking in.

Turn off google password manager in settings.

@LnLcFlx

LnLcFlx commented Jan 23, 2025

> Firefox 134 and Android 15 works with WebAuthn.io if you set "Discoverable Credential" to "required" in options. Otherwise Google Passkey is kicking in.

In KPDX options?

@Arbel-arad

> > Firefox 134 and Android 15 works with WebAuthn.io if you set "Discoverable Credential" to "required" in options. Otherwise Google Passkey is kicking in.
>
> In KPDX options?

that would be on the website (webauthn.io) most others don't let you choose

@Stellashade

Stellashade commented Jan 24, 2025 via email

@Diapolo10

> Hi,
>
> Thanks for responding to my email. After losing two databases in KeePassDX on my Pixel that's running GrapheneOS, I set up KeePassXC on my Linux Mint laptop. After importing my Google passwords I made a copy of the kdbx database and sent it to my phone. This worked. Right now I'm using Signal to keep my passwords synchronized, unless you can suggest a better way.
>
> I'm using Vanadium 132.0.6834.79 on my phone. I'm not familiar with how to set up WebAuthn.io or if I need it as I'm setting up a YubiKey. I only have Firefox on my laptop.
>
> I'm not sure why the database disappeared. Once I get done setting up the YubiKey I'll look at WebAuthn.
>
> Thanks so much for your help.
> Kat

I don't really think this is on-topic, but as far as database synchronization goes I'd suggest giving Syncthing a shot. It's FOSS, and I really like it for this purpose.

@Arbel-arad

> Firefox 134 and Android 15 works with WebAuthn.io if you set "Discoverable Credential" to "required" in options. Otherwise Google Passkey is kicking in.

i tested this as well, it's also true on other password managers, even though google passwords is disabled.
it will override every other service on the default discoverability mode.

@ionum

ionum commented Jan 24, 2025

> > > Firefox 134 and Android 15 works with WebAuthn.io if you set "Discoverable Credential" to "required" in options. Otherwise Google Passkey is kicking in.
> >
> > In KPDX options?
>
> that would be on the website (webauthn.io) most others don't let you choose

No option in KPDX. But with webauthn.io you can test which combinations of registration settings work with KPDX. Generally the website decides which type of local passkey (Discoverable credentials/User Verification/Attestation) is allowed. Maybe KPDX does not register itself for all passkey options on Android.

If I register Google password manager as the default password manager in Android options (Android >= 14), webauthn.io works with every setting. If I register KPDX as default, some settings are working. With the KPDX-non-working settings the passkey register request is sent to Google password manager (presumably fallback).
If I disable Google password manager, then the KPDX-non-working settings fail.

Status: In Progress