[BUG] Failed to load freshly created passkey, nothing found

[pylapp]

Preliminaries I have ensured that:

• [x] I am running the latest version of Strongbox on the App Store by searching for Strongbox and clicking into it to see the Update button (or not)
• [x] I have performed a full restart of my device no matter how annoying that is

Versions

On iOS (please complete the following information):

• Device: iPhone 14 Pro
• OS: iOS 17.3.1

Strongbox Version

• Version: Pro 1.59.3

Describe the bug It seems a freshly created passkey cannot be found in my database ; the relying party is defined in the database but the web app calling the key and triggering the key finding did not succeed in getting the key at that relying party.

To Reproduce Steps to reproduce the behavior:

1. Create a new passkey (GitHub at github.com, on macOS Sonoma 14.3.1 and Firefox and Firefox 123.0)
2. Use the iPhone described above to add the passkey by flashing the QrCode
3. Later go to GitHub sign-in form and choose signing solution with passkey
4. Strongbox is then called in the iPhone to load the key after QrCode flash
5. But it displays an error message saying no key can be found at github.com (the relying party) even if I have a key with this relying party (the key is stored in an entry for my GitHub account with other credentials not only the key details)

Expected behavior The passkey at the given relying party must be used to complete the signing process.

Screenshots & Recordings Not possible to make on the fly screenshots because it closes the sheet saying the key cannot be found.

Additional context If needed I can try to provide more details about this bug and my setup (first time using a passkey). True with another web browser.

[pylapp]

Tried with another device to log in GitHub, but still the same issue:

• I go to GitHub signing form
• I choose the passkey authentication solution
• Then I choose to use a device camera
• With the device containing the Strongbox app I flash the QrCode
• The attached error appears even if I have a key with the "github.com" relying party ; maybe it must be also the entry name?

Below is the error I got

Below is an extract of the passkey in the entry dedicated to GitHub in my Strongbox

[pylapp]

@strongbox-mark If you need more details about this issue feel free to contact me, I'll try to do my best 😅

[strongbox-mark]

Hi @pylapp - can you reproduce this issue with a freshly create new local device database?

[pylapp]

First things first: thank you a lot for your quick answer 🤩

Then as suggested I created a new database stored on my device (and not in a file). After having deleted the previous passkey, I defined a new one in this new local in-device database. It works like a charm!

What do you suggest?

[strongbox-mark]

Yeah, that's very strange. I haven't actually used the camera for creating Passkeys before! I usually use the built in integration, but it's funny that it works on new database, indicating something weird with your existing database.

Could you send your debug info to support@strongboxsafe.com?

Can you create a Passkey using Strongbox on macOS? i.e. not using the QR Code/Camera. Does that work with your existing database?

[pylapp]

It seems I cannot create a passkey with Strongbox on macOS because the enrolment process (same GitHub website and Firefow browser on macOS) does not provide such solutions (only iCloud, stuff with camera and hardwayre stick).

How can I send to the email address you shared the debug info? I did not suceed in getting such files.

[pylapp]

Interesting, I tried another way and it failed.

On an iPhone, if I use a freshly new database based on a file it works. If I use a freshly local storage solution, tied to the device, it works.

But the thirds case I just tried failed exactly like the initial issue: if the passwords database is synced to iCloud, it fails and cannot get the passkey with the related party needed.

Maybe the case where the database is synced in iCloud is the buggy case 🤨

@strongbox-mark If you explain how I can get the debug logs feel free to explain me and I'll share it by email like suggested.

[pylapp]

@strongbox-mark I digged deeper and here are some conclusions of mine:

• I tried to add the passkey in a dedicated entry in a base synced to iCloud: it worked after several trials
• I tried to add another passkey in an existing entry (so same scenario as the issue): it worked once but other trials failed Note this updated entry is defined in a kpbx database synced to ICloud.

So it seems to be quite... random. Or only working once and never after. Didn't see any diff betweens entries (except of course details of the passkey). 100% success with local device file.

[strongbox-mark]

Hi @pylapp - I think what's happening here is that you are creating the Passkey successfully on your iPhone but then trying to use that passkey on macOS.

The problem is is that the Passkey has not synced via iCloud yet, so you need to check that the changes have come across to your mac via iCloud. You can check this by checking the Modified timestamp on macOS (you can see this also in your iCloud Strongbox folder on your Mac). Check it matches the timestamp on your iPhone on Strongbox home screen.

Unfortunately iCloud is terrible for Sync and we can't recommend it. Do you have access to any other cloud drive? e.g. OneDrive, Dropbox, Google Drive? The larger your file the worse iCloud is, so sometimes a brand new small database syncs fine but an older larger existing file doesn't. We don't have control over the sync with iCloud unfortunately.

Another thing to note is that actually you can create a passkey on your Mac, but you need to make sure that Strongbox is enabled under:

System Settings > Passwords > Password Options > Use Passwords and Passkeys

and turn off "iCloud Keychain".

Then you won't need to use an iPhone and QR Code and sync back to Mac. Then you should be offered to create in Strongbox although there is still and issue with Chrome and Firefox whereby they still use the term "iCloud Keychain" when they really should use the term "System Passkey Provider" or similar. Google is actually supposedly fixing this soon.

[pylapp]

Sorry I didn't understand 😅 About macOS my use case is only the use of a web browser with GitHub asking a passkey located in my phone ; Stronbox is not installed on my Mac. It seems the issue is kind of inability to get the passkey in an existing old database in the phone 🤔

[strongbox-mark]

Oh, I'm sorry I didn't get that you were doing everything on your iPhone, ok... Interesting.

It does seem like it's got to be something to do with iCloud, since as you say, Local Device based databases seem to work. I'd like another data point. Do you have access to OneDrive, Dropbox or Google Drive? I wonder if we create a database there and try that does it work? You can tap + > Create New Database > [OneDrive|Dropbox|Google Drive] and select a folder to add a database there.

It's very strange, this should just work, but it seems like the AutoFill QuickType database which is an Apple system database that holds info like: "Strongbox can provide Passkey X for Relying Party Y" is somehow out of sync or not updated properly.

Also, you can send Debug info from the Settings screen, tap "Contact Support" and it'll generate an email for you, or on the About screen there's a copy button.

[pylapp]

Ok thank you for all these details and the speed of your answers. I will make some tests and if it failed again I will provide you details.

[pylapp]

Tests

Database on Google Drive

• Created a new database synced to my Google account using Google Drive
• Added a passkey (same computer, same OS, same web browser, same web site, same accout) to this base
• Authentication succeeded each times (3 trials out of 3)

Existing database and updating an entry

• Using a current database synced to iCloud
• Added a passkey (same computer, same OS, same web browser, same web site, same accout) to this base in an existing entry
• Authentication succeeded 4 times (4 trials out of 5)
• But the 5th time, after closing my Strongbox app (swipe to kill), it did not find the key related to "github.com"

I just sent you and email with the debug details as required.