KeePassXC Passkeys: Analysis of Sign-Ups and Logins

1. Introduction: KeePassXC Passkeys

2. Requirements for KeePassXCs Passkey-Supported Version

3. Our Testing Experience with KeePassXC Passkeys

4. Highlights of KeePassXC Passkeys

5. Areas for Improvement

6. User Interface Snapshots

    6.1 Managing Passkeys

    6.2 Creating A New Passkey

    6.3 Error Handling

    6.4 Logging in with a Passkey

    6.5 Error Messages and Fallback Options

7. What about KeePass Passkeys?

8. Conclusion: KeePassXC Passkeys

1. Introduction: KeePassXC Passkeys

KeePassXC developers recently announced their latest advancement: Help us test passkeys! We've just integrated passkey support in our next release branch. You can download a snapshot build and test it now. Support in our browser extension is already live." This significant update marks a pivotal moment in password management and user authentication.

2. Requirements for KeePassXCs Passkey-Supported Version

KeePassXC is known for its native clients across various platforms and continuous development. This includes comprehensive documentation and multilingual support. Its features are consistent across macOS, Linux, and Windows, with databases (.kdbx) easily transferable across these platforms via cloud services.

3. Our Testing Experience with KeePassXC Passkeys

We conducted a test using the snapshot build-235884 and examined passkey signup and login functionalities on passkeys.eu. Our focus was also on passkey synchronization across devices, successfully creating and using a passkey across Windows 11 23H2 and Windows 10 21H2 devices with Chrome 119.

4. Highlights of KeePassXC Passkeys

• Passkey Fallback Mechanism: When the KeePassXC passkey modal is closed or canceled, the browsers / devices default passkey modal jumps in seamlessly.
• Cross-Platform Support and Syncing: Syncing via your favorite cloud storage (in our test we used Microsoft OneDrive) enables easy cross-device use of passkeys which works the same way as currently available password synchronization.
• Modal Timer: A countdown timer indicates the passkey modal's availability duration.

5. Areas for Improvement

• Lack of Conditional UI: KeePassXC misses out on one of the key benefits of passkey technology - seamless, usernameless login. Other password managers have done better here minimizing the amount of clicks the user need to do to login.
• No Attestation: Without attestation, it's challenging for relying parties to confirm a passkey's authenticity within KeePassXC, potentially impacting user experience. Other password managers disclose the AAGUID in a meaningful way, so that relying parties can optimize the UX accordingly. Currently, when creating a new passkey and storing it in KeePassXC the AAGUID is set to 01020304-0506-0708-0102-030405060708 which might be a placeholder but passkeys.dev does not hold any more information (yet).
• Handling Pre-existing Passkeys: Issues arise with pre-existing passkeys in different ecosystems and then turning KeePassXCs browser extension on to handle all sorts of passkey authentication, leading to infinite loading issues without clear user guidance (in case KeePassXCs passkey fallback is not turned on).

KeePassXC, still in its snapshot build phase, may not offer the same level of UI/UX sophistication as some commercial counterparts (e.g. 1Password or Dashlane), but its rather technical audience generally appreciates the current offerings.

6. User Interface Snapshots

6.1 Managing Passkeys

Accessing all stored passkeys in KeePassXC works by clicking on Database > Passkeys which provides the following overview of all passkeys:

In the browser extension (here KeePassXC Chrome extension), theres a new section for passkeys:

6.2 Creating A New Passkey

When creating a new passkey, KeePassXC presents a modal allowing users to create a new account or update an existing passkey. Creating a new passkey adds an entry to the list of existing ones.

6.3 Error Handling

If a user attempts to reuse a username during a passkey creation, an error message appears in the browser's top-right corner, indicating the issue.

6.4 Logging in with a Passkey

The login modal demonstrates KeePassXC's fallback mechanism (a feature we havent seen so far in other password managers). If canceled, the devices / browser's passkey capabilities are leveraged. This feature also activates if a user manually deletes a local passkey in the manager.

Passkey fallback switched off:

Passkey (private key) deleted in password manager:

6.5 Error Messages and Fallback Options

Disabling the fallback option triggers an error message, ensuring users are aware of the current passkey status.

7. What about KeePass Passkeys?

KeePass' passkeys roll out is expected soon as well. We keep you posted about any upcoming developments for KeePass in the area of passkeys.

8. Conclusion: KeePassXC Passkeys

KeePassXC's integration of passkeys is a significant step forward, showcasing notable strengths in cross-platform synchronization and passkey fallback options. However, areas like Conditional UI and attestation could be optimized for a more seamless user experience. As KeePassXC evolves towards full passkey support in its stable version, its impact on user authentication remains promising.

For those who want to stay up-to-date around all things about passkeys, join our passkeys community on Slack or subscribe to our passkeys Substack for more in-depth analyses and updates, e.g. on KeePassXCs passkeys capabilities.