Skip to content

Zig-Sec/PassKeeZ

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

246 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Screenshot from 2025-04-15 11-16-56

Donate using Liberapay

PassKeeZ is a Passkey (FIDO2) compatible authenticator for Linux based on keylib.

To get started, please visit the Wiki. The video below shows the full installation via the installer script.

Installing PassKeeZ Video

The project currently supports only Linux due to the absence of a standardized API for interprocess communication (IPC) between the client and authenticator. As a workaround, platform authenticators on Linux act as virtual USB HID devices utilizing uhid. However, extending this functionality to other platforms remains unexplored as I haven't had the opportunity to investigate the equivalent mechanisms elsewhere.

Browser Supported? Tested version Notes
Cromium 119.0.6045.159 (Official Build) Arch Linux (64-bit)
Brave Version 1.62.153 Chromium: 121.0.6167.85 (Official Build) (64-bit)
Firefox 122.0 (64-bit)
Opera version: 105.0.4970.16 chromium: 119.0.6045.159

Note

All tests were conducted using passkey for Github.

Important

Browsers running in sandboxed environments might not be able to communicate with the authenticator out of the box (e.g. when installing browsers with the Ubuntu App Center).

Features

  • Works with all services that support Passkeys.
  • Store your Passkeys (just a private key + related data) in a local, encrypted database.
  • Constant sign-counter, i.e. you can safely sync your credentials/passkeys between devices.

Important

With the release of version 0.5.0, PassKeeZ uses the KDBX format for storing credentials. The advantage of using KDBX is that you can manage your passkeys using KeePass or KeePassXC (PassKeeZ uses the same format for storing passkeys as KeePassXC). If you run into issues please open an issue.

Applications like password managers (a FIDO2 authenticator is just a fancy password manager that implements the CTAP2 spec) have to make a trade-off between confidentiality and availability. By supporting KDBX4, PassKeeZ is in a sweet-spot between those two aspects (this is of course my opinion). Users stay in full control over their credentials and can use existing applications like KeePass(XC) to manage credentials. Furthermore, we abstract away from the OS, i.e., even if someone has access to the device and can unlock it, the data stored within KDBX is still confidential (unless you use the same password for both your KDBX4 file and the user account). This is also the reason why PassKeeZ won't support biometrics. As biometrics are not suitable for deriving deterministic values (keys, seeds, etc.) one has to store the actual secret for "unlocking" the KDBX file somewhere indefinitely. This adds just unnecessary complexity.

Getting Started

To get started please visit the wiki.

Database Management

  • KDBX: You can manage your .kdbx database with KeePassXC or KeePass.
    • We recommend making regular backups of your KDBX database.

File synchronization

You can synchronize your database files using a service like Syncthing between your devices. This allows you to use the same Passkeys to login to your accounts on multiple devices.

Syncthing

Please see the Getting Started guide on how to setup Syncthing on your device. Make sure you also setup Syncthing to startup automatically, to prevent a situation where your databases are out of sync.

Contributing

Currently this application and the surrounding infrastructure is only maintained by me. One exception is the graphics library dvui I use for the frontend (zigenity).

If you find a bug or want to help out, feel free to either open a issue for one of the mentioned projects or write me a mail.

All contributions are welcome! Including:

  • Bug fixes
  • Documentation
  • New features
  • Support for other systems (linux distros, OSs, ...)
  • ...

QA

Should I use PassKeeZ?

This is totally up to you and probably depends on what you want to achieve.

If you're primarily interested in secure passkey-based authentication on the web and want to stay in control over your credentials, you could consider using PassKeeZ. PassKeeZ offers from my point of view a better user experience compared to KeePassXC, as one doesn't have to install additional browser plugins, while being compatible with all KeePass password managers, i.e., you can use PassKeeZ for passkey-based authentication and keep managing your credentials with your most favourite KDBX capable password manager (e.g., KeePass, KeePassXC, ...).

What is this project about?

FIDO2 stands as a dedicated authentication protocol crafted for diverse authentication needs. Whether employed as a standalone method, supplanting traditional password-based authentication, or as an additional layer of security, FIDO2 serves both purposes. The FIDO Alliance has actively advocated for the widespread adoption of this protocol for several years, with 2023 witnessing a substantial surge in its adoption. However, it's crucial to note that FIDO2 introduces a heightened level of complexity in comparison to conventional passwords. Notably, the use of roaming authenticators, such as YubiKey, can be a cost-intensive aspect.

Upon initiating the keylib project in October 2022, my primary objective was to develop a library empowering individuals to transform their own hardware, such as ESP32, into a functional authenticator. I believe I've achieved this goal successfully. However, during this process, I also recognized the evolving trend favoring hybrid/platform authenticators with discoverable credentials, now commonly marketed as Passkeys.

While traditional authenticators like YubiKeys provide robust protection against various attacks, they come with notable drawbacks. Their high cost, limited update/patching capabilities, and restricted storage for discoverable credentials (for instance, my YubiKey 5 supports around 25 credentials) underscore these challenges. Additionally, the inability to back up data, although enhancing confidentiality, poses availability concerns. The official solution offered for this predicament is surprisingly simple: "buy a second one."

Conversely, platform authenticators present a more flexible and cost-effective alternative. Unlike traditional counterparts, they can undergo regular updates and patches, akin to any software component. Furthermore, these authenticators permit the backup and secure sharing of credentials, leveraging an encrypted database within this project.

One key advantage lies in their cost-effectiveness, eliminating the need for additional hardware. When implemented with precision, platform authenticators can attain a commendable level of security, providing a compelling alternative to their more expensive counterparts.

The primary objective of this project is to furnish an alternative, keeping in mind that the term "alternative" is subjective, to existing commercial Passkey implementations.

What is FIDO2/ Passkey? Please read the QA of the [keylib](https://codeberg.org/r4gus/keylib) project.