Skip to content

feat(passkey): passkey provider, passkey login and WebAuthn MFA (extension)#279

Open
brkfun wants to merge 1 commit into
passbolt:masterfrom
brkfun:feature/passkey-provider
Open

feat(passkey): passkey provider, passkey login and WebAuthn MFA (extension)#279
brkfun wants to merge 1 commit into
passbolt:masterfrom
brkfun:feature/passkey-provider

Conversation

@brkfun

@brkfun brkfun commented Jul 5, 2026

Copy link
Copy Markdown

Part of a coordinated set of 3 pull requests — passbolt_api, passbolt_styleguide and
passbolt_browser_extension — that together add first-class passkey / WebAuthn support to Passbolt,
one of the most frequently requested capabilities from the community. The three features are:

  1. Passkey provider — Passbolt acts as a WebAuthn authenticator for third-party websites
    (Dashlane / 1Password / Bitwarden style). Passkeys are created and stored inside the encrypted
    vault as a passkey resource type, offered inline via autofill (conditional mediation), and unlocked
    with the master passphrase or an optional PIN.
  2. Passkey login (passwordless) — a user can enrol a passkey to sign in to Passbolt without typing
    their passphrase. The passphrase keeps working as a fallback (a lost passkey never locks anyone
    out). Split-kit design: the client half never leaves the browser profile, the server half is only
    released after a valid assertion.
  3. Passkey as MFA — FIDO2 security keys as a second factor, alongside the existing
    TOTP / Yubikey / Duo providers.

The three repos must be deployed together. This PR is the browser extension.


This pull request is a (multiple allowed):

  • bug fix
  • change of existing behavior
  • new feature

Checklist

  • User stories are present (given, when, then format)
  • Unit tests are passing
  • Selenium tests are passing
  • Check style is not triggering new error or warning

What you did

Browser-extension implementation of the three passkey features above.

Passkey provider (Passbolt as a WebAuthn authenticator for third-party sites):

  • A MAIN-world page script overriding navigator.credentials.create()/get(), coexisting with the
    platform authenticator (delegates back on decline / cancel, Dashlane-style).
  • A software FIDO2 authenticator (WebCrypto, ES256) that signs assertions from vault-stored passkeys.
  • An in-page ceremony rendered like the quickaccess panel (theme-aware side panel), with a window
    fallback when a site CSP blocks the extension frame; searchable resource picker; passphrase / PIN
    unlock.
  • Autofill: on conditional mediation, our passkeys are offered inline when the user focuses the
    login field, racing the native autofill; whichever the user picks wins.

Passkey login (passwordless): controllers + events to enrol / sign-in, the split passphrase kit
(client half in IndexedDB per profile, server half from the API after a valid assertion) and a local
PIN service.

Passkey MFA: WebAuthn setup / verify wiring for the MFA provider.

User stories

  • Given a third-party site calling navigator.credentials.create, when the user confirms in the
    Passbolt ceremony, then a passkey is stored in the vault and returned to the site.
  • Given a site the user has a passkey for, when they focus the login field, then Passbolt
    offers that passkey inline; when the site narrows the request by username, then only the
    matching passkey is offered.
  • Given a profile with an enrolled passkey, when the user clicks "Sign in with a passkey",
    then the passphrase is recovered from the kit and GPGAuth completes — without typing it.

Tests

7 new Jest suites (66 tests) — the fido2 get controller (allowCredentials filtering), the passkey
enrol / login controllers, the passkey + fido2 event handlers, the PIN service and the passkey API
client. eslint src --max-warnings 0 clean.

…nsion)

Browser-extension implementation of three coordinated passkey features (see the passbolt_api and
passbolt_styleguide counterparts). Passkey / WebAuthn support is a long-standing community request.

- Passkey provider (Passbolt as a WebAuthn authenticator for third-party sites): a MAIN-world page
  script overriding navigator.credentials.create()/get() and coexisting with the platform authenticator
  (delegates back on decline/cancel), a WebCrypto FIDO2 software authenticator (ES256) signing
  assertions from vault-stored passkeys, a quickaccess-style in-page ceremony (theme-aware side panel,
  with a window fallback when a site CSP blocks the frame), and inline autofill on conditional mediation.
- Passkey login (passwordless): enrol/sign-in controllers + events and the split passphrase kit
  (client half in IndexedDB per profile, server half released by the API after a valid assertion) plus a
  local PIN service.
- Passkey MFA: WebAuthn setup/verify wiring for the MFA provider.

Includes 66 Jest tests; passes eslint (src --max-warnings 0).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant