Skip to content

Passkeys: Set BE and BS flags to true#13042

Merged
phoerious merged 3 commits into
keepassxreboot:developfrom
varjolintu:fix/passkeys_set_be_flag_to_true
Mar 8, 2026
Merged

Passkeys: Set BE and BS flags to true#13042
phoerious merged 3 commits into
keepassxreboot:developfrom
varjolintu:fix/passkeys_set_be_flag_to_true

Conversation

@varjolintu

@varjolintu varjolintu commented Feb 7, 2026

Copy link
Copy Markdown
Member

To ensure compatibility with other password managers, the BE (backup eligibility) and BS (backup state) flags must be set to true. The relevant specification: https://www.w3.org/TR/webauthn-3/#backup-eligible

With new passkeys, new attributes KPEX_PASSKEY_FLAG_BE and KPEX_PASSKEY_FLAG_BS are written to entry attributes (with default values). During authentication, if those attributes are found, the values set are respected. Otherwise default values are used.

There's a chance that some passkeys will be invalidated after this fix. We should provide a warning to users in a blog post etc. When KeePassXC version including this change is released.

Testing strategy

Automatic tests updated.

Type of change

  • ✅ Bug fix (non-breaking change that fixes an issue)
@varjolintu varjolintu added this to the v2.7.12 milestone Feb 7, 2026
@varjolintu varjolintu added feature: Passkeys pr: bugfix Pull request fixes a bug labels Feb 7, 2026
@phoerious

Copy link
Copy Markdown
Member

Can't we store the flag inside KeePassXC? For new passkeys, we default to true, but when we use existing passkeys, we use whichever value is stored or false if there isn't any.

@varjolintu

Copy link
Copy Markdown
Member Author

Can't we store the flag inside KeePassXC? For new passkeys, we default to true, but when we use existing passkeys, we use whichever value is stored or false if there isn't any.

I'll try if that's possible to do. And I missed setting the default flag in BrowserPasskeys::buildAuthenticatorData().

@droidmonkey

Copy link
Copy Markdown
Member

Only problem with that is if other clients are not storing the flags then we would still flip flop the BE flag.

@phoerious

Copy link
Copy Markdown
Member

True, but since there's no official spec, everyone does kind of their own thing anyway.

@varjolintu

Copy link
Copy Markdown
Member Author

The only way to get this to work is to store the flags as a new attribute during register, as phoerious already suggested.

@phoerious

Copy link
Copy Markdown
Member

Since KeePassium is already doing that, I think that's the way to go. Wasn't aware of this issue (or forgot about it): keepassium/KeePassium#444

@varjolintu

Copy link
Copy Markdown
Member Author

Since KeePassium is already doing that, I think that's the way to go. Wasn't aware of this issue (or forgot about it): keepassium/KeePassium#444

I agree. We need to set BS flag true as well. I'm making the changes today.

@phoerious

Copy link
Copy Markdown
Member

If we default to true if it's not set, we could offer users a fallback if authentication fails.

@varjolintu varjolintu changed the title Passkeys: Set BE flag to true Passkeys: Set BE and BS flags to true Feb 10, 2026
@varjolintu

Copy link
Copy Markdown
Member Author

If we default to true if it's not set, we could offer users a fallback if authentication fails.

Made the core changes. Not sure how we should offer the possible fallback. The popup dialog could have an option "Ignore backup flags" but that will probably confuse a lot of users. Adding attributes manually with false values is also a bit cumbersome.

@phoerious

Copy link
Copy Markdown
Member

I guess it's fine, you can manually add those entries if needed. We should mention that in the changelog.

