Kunzisoft / KeePassDX

Lightweight vault and password manager for Android, KeePassDX allows editing encrypted data in a single file in KeePass format and filling in the forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0
4.3k stars 259 forks

Support for Passkeys #1421

Open alensiljak opened 1 year ago

alensiljak commented 1 year ago

Wondering if it is time to resurrect the request for passkeys support. The initial support has come to Android and it may soon be possible to have 3rd-party apps managing passkeys on devices. I'd like my passkeys stored in .kdbx files, along with other sensitive data. At this point, this is a brainstorming and research stage. Also, this could be related to some other issues involving FIDO standards.

The end-result is to have KeePassDX as the storage and a key generator for Passkeys on Android.

Background info:

Add Android Credential provider :

Emphasis on the statement from Google:

> Note: In the future, Android users will be able to use third-party credential management apps to store their passkeys.

Calmquist commented 1 week ago

Having said that, there was a fair bit of discussion further back in the thread expressing the hope that any implementation would not depend on Google Credentials libraries, which are poorly supported in many ALT-ROMS, DeGoogled devices, or in the case of GrapheneOS, deliberately excluded, or optionally sandboxed. There were even postings about 1Password having implemented and open sourced their own credential library. Since your Credential Provider addendum mentioned 1Password, I figured you had used that library and I should be good to test it.

I believe Chromium depends on Google Play Services for FIDO2 support. In that case, one would need to use another browser that does support FIDO2 without Google or have some other application that can "spoof" Google Play Services. Such an application would require elevated privileges. I am not sure there is anything KeePassDX can do about that.

J-Jamet commented 1 week ago

This feature requires a great deal of study and time. I'm aware that the functionality is already present on KeePassXC and many requests are being made for KeePassDX. Many of you are impatient, but we need to take the time to implement the feature properly. There are platform constraints that require the use of Android 14 for the Credential Manager.

Thank you @cali-95 for your work in this first implementation. It's really appreciated, I'll study your code.

mcrocker commented 1 week ago

@cali-95:

I will try again later this afternoon with a newer GrapheneOS device. 🤞

Sorry no joy. I tried from both an up-to-date Pixel Tablet running GrapheneOS (Android 14) and Pixel Fold. I uninstalled the F-Droid KeePassDX and installed your APK. The app crashed on start-up.

I tried a few ways to download, in case there was an unreported download error and several installation sources. I also tried disabling Hardened memory allocator, but since the app is debuggable, it would not let me turn that off. I was able to turn off Native code debugging, but that didn't make any difference.

I set the flags in Vanadium according to the 1Password instructions and tried it with and without Passwords, passkeys & autofill set to KeePassDX.

I'll try to post the stack trace in your repo so we don't spam this issue.

Maybe folks with pure Android devices will have better luck.

mcrocker commented 1 week ago

@cali-95:

> I'll try to post the stack trace in your repo so we don't spam this issue.

I could not figure out how to create an issue on your repository, so here are the links to the error logs:

shuvashish76 commented 1 week ago

> I publish my current version at https://github.com/cali-95/KeePassDX/releases/tag/v0.1.0 and I am open for feedback.

Until official support/merger here @cali-95 can you please create a separate discussion with "My passkeys support experiments" or some similar heading?

J-Jamet commented 1 week ago

> Sorry no joy. I tried from both an up-to-date Pixel Tablet running GrapheneOS (Android 14) and Pixel Fold. I uninstalled the F-Droid KeePassDX and installed your APK. The app crashed on start-up.

I know why, there's a TAG issue in the call for services with PendingIntent, that's why I said we shouldn't go too fast. We need to do all the migration steps to API 34 before anything else so that it's compatible with Android 14. I'm taking care of that in a dedicated branch, and I'll make another branch based on it to manage Passkey.

J-Jamet commented 1 week ago

I've finished migrating API 34 to branch develop. There may still be a few bugs to fix but it'll be a good basis for implementing the credential manager.