Overview
Support WebAuthn Passkeys for quick unlock and as a passkey authenticator.
Feature A: Quick Unlock with Passkey
Replace typing master password with a passkey tap (YubiKey / Face ID / fingerprint).
How it works:
- First setup: user enters master password + registers a passkey
- Passkey's PRF output encrypts the master password, stored locally
- Next time: tap passkey → PRF retrieves encrypted master password → auto-unlock
- Same security as typing the password, just faster
KDBX format unchanged — fully compatible with KeePass/KeePassXC.
Feature B: Store Website Passkeys
The browser extension acts as a passkey authenticator, storing credentials in KDBX.
Flow:
- User registers a passkey on a website → extension intercepts
navigator.credentials.create()
- Extension generates keypair, stores private key as a KDBX entry field
- User logs in → extension intercepts
navigator.credentials.get()
- Extension signs the challenge with stored private key, returns assertion
Technical Details
- WebAuthn PRF extension for key derivation
- KDBX4
KdbxCredentials challenge-response pattern
- Works with Touch ID, Face ID, Windows Hello, YubiKey
- Android PWA + Chrome/Edge desktop
References
Priority
Phase 2 — after Phase 1 foundation is complete.
Overview
Support WebAuthn Passkeys for quick unlock and as a passkey authenticator.
Feature A: Quick Unlock with Passkey
Replace typing master password with a passkey tap (YubiKey / Face ID / fingerprint).
How it works:
KDBX format unchanged — fully compatible with KeePass/KeePassXC.
Feature B: Store Website Passkeys
The browser extension acts as a passkey authenticator, storing credentials in KDBX.
Flow:
navigator.credentials.create()navigator.credentials.get()Technical Details
KdbxCredentialschallenge-response patternReferences
Priority
Phase 2 — after Phase 1 foundation is complete.