Passkeys - Kunzisoft/KeePassDX GitHub Wiki
What are Passkeys?
Passkeys are a passwordless sign-in method that uses cryptographic key pairs stored on your devices to log into websites and apps more securely and easily. KeePassDX has supported creating and using Passkeys since version 4.2.0, and it lets you use this authentication system securely and completely offline.
Why Passkeys?
This authentication method should be preferred over password filling because:
- It's more secure. Passkeys are bound to the website or app they were created for, so unlike passwords, you can't be tricked into using your passkey on a fake site. The website/app only stores your public key. If their server is breached, attackers don't get your actual credential (the private key, which stays in your database). With passwords, a breached server database often means stolen password hashes. Each passkey is cryptographically strong and unique per site, eliminating the problems of weak or reused passwords.
- It offers a better user experience. Logging in is typically as easy as opening your KeePass database, and there is no problem with form recognition.
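The origin binding and public-key-only storage described above show up in the check a website performs on a passkey login. The following Node.js code is an added example, not KeePassDX or wiki code; it assumes an ES256 (P-256) key and checks only the assertion fields shown, and the function names and the example.test / examp1e.test domains are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Browser + authenticator side. The browser writes the origin it is actually
// showing into clientDataJSON; the authenticator signs authData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  // authData layout: rpIdHash (32 bytes) | flags (0x05 = user present + verified) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Website (relying party) side: it holds only the public key and the values it expects.
function verifyAssertion(publicKey, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'wrong challenge';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((assertion.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

function demo() {
  // Constructed sample data: example.test is the real site, examp1e.test a look-alike.
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = nodeCrypto.randomBytes(32);
  const expected = { rpId: 'example.test', origin: 'https://example.test', challenge };

  const genuine = makeAssertion(privateKey, 'example.test', 'https://example.test', challenge);
  // Same key and a relayed challenge, but the browser recorded the look-alike origin.
  const relayed = makeAssertion(privateKey, 'examp1e.test', 'https://examp1e.test', challenge);
  // Swapping in the genuine clientDataJSON and authData afterwards invalidates the signature.
  const rewritten = { ...genuine, signature: relayed.signature };
  // An assertion captured earlier does not answer a fresh challenge.
  const fresh = { ...expected, challenge: nodeCrypto.randomBytes(32) };

  return {
    genuine: verifyAssertion(publicKey, expected, genuine),
    relayed: verifyAssertion(publicKey, expected, relayed),
    rewritten: verifyAssertion(publicKey, expected, rewritten),
    replayed: verifyAssertion(publicKey, fresh, genuine),
  };
}

console.log(demo());
```

The website never sees the private key: everything `verifyAssertion` needs is the public key plus the origin, rpId and challenge it already knows.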
Set-up
The service that manages passkeys is only available on Android version 14 (API 34) and above, so make sure you have a device with a compatible ROM.
- Activate KeePassDX Credential Provider / Autofill:
  - Click on Settings → Form filling → Credential provider service
  - Select KeePassDX in the "Passwords, Preferred service for passwords, passkeys & autofill" menu on your device. Once selected, the Credential provider service toggle is on; it switches back to off if another Credential provider / Autofill service is selected in the system.
- A dialog box may ask whether you are sure you trust the app: KeePassDX is open source, so you just need to check the points that matter to you in the source code and validate if you agree.
Create a Passkey entry
KeePassDX makes it easy to create Passkey credentials by saving them in an entry in your database. Of course, the service you want to connect to must offer Passkey creation and usage.
- When the service prompts you to create a Passkey, for example with a dedicated button, a dialog box appears.
- Click on the main button to start the creation. If an error message appears, refer to the Errors section.
- KeePassDX launches in Registration Mode (Passkeys); open your database if it is not already open.
- Click the + button and Add Entry to add a new passkey entry.
- Verify that the title is correct and press the validate button. Note: It is not recommended to modify the other fields, as they contain the information that allows the cryptographic passkey challenges to be performed correctly.
- Press the confirm button; your passkey for this service has been created.
Use a Passkey entry
- Click the Passkey login button for your service.
  - If your database is already open and there is only one passkey entry for this service, then the connection is established without any further action.
  - If your database is already open and there are multiple passkey entries for this service, one of the keys will be chosen at random in the main button. However, you can select the one you want by clicking Sign-in options.
  - If your database is closed, clicking on the main button will allow you to open it.
- Click on the main button to start the usage workflow. If an error message appears, refer to the Errors section.
- KeePassDX launches in Selection Mode (Passkeys); open your database.
- Select the entry corresponding to your service.
  - If there is only one passkey entry in your database, the authentication is made automatically.
  - If there are multiple passkey entries in your database, simply select the one you want to use manually.
Errors
"Origin is not being returned as the calling app did notmatch the privileged allowlist" indicates that you are attempting to use a browser that is not recognized among the privileged applications. Therefore, it cannot provide a correct web origin.
This can happen if, for example, you try to use the Chrome browser, which is not open source, with KeePassDX Libre.
If you trust the browser application to delegate Passkeys authentication tasks, then you can add it as a privileged custom application in Settings → Form filling → Passkeys settings → Privileged apps.
"Out of time" simply indicates that the time for creating or using the Passkey has expired. You must therefore repeat the procedure by closing and reopening the dialog box.