No longer able to access on-device passkeys when KeePassDX is set as sign-in service
Checks
- [x] I have read the Wiki, searched the open issues, and still think this is a new bug.
Explain the problem clearly and succinctly:
Hello
I have passkeys stored on-device only (without synchronisation) and use KeePassDX to store passwords. This worked well until KeePassDX introduced support for passkeys. Now, if I want to log in somewhere with a passkey, KeePassDX opens and I can no longer access my on-device passkeys.
The only workaround is to change in Android's settings, under "Passwords, passkeys and accounts" the "Preferred service" from "KeePassDX" to "None" and, after logging in, back to "KeePassDX". However, this is very cumbersome.
I don't know if this is a problem that KeePassDX can solve or if this is a problem of Android. In the first case, I would greatly appreciate it if you could add an option to disable passkeys in KeePassDX.
Describe what you expected to happen:
No response
KeePassDX version:
4.2.4
Build:
Free
Database version:
No response
File provider (content:// URI)
No response
Android version:
16
Android device:
Google Pixel 7a
Additional context:
No response
It depends on your device configuration. The Autofill and Passkeys services have been merged into the same API. On some systems, it is possible to set up secondary credential provider services to use Passkeys with other services by clicking on "other methods," but this is not available on all systems. In any case, I am trying to create a new version so that Autofill is as well integrated as Passkey. Unfortunately, I cannot code service choices.
I do have one question, though: what do you see as the advantage of using your system's passkeys over those of KeePassDX?
> It depends on your device configuration. The Autofill and Passkeys services have been merged into the same API. On some systems, it is possible to set up secondary credential provider services to use Passkeys with other services by clicking on "other methods," but this is not available on all systems. In any case, I am trying to create a new version so that Autofill is as well integrated as Passkey. Unfortunately, I cannot code service choices.
Thank you very much for your quick reply and explanation!
I'm using a Pixel 7a phone, which allows me to set "Google" as an "additional service". But even with "Google" activated, KeePassDX opens every time I try to sign in with a passkey. Only choosing "none" as the "preferred service" allows me to log in with my on-device passkeys.
> I do have one question, though: what do you see as the advantage of using your system's passkeys over those of KeePassDX?
Firstly, because this is the only way passkeys have worked until recently, which is why I set up my passkeys this way. It would take me a lot of time to change everything. Secondly, and more importantly to me, having local-only passkeys on a secure part of my devices is a lot safer than syncing them across devices over the internet.
> Secondly, and more importantly to me, having local-only passkeys on a secure part of my devices is a lot safer than syncing them across devices over the internet.
Doesn't Google actually sync passkeys across devices? KeePassDX does NOT sync your encrypted database anywhere and I have no reason to believe that the encryption of the passkey in a secure element is any better than that of my KeePass database. In fact, such chips have been riddled with vulnerabilities and backdoors that I wouldn't consider its security more credible than "Trust me, bro".
> Doesn't Google actually sync passkeys across devices?
If "Google" isn't set as "Preferred service" in the Settings under "Passwords, passkeys and accounts", passkeys are stored on the device only.
> KeePassDX does NOT sync your encrypted database anywhere ...
I'm syncing the .kdbx database myself.
> ... and I have no reason to believe that the encryption of the passkey in a secure element is any better than that of my KeePass database. In fact, such chips have been riddled with vulnerabilities and backdoors that I wouldn't consider its security more credible than "Trust me, bro".
Is this also true for security keys? If so, I'll consider saving my passkeys in the .kdbx database.
> Is this also true for security keys? If so, I'll consider saving my passkeys in the .kdbx database.
I have a similar problem, but instead of on-device passkeys, I cannot select USB security key if I have KeePassDX as autofill service.
Can you choose a key in such a case? From your comment I think you're using a security key as well.
> Is this also true for security keys? If so, I'll consider saving my passkeys in the .kdbx database.
Last year a vulnerability in Yubikeys was discovered: https://www.yubico.com/support/security-advisories/ysa-2024-03/
Apparently this attack requires equipment for 11k USD. That is a drop in the bucket if you're using it to secure your crypto wallet with 100 BTC. Many attacks on security hardware seem theoretical, but I would consider most attacks on software-based encryption just as theoretical if you apply best practices. That's just my opinion and only time will tell.
> I have a similar problem, but instead of on-device passkeys, I cannot select USB security key if I have KeePassDX as autofill service.
Same problem here on a Pixel 8 Pro with GrapheneOS, but with a YubiKey with NFC functionality.
Based on https://github.com/Kunzisoft/KeePassDX/issues/1421#issuecomment-3452768570, I installed HW Fido2 Provider from the IzzyOnDroid repos and enabled it as an "additional service." Slightly annoying workaround, but I can live with it until the KeePassDX issue gets fixed.
What you are asking is for the system to be able to provide several credential providers to the user at the same time so that they can choose the one they want. However, this choice should be made at the OS level. KeePassDX should not be responsible for other authentication methods by adding code that simply acts as a pass-through. After that, there may be parameters to send to the credential provider API, but I don't know what they are. https://developer.android.com/identity/sign-in/credential-provider
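As an added illustration of the point above (example code added here, not code from KeePassDX or from the linked Android documentation): a relying-party app requesting a passkey through Android's Credential Manager, the API the thread is talking about. The app only hands over the WebAuthn request JSON from its server; which installed credential provider answers (KeePassDX, Google Password Manager, a security-key provider) is decided by the system's selector, not by the requesting app and not by any single provider, which is why a provider such as KeePassDX cannot "pass through" to another one. The function name `signInWithPasskey` and the request JSON are assumptions made for this example; the challenge value is a constructed placeholder, not one issued by a real server.

```kotlin
import android.content.Context
import androidx.credentials.CredentialManager
import androidx.credentials.GetCredentialRequest
import androidx.credentials.GetPublicKeyCredentialOption
import androidx.credentials.PublicKeyCredential
import androidx.credentials.exceptions.GetCredentialException
import androidx.credentials.exceptions.NoCredentialException

// Constructed sample of a WebAuthn PublicKeyCredentialRequestOptions object, in the
// shape a server would return for a sign-in. The challenge is a made-up base64url
// string for this example; a real server generates a fresh random one per request.
const val SAMPLE_REQUEST_JSON = """
{
  "challenge": "dGVzdC1jaGFsbGVuZ2U",
  "rpId": "example.com",
  "userVerification": "required",
  "timeout": 60000
}
"""

// Hypothetical helper: asks the system for a passkey assertion and returns the
// authenticator response JSON that must be sent back to the server, or null if
// no provider could satisfy the request or the user cancelled.
suspend fun signInWithPasskey(context: Context, requestJson: String): String? {
    val credentialManager = CredentialManager.create(context)

    // One option per credential type we accept; here only passkeys. The OS, not this
    // app, merges the options with the enabled providers and shows its own selector.
    val option = GetPublicKeyCredentialOption(requestJson = requestJson)
    val request = GetCredentialRequest(listOf(option))

    return try {
        val response = credentialManager.getCredential(context, request)
        when (val credential = response.credential) {
            // Contains the signed assertion (clientDataJSON, authenticatorData, signature).
            is PublicKeyCredential -> credential.authenticationResponseJson
            else -> null
        }
    } catch (e: NoCredentialException) {
        // No enabled provider holds a passkey for this rpId (or none was offered).
        null
    } catch (e: GetCredentialException) {
        // User cancelled, provider error, or the request was malformed.
        null
    }
}
```

The returned JSON is untrusted input from the client's point of view: the server still has to verify the signature against the public key it stored at registration, check that the challenge matches the one it issued, and check the rpId and origin before treating the user as signed in.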
> Based on https://github.com/Kunzisoft/KeePassDX/issues/1421#issuecomment-3452768570, I installed HW Fido2 Provider from the IzzyOnDroid repos and enabled it as an "additional service." Slightly annoying workaround, but I can live with it until the KeePassDX issue gets fixed.
I think it's the right solution. I'll test it to find out what bothers you about its behavior.
I tested it with my device and have no problem selecting another service to use Passkeys from another application on the fly. https://github.com/Kunzisoft/KeePassDX/issues/2310#issuecomment-3656110416