[Feature] Store fido2 keys in KWallet

Add support for FIDO2 (aka Passkey) storage in KWallet.

Reason

GitHub now requires two-factor auth (2FA) for some accounts. The 2FA can be replaced with a passkey. Passkeys may be stored either on the current device or on a separate security device like a USB key or a phone.

As of now, Chromium does not allow me to store passkeys locally on my machine. It presents me with a single option: to use my phone to store the key. Chromium does support local passkey storage on macOS and Windows.

KWallet seems like a good place to introduce support for passkeys. It is already a password manager, so storing passkeys fits KWallet's purpose perfectly.

I wonder if KDE could provide support for local passkey storage via KWallet? I mean, I slightly doubt that KWallet is absolutely the best place to store passkeys. On the other hand, I could not imagine any other better place.

Digging on the Internet has not yielded any useful result on how I can store passkeys locally as of now.

Implementation considerations

KDE may employ the approach used by KeePassXC. It has a desktop application running with an encrypted database for keys. KeePassXC has a Browser Integration extension. The extension provides passkey local storage capability to a browser. The extension connects to a running KeePassXC instance to store or retrieve passkeys when a browser asks it to do so.

To mitigate the need for a browser extension, KDE may collaborate with freedesktop.org to update the Secret Service D-Bus specification. The update would include support for passkey-related endpoints. Such collaboration would widen passkey support on Linux by a lot. That is, not only KWallet would be able to operate on passkeys, but GNOME Keyring and other implementations of the Secret Service too.

Additional info

Operating System: Arch Linux
KDE Plasma Version: 6.1.4
KDE Frameworks Version: 6.5.0
Qt Version: 6.7.2
Kernel Version: 6.10.9-arch1-1 (64-bit)

P.S. While my system supports TPM 2, I am strongly against using it. I believe there should be a purely software way to store these keys with good security means.


I have two questions:

  1. What’s the reason for your opposition to TPM 2? I’m not sure whether it’s good or bad, but if you’re “strongly against” it, I figure you know more than I do!
  2. Is this related to #17614? (I think it must be.)