-
-
Notifications
You must be signed in to change notification settings - Fork 276
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for Passkeys #1421
Comments
https://developers.google.com/identity/passkeys/supported-environments
|
Yes, unfortunately it will take time to implement this feature, and the fact that Google already has its PassKeys private key storage system won't make it any easier to adopt KeePass. |
To be fair, I'm okay with waiting for this to be implemented in KeePass and other 3rd party password managers, as implementation there isn't urgent given that actually using passkeys to sign up for services isn't as widespread just yet. I doubt people can sign up for 100% of their services via passkeys at this time. |
This is really getting some traction. There is already some collaboration between other keepass clients on how these should be stored in keepass vaults. I think it would make sense to take a look at this implementation. |
It seems that a kind of "passkey provider" is needed, in order to use this method. A sync process is required. Major actors involved? Apple, Google, Microsoft, etc. I remain in the 100% offline and syncless world. Bye bye passkey. |
@serrq I am afraid that you might not have a choice in few decades considering that all large tech companies are currently standardizing it. Google even made it a default login option and they encourage users to use it [1]. Quote from that article:
I am also a bit concerned about the sync process requirement and the flexibility of passkeys. |
I forgot to say also trustless. You need to trust in your sync provider. And leaderless: no single point must to have a prominent role from mountain to valley. And here everything seems centralized and dependent on a leader. Again. |
@serrq you know, the issue I find with passkeys flexibility is that its implementation is up to the browser or the OS. There is no underlying universal support as it is with password/passphrase/pin code. If you look at the Device Support page you might notice the problem (e.g. Apple ID, Google account requirement). Passkeys create a monopoly on authentication service unless the browser or ideally the OS provides an open standard API for 3rd party credential managers. Otherwise there is just no way you can authenticate. Fortunately as it was already mentioned here Google seems to plan on providing such API. |
@life00 It also needs to understand if these APIs will be open source. However, I don’t really have the problem, since I will avoid the passkeys. I’m not convinced. Not even the mathematical link behind it. Will we find out in 30 years' time that a quantum computer can calculate the private key from the public key? Asses available? Many. |
@serrq I definitely agree with you and I personally would prefer to avoid passkeys for the same reasons. I do not want to be so dependent on any proprietary service and there might be a threat of QCs in the long term. But again as said already. We might just not have a choice considering the current trend of moving to passkeys. What if GitHub will force everyone to use passkeys like they did with 2FA? The only hope is that passkeys will be reasonably open to allow 3rd party clients. |
@life00 Who will force you to do something is simply saying: «you will have no other god that me.» An assertion, but also an own goal. The clever will look elsewhere, the fools will let themselves be caught in the big net. |
What is a long term QC? I am not a developer and not even English native. |
This is getting too philosophical. Please focus the posts here to the implementation of the feature. |
@alensiljak sure, I just wanted to point out that the implementation of this feature is important and it will inevitably be needed. |
In the link you provided, the row for third party passkey providers is the relevant one. Both Apple and Google seem to support this, and Microsoft (Windows) is already planning it. I don't see a Google account or Apple ID requirement there. On Android it's available from version 14, which has just been released. I am waiting to test it out as soon as a Keepass client or Bitwarden ships with the passkey support. Linux's passkey support is poor at the moment, but AFAIU some browsers on Linux can use third party managers to login, but cannot generate passkeys because typically it's the OS that generates them and then stores them immediately onto a TPM, and also passes this to a password manager/sync provider which should store/transmit it encrypted only. According to the spec, the keys should never leave the device unencrypted. Linux supports hardware authentication devices (I think these are called device specific keys than passkeys), but they have very limited capacity in terms of number of keys, and doesn't support sync. The mechanism of sync between providers is currently left unspecified by the standard. I think I have read syncing passkeys between Apple and Google account is possible but can't verify this for sure. If sync isn't possible you will need to login to every service you use and generate a new passkey once you login on the device that doesn't have the passkey using cross device authentication (assuming the website allows you to create new passkeys). This is why I have been waiting till Android 14 to start using passkeys, so that I can store my passkeys in a third party manager rather than place my bets with Google immediately.
