KeePassium icon indicating copy to clipboard operation
KeePassium copied to clipboard
verified publisher icon keepassium

Passkey registration via QR code fails

Open keepassium opened this issue 1 year ago • 4 comments

Description Creating a passkey with another device (via QR code) fails with no passcode in KeePassium and an error message on the target device.

How to reproduce Steps to reproduce the behavior:

  1. In Chrome, open https://passkeys-debugger.io, set "Authenticator Attachment" to "Cross-platform" and click "Start Passkey Creation"
  2. Chrome will show a QR code, scan it with iPhone's camera
  3. Follow the passkey creation steps
  4. Observe the error on the website:

    The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client."

Expected behavior Passkey should be successfully registered.

Environment:

  • Device: iPhone
  • OS: iOS 18
  • App Version: 2.0.158

Additional context

https://github.com/keepassium/KeePassium/issues/297#issuecomment-2538942511 [thanks, jasperweiss] https://github.com/keepassium/KeePassium/issues/297#issuecomment-2547970200 [thanks, danielwagn3r]

keepassium avatar Dec 17 '24 11:12 keepassium

I've to update my previous comment. Creation of the passkey doesn't fail always. I've seen a passkey created via QR-code now, too. But the error message on the website (Auth0 in my case) stays the same.

My environment: Desktop: Windows 10/11 + Chrome 131 Phone: iOS 18.2 KeePassium: v2.0.158

danielwagn3r avatar Dec 17 '24 11:12 danielwagn3r

Interestingly, when I try to add a key using a QR code on that site, the key is added successfully in KeePassium, but the browser flashes back

My environment: Desktop: Windows 11 Edge 131.0.2903.99 | Chrome 131.0.6778.140 | Chrome 131.0.6778.205 Phone: iOS 18.2 KeePassium:v2.0.158 | KeePassium Pro: v2.0.158

litcc avatar Dec 19 '24 03:12 litcc

I had the same issue on my end, after a lot of back and forward, I noticed that Chrome for Mac takes into consideration the order of keys inside the attestation object. Unlike Safari and other browsers, even unlike Chrome for iOS.

That said, if you don't pass the exact order, Chrome will reject your passkey registration.

CBOR dict.encode() does not retain any specific order, so you might have success or not. To fix the problem you should change cborEncodePublicKey and cborEncodeAttestation inside Passkey.swift, remove the dictionaries, create the array and append the keys yourself.

It's working 100% after that change, with all browsers.

btereso-sa avatar May 21 '25 19:05 btereso-sa

@btereso-sa , this is awesome, thank you so much for the insight!

Update: yep, preserving the order of keys fixed it.

keepassium avatar May 21 '25 21:05 keepassium

Fix released in v2.4. Big thanks to @btereso-sa for the solution 👍

keepassium avatar Nov 03 '25 16:11 keepassium