Closed luzat closed 6 months ago
Security keys and passkeys are wildly different standards. We just need to support responding to a passkey auth request that only "allows" USB and NFC authenticators.
@droidmonkey Yes, that would suffice.
Apart from that, I am a bit confused about the difference, apart from some parameters. FIDO itself says "Any passwordless FIDO credential is a passkey." It's also supposedly FIDO2/WebAuthn, just like many - not all (like FIDO1/U2F-only) - security keys. Yubico does advertise their security keys (at least YubiKey 5) as Passkeys, too.
In my case, I tried to register KeePassXC as a Passkey (selected the Passkey option, not the security key option), with Coinbase. Nonetheless, the KeePassXC key got listed as a security key (just like my YubiKey) instead. This seems to indicate that a Passkey flow was used, but there was some error with Coinbase, KeePassXC or the KeePassXC browser extension, which led to misclassification of KeePassXC as a security key. I am not sure if I should open a separate bug apart from my comment for that issue.
The error is that coinbase doesn't allow "internal" keys for authentication, but happily accepts them for registration.
Summary
When registering a Passkey with KeePassXC 2.7.7 at coinbase.com, the KeePassXC entry was registered as a security key with them, even though they support Passkeys and security keys (see https://github.com/keepassxreboot/keepassxc/issues/10374#issuecomment-1988153329). First, I don't think that this should have happened.
Second, following that, I was unable to log in, because Coinbase expected a USB or NFC transport for this security key. I had to patch the browser extension to request "internal", too. It would be nice to have an advanced option in KeePassXC to respond to USB/NFC requests, too, and act as if it were an external device.
Context
Passkey support seems to be wildly differing across software and mix-ups with external keys/Passkeys seem to be somewhat common. In this case, the Passkey was somehow registered in the wrong category and I was locked out of my account. It would be nice to work around such problems with a more flexible Passkey/WebAuthn implementation by allowing to specify more device parameters in KeePassXC, even though it might not be recommended to enable these options by default.
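The lock-out described in this issue comes down to how a software authenticator filters an authentication request whose allowCredentials entries only hint "usb"/"nfc" transports. The following is an added example written for this page, not KeePassXC's or the browser extension's own code: the credential shapes, the function names (selectCredentials, transportsCompatible) and the actAsExternal option are assumptions used for illustration, and the stored credentials and request are constructed sample data. It shows the strict filtering that leaves the request unanswered, beside the opt-in behaviour the issue asks for. WebAuthn defines the transports member of allowCredentials as a hint to the client, so a client that chooses to honour it strictly is the case modelled here.

```javascript
// Added example (not KeePassXC code): how a software authenticator might decide
// whether to answer a WebAuthn get() request whose allowCredentials only list
// "usb"/"nfc" transports, with an opt-in to act as an external device.

// Constructed stored credentials, as a password-manager authenticator would hold them.
// Credential IDs are base64url strings here; real ones are binary.
const storedCredentials = [
  { id: "Y3JlZC1jb2luYmFzZQ", rpId: "coinbase.com", transports: ["internal"] },
  { id: "Y3JlZC1leGFtcGxl", rpId: "example.com", transports: ["internal"] },
];

// Constructed request, shaped like PublicKeyCredentialRequestOptions after the
// extension has decoded it: the RP lists the registered credential but only
// hints usb/nfc transports, which is the situation described in the issue.
const authRequest = {
  rpId: "coinbase.com",
  allowCredentials: [
    { type: "public-key", id: "Y3JlZC1jb2luYmFzZQ", transports: ["usb", "nfc"] },
  ],
};

// Transports that belong to roaming (external) authenticators.
const EXTERNAL_TRANSPORTS = new Set(["usb", "nfc", "ble"]);

// Decide whether a stored credential's transports satisfy one allowCredentials
// entry. transports is only a hint in WebAuthn, so a strict client skips an
// "internal" authenticator; actAsExternal (hypothetical option) lets the user
// answer requests aimed at roaming authenticators anyway.
function transportsCompatible(allowed, stored, actAsExternal) {
  // No hint or an empty hint: every transport is acceptable.
  if (!allowed || allowed.length === 0) return true;
  if (allowed.some((t) => stored.includes(t))) return true;
  return Boolean(actAsExternal) && allowed.some((t) => EXTERNAL_TRANSPORTS.has(t));
}

// Return the stored credentials that may answer the request.
function selectCredentials(request, credentials, { actAsExternal = false } = {}) {
  const allow = request.allowCredentials ?? [];
  return credentials.filter((cred) => {
    if (cred.rpId !== request.rpId) return false;
    // Discoverable-credential flow: an empty allow list means any credential
    // registered for this rpId may answer.
    if (allow.length === 0) return true;
    return allow.some(
      (entry) =>
        entry.type === "public-key" &&
        entry.id === cred.id &&
        transportsCompatible(entry.transports, cred.transports, actAsExternal)
    );
  });
}

// Default behaviour: nothing matches, which is the lock-out described above.
const strict = selectCredentials(authRequest, storedCredentials);
// With the opt-in, the credential is offered to the user.
const relaxed = selectCredentials(authRequest, storedCredentials, { actAsExternal: true });
console.log(strict.length, relaxed.length); // 0 1
```

The registration side is unaffected by this check: a relying party that accepts an "internal" authenticator at registration but only hints "usb"/"nfc" at authentication produces exactly the mismatch shown, which is why an opt-in on the authenticator side, rather than a change to the stored credential, is enough to regain access.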