
Support authenticator requests other than internal #10382

Closed
luzat opened this issue Mar 11, 2024 · 3 comments · Fixed by #10402

Comments

luzat (Contributor) commented Mar 11, 2024

Summary

When registering a Passkey with KeePassXC 2.7.7 at coinbase.com, the KeePassXC entry was registered as a security key with them, even though they support Passkeys and security keys (see #10374 (comment)). First, I don't think that this should have happened.

Second, following that, I was unable to log in, because Coinbase expected a USB or NFC transport for this security key. I had to patch the browser extension to request internal, too. It would be nice to have an advanced option in KeePassXC to respond to USB/NFC requests, too, and act as if it were an external device.

Context

Passkey support seems to differ wildly across software, and mix-ups with external keys/Passkeys seem to be somewhat common. In this case, the Passkey was somehow registered in the wrong category and I was locked out of my account. It would be nice to work around such problems with a more flexible Passkey/WebAuthn implementation by allowing more device parameters to be specified in KeePassXC, even though it might not be recommended to enable these options by default.

droidmonkey (Member) commented

Security keys and passkeys are wildly different standards. We just need to support responding to a passkey auth request that only "allows" USB and NFC authenticators.

@droidmonkey droidmonkey changed the title Support usage as an external security key Support authenticator requests other than internal Mar 11, 2024
luzat (Contributor, Author) commented Mar 11, 2024

@droidmonkey Yes, that would suffice.

Apart from that, I am a bit confused about the difference, apart from some parameters. FIDO itself says "Any passwordless FIDO credential is a passkey." It's also supposedly FIDO2/WebAuthn, just like many - not all (like FIDO1/U2F-only) - security keys. Yubico does advertise their security keys (at least YubiKey 5) as Passkeys, too.

In my case, I tried to register KeePassXC as a Passkey (selected the Passkey option, not the security key option) with Coinbase. Nonetheless, the KeePassXC key got listed as a security key (just like my YubiKey) instead. This seems to indicate that a Passkey flow was used, but there was some error with Coinbase, KeePassXC or the KeePassXC browser extension, which led to misclassification of KeePassXC as a security key. I am not sure if I should open a separate bug apart from my comment for that issue.

droidmonkey (Member) commented

The error is that coinbase doesn't allow "internal" keys for authentication, but happily accepts them for registration.
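The mismatch described in this thread, modelled as an added example (not KeePassXC or keepassxc-browser code): a relying party lists only "usb"/"nfc" transports in `allowCredentials` on login, and a browser-extension authenticator that insists on "internal" declines to answer. Field names follow the WebAuthn `PublicKeyCredentialRequestOptions` dictionary; the `respondToExternalTransports` option and the sample requests are constructed for illustration.

```javascript
// Transports the extension would treat as "external" hardware-key hints.
const INTERNAL = "internal";
const EXTERNAL = new Set(["usb", "nfc", "ble", "hybrid"]);

// Decide whether an internal (platform-style) authenticator should answer
// a navigator.credentials.get() request. Per WebAuthn, `transports` is only
// a hint to the client; a strict "internal or nothing" rule is exactly what
// locks a user out once the site has filed the credential as a security key.
function shouldRespond(options, respondToExternalTransports = false) {
  const allow = options.allowCredentials ?? [];
  // Empty allow list = discoverable-credential flow; any authenticator may answer.
  if (allow.length === 0) return true;
  return allow.some((cred) => {
    const transports = cred.transports ?? [];
    if (transports.length === 0 || transports.includes(INTERNAL)) return true;
    return respondToExternalTransports && transports.some((t) => EXTERNAL.has(t));
  });
}

// Collect the transports a request asks for (handy when debugging a lockout).
function requestedTransports(options) {
  const set = new Set();
  for (const cred of options.allowCredentials ?? []) {
    for (const t of cred.transports ?? []) set.add(t);
  }
  return [...set].sort();
}

// Constructed sample: what a site that stored the credential as a
// "security key" might send at login.
const securityKeyOnlyRequest = {
  challenge: new Uint8Array(32),
  rpId: "example.com",
  allowCredentials: [
    { type: "public-key", id: new Uint8Array(16), transports: ["usb", "nfc"] },
  ],
};

// Constructed sample: the same credential filed as a passkey.
const passkeyRequest = {
  challenge: new Uint8Array(32),
  rpId: "example.com",
  allowCredentials: [
    { type: "public-key", id: new Uint8Array(16), transports: ["internal"] },
  ],
};
```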
