Open t4moxjc7 opened 8 months ago
directentis1
commented
7 months ago It's strange but Bitwarden Addons/Extension stills can hook to save passkeys for microsoft.com. I wonder how can they do that?
Only some sites it's doesn't work, might require security key (like for Amazon AWS, Paypal,...)
lichwala
commented
7 months ago In case of microsoft.com: "Only security keys can be registered." - that is NOT correct. This site works fine with Enpass (software-based passkeys support) password manager. I've stored passkeys for both my microsoft.com accounts in Enpass and then used them successfully to login. I hope KeepassXC can make it too if properly implemented.
varjolintu
commented
7 months ago In case of microsoft.com: "Only security keys can be registered." - that is NOT correct. This site works fine with Enpass (software-based passkeys support) password manager. I've stored passkeys for both my microsoft.com accounts in Enpass and then used them successfully to login. I hope KeepassXC can make it too if properly implemented.
I have managed to create a passkey using KeePassXC with Microsoft's site, and I use it all the time. Just haven't caught the reason why the creation fails 90% of the time.
pamperer562580892423
commented
7 months ago Various people (including myself) have problems with eBay and passkey usage, region-independent as it seems. The following issues are in Bitwarden sites, but I have the exact same experience with KeePassXC 2.7.7 and extension 1.9.0.3 (on Brave, Windows 11): https://github.com/bitwarden/clients/issues/7456 and https://github.com/bitwarden/clients/issues/7785
There, I wrote about my experience in detail.
And so far, nobody seems to have a clue - or at least make it public - of what may be the reason, why the browser extensions don't intercept the passkey request in the log-in process. (to me it seems, the ebay site directly sends the request to the OS - and third-party password managers can't (or at least don't?) intercept the login-request)
pamperer562580892423
commented
7 months ago And an info about Microsoft, what was also disussed here: On another forum, someone posted this: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/what-s-new-in-microsoft-entra/ba-p/3796395
There, the first point after the overview - "Changes to FIDO2 authentication methods and Windows Hello for Business") - states more or less (and if I understand correctly) that for corporate users, only a physical security key / device-bound passkey is possible. (and it seems, for private users there are also synced passkeys possible)
So in a way, both infos are true - and with Microsoft, one maybe has to distinguish between "business" and "private" user, regarding passkeys.
droidmonkey
commented
7 months ago Some sites are, we SUSPECT, doing browser finger printing and denying use of PassKeys based on that information. I believe this to be true for ebay, PayPal, and Microsoft at the least. Microsoft works sometimes which points to some heuristic BS in my opinion.
pamperer562580892423
commented
7 months ago @droidmonkey Ah, thanks for the first clue! So you don't see how you could "catch" that passkey request / improve that, because ebay etc. "block" it from happening (so to speak)? - BTW: In that occasion, I first noticed that (in my case) Windows 11 doesn't offer to "put the request through/back" to e.g. KeePassXC... However, passkeys are still in it's infancy...
droidmonkey
commented
7 months ago Yes, if the browser doesn't call up the callback, we can not intercept it. For a good number of these sites, they only support passkeys on mobile devices and a select few desktop browsers / versions.
lichwala
commented
7 months ago Well, I've just tried ebay.com (on Windows 11 and the latest Chrome) and again - passkey support works perfect in Enpass (software-based passkeys support) password manager. I've created an account on ebay.com, properly stored passkey in Enpass on request and then successfully logged in with passkey from Enpass. That means (if I understand it correctly), unless Enpass is on some whitelist of software-based passkeys solutions, it should be also possible to make the same flow in KeePassXC if implemented correctly.
varjolintu
commented
7 months ago @lichwala I just created a passkey for my eBay account without any problems. Authentication works as expected.
pamperer562580892423
commented
7 months ago @lichwala and @varjolintu Do the passkeys still work, when you close and open the browser or restart the PC?
Because, (only) the first login with passkey, directly after creation of the passkey, worked for me as well. But after browser closing or restart, eBay never again even offers me to use the passkey.
I just tested it again, though with Bitwarden, and two things happen for me:
And this was the same experience for me, as I tried it with KeePassXC a few weeks ago.
So, again, the first login after creation was no problem at all. But after that, it never works again for me.
On what systems and browsers are you? Maybe this has an influence as well, if it works for you and not for me (and others)?
varjolintu
commented
7 months ago @pamperer562580892423 I can reproduce the same: eBay does not offer passkeys login if the browser is restarted. Maybe they are storing that info to a cookie or temporary localStorage during register?
I created my eBay passkey with the latest Firefox on macOS.
pamperer562580892423
commented
7 months ago @varjolintu The thought of a cookie or something occurred to me as well.
And then, not a comprehensive test, but as of now it seems to be pretty much platform independent. (I am on Windows 11 Home with Brave)
varjolintu
commented
7 months ago It would be preferred that sites do not restrict passkeys use in any way. It just breaks 3rd party password managers. And the browsers will (should) return and error if there are compatibility issues anyways.
pamperer562580892423
commented
7 months ago Yes, I agree.
But just a thought: Instead of waiting for a passkey request from the browser, would it be possible to initiate the passkey-login proactively (meaning, initiating the passkey login from KeePassXC or the browser extension, instead of initiating it on the website in the browser)?
PS: Of course it is not possible now - but could something like that be implemented? Not for eBay alone, but, as you wrote, to maybe "circumvent" third-party password manager restrictions in the future as well? (of course, this would only work, if at least passkey creation successes - like it does with eBay now...)
PPS: I mean, the domain is bound to the passkey. I don't know if a "passkey request" technically could be initiated from the browser/password manager to the WebAuthn API or whatever, at that to-the-passkey-bound-domain? But maybe this is not possible, and not in the WebAuthn specs / the process doesn't work that way around?
varjolintu
commented
7 months ago @pamperer562580892423 Triggering a request would mean submitting a login form anyway, because the first request always comes from the server side.
juvannx
commented
6 months ago With Microsoft I managed to create a Passkey and login normally.
@varjolintu I tested today on firefox and brave, I can't create a passkey. It seems the site only supports USB tokens.
varjolintu
commented
6 months ago With Microsoft I managed to create a Passkey and login normally.
@varjolintu I tested today on firefox and brave, I can't create a passkey. It seems the site only supports USB tokens.
Microsoft just announced that they will support passkeys with all consumer accounts, but it seems on desktop it's restricted to Windows. I'm not surprised if it still doesn't work correctly.
directentis1
commented
6 months ago With Microsoft I managed to create a Passkey and login normally.
@varjolintu I tested today on firefox and brave, I can't create a passkey. It seems the site only supports USB tokens.
Microsoft just announced that they will support passkeys with all consumer accounts, but it seems on desktop it's restricted to Windows. I'm not surprised if it still doesn't work correctly.
I tested with Bitwarden (Firefox, Linux) and it always works regardless how many times I tried. I guess there's some kind of filter here.
varjolintu
commented
6 months ago With Microsoft I managed to create a Passkey and login normally.
@varjolintu I tested today on firefox and brave, I can't create a passkey. It seems the site only supports USB tokens.
Microsoft just announced that they will support passkeys with all consumer accounts, but it seems on desktop it's restricted to Windows. I'm not surprised if it still doesn't work correctly.
I tested with Bitwarden (Firefox, Linux) and it always works regardless how many times I tried. I guess there's some kind of filter here.
Good to know. I need to figure out why our extension does not receive the requests.
EDIT: Just retested this, and I could create a new passkey every time, plus signin also worked. Tested with Firefox (macOS). Extension version 1.9.0.3, which is not the latest. 1.9.0.4 was just released but not yet updated to the stores.
droidmonkey
commented
6 months ago Microsoft often does slow rolling releases. Always good to give a solid week after an announcement from them.
Ollipop030
commented
6 months ago Can´t create MS passkeys. It should be already rolled out here in germany, but the extension windows just doesn´t show up. I can only create passkeys for USB devices. Keepass 2.7.8., extension 1.9.0.4 with brave browser.
dionorgua
commented
6 months ago I've just tried to use Passkeys instead of hardware Yubikey dongle. I was able to enroll KeepassXC as 'biometric' authenticator. But unfortunately keepassxc-browser prints "No logins found" error.
Could it be because I'm getting just 'rpId' property instead of 'rp' dict?
Object { challenge: "BDPZL-EDITED3", enterpriseAttestationPossible: false, extensions: undefined, rpId: "pingone.eu", timeout: 120000, userVerification: "required", allowCredentials: (1) […] }
allowCredentials: Array [ {…} ]
0: Object { id: "EDITED1-EDITED2", transports: (1) […], type: "public-key" }
id: "EDITED1-EDITED2"
transports: Array [ "internal" ]
type: "public-key"
<prototype>: Object { shadowSelector: shadowSelector(value), shadowSelectorAll: shadowSelectorAll(value)
, … }
length: 1
<prototype>: Array []
challenge: "BDPZL-EDITED3"
enterpriseAttestationPossible: false
extensions: undefined
rpId: "pingone.eu"
timeout: 120000
userVerification: "required"@dionorgua Does this happen on register or authentication phase?
dionorgua
commented
6 months ago @varjolintu sorry for being not clear. It's authentication phase. So I was able to 'enroll' passkey. PingId UI shows it as 'Biometric' authentication. Also I can confirm that I can register and authenticate at https://demo.yubico.com/ so most likely my setup is good.
