keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Support authenticator requests other than `internal` #10382

Status: Closed (luzat closed this 6 months ago)

luzat commented 7 months ago

Summary

When registering a Passkey with KeePassXC 2.7.7 at coinbase.com, the KeePassXC entry was registered as a security key with them, even though they support Passkeys and security keys (see https://github.com/keepassxreboot/keepassxc/issues/10374#issuecomment-1988153329). First, I don't think that this should have happened.

Second, following that, I was unable to log in, because Coinbase expected a USB or NFC transport for this security key. I had to patch the browser extension to request `internal`, too. It would be nice to have an advanced option in KeePassXC to respond to USB/NFC requests, too, and act as if it were an external device.

Context

Passkey support seems to be wildly differing across software, and mix-ups with external keys/Passkeys seem to be somewhat common. In this case, the Passkey was somehow registered in the wrong category and I was locked out of my account. It would be nice to work around such problems with a more flexible Passkey/WebAuthn implementation by allowing the user to specify more device parameters in KeePassXC, even though it might not be recommended to enable these options by default.

droidmonkey commented 7 months ago

Security keys and passkeys are wildly different standards. We just need to support responding to a passkey auth request that only "allows" USB and NFC authenticators.

luzat commented 7 months ago

@droidmonkey Yes, that would suffice.

Apart from that, I am a bit confused about the difference, other than some parameters. FIDO itself says "Any passwordless FIDO credential is a passkey." It's also supposedly FIDO2/WebAuthn, just like many - not all (like FIDO1/U2F-only) - security keys. Yubico does advertise their security keys (at least YubiKey 5) as Passkeys, too.

In my case, I tried to register KeePassXC as a Passkey (I selected the Passkey option, not the security key option) with Coinbase. Nonetheless, the KeePassXC key got listed as a security key (just like my YubiKey) instead. This seems to indicate that a Passkey flow was used, but there was some error with Coinbase, KeePassXC or the KeePassXC browser extension, which led to misclassification of KeePassXC as a security key. I am not sure if I should open a separate bug apart from my comment for that issue.

droidmonkey commented 7 months ago

The error is that coinbase doesn't allow "internal" keys for authentication, but happily accepts them for registration.
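The decision the thread is about, as an added example that is not code from KeePassXC or keepassxc-browser: a software (passkey) authenticator receives a `navigator.credentials.get()` request whose `allowCredentials` entries carry a transport hint, and has to decide whether to answer. In WebAuthn the `transports` member is only a hint; an absent or empty list means "unknown" and the client is expected to try every authenticator, while a list of `["usb", "nfc"]` is what a relying party sends for a credential it has filed as a security key. The credential ids, the `example.com` relying party and the request shape below are constructed for the example; `respondToExternalTransports` is a hypothetical name for the advanced option proposed above.

```javascript
// Added example, not part of KeePassXC or keepassxc-browser.
// Transports a credential stored in a password database can truthfully claim;
// "internal" is WebAuthn's name for a platform (non-roaming) authenticator.
const SOFTWARE_TRANSPORTS = ["internal"];

// Constructed sample of what the extension would have stored at registration.
// The ids are made-up base64url strings.
const STORED_CREDENTIALS = [
  { id: "a2VlcGFzc3hjLWNyZWQtMQ", rpId: "example.com", userName: "alice" },
  { id: "a2VlcGFzc3hjLWNyZWQtMg", rpId: "other.example", userName: "alice" },
];

// Constructed sample of PublicKeyCredentialRequestOptions in the shape this
// issue describes: the stored credential is allowed, but only via usb/nfc.
const SAMPLE_REQUEST_USB_NFC_ONLY = {
  rpId: "example.com",
  challenge: "Y2hhbGxlbmdl",
  userVerification: "required",
  allowCredentials: [
    { type: "public-key", id: "a2VlcGFzc3hjLWNyZWQtMQ", transports: ["usb", "nfc"] },
  ],
};

// True when one allowCredentials entry could be satisfied by an authenticator
// that offers `transports`. A missing or empty hint means "unknown", so it
// admits every authenticator.
function entryAdmitsTransports(entry, transports) {
  if (!Array.isArray(entry.transports) || entry.transports.length === 0) {
    return true;
  }
  return entry.transports.some((t) => transports.includes(t));
}

// Stored credentials the request may use at all: rpId must match, and when
// allowCredentials is non-empty the credential id must be listed there.
function matchingCredentials(options, stored) {
  const allow = options.allowCredentials || [];
  return stored.filter((cred) => {
    if (cred.rpId !== options.rpId) return false;
    if (allow.length === 0) return true; // discoverable-credential flow
    return allow.some((entry) => entry.id === cred.id);
  });
}

// Strict mode answers only entries whose hint admits "internal". With the
// hypothetical respondToExternalTransports option on, entries that list only
// usb/nfc are answered too, so a credential the relying party mis-filed as a
// security key can still be used to log in.
function decideResponse(options, stored, { respondToExternalTransports = false } = {}) {
  const candidates = matchingCredentials(options, stored);
  if (candidates.length === 0) {
    return { respond: false, reason: "no stored credential matches rpId/allowCredentials", credentials: [] };
  }
  const allow = options.allowCredentials || [];
  if (allow.length === 0) {
    return { respond: true, reason: "discoverable credential request", credentials: candidates };
  }
  const usable = candidates.filter((cred) => {
    const entry = allow.find((e) => e.id === cred.id);
    return respondToExternalTransports || entryAdmitsTransports(entry, SOFTWARE_TRANSPORTS);
  });
  if (usable.length === 0) {
    const hinted = [...new Set(allow.flatMap((e) => e.transports || []))];
    return { respond: false, reason: "relying party hints only " + JSON.stringify(hinted), credentials: [] };
  }
  return {
    respond: true,
    reason: respondToExternalTransports ? "external transports accepted by user option" : "transport hint admits internal",
    credentials: usable,
  };
}

// Stand-alone demonstration of both modes on the constructed request.
console.log(decideResponse(SAMPLE_REQUEST_USB_NFC_ONLY, STORED_CREDENTIALS));
console.log(decideResponse(SAMPLE_REQUEST_USB_NFC_ONLY, STORED_CREDENTIALS, { respondToExternalTransports: true }));
```

The permissive path is deliberately opt-in: answering usb/nfc-only requests by default would make the software authenticator claim a transport it does not have, and the relying party's own filing of the credential is the thing that went wrong here. The registration side is the other half of the story: the transports the authenticator reports in its attestation response at `create()` time (here, `["internal"]`) are what a relying party should use to classify the credential, so a relying party that files it as a security key anyway will send exactly the request shape above.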