There maybe worse things to worry about if Quantum Computing becomes relevant to passkeys because the global digital infrastructure including SSL/HTTPS communication depends on public/private key cryptography anyway and your passwords would then be no better than if they were sent as plaintext. I think there is research being done to mitigate the threat of QC in the long term, some of which is already promising. I don't know if protection against QC from these techniques depends on no one having found a technique to crack them by modeling it as a QC problem yet, but I guess it's a different question outside the scope of this thread. |
I hope that the encryption algorithm is out of the PassKey spec, so that newest and more performing one comes in the future will be easy to implement in a kind of key renegotiation. |
Just found this issue on KeePassDX when searching for Keepass for Android w/ Passkeys support. Things I'd like to point out:
Hope this information is useful for you. |
Quick question, does support for third party passkey managers like password managers on Android only work with Android 14 and no other version? |
Yes, this seems to be the case. At least as long as you use the Android integrated authentication APIs. But I'm an IT admin, not a software developer. It's far from being my area of expertise. KeePassXC does JS injection on the PC, not sure if that method would be feasable on Android though. I'm also testing another solution (on PC), which emulates a USB security token als a virtual USB device. Early version and seems a bit buggy. Was able to add this to my Nextcloud account for testing (the identity information was stored locally by this software), but could not log in afterwards with this tool. But with Google and others pushing towards Passkeys, I expect a lot more development to happen in this area soon. |
KeepassXC appears to be in the process of back porting passkey support to 2.7.7: keepassxreboot/keepassxc#10189 Bitwarden appears to be adding it as part of the migration from Xamarin to MAUI: https://github.com/bitwarden/mobile/tree/feature/maui-migration-passkeys . It appears to still be in early development, but it looks like Bitwarden is using the credential provider API. |
PassKey support has just been added to KeePassXC 2.7.7 so I think it would be nice to have support for PassKeys on KeePassDX too. One super important thing I have got to request is to not use Google's API for passkeys on android, it doesn't work on a degoogled phone and barely works with MicroG. Nextcloud uses a different WebAuthn library I believe that does actually work on a degoogled device, please consider using it or if there is a better and newer library use that instead, anything but the Google one that forces you to use Google Play Services. Google are attempting to kill security keys on degoogled phones by moving everything towards their own implementation |
I believe Chromium depends on Google Play Services for FIDO2 support. In that case, one would need to use another browser that does support FIDO2 without Google or have some other application that can "spoof" Google Play Services. Such an application would require elevated privileges. I am not sure there is anything KeePassDX can do about that. |
This feature requires a great deal of study and time. I'm aware that the functionality is already present on KeePassXC and many requests are being made for KeePassDX. Thank you @cali-95 for your work in this first implementation. It's really appreciated, I'll study your code. |
Sorry no joy. I tried from both an up-to-date Pixel Tablet running GrapheneOS (Android 14) and Pixel Fold. I uninstalled the F-Droid KeePassDX and installed your APK. The app crashed on start-up. I tried a few ways to download, in case there was an unreported download error and several installation sources. I also tried disabling Hardened memory allocator, but since the app is debuggable, it would not let me turn that off. I was able to turn off Native code debugging, but that didn't make any difference. I set the flags in Vanadium according to the 1Password instructions and tried it with and without Passwords, passkeys & autofill set to KeePassDX I'll try to post the stack trace in your repo so we don't spam this issue. Maybe folks with pure Android devices will have better luck. |
I could not figure out how to create an issue on your repository, so here are the links to the error logs: |
Until official support/merger here @cali-95 can you please create a separate discussion with "My passkeys support experiments" or some similar heading? |
I know why, there's a TAG issue in the call for services with PendingIntent, that's why I said we shouldn't go too fast. We need to do all the migration steps to API 34 before anything else so that it's compatible with Android 14. I'm taking care of that in a dedicated branch, and I'll make another branch based on it to manage Passkey. |
I've finished migrating API 34 to branch develop. There may still be a few bugs to fix but it'll be a good basis for implementing the credential manager. |
Note (mainly for testing) : Firefox for Android added support for it in version 128 (july 2024)
https://www.mozilla.org/en-US/firefox/android/128.0/releasenotes/ |
Is now a released feature |
Does this mean we can hope for a working implementation in the near future?
|
Yes, I just have to prioritize and as I'm working on other projects at the same time it's not easy. I plan to release an intermediate version that upgrades the API to check that there are no regressions, and then integrate the first implementation of PassKeys. I'm aware that a lot of people want this feature, myself included, and I've even bought a test phone just for it. |
Thank you! |
Hi all, I just shared my current code including an APK on my fork. It is based on the develop branch and enables to create, update and use passkeys. Some small issues are still open (see readme.md). Check it out, if you like. For feedback, I enabled the discussions on my repo. |
@cali-95 I am yet to test your implementation but does it retain passkey compatibility with other clients like Strongbox, KeePassXC? https://strongboxsafe.com/updates/passkeys/ |
@hj-collab My implemention is compatible with KeePassXC. Regarding strongbox I don't know. |
Strongbox implementation is compatible with KeePassXC. It's nice to see all clients being compatible with each other. Thank you for the work! |
@cali-95 |
@cali-95: Great job! Nice piece of code Using your version of KeePassDX primary with Firefox, i noticed the following:
But once again: Great job! |
Agree. I looked at your code, @cali-95 and created a branch on this repo from the latest version 4.1.0. |
@cali-95 the passkey support is working in Chromium browsers but it's broken in firefox. Can you please check that. Passkey creation in apps is not working either. |
Wondering if it is time to resurrect the request for passkeys support. The initial support has come to Android and it may soon be possible to have 3rd-party apps managing passkeys on devices. I'd like my passkeys stored in .kdbx files, along with other sensitive data.
At this point, this is a brainstorming and research stage. Also, this could be related to some other issues involving FIDO standards.
The end-result is to have KeePassDX as the storage and a key generator for Passkeys on Android.
Background info:
Add Android Credential provider :
Emphasis on the statement from Google:
The text was updated successfully, but these errors were encountered: