PhilippC / keepass2android

Password manager app for Android
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
GNU General Public License v3.0

Support for Passkeys #2099

Open alensiljak opened 2 years ago

alensiljak commented 2 years ago

Is it worth (already) tracking the implementation progress of Passkeys and the possibility for Keepass2Android to act as the storage and the key generator? I guess it is only the brainstorming and research stage at this point.

Some background information:

with emphasis on

> Note: In the future, Android users will be able to use third-party credential management apps to store their passkeys.

pfak commented 1 year ago

Google has implemented Passkeys on their production websites

https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/

zburgermeiszter commented 1 year ago

@PhilippC is this feature planned in a future version?

cpetry commented 1 year ago

+1

Would like to stay with KeePass if possible!

Kareltje1980 commented 1 year ago

This is really getting some traction. There is already some collaboration between other keepass clients on how these should be stored in keepass vaults.

https://github.com/keepassxreboot/keepassxc/pull/8825

I think it would make sense to take a look at this implementation.

boergondier commented 1 year ago

+1

juanhs12 commented 1 year ago

The latest beta version of KeepassXC has the ability to import and export passkeys.

The pull request with the WebAuthn was accepted today, 26 October 2023.

https://snapshot.keepassxc.org/latest/

https://github.com/keepassxreboot/keepassxc/pull/8825

darkdragon-001 commented 11 months ago

The relevant Android documentation seems to be https://developer.android.com/training/sign-in/credential-provider

Pinging @varjolintu who added the support in KeePassXC.

cobexer commented 9 months ago

It looks like this will be backported and released with KeepassXC 2.7.7 just about any time now.

Has there been any development on this so far?

Calmquist commented 9 months ago

Bitwarden appears to be adding it as part of the migration from Xamarin to MAUI: https://github.com/bitwarden/mobile/tree/feature/maui-migration-passkeys . It appears to still be in early development, but it looks like Bitwarden is using the credential provider API.

jhass commented 9 months ago

Latest Firefox on MacOS supports passkeys now, we could store passkeys via Keepass2Android right now via the QR code method.

oxivanisher commented 7 months ago

FYI: As of today, Keepass XC 2.7.7 is officially released and supports passkeys.

Kranzes commented 7 months ago

Please do not use the Google passkey library on android as it does not work without Google Play Services and I want to be able to use my YubiKey for this on my degoogled phone.

hackerd2501 commented 7 months ago

@PhilippC Any plans to implement this?

hackerd2501 commented 7 months ago

@PhilippC If I use passkey support on keepassxc, are the keepass databases still compatible between keepassxc and keepass2android, even if you don't implement passkeys?

Calmquist commented 7 months ago

> @PhilippC If I use passkey support on keepassxc, are the keepass databases still compatible between keepassxc and keepass2android, even if you don't implement passkeys?

I haven't used KeePass2Android, but it shouldn't be a problem. KeePassXC will add some custom fields named KPEXPASSKEY*.

Ironfist69 commented 7 months ago

Bump

capi commented 7 months ago

> > @PhilippC If I use passkey support on keepassxc, are the keepass databases still compatible between keepassxc and keepass2android, even if you don't implement passkeys?
>
> I haven't used KeePass2Android, but it shouldn't be a problem. KeePassXC will add some custom fields named KPEXPASSKEY*.

Can confirm that files from KeepassXC 2.7.7 providing Passkeys can be read and written by Keepass2Android without the passkeys getting in the way. As pointed out, the Passkey's info is stored as special fields in the entries.

It would be great if Keepass2Android would follow the field names used there and hence become compatible with KeepassXC 2.7.7+.
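
Added example, not part of the thread and not code from KeePassXC or Keepass2Android: one way to list which entries of a database carry the passkey custom fields described above, for instance before relying on a client that does not know them. It assumes a plaintext KeePass 2 XML export; the sample data, the field suffixes and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Prefix as written in the thread. Underscores are ignored when matching,
# because the exact spelling of the field names is an assumption here.
PASSKEY_PREFIX = "KPEXPASSKEY"

# Constructed sample in the layout of a KeePass 2 XML export; the field
# suffixes and all values are placeholders, not real KeePassXC names or data.
SAMPLE_EXPORT = """<KeePassFile><Root><Group><Name>Root</Name>
  <Entry>
    <String><Key>Title</Key><Value>example.org</Value></String>
    <String><Key>KPEXPASSKEY_PLACEHOLDER_A</Key><Value>aaa</Value></String>
    <String><Key>KPEXPASSKEY_PLACEHOLDER_B</Key><Value>bbb</Value></String>
    <History><Entry>
      <String><Key>Title</Key><Value>example.org (old)</Value></String>
      <String><Key>KPEXPASSKEY_PLACEHOLDER_A</Key><Value>old</Value></String>
    </Entry></History>
  </Entry>
  <Group><Name>Mail</Name>
    <Entry>
      <String><Key>Title</Key><Value>mail.example</Value></String>
      <String><Key>Notes</Key><Value>password only</Value></String>
    </Entry>
  </Group>
</Group></Root></KeePassFile>"""


def is_passkey_field(key):
    """True if a custom field name starts with the passkey prefix."""
    return key.replace("_", "").upper().startswith(PASSKEY_PREFIX)


def entries_with_passkeys(xml_text):
    """Map entry title -> sorted passkey field names; passkey values are never read."""
    root = ET.fromstring(xml_text).find("Root")
    if root is None:
        raise ValueError("not a KeePass 2 XML export: no <Root> element")
    found = {}

    def walk(group):
        # Direct children only, so old versions kept under <History> are skipped.
        for entry in group.findall("Entry"):
            fields = {s.findtext("Key", ""): s for s in entry.findall("String")}
            title = fields["Title"].findtext("Value", "") if "Title" in fields else "(untitled)"
            names = sorted(k for k in fields if is_passkey_field(k))
            if names:
                found.setdefault(title, []).extend(names)
        for sub in group.findall("Group"):
            walk(sub)

    for top in root.findall("Group"):
        walk(top)
    return found
```

A plaintext export holds every secret of the database in clear text, so work on a scratch copy and delete the export afterwards.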

PhilippC commented 6 months ago

this clearly is one of the hot candidates for the next feature to be implemented. Unfortunately, I haven't had any time to even read the emails related to the app recently so I can't make any promises about this at the moment.

leowankerddd commented 5 months ago

> this clearly is one of the hot candidates for the next feature to be implemented. Unfortunately, I haven't had any time to even read the emails related to the app recently so I can't make any promises about this at the moment.

I'll gladly make a donation if it helps push this towards the top of the pile of new features.

I'm using the passkey support in keepassxc on Windows and Linux.

For now, I'm tying passkeys to my phone directly because I can't put them in any Android password manager.

I'm not a programmer, but I am a good beta tester should you ever have a fairly stable beta of your software with passkey I'd be happy to test.

capi commented 5 months ago

Having looked at the keepass2android plugin API, I think that it could be implemented with a plugin, if the missing APIs are still not available from Xamarin. Unfortunately neither do I have much Android development experience nor too much time at the moment, but just as an idea for someone able who'd have time.

PhilippC commented 5 months ago

I started to investigate how this could be implemented and tested.

Unfortunately, I didn't find good ways to test (and use) any implementation (I don't have one yet). Can anybody help here?

I think this whole feature will only be useful if this workflow works with the major Android browsers. Can somebody test this a bit more and maybe help me understand better what's required here?

starsoccer commented 5 months ago

I haven't tried with any passkey apps on android, but I'm pretty sure both google accounts and github (the app) will prompt for a passkey if you have it on your account.

alensiljak commented 5 months ago

As far as I remember, KeePassXC browser extension supports PassKeys. I'm not sure what is required on Android, unfortunately.

ishamf commented 5 months ago

Seems like this is still in development in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1862132

For bitwarden, seems it works for some people, but it needs their beta app: https://www.reddit.com/r/Bitwarden/comments/1ccwhsz/passkeys_live_on_android_app/

9pr19 commented 5 months ago

@PhilippC did you have a look at https://www.passkeys.io/? It seems a good starting point. On Samsung devices the default password manager should be compatible with passkeys: https://www.samsung.com/uk/apps/samsung-pass/ . From there I guess you will have to test with multiple browsers, Chrome or FF (but from my point of view it seems to be still a bit buggy). Hope this can help you.

Thank you for your hard work

ishamf commented 5 months ago

I tried out Bitwarden, seems I can only add a GitHub passkey using Samsung internet 😅 Chrome never prompts for Bitwarden when adding the passkey.

After it's added, it can be used in both Chrome and Samsung.

Ch4s3r commented 5 months ago

@ishamf For chrome there is a flag in chrome://flags to set Passkey support to Enabled for Bitwarden to work and you cannot have any passkeys in google password manager AFAIK

ishamf commented 5 months ago

> you cannot have any passkeys in google password manager AFAIK

Thanks, this might be it, I have a bunch of test passkeys there.

PhilippC commented 5 months ago

@Ch4s3r thanks a lot for the hint! That is very helpful! With Bitwarden 2024.4.2 I can then see the workflow in action. That should be a very good starting point!

Calmquist commented 5 months ago

I have been able to use passkeys on GrapheneOS and Vanadium with Proton Pass. I originally needed to set the web-authentication-android-credential-management flag to "Enabled for Google Password Manager and 3rd party passkeys", but that flag seems to have been removed and made default since I first tested it.

kevinlucasilva commented 5 months ago

@PhilippC, I would like to share a discussion that is taking place within the Bitwarden community about Passkeys:

https://community.bitwarden.com/t/passkeys-support-for-mobile-apps

Take a look at this discussion (if you haven't seen it already), as development on Bitwarden is a little more advanced, and with some issues.

Anyway, I hope they can bring this feature, because the app would be even better than it already is.

THX.

SnoopAir commented 3 months ago

Some time has passed since the last comment on this feature. Is there any update or timeline on when this cool feature will be available? Without it, for me moving forward to using passkeys is a no-go :(

frankmill commented 2 months ago

@SnoopAir

That's exactly how I see it.

Horst12345 commented 1 month ago

+1 and Push: I really want to increase the security for my login accounts with passkeys. So for me it is absolutely relevant that passkeys are implemented in Keepass2Android.

So please follow up @PhilippC

deltragon commented 1 month ago

I feel the need to point out that the best way to get Passkeys implemented isn't to spam this issue, but it's to either help out as requested in https://github.com/PhilippC/keepass2android/issues/2099#issuecomment-2110501145, or donate. The fact that there's a need here has been demonstrated enough, and pinging the author (and everyone subscribed to this issue) isn't gonna help.

CueHD commented 1 month ago

> I think this whole feature will only be useful if this workflow works with the major Android browsers.

Android apps are beginning to accept passkeys for authentication. One example is the Fastmail app. I'm not sure if it goes through the Android system webview or not.

ieugen commented 1 month ago

I tried KeepassXC passkey with Firefox 128 on Github and it worked. Would be great to have it working on Android via keepassxc. Seems like Firefox Android 128 will work with Passkeys

This explains the status of Passkeys on different versions of Android (~ minute 6): https://developer.android.com/courses/pathways/passkeys

Also decided to sponsor the project to support this feature :)

PetrVladimirov commented 1 month ago

An additional use-case for android apps: Australian ubank is moving its entire customer base to passkeys with no exceptions.

> Do all ubank customers need to use passkeys to log into their ubank app? Yes. Since May 2024, all new customers are already logging into their ubank app using passkeys. From 23 July 2024, existing customers can enrol a passkey via their security settings.
>
> We aim to have all customers using passkeys as their app log in method by November 2024.

Source

ICEMANno1 commented 1 month ago

> I think this whole feature will only be useful if this workflow works with the major Android browsers. Can somebody test this a bit more and maybe help me understand better what's required here?

I'm not an Android developer or a passkey expert. But from this documentation I understood

  1. all browsers which implement the credentials manager API are supported,
  2. keepass2android doesn't need to handle all passkey/webauthn details except for storing the key pair with a relationship to the account and application and
  3. the new credentials manager API would enable a more seamless integration with browsers supporting it than auto fill (and not only for passkeys).

If I can help in any other way, please always feel free to ask e.g. specific questions about passkeys, webauthn, credentials manager I can try to research, understand and answer 🤞😅. Thanks for all your great work so far!

anttiharju commented 2 weeks ago

Made a donation to support this feature :)

Strongbox (KeePass for macOS / iOS / iPadOS) already supports passkeys. I hope that keepass2android's implementation will be compatible with the passkeys created by it; their blog post on passkeys may be interesting https://strongbox.reamaze.com/kb/faqs/use-passkeys-with-strongbox:

> A Note on KeePass Interoperability and other Database Formats
>
> Not all KeePass apps currently support passkeys. Your passkey data is viewable and can be recovered by opening your database with another KeePass app, but many of these apps will not allow you to create and save new passkeys, or to authenticate with your existing passkeys. Unfortunately, for technical reasons, we cannot support passkeys on KeePass 1 or Password Safe format databases. We recommend migrating to a standard KeePass 2 format database, which should be very straightforward and will provide you with a host of other improvements. Drop us a line if you need some help with that.

capi commented 2 weeks ago

@anttiharju It seems that Strongbox follows the way that KeepassXC does it in the desktop version (which would make sense "they" supported it first and other implementations following this would be the best for portability). KeepassXC also does store them as custom fields with the same IDs: KeePassXC

rmueller83 commented 2 weeks ago

For portability, there was just a new standard announced: https://fidoalliance.org/specifications-credential-exchange-specifications/ https://blog.1password.com/fido-alliance-import-export-passkeys-draft-specs/

capi commented 2 weeks ago

@rmueller83 These standards seem related to how to exchange passkeys between credential providers, not so much as for when sharing a kdbx file between different implementations (i.e. because using it on multiple platforms).

anttiharju commented 2 weeks ago

@capi happened to come across this blog post from strongbox today. There they mention

> Support for passkeys is coming soon to some major KeePass clients like KeePassXC, with whom we’ve worked to ensure compatibility. We’re hoping other KeePass clients can take advantage of our trail breaking here.

rbdzyx commented 6 days ago

> I think this whole feature will only be useful if this workflow works with the major Android browsers. Can somebody test this a bit more and maybe help me understand better what's required here?

Not sure if you still want a reply to this, but...

I tried Chrome and Brave on Android 14 (Pixel) and they both support creating and authenticating passkeys. Nothing needs to be enabled. You can store passkeys in Google password manager or Bitwarden for example. You have to enable it in Settings/Passwords and accounts. You can test passkeys using https://webauthn.io/ https://www.passkeys.io/

I have Keepass2Android Offline as my primary selected password manager on Android under Settings/Passwords and accounts. Bitwarden is also listed there but disabled, and Google (Google Password Manager, Google Play and Google Wallet) is enabled. I get prompted to select which Google account available on the phone to store the passkey under.

It doesn't offer Bitwarden as expected on Android, but it does on Windows PC where I have the Bitwarden add-on for Chrome.