@phoerious phoerious added the pr:backport-pending Pull request to be backported label Feb 11, 2026
@varjolintu
varjolintu force-pushed the fix/passkeys_set_be_flag_to_true branch from 2aa53d7 to 8fcb29f Compare February 16, 2026 14:30
@droidmonkey
droidmonkey force-pushed the fix/passkeys_set_be_flag_to_true branch from 8fcb29f to f64a5e2 Compare March 7, 2026 03:37
@phoerious
phoerious force-pushed the fix/passkeys_set_be_flag_to_true branch from f64a5e2 to ea46b87 Compare March 8, 2026 11:03
@phoerious phoerious mentioned this pull request Mar 8, 2026
20 tasks
@phoerious
phoerious merged commit 1ce2ce9 into keepassxreboot:develop Mar 8, 2026
12 checks passed
@phoerious phoerious added pr: backported Pull request backported to previous release and removed pr:backport-pending Pull request to be backported labels Mar 8, 2026
@varjolintu
varjolintu deleted the fix/passkeys_set_be_flag_to_true branch March 8, 2026 13:07
phoerious pushed a commit that referenced this pull request Mar 8, 2026
Passkeys: Set BE flag to true

---------

Co-authored-by: varjolintu <sami.vanttinen@ahmala.org>
pull Bot pushed a commit to Andyworldclub/keepassxc that referenced this pull request Mar 8, 2026
Passkeys: Set BE flag to true

---------

Co-authored-by: varjolintu <sami.vanttinen@ahmala.org>
pull Bot pushed a commit to byxy77/keepassxc that referenced this pull request Mar 8, 2026
Passkeys: Set BE flag to true

---------

Co-authored-by: varjolintu <sami.vanttinen@ahmala.org>
@CzBiX

CzBiX commented Mar 9, 2026

Copy link
Copy Markdown

@varjolintu The current check expects true, but both KeePassDX and KeePassium use 1. We need to align this behavior or add compatibility for both.

@phoerious

phoerious commented Mar 9, 2026

Copy link
Copy Markdown
Member

Uh, this is annoying. I check the KeePassDX source code and "1" seems to be indeed the value they use, but String.toBoolean() would also convert "true" to true. https://github.com/Kunzisoft/KeePassDX/blob/60fea86e69ed9eeaaad2d163e68f4adfc3d1029d/database/src/main/java/com/kunzisoft/keepass/database/element/security/ProtectedString.kt#L78

This is where the conversion happens in KeePassium. I'm not entire sure, but this might also recognise "true". https://github.com/keepassium/KeePassium/blob/4dc000da761217d1f8fab7ac40c4195d7b2ff37b/KeePassiumLib/KeePassiumLib/db/passkey/Passkey.swift#L104

@keepassium could you shed light on this?

@droidmonkey

Copy link
Copy Markdown
Member

Not too late to use "1" instead of true

@varjolintu

Copy link
Copy Markdown
Member Author

Not too late to use "1" instead of true

Changed from "true" to "1". #13122

@keepassium

Copy link
Copy Markdown

@keepassium could you shed light on this?

It does expect a "1" and won't parse "true". The rationale was the relevant part of the specs refers to flags as numeric values.

@phoerious

phoerious commented Mar 9, 2026

Copy link
Copy Markdown
Member

Ok, thanks! We'll default to "1" also, but accept "true" as well.

phoerious pushed a commit that referenced this pull request Mar 10, 2026
Passkeys: Set BE flag to true

---------

Co-authored-by: varjolintu <sami.vanttinen@ahmala.org>
@physkets

Copy link
Copy Markdown

The notes of the latest release state that it MAY BREAK EXISTING PASSKEYS. What does that mean? Reading the comments here or those in the corresponding issue do not really clarify. The blog post states:

Important note about the new passkey flags: Previously, the BE and BS flags were hard-coded to false. We now default to true and store the values with the entry for new passkeys. This may break existing passkeys for which the flags were not stored, since the values are considered immutable. To fix this, users can add the following two string attributes to an entry (under “Advanced”): KPEX_PASSKEY_FLAG_BE=0 and KPEX_PASSKEY_FLAG_BS=0 to restore the previous behaviour.

Does that mean that these attributes are set to 1 even for existing passkeys?
I just tested my stored passkeys from Google and passkeys.io, and both of them continued to work.

@droidmonkey

droidmonkey commented Mar 15, 2026

Copy link
Copy Markdown
Member

keyword: MAY

We have no idea, because its on the server side to decide to accept or reject the passkey if the BE flag changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

feature: Passkeys high priority 🚨 pr: backported Pull request backported to previous release pr: bugfix Pull request fixes a bug

6 participants