-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: passkey support #330
Comments
Potentially keen. Can you provide a bit more info on the kind of workflow you're suggesting? |
Ok, it was a bit long I needed time to manage and write it IntroPasskey is actually webauthn, so lets first recap how it works There is a web api called webauthn, which is for managing different authentication methods, one of those methods is public-key, which is what we need to cover, browser get the webauthn function call from websites and uses CTAP(or an API from OS which calls it) to connect to the security devices. So we have two options here:
First way is more complex but future proof, second way is easier so I suggest starting with the second way. What to do
How can I help
Process
Good First Steps to Start
Well thats it, you probably have lots of question and I'm sure I did not write this very well, so let me know what you need to know more and tell me from where we can start :) |
Hi @tavrez! We had a few internal discussions about it, but never ended up posting here a reply, sorry about that! Would we like to explore idea this further?Absolutely! Should we make an extension for
|
Glad to hear back from you! |
Hi! I just wanted to point out that the folks at KeePassXC have already implemented WebAuthn/PassKey support and there's issue keepassxreboot/keepassxc#1870 and PR keepassxreboot/keepassxc-browser#1786 that give very interesting insights on how they did it. The monkey patching in Browserpass could be similar. |
This is not what passkeys were meant for... they are supposed to be protected by hardware and non-exportable - and if the keys are escrowed (non-device-bound passkeys), they are escrowed on a HSM farm like Apple and Google have in their datacenters for this purpose, and private keys only ever transit any links when you create or recover them - and since they are on HSMs even on the provider's end, your weak phone PIN or human memorized password is protected by a limit of ~10 tries. The route KeePassXC and now potentially Browserpass are going is very different. Any time it's used, the private key gets decrypted and loaded into RAM memory and used to perform a cryptographic operation (sign an assertion) in the main CPU. This is a far cry from only existing outside TPM/HSM at the moment of backup or restore to a cloud account, in terms of the strength of the guarantee that it has not been copied even if you clicked on malware. Passkeys are supposed to be idiot-proof, and TPM or some other form of smartcard-like technology is necessary to prevent the taking of a permanent copy of credentials if a user has fallen for a scam or malware at any past point. Producing things that claim, in talking to relying parties, to be "passkeys" and do not actually offer the guarantees passkeys offer, is poisoning the ecosystem. When someone gets their Pass private key compromised and later learns the attackers made off with a persistent copy of all their Passkeys (which are supposed to be immune to such things) it scares people and companies away from passkeys. |
@WIcheese You make valid points. Ultimately though, it's up to the user how they wish to handle their own security situation. Remember that browserpass does not target laypeople; it's very specifically a pgp-based credential manager. Similar arguments apply to TOTP, which we also support. Remember also that many browserpass users are in fact using a hardware token for decryption; the assertion that the private key is sitting in system memory is not necessarily accurate. |
I am aware of this; I personally use a YubiKey with touch required for each decryption. However, pass or browserpass isn't going to manage the YubiKey's FIDO2 function and enroll passkeys directly with the YubiKey, nor will the OpenPGP function store a separate key per Passkey or sign FIDO2/WebAuthn assertions on-key... that would defeat the purposes of using a password manager (such as overcoming the limit on the number of discoverable credentials, or ensuring that you can recover when you lose your YubiKey as long as you have an airgapped backup of your GPG key). So even though the keys to your entire pass repository may not exist in memory at any time, when you use a Passkey (which in itself is a public/private key pair), the private key of that specific Passkey is going to have to be in memory. Your software implementation of FIDO2/WebAuthn, not backed by TPM, is going to be signing the assertion. That passkey is 100% as copyable/exportable as a regular password. In an ideal world I agree, users should have the option to take that risk. However, many developers want to use Passkeys for their products because they are more "idiot-proof" (phishing resistant, and resistant to persistence / credential export). They prefer it over TOTP because you CAN'T back up the QR code in some insecure place. WebAuthn and attestation are supposed to provide certain assurances to the relying party. |
Does this apply to all browsers? Some provide API's for extensions to be passkey handlers: |
How you secure your key depends on your pgp program and not on pass.
How can you prov this claim? Given that many users of pass use a smartcard the private isn't in memory but is stored on the smartcard, you can extract keys from smartcards.
As others said given the nature of pass or this extension muss is given to the choice of the user to decide how secure they want their credentials to be. Since pass can use smarcards the credentials I also want to add that pass gives the user better control to manage their credentials between applications than any builtin browser or solution of a closed source operating system can ever give. |
Yes, but remember that the PGP key isn't the only one we're talking about here; the private key for the passkey would be managed by Browserpass. @WIcheese is correct in their assertions about that part of it. In particular, note this part:
Because Browserpass would by necessity be handling the key material for the passkey. The very existence of the functionality necessarily implies having the private key for the passkey somewhere that Browserpass can get at it, which means it is sitting in RAM somewhere.
Yes. As per TOTP secrets.
For the PGP key, yes. For other keys (e..g passkey private, TOTP secret etc), no.
No. You may prefer Browserpass, but that does not automatically make it superior. As with any field, picking the correct tool for the job matters. Browserpass fits a few very specific niches, but there are many areas in which it is not, in fact, the option which "gives the user better control to manage their credentials". |
Using Pass as passkey provider is a huge win, if you are interested, we can start creating a specific format for storing passkeys inside Pass files and use them with this extension. What do you think?
The text was updated successfully, but these errors were encountered: