Adds basic WebAuthn support to KeePassXC. Currently it uses the default Elliptic Curve key (EC2, ES256 signature, P-256 curve), 2048-bit RSA key, and basic registration/authentication with User Verification enabled and the default none Attestation. Optional extensions credProps and uvm are supported in the registration phase. Timeouts are respected, and a new confirmation dialog is added for them.


Qt’s CBOR libraries require at least Qt 5.12, so a new CMake configuration parameter, WITH_XC_BROWSER_WEBAUTHN, is added.

At registration phase a new credential is stored to KeePassXC with the following information:

  • The generated private key for the credential is stored as an attachment named “webauthn.pem”. It can be exported and imported normally.
  • The generated User ID is stored as the entry password.
  • Username and URL fields are set normally.

Authentication phase:

  • Supports all User Verification options. When User Verification is discouraged, a single matching entry is returned immediately.
  • Stored credentials are retrieved only when the webauthn.pem key file is present. User ID and URL domain must also match.
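As an added example (not code from this PR or from KeePassXC, which uses Qt's CBOR classes in C++), the following Python builds the `none`-attestation object for the default ES256/P-256 credential produced at registration, and performs the rpIdHash domain check applied at authentication time. The minimal CBOR encoder, the credential ID, the key coordinates and the RP ID are constructed placeholders, not values from a real registration.

```python
import hashlib
import struct

def _head(major: int, n: int) -> bytes:
    """CBOR initial bytes: major type in the top 3 bits, then the argument."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 0x100:
        return bytes([major << 5 | 24, n])
    if n < 0x10000:
        return bytes([major << 5 | 25]) + struct.pack(">H", n)
    raise ValueError("argument too large for this minimal encoder")

def cbor(v) -> bytes:
    """Encode int, bytes, str and dict (map keys emitted in the order given)."""
    if isinstance(v, bool):
        raise TypeError("bool not supported")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present, user verified, attested cred data

def cose_es256_key(x: bytes, y: bytes) -> bytes:
    """COSE_Key for the default credential type: kty=EC2(2), alg=ES256(-7), crv=P-256(1)."""
    return cbor({1: 2, 3: -7, -1: 1, -2: x, -3: y})

def authenticator_data(rp_id: str, cred_id: bytes, x: bytes, y: bytes,
                       sign_count: int = 0, uv: bool = True) -> bytes:
    """rpIdHash || flags || signCount || AAGUID || credIdLen || credId || COSE key."""
    flags = FLAG_UP | FLAG_AT | (FLAG_UV if uv else 0)
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + bytes(16)  # all-zero AAGUID (placeholder)
            + struct.pack(">H", len(cred_id)) + cred_id + cose_es256_key(x, y))

def none_attestation_object(auth_data: bytes) -> bytes:
    """attestationObject with fmt "none": the attStmt map is empty."""
    return cbor({"fmt": "none", "attStmt": {}, "authData": auth_data})

def rp_id_matches(auth_data: bytes, rp_id: str) -> bool:
    """Domain check at authentication time: rpIdHash must equal SHA-256(rpId)."""
    return auth_data[:32] == hashlib.sha256(rp_id.encode()).digest()
```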

What is not working / is missing / won’t be implemented:

  • Some extensions are still missing (authentication does not support any extensions yet).
  • Support for Resident Key.
  • Support for triggering unlock from extension.
  • Support for root certificates.
  • Support for PIN/TouchID when authenticating.

What is not tested:

  • Support for Passkeys (in theory some sites should work; testing it needs at least Chrome 108).
  • Exporting credentials and the private key to another password manager and verifying that it works (does any of them support this kind of feature yet?).

What needs to be discussed:

  • How to actually import and export full credentials? Currently the process is semi-manual because only the private key attachment can be used. There is no standard way to proceed with this.

Related extension PR for the feature: keepassxreboot/keepassxc-browser#1786


Documentation: https://w3c.github.io/webauthn/

Fixes #1870.

Screenshots

Register new credentials:

[screenshot: 1_webauthn_register]

Authenticate existing:

[screenshot: 2_webauthn_authenticate]

Testing strategy

Automated tests are written with valid data captured from a real registration and authentication.


The following sites can also be used for testing the feature:

Type of change

  • New feature (change that adds functionality)
