keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Feature request: security key emulation #10373

Closed t4moxjc7 closed 7 months ago

t4moxjc7 commented 7 months ago

Summary

Some sites support security keys, but not passkeys (or not even TOTP). It would be good to use this functionality via KeePassXC. Relevant proof of concept that I found: https://github.com/danstiner/rust-u2f

Examples

N/A

Context

N/A

t4moxjc7 commented 7 months ago

Is it worth listing sites that have security key options that don't work with KeePassXC in this issue? Or is the mechanism not actually related to passkeys, even if some sites present it under the same option?

droidmonkey commented 7 months ago

Security keys are unrelated to passkeys. FIDO U2F is a different, but related, standard to WebAuthn (the foundation of Passkeys). It is also only applicable as a second factor of authentication and cannot replace username and password like passkeys can. https://rublon.com/blog/u2f-vs-webauthn-whats-the-difference/

droidmonkey commented 7 months ago

Reading through the rust implementation, I am fairly certain we would never implement this feature. KeePassXC will not masquerade as a HID device and U2F is a dead standard at this point with Passkeys.

luzat commented 7 months ago

@droidmonkey This may be related to https://github.com/keepassxreboot/keepassxc/issues/10382. I think most sites nowadays are actually using FIDO2/WebAuthn, not FIDO U2F (browsers have mostly removed their support for that), for security key support. Security key support in that sense would mainly involve some more flexible parameters, like specifying the allowed transports and authenticator type (attachment, resident?).

This is obviously only about browser support, not all use cases that a security key could be used for (and it's unclear what the intention of @t4moxjc7 was, but I assume he meant websites).
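The WebAuthn parameters named in the comment above (allowed transports, authenticator attachment, resident key), as an added example that is not part of the original thread and not KeePassXC code: a sketch of how a credential manager could read them from a site's request to tell a security-key-style second factor from a passkey flow. The function names and the sample option objects are constructed for illustration.

```javascript
// Effective resident-key requirement as WebAuthn defines it: `residentKey`
// wins; otherwise the legacy boolean `requireResidentKey` decides.
function effectiveResidentKey(sel) {
  if (sel.residentKey) return sel.residentKey;
  return sel.requireResidentKey ? "required" : "discouraged";
}

// Summarise what a registration request (navigator.credentials.create) asks for.
function classifyRegistration(publicKey) {
  const sel = publicKey.authenticatorSelection || {};
  const residentKey = effectiveResidentKey(sel);
  const credential = {
    required: "discoverable",            // passkey-style, usable without a username
    preferred: "discoverable-if-possible",
    discouraged: "server-side",          // second-factor style, site supplies the ID
  }[residentKey];
  // "cross-platform" = roaming key (USB/NFC/BLE), "platform" = built in, absent = any.
  return { credential, residentKey, attachment: sel.authenticatorAttachment || "any" };
}

// Summarise a login request (navigator.credentials.get): an empty allow-list
// means the authenticator must find a discoverable credential on its own.
function classifyLogin(publicKey) {
  const creds = publicKey.allowCredentials || [];
  if (creds.length === 0) return { flow: "discoverable", transports: [] };
  const transports = [...new Set(creds.flatMap((c) => c.transports || []))].sort();
  return { flow: "allow-list", transports };
}

// Constructed sample requests (not captured from any real site).
const securityKeyRegistration = {
  authenticatorSelection: { authenticatorAttachment: "cross-platform", requireResidentKey: false },
};
const passkeyRegistration = {
  authenticatorSelection: { residentKey: "required", userVerification: "required" },
};
const securityKeyLogin = {
  allowCredentials: [
    { type: "public-key", id: new Uint8Array([1, 2, 3]), transports: ["usb", "nfc"] },
    { type: "public-key", id: new Uint8Array([4, 5, 6]), transports: ["usb"] },
  ],
};

console.log(classifyRegistration(securityKeyRegistration));
console.log(classifyRegistration(passkeyRegistration));
console.log(classifyLogin(securityKeyLogin));
```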

droidmonkey commented 7 months ago

This request was about FIDO U2F only

t4moxjc7 commented 7 months ago

@luzat I'm not sure, but as I understand it, that sort of authentication does trigger the KeePassXC prompt, so it should be covered by issue https://github.com/keepassxreboot/keepassxc/issues/10374