keepass2android
Support for Passkeys
Is it worth (already) tracking the implementation progress of Passkeys and the possibility for Keepass2Android to act as the storage and the key generator? I guess it is only the brainstorming and research stage at this point.
Some background information:
- https://fidoalliance.org/passkeys/
- https://developers.google.com/identity/passkeys
- https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html
- https://developers.google.com/identity/passkeys/supported-environments
- https://www.passkeys.io/
with emphasis on
> Note: In the future, Android users will be able to use third-party credential management apps to store their passkeys.
Google has implemented Passkeys on their production websites
https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/
@PhilippC is this feature planned in a future version?
+1
Would like to stay with KeePass if possible!
This is really getting some traction. There is already some collaboration between other keepass clients on how these should be stored in keepass vaults.
https://github.com/keepassxreboot/keepassxc/pull/8825
I think it would make sense to take a look at this implementation.
+1
The latest beta version of KeepassXC has the possibility to import and export passkeys.
The pull request with the WebAuthn was accepted today, 26 October 2023.
https://snapshot.keepassxc.org/latest/
https://github.com/keepassxreboot/keepassxc/pull/8825
The relevant Android documentation seems to be https://developer.android.com/training/sign-in/credential-provider
Pinging @varjolintu who added the support in KeePassXC.
It looks like this will be backported and released with KeepassXC 2.7.7 just about any time now.
Has there been any development on this so far?
Bitwarden appears to be adding it as part of the migration from Xamarin to MAUI: https://github.com/bitwarden/mobile/tree/feature/maui-migration-passkeys . It appears to still be in early development, but it looks like Bitwarden is using the credential provider API.
Latest Firefox on MacOS supports passkeys now, we could store passkeys via Keepass2Android right now via the QR code method.
FYI: As of today, Keepass XC 2.7.7 is officially released and supports passkeys.
Please do not use the Google passkey library on android as it does not work without Google Play Services and I want to be able to use my YubiKey for this on my degoogled phone.
@PhilippC Any plans to implement this ?
@PhilippC If I use passkey support on keepassxc, are the keepass databases still compatible between keepassxc and keepass2android, even if you don't implement passkeys?
> @PhilippC If I use passkey support on keepassxc, are the keepass databases still compatible between keepassxc and keepass2android, even if you don't implement passkeys?
I haven't used KeePass2Android, but it shouldn't be a problem. KeePassXC will add some custom fields named KPEX_PASSKEY_*.
Bump
> @PhilippC If I use passkey support on keepassxc, are the keepass databases still compatible between keepassxc and keepass2android, even if you don't implement passkeys?
> I haven't used KeePass2Android, but it shouldn't be a problem. KeePassXC will add some custom fields named KPEX_PASSKEY_*.
Can confirm that files from KeepassXC 2.7.7 providing Passkeys can be read and written by Keepass2Android without the passkeys getting in the way. As pointed out, the Passkey's info is stored as special fields in the entries.
It would be great if Keepass2Android would follow the field names used there and hence become compatible with KeepassXC 2.7.7+.
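An added example, not part of the thread or of either project's code: a round-trip check over two KeePass 2 XML exports (taken before and after another client saves the database) that reports any `KPEX_PASSKEY_*` string field that went missing or changed. Only the prefix comes from the thread; the field suffixes and the sample XML are constructed placeholders, and because an XML export is unencrypted it is assumed to be handled on a trusted machine.

```python
import xml.etree.ElementTree as ET

PASSKEY_PREFIX = "KPEX_PASSKEY_"  # prefix named in the thread
# Placeholder suffixes for illustration, not KeePassXC's actual field names.
A, B = PASSKEY_PREFIX + "FIELD_A", PASSKEY_PREFIX + "FIELD_B"

def passkey_fields(xml_text):
    """Return {entry UUID: {field name: value}} for KPEX_PASSKEY_* fields."""
    found = {}
    for group in ET.fromstring(xml_text).iter("Group"):
        # Direct children only: older revisions live under Entry/History/Entry
        # and would otherwise shadow the current entry with the same UUID.
        for entry in group.findall("Entry"):
            fields = {}
            for s in entry.findall("String"):
                key = s.findtext("Key", default="")
                if key.startswith(PASSKEY_PREFIX):
                    fields[key] = s.findtext("Value", default="")
            if fields:
                found[entry.findtext("UUID", default="")] = fields
    return found

def lost_or_changed(before_xml, after_xml):
    """List (uuid, field, problem) for passkey fields that did not survive."""
    after = passkey_fields(after_xml)
    problems = []
    for uuid, fields in passkey_fields(before_xml).items():
        kept = after.get(uuid, {})
        for name, value in fields.items():
            if name not in kept:
                problems.append((uuid, name, "missing"))
            elif kept[name] != value:
                problems.append((uuid, name, "changed"))
    return sorted(problems)

def sample_export(strings):
    """Constructed sample: one entry plus a stale history revision of it."""
    body = "".join(f"<String><Key>{k}</Key><Value>{v}</Value></String>"
                   for k, v in strings.items())
    stale = f"<String><Key>{A}</Key><Value>old</Value></String>"
    return ("<KeePassFile><Root><Group><Entry><UUID>AAAA</UUID>" + body +
            "<History><Entry><UUID>AAAA</UUID>" + stale + "</Entry></History>"
            "</Entry></Group></Root></KeePassFile>")

BEFORE = sample_export({A: "v1", B: "v2"})
AFTER_BAD = sample_export({A: "v1"})  # field B dropped on save

if __name__ == "__main__":
    print(lost_or_changed(BEFORE, AFTER_BAD))
```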
this clearly is one of the hot candidates for the next feature to be implemented. Unfortunately, I haven't had any time to even read the emails related to the app recently so I can't make any promises about this at the moment.
> this clearly is one of the hot candidates for the next feature to be implemented. Unfortunately, I haven't had any time to even read the emails related to the app recently so I can't make any promises about this at the moment.
I'll gladly make a donation if it helps push this towards the top of the pile of new features.
I'm using the passkey support in keepassxc on Windows and Linux.
For now, I'm tying passkeys to my phone directly because I can't put them in any Android password manager.
I'm not a programmer, but I am a good beta tester. Should you ever have a fairly stable beta of your software with passkey, I'd be happy to test.
Having looked at the keepass2android plugin API, I think that it could be implemented with a plugin, if the missing APIs are still not available from Xamarin. Unfortunately neither do I have much Android development experience nor too much time at the moment, but just as an idea for someone able who'd have time.
I started to investigate how this could be implemented and tested.
Unfortunately, I didn't find good ways to test (and use) any implementation (I don't have one yet). Can anybody help here?
- it is clear that using Passkeys on Android requires Android 14. I have Android 14.
- In order to test the workflow, you need a password manager app supporting Passkeys. I tried Dashlane, Keyguard and Bitwarden. Only Keyguard seemed to work for me.
- the app requesting the passkey needs to support the Credentials Manager API. I tried Firefox, Chrome and Chrome Canary. While all of those support passkeys, none of them worked with any of the aforementioned password manager apps. (I did enable them in the Android settings for password/passkeys.) Only with Dashlane's Demo App (https://github.com/Dashlane/android-passkey-example) was I able to get the workflow going, but only with Keyguard and not Dashlane or Bitwarden.
I think this whole feature will only be useful if this workflow works with the major Android browsers. Can somebody test this a bit more and maybe help me understand better what's required here?
I haven't tried with any passkey apps on android, but I'm pretty sure both google accounts and github (the app) will prompt for a passkey if you have it on your account.
As far as I remember, KeePassXC browser extension supports PassKeys. I'm not sure what is required on Android, unfortunately.
Seems like this is still in development in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1862132
For bitwarden, seems it works for some people, but it needs their beta app: https://www.reddit.com/r/Bitwarden/comments/1ccwhsz/passkeys_live_on_android_app/
@PhilippC did you have a look at https://www.passkeys.io/ ? It seems a good starting point. On Samsung devices the default password manager should be compatible with passkeys: https://www.samsung.com/uk/apps/samsung-pass/ . From there I guess you will have to test with multiple browsers, Chrome or FF (but from my point of view it seems to be still a bit buggy). Hope this can help you.
Thank you for your hard work
I tried out Bitwarden, seems I can only add a GitHub passkey using Samsung internet 😅 Chrome never prompts for Bitwarden when adding the passkey.
After it's added, it can be used in both Chrome and Samsung.
@ishamf For chrome there is a flag in chrome://flags to set Passkey support to Enabled for Bitwarden to work and you cannot have any passkeys in google password manager AFAIK
> you cannot have any passkeys in google password manager AFAIK
Thanks, this might be it, I have a bunch of test passkeys there.
@Ch4s3r thanks a lot for the hint! That is very helpful! With Bitwarden 2024.4.2 I can then see the workflow in action. That should be a very good starting point!
I have been able to use passkeys on GrapheneOS and Vanadium with Proton Pass. I originally needed to set the web-authentication-android-credential-management flag to "Enabled for Google Password Manager and 3rd party passkeys", but that flag seems to have been removed and made default since I first tested it.