KeePassXC added Passkeys support

This release delivers the official implementation of Passkeys for KeePassXC! This feature is a year in the making and uses the existing browser integration service to both store and use Passkeys for authentication.


Does this mean it will only work with their browser extension installed?

1 Like

I still don’t really understand passkeys.

So passkeys are passwords stored in a database that don’t need copy pasting and you can just insert them with a click of a button?

How is it any more secure than a Password generator?

How is it different than a hardware key? (Is it just a software defined hardware-key in practice?)

Is it just a web standard so that all companies can use it and adopt?

@jonah @dngray @ph00lt0

This may be of interest to you: Passwordless Future: A Comprehensive Passkeys FAQ | Bitwarden Resources

1 Like

I change my question,

Is there any use case left for passwords IF everyone adopts passkeys?

Maybe for a password manager? Otherwise, I don’t think so…

It uses the same FIDO2 standard. The only difference is the branding of it and possibly where you store them. You can store passkeys just fine on a hardware key or TPM. Where it becomes interesting is when storing them in the cloud because that means that it’s not bound to the hardware and not stored in a secure chip. I would not recommend that at this point for important accounts. Besides that also makes it that you have only one entry using that cloud provider and that is quite an availability risk IMO.

The ‘only’ thing that is more secure about passkeys vs generated passwords (both are generated secrets) is that passkeys authenticate the requestor too. I won’t go into all the details (you can search for that), but to keep it simple, it does so by sending a challenge (public key cryptography) to the website requesting your passkey. Only if the result of that matches the expected one will it continue. Using passkeys is therefore phishing resistant, which is a great deal. Everyone will one day fall for a sophisticated phishing attack, so passkeys are not just an amazing UX improvement but also a massive security improvement, and not just for the less skilled user.

Conclusion is: yes, use passkeys. YubiKeys are by far the best way to do this; no, I wouldn’t be scared to use the built-in TPM either, that really is quite good. Probably you don’t want to use cloud-based (synced) passkeys.

1 Like

Probably not, but that’s going to take so many years we will probably never see that day. So many legacy systems will still be there.

Also think about Wi-Fi networks, how will you share the access? There are more things than just the internet as in websites and apps where we use passwords too.

(BTW I love these questions :) keep them going)

1 Like

If I use a passkey with a site from a TPM inside my phone, does TOTP 2FA on top of that make sense?

No. As mentioned in the Bitwarden FAQ I linked earlier.

TOTP from a second phone*

I’m no expert in these things, but to me it seems that while it would provide additional security, it also is a bit excessive and inconvenient.

Tested KeePassXC Passkey, receiving Origin and RP ID do not match. Unable to use Passkey.
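
Added example, not part of any post above and not KeePassXC's code: a simplified version of the WebAuthn rule that a passkey's RP ID must belong to the origin asking for it, which is what makes passkeys phishing resistant and what an "Origin and RP ID do not match" error refers to. `checkRpId` and `PUBLIC_SUFFIXES` are hypothetical names; real clients consult the full Public Suffix List, and the sample origins are constructed.

```javascript
// Added example: simplified WebAuthn "is this RP ID valid for this origin?" check.
// Assumption: PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "test", "co.uk"]);

function checkRpId(origin, rpId) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return { ok: false, reason: "origin is not a valid URL" };
  }
  const host = url.hostname.toLowerCase();
  const id = String(rpId).toLowerCase();

  // WebAuthn needs a secure context; http is tolerated only for localhost.
  if (url.protocol !== "https:" && host !== "localhost") {
    return { ok: false, reason: "origin is not a secure context" };
  }
  // A bare public suffix would let one site claim credentials for every site under it.
  if (PUBLIC_SUFFIXES.has(id)) {
    return { ok: false, reason: "RP ID is a public suffix" };
  }
  // RP ID must equal the host or be a parent domain on a label boundary.
  if (host === id || host.endsWith("." + id)) {
    return { ok: true, reason: "RP ID matches origin" };
  }
  // Wording mirrors the error quoted in the thread.
  return { ok: false, reason: "Origin and RP ID do not match" };
}

// Constructed sample requests: [origin the browser reports, RP ID the page asks for].
const samples = [
  ["https://login.example.com", "example.com"],     // legitimate subdomain
  ["https://example.com.evil.test", "example.com"], // look-alike host
  ["https://notexample.com", "example.com"],        // suffix match, no label boundary
  ["https://example.com", "com"],                   // over-broad RP ID
  ["http://example.com", "example.com"],            // insecure origin
];
for (const [origin, rpId] of samples) {
  const { ok, reason } = checkRpId(origin, rpId);
  console.log(`${ok ? "ALLOW" : "DENY "} ${origin} rpId=${rpId}: ${reason}`);
}
```

Only the first sample is allowed; the look-alike host is refused before any credential is offered, which a typed or pasted password cannot do.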