EDIT: I've tested only a few sites and it works. Where it doesn't work is PingId authenticator
PS. it's KeepassXC 2.7.8 and KeepassXC-browser 1.9.0.3
lapo-luchini
commented
6 months ago playstation.com and gitlab.com works for me, with Firefox and KeePassXC 2.7.8.
directentis1
commented
6 months ago Me too, with Paypal's passkeys.
Gusti-broesmeli
commented
6 months ago I may have found another website where creating a passkey using KeePassXC does not work. Website: binance.com Browser: Brave KeePassXC-Browser-Version: 1.9.0.5 KeePassXC-Version: 2.7.8
Passkey Action: Create KeepassXC error: No logins found
Can anyone confirm or deny whether my assumption seems correct?
kevinlucasilva
commented
6 months ago Really, I didn't get to register the Microsoft's passkey with KeePassXC.
I'm using Librewolf and Ungoogled Chromium and tested in Chrome, and it didn't work, because ask me for a security key.
linuxtopia
commented
6 months ago For Bitwarden Vault;
Settings > Security > Two-step login > WebAuthn
option works with KeepassXC passkey. I can authenticate as 2FA option if this helps, the devs please check and compare with Login passkey issues.
bugshunter673
commented
5 months ago Hello! Would it be possible to consider emulating a USB device? I believe this could resolve the Uncaught TypeError issue related to getPublicKeyAlgorithm and the AuthenticatorAttestationResponse interface and other errors.
What are your thoughts on this approach?
const response = Object.create(AuthenticatorAttestationResponse.prototype);
response.getPublicKeyAlgorithm();
// Uncaught TypeError: 'getPublicKeyAlgorithm' called on an object that does not implement interface AuthenticatorAttestationResponse.Example of USB emulation: https://github.com/psanford/tpm-fido/blob/main/fidohid/fidohid.go#L212
varjolintu
commented
5 months ago @bugshunter673 I already have the getPublicKeyAlgorithm() ready but getPublicKey() still needs a bit tuning. But at least I'm adding the first one to 1.9.1.
bugshunter673
commented
5 months ago @varjolintu Apologies, I didn't notice your pull request ...
NoahDar
commented
5 months ago Seems no matter what I do can't get Microsoft Office 365 to trigger this. From what I understand Corporate users are forced to use real USB / NFC security keys. I will try creating a personal Microsoft account and see what happens.
Also for some stupid reason ebay under security settings on my account the passkey option is never listed. I even checked the two factor auth area. Nadda. Weird.
All other accounts it's working perfectly including Bank of America. I do have few USB hardware security keys including Yubico for testing at work but I prefer KeePassXC as the database is sync'd to my self hosted nextcloud server. Happy with this setup.
KeePassXC - 2.7.9 KeePassXC-Browser - 1.9.0.5 Operating system: Linux x86_64 Browser: Chrome/Chromium 126.0.0.0
Fraetor
commented
5 months ago Pixiv (https://accounts.pixiv.net/passkeys) is another site that does not work yet.
| Versions |
|---|
| Firefox 127.0 (64-bit) |
| Fedora Linux 40 (x86_64) |
| Keepass 2.7.8 |
| KeePassXC-Browser 1.9.0.5 |
It reports "You cannot create a passkey on this device/browser." when you try to register, though this seems to be based on User Agent sniffing. When faking Chrome's user agent registration is allowed, but fails with the following error:
The passkey was created in KeePassXC, but Pixiv fails on the registration ("An error occurred. Please reload the page and try again.").
wichtounet
commented
5 months ago Before, I was able to create and use a passkey on accounts.google.com but it does not work anymore. I have upgraded Keepass and Google Chrome to the latest versions but it did not change anything.
The only thing I see is "no logins found" even though my passkey is present in the database and the URL appears to be correct.
Edit: It's even weirder because I have multiple Google accounts and another one works with the passkey, but not the first one :(
varjolintu
commented
5 months ago @wichtounet That sounds a bit weird. Do you have multiple passkeys defined under the problematic account? I think the creation should fail for every account if there's a systematic problem. You can enable debug logging from the browser and see if the public keys created have some differences. It could help narrow down the issue. (Do not paste them here without omitting important data)
wichtounet
commented
5 months ago @varjolintu I have two passkeys, each for a different email. I have looked into the debug messages. One thing I have noticed is that for the passkey that works, one of the challenges is matching KPEY_PASSKEY_CREDENTIAL_ID. For the passkey that does not work, nones of the challenges is matching this value. Should I regenerate the passkey that does not work?
varjolintu
commented
5 months ago @wichtounet That's worth trying.
wichtounet
commented
5 months ago @varjolintu Updating the passkey did the trick! I must have done something dumb to break it. Thanks!
uprprc777
commented
3 months ago I had no issues creating a passkey and logging into my PlayStation account. However, I decided to remove the passkey and stopped using it because PlayStation disables other login methods, including your password, when a passkey is enabled. This limitation doesn’t make any sense to me.
PAStheLoD
commented
1 month ago One more Microsoft/Live.com doesn't work datapoint.
I got prompted from Skype's web version to try to enroll, the URL even had passkey in it, anyway ... on both Firefox and Brave I only get the macOS (Sonoma 14.6) native prompt. (On Brave when I cancel the native prompt Brave offers to save the passkey in a few places: iCloud Keychain, phone/tablet, brave profile, USB security key.)
varjolintu
commented
2 weeks ago Update on X / Twitter: Passkeys are only supported with Android and iOS. The security key option triggers the browser level dialog instead.
qrhfz
commented
2 weeks ago creating passkey in dynadot.com does not work. after entry is added to keepassxc's database. the website does nothing.
varjolintu
commented
2 weeks ago creating passkey in dynadot.com does not work. after entry is added to keepassxc's database. the website does nothing.
Enable Debug Logging in the extension and see if there are any error messages in the console.
qrhfz
commented
1 week ago @varjolintu
here's the log for dynadot.com
[Debug passkeys.js:89] KeePassXC-Browser - Passkey request
{
"attestation": "direct",
"authenticatorSelection": {
"residentKey": "discouraged"
},
"challenge": "6QVBhms1J1zhwWSvsDhYDAO0dsL7r2kRHun2_xM-j9U",
"extensions": {
"credProps": true
},
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
},
{
"type": "public-key",
"alg": -8
},
{
"type": "public-key",
"alg": -257
}
],
"rp": {
"name": "Dynadot Webauthn",
"id": "www.dynadot.com"
},
"timeout": 30000,
"excludeCredentials": [],
"user": {
"displayName": "***",
"id": "*********",
"name": "***"
}
}
[Debug keepassxc-browser.js:924] KeePassXC-Browser - Passkey response global.js:139:13
{
"authenticatorAttachment": "platform",
"id": "T4fT57DS64Zrmd3zIf9Uwrp7kC_WSJv__tSm3Khh_5E",
"response": {
"attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVi0Smc0Ix4O3MOLxlztr8IMh2SVIwlsN49QZN5JyOMzelnFAAAAAP2xQbJdhEQ-ijVGmMIFpQIAIE-H0-ew0uuGa5nd8yH_VMK6e5Av1kib__7UptyoYf-RpQECAyYgASFYIMOCNjTqiZpgciYoXnDglxfkd31WzA6iDgOLfjKvwvIvIlgg2EGDUEpHNx-N47REK5H0nE86KWUsH41cPyVvDvtF4QehaWNyZWRQcm9wc6Ficmv1",
"authenticatorData": "Smc0Ix4O3MOLxlztr8IMh2SVIwlsN49QZN5JyOMzelmFAAAAAKFpY3JlZFByb3BzoWJya_U",
"clientDataJSON": "eyJjaGFsbGVuZ2UiOiI2UVZCaG1zMUoxemh3V1N2c0RoWURBTzBkc0w3cjJrUkh1bjJfeE0tajlVIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvcmlnaW4iOiJodHRwczovL3d3dy5keW5hZG90LmNvbSIsInR5cGUiOiJ3ZWJhdXRobi5jcmVhdGUifQ",
"clientExtensionResults": {
"credProps": {
"rk": true
}
},
"publicKeyAlgorithm": -7
},
"type": "public-key"
}
Uncaught (in promise) SyntaxError: JSON.parse: unexpected end of data at line 1 column 1 of the JSON data
Not working
Restrictions
Instructions
Enable Debug Logging from the extension settings and see if the Web Developer / JavaScript console has any error messages. That is helpful for detecting possible errors.