keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Passkeys: Improve usability of "Add to existing" #10714

Open darkdragon-001 opened 6 months ago

darkdragon-001 commented 6 months ago

Summary

First of all, thanks a lot for adding this great feature!

It would be nice if one could (additionally) get a filtered list of matching existing entries similar to auto-fill when trying to add a passkey to an existing entry (without passkey so far).

Examples

Could look similar to the dialog when filling in data to a website. Should filter based on URL or additional URL fields.

Context

I have a huge database with a lot of groups.

droidmonkey commented 6 months ago

We decided not to do that. Instead, it must match both username and url of an existing passkey entry for the dialog to offer to update that entry. Otherwise, you choose the "register to existing" and choose the entry you want.

Perhaps that register to existing dialog could include a search box @varjolintu.

darkdragon-001 commented 6 months ago

@droidmonkey I tried GitHub and Google and I had to manually choose the group and entry. The username and url fields in the entry are used successfully for password based login. So are you saying it should work but doesn't?

droidmonkey commented 6 months ago

Agreed, this needs to be improved.

darkdragon-001 commented 6 months ago

How is the URL compared? Does github.com (passkey relying party) match https://github.com/ (URL field)? Is only the primary URL field considered or are additional URLs also taken into account?

darkdragon-001 commented 5 months ago

@droidmonkey @varjolintu could you please elaborate on how the URLs are compared? I have the impression that it doesn't match even though it should.

varjolintu commented 5 months ago

@darkdragon-001 URL field is used for checking access to the passkey entry, but the actual authentication happens against KPEX_PASSKEY_RELYING_PARTY attribute value.

darkdragon-001 commented 5 months ago

@varjolintu This issue is about the "Add to existing" functionality, so before a passkey is stored. How is it determined if it suggests an existing entry? In my tests, it never did even though the URLs should match (at least they do for the old password paste).

varjolintu commented 5 months ago

@darkdragon-001 Suggesting an update to an existing entry directly happens only when an identical KPEX_PASSKEY_USER_HANDLE is found in an entry.

darkdragon-001 commented 5 months ago

@varjolintu So it never happens for an entry where no passkey is registered yet as there is no KPEX_PASSKEY_USER_HANDLE set?

Could we please have it? I have a huge database, so it is currently quite difficult to navigate the group hierarchy to the correct entry.

darkdragon-001 commented 5 months ago

I verified that even though existing "Username" matched future KPEX_PASSKEY_USERNAME and existing "URL" (https://github.com/) matched future KPEX_PASSKEY_RELYING_PARTY (github.com), it did not suggest to add the passkey to this existing entry.

varjolintu commented 5 months ago

> I verified that even though existing "Username" matched future KPEX_PASSKEY_USERNAME and existing "URL" (https://github.com/) matched future KPEX_PASSKEY_RELYING_PARTY (github.com), it did not suggest to add the passkey to this existing entry.

As I said, KPEX_PASSKEY_USER_HANDLE is the relevant attribute here.

darkdragon-001 commented 5 months ago

Thanks for confirming. Then this issue is a feature request to improve it. Would be great if you would find some time to make this great feature even better!
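
The filter requested in this thread, sketched as an added example: it is not part of the original discussion and not KeePassXC code. It compares a relying party ID such as github.com with the host of an entry's URL on a label boundary, so lookalike hosts are not offered; the entry dictionaries, the `additional_urls` field and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Return the lowercase host of an entry URL, or None if it has none."""
    if "://" not in url:
        url = "https://" + url  # assumption: scheme-less URL fields are read as https
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
        return None
    return host.rstrip(".").lower() if host else None

def rp_id_matches(rp_id, host):
    """True if host equals rp_id or is a subdomain of it.

    The comparison is done on a label boundary ("." + rp_id), so that
    notgithub.com and github.com.example.net do not match github.com.
    """
    rp_id = rp_id.rstrip(".").lower()
    return bool(host) and bool(rp_id) and (host == rp_id or host.endswith("." + rp_id))

def candidates(entries, rp_id):
    """Titles of entries without a passkey whose URL or additional URLs match rp_id."""
    out = []
    for e in entries:
        if "KPEX_PASSKEY_USER_HANDLE" in e.get("attributes", {}):
            continue  # the request is about entries that have no passkey so far
        urls = [e.get("url", "")] + e.get("additional_urls", [])
        if any(rp_id_matches(rp_id, host_of(u)) for u in urls if u):
            out.append(e["title"])
    return out

# Constructed sample entries (hypothetical structure, not the KeePassXC data model).
ENTRIES = [
    {"title": "GitHub", "url": "https://github.com/"},
    {"title": "Gist", "url": "https://example.org",
     "additional_urls": ["https://gist.github.com/login"]},
    {"title": "Lookalike", "url": "https://github.com.example.net/"},
    {"title": "Suffix only", "url": "https://notgithub.com/"},
    {"title": "Has passkey", "url": "https://github.com/",
     "attributes": {"KPEX_PASSKEY_USER_HANDLE": "constructed-value"}},
]

if __name__ == "__main__":
    print(candidates(ENTRIES, "github.com"))
```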