Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

KeepassXC passkey integration has less precedence, than browser internal one #2335

Open
Grundik opened this issue Sep 8, 2024 · 5 comments
Labels

Comments

@Grundik
Copy link

Grundik commented Sep 8, 2024

Expected Behavior

Keepass plugin should have a precedence over browser internal passkey mechanisms. When site asks for passkey on its loading, keepass should catch it first, and then fallback to browser in case of missed credentials.

Current Behavior

Internal browser passkey mechanisms have precedence, if page asks for passkey immediately after load: only after browser popup closed, and passkey request reinitiated (without page reload), keepass can do its thing.

On some sites "try again" link reloads the page, making keepass passkeys inaccessible, since it in this case it never has a chance. For example: microsoft.com.

Possible Solution

If it is possible, keepass browser plugin should initialize its mechanisms earlier, to take precedence over browser.

Steps to Reproduce (for bugs)

  1. try to add passkey to microsoft.com account (https://account.live.com/proofs/Manage/additional -> Add a new way to sign in or verify -> Face, fingerprint, PIN, or security key);
  2. fail to add it, since keepass cant ask for passkey: passkey adding page opens, browser opens QR-code window, and on popup close page redirects to an error. No way to "try again" without page reloading.

Debug info

KeePassXC - 2.7.9 (flatpak)
KeePassXC-Browser - 1.9.3
Operating system: Linux x86_64
Browser: Chrome/Chromium 128.0.0.0 (flatpak ungoogled chromium)

@varjolintu
Copy link
Member

varjolintu commented Sep 8, 2024

This is a difficult one. The extension already injects the passkeys script immediately to the tab. If the site itself triggers some script before that which calls the browser's own passkeys implementation, there might be no way to prevent it.

But, AFAIK there are few different options when to trigger content scripts, and currently the default value is to wait for the page content to be loaded. For passkeys the script could be modified to be loaded much earlier. Gotta investigate it.

@Grundik
Copy link
Author

Grundik commented Sep 8, 2024

It could be easier to reproduce with gitlab, if you have own instance: you can try to add passkey to your account, and try to enter admin mode. Second factor authentication asked at the page loading, so keepass misses it too. But gitlab has "try again" button, which works without page reloading, so second try would work fine.

@varjolintu
Copy link
Member

varjolintu commented Sep 14, 2024

I did some testing with this. Moved the passkeys inject function to a separate script so it's immediately loaded at document_start. With Firefox this worked great. With Microsoft site there was no problems creating a new passkey, and it was the same with GitLab. Chrome however did not work any better, and creating a passkey for Microsoft failed every time. GitLab still required the "try again" method with GitLab when using Chrome.

Gotta investigate this further.

EDIT: Keeping track this as well: https://github.com/tc39/proposal-arraybuffer-base64. It could help a lot when implemented.

@benbucksch
Copy link

Keepass plugin should have a precedence over browser internal passkey mechanisms

This depends on your circumstances. Usecase: Start with KeePassXC, then gradually switch over to a hardware key. Or wanting to use both the hardware key and KeePassXc for the same site, i.e. as alternative keys. So, I think there should be a setting - on a global level (always prefer one over the other), on a domain level, and on a case by case level (choose every time).

@Grundik
Copy link
Author

Grundik commented Oct 25, 2024

KeepassXC can fallback to hardware key, there are already option for that: "Enable passkeys fallback". There are no need to modify browser extension for that: if you want to use hardware key for some site, then just hide/delete key entry in KeepassXC, or hit "cancel" button on keepass auth request. Its already working like that.

Problem is: hardware keys cant fallback to keepass ones, and this issue is about it.

@varjolintu varjolintu removed the bug label Nov 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants