Passkey support? #1281

Open
zuavra opened this issue Feb 21, 2024 · 4 comments
Labels
proposal A proposal for a new feature

zuavra commented Feb 21, 2024

Hi, I was wondering if Aegis has any plans to support passkeys. For example, going on https://www.passkeys.io/ and using the "Sign in with a passkey" button on a desktop browser you get a QR code popup. Would it be feasible for Aegis to scan that QR code like it does for TOTP codes and act as an authenticator for that passkey going forward? Thank you.

zuavra added the proposal label Feb 21, 2024

@Granddave (Contributor)

Hi @zuavra, passkeys use another form of technology based on asymmetric cryptography, which means that the two parties (i.e. the website and the authentication device) have to communicate directly. On a desktop it's usually a browser extension or the underlying OS that is acting as the client through the browser. In the case of Aegis, you make up the communication between the app and the website by reading the generated codes and writing them into the website.

Without speaking on behalf of the maintainers of Aegis, I wouldn't think adding support for passkeys is feasible or desirable, at least due to the technical limitations.
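
Added example (not part of the thread and not Aegis code): the difference described in the comment above, side by side. A TOTP code is six digits derived from a shared secret, which a person can relay by hand, while a passkey assertion is a signature over a server challenge and the browser-reported origin, following the WebAuthn signing layout. The key type (Ed25519), the `example.test` relying party and all function names are assumptions made for the illustration.

```javascript
// Added illustration; secrets, origins and names below are constructed.
const nodeCrypto = require('node:crypto');
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();

// TOTP (RFC 6238): site and app hold the same secret; the result is typed by hand.
function totp(secret, unixSeconds, digits = 6, step = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = nodeCrypto.createHmac('sha1', secret).update(counter).digest();
  const bin = mac.readUInt32BE(mac[19] & 0x0f) & 0x7fffffff; // dynamic truncation
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Authenticator side: sign authenticatorData || SHA-256(clientDataJSON).
function signAssertion(privateKey, rpId, origin, challenge, signCount) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const flagsAndCount = Buffer.alloc(5);
  flagsAndCount[0] = 0x05; // user present | user verified
  flagsAndCount.writeUInt32BE(signCount, 1);
  const authenticatorData = Buffer.concat([sha256(rpId), flagsAndCount]);
  const signature = nodeCrypto.sign(null,
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Website side: it stores only the public key and checks challenge and origin.
function verifyAssertion(publicKey, rpId, expectedOrigin, expectedChallenge, a) {
  const cd = JSON.parse(a.clientDataJSON.toString());
  if (cd.type !== 'webauthn.get' || cd.origin !== expectedOrigin) return false;
  if (cd.challenge !== expectedChallenge.toString('base64url')) return false;
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(rpId))) return false;
  return nodeCrypto.verify(null,
    Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]), publicKey, a.signature);
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const challenge = nodeCrypto.randomBytes(32); // fresh per sign-in, chosen by the site
  const good = signAssertion(privateKey, 'example.test', 'https://example.test', challenge, 1);
  const other = signAssertion(privateKey, 'example.test', 'https://other.test', challenge, 2);
  return {
    code: totp(Buffer.from('12345678901234567890'), 59), // RFC 6238 test secret
    ok: verifyAssertion(publicKey, 'example.test', 'https://example.test', challenge, good),
    wrongOrigin: verifyAssertion(publicKey, 'example.test', 'https://example.test', challenge, other),
    assertionBytes: good.clientDataJSON.length + good.authenticatorData.length + good.signature.length,
  };
}
```

The assertion runs to a couple of hundred bytes and depends on a challenge that changes with every sign-in, so it needs a software channel between the site and the authenticator rather than a person copying digits.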

@alexbakker (Member)

There isn't really a good way for Android apps to directly support Passkeys. The implementers of Passkeys in Android have tried very hard to force the OS into the authentication path as a core component.

Android 14 (and up) does allow delegating storage of Passkey private key material to a third-party app: https://developer.android.com/training/sign-in/credential-provider. We could consider implementing support for that in Aegis. The question is whether that should be considered in scope for Aegis, of course.

@naiyerasif

Passkey support should be more of a password manager's scope rather than Aegis since they can be set as autofill apps on Android and therefore can be used to sign in with Passkeys.

@alexbakker (Member)

Occupying the autofill service slot is not a requirement for an app to be a passkeys credential provider.
