keepassxreboot / keepassxc-browser

KeePassXC Browser Extension
GNU General Public License v3.0

Enable "Passkeys" Web Authentication in browser extensions by default #2377

Open Progman2002 opened 2 weeks ago

Progman2002 commented 2 weeks ago

Summary

When you install the browser extension the Passkeys Web Authentication feature is disabled by default. This feature should be enabled by default.

Examples

The "Passkeys" related settings when installing the KeePassXC extension in the browser:

passKeysSettings

Here the setting should be enabled by default.

Context

I have an existing database with (only) passkeys and wanted to use them on a new OS and browser. So I installed the KeePassXC extension in my browser (Firefox and, because it didn't work, Edge as well...). I successfully "connected" the KeePassXC extension with the actual KeePassXC application/database, as seen in the screenshot here:

connected

When I browse a website with passkey login support I even see an icon in the login username field and an auto-fill feature popup from KeePassXC to enter my username from my database. This led me to believe that everything is successfully connected and working between my browser and KeePassXC application (and open database).

However, when I press the "Login via Passkey" button to try to login via passkeys, I always get a default "Windows security" dialog asking me to insert my USB security token stick.

defaultDialog

This is not the dialog I'm expecting; I don't even have such a USB security token stick. So I checked online for several issues of the same kind from other users and did checks like "Is my browser version up-to-date?", "Is keepassxc-proxy.exe running?", "Is the setting security.webauth.credential_management enabled/disabled?" or "Is the KeePassXC application running?". But "nothing works", even though everything is working (it looks like that).

Finally, at some point I checked the settings of the browser extension and noticed that the feature for using passkeys is disabled by default. Additionally, the feature "Enable passkeys fallback" is enabled by default, which IMO doesn't make sense when the "Enable passkeys" setting itself is disabled. So, after enabling the "Enable passkeys" setting, everything works as it should. I get a confirm dialog from KeePassXC to login via my stored passkey.

That's why the setting "Enable passkeys" should be enabled by default.

droidmonkey commented 2 weeks ago

@varjolintu I think we should ask in the popup if the user wants to enable passkeys the first X times it is shown. Or something like that.

varjolintu commented 2 weeks ago

This feature is something I'd like not to be enabled by default because it injects a script into every web page. That's something users might not be expecting. We could add an info message to the popup though.

The fallback option checkbox should be disabled if the passkeys option is not checked.