beemdevelopment / Aegis

A free, secure and open source app for Android to manage your 2-step verification tokens.
https://getaegis.app
GNU General Public License v3.0
9.15k stars 387 forks

Passkey support? #1281

Open zuavra opened 8 months ago

zuavra commented 8 months ago

Hi, I was wondering if Aegis has any plans to support passkeys. For example, going on https://www.passkeys.io/ and using the "Sign in with a passkey" button on a desktop browser you get a QR code popup. Would it be feasible for Aegis to scan that QR code like it does for TOTP codes and act as an authenticator for that passkey going forward? Thank you.

Granddave commented 8 months ago

Hi @zuavra, passkeys use another form of technology based on asymmetric cryptography, which means that the two parties (i.e. the website and the authentication device) have to communicate directly. On a desktop it's usually a browser extension or the underlying OS that is acting as the client through the browser. In the case of Aegis, you make up the communication between the app and the website by reading the generated codes and writing them into the website.

Without speaking on behalf of the maintainers of Aegis, I wouldn't think adding support for passkeys is feasible or desirable, at least due to the technical limitations.

alexbakker commented 8 months ago

There isn't really a good way for Android apps to directly support Passkeys. The implementers of Passkeys in Android have tried very hard to force the OS into the authentication path as a core component.

Android 14 (and up) does allow delegating storage of Passkey private key material to a third-party app: https://developer.android.com/training/sign-in/credential-provider. We could consider implementing support for that in Aegis. The question is whether that should be considered in scope for Aegis, of course.

naiyerasif commented 8 months ago

Passkey support should be more of a password manager's scope rather than Aegis since they can be set as autofill apps on Android and therefore can be used to sign in with Passkeys.

alexbakker commented 7 months ago

Occupying the autofill service slot is not a requirement for an app to be a passkeys credential provider.