Passkey Backup Eligibility flag is always set to true

[droidmonkey]

Description
Howdy, KeePassXC lead developer here. We recently got a bug report that highlighted a deficiency in our passkey implementation. Looks like we both hard code the value of Backup Eligibility (BE) but do it differently. I noticed in your code that your authentication data is always set to true for all flags based on some bit logic:

KeePassium/KeePassiumLib/KeePassiumLib/db/passkey/Passkey.swift

Lines 286 to 290 in 4e24164

	let flags = AuthDataFlags.at
	| AuthDataFlags.uv
	| AuthDataFlags.up
	| AuthDataFlags.be
	| AuthDataFlags.bs

We need to introduce a new parameter in the advanced attributes to store the value of the Backup Eligibility, OR, we need to agree on which value to send to relying parties. This will cause problems if we all of a sudden switch this up on users as shown in the parent issue that started all this: pocket-id/pocket-id#397

How to reproduce
Steps to reproduce the behavior:

1. Create passkey in either KeePassXC or KeePassium
2. Try to use the passkey on a site being strict about BE with the other app
3. Login will fail

Expected behavior
We should have consistency with our BE flag by declaring its state at time of creation and storing that declaration.

[keepassium]

Hi @droidmonkey , thank you for reaching out.

I did not quite remember the rationale behind this flag combination, so the following is reconstructed from commit history and my notes.

In the initial commits, neither BE nor BS were present in that code. At the time, passkey registration either worked only on some sites or not at all. After some digging, I found the cause in the system log and added BE | BS along with this note to self:

Backup State (BS) flag is used off-label here.
There is no guarantee that the passkey was already saved and synced,
so by the specification BS flag SHOULD NOT be used.
But without it, iOS rejects the passkey and logs "AuthData is missing a required flag".

Basically, the BS flag was forced by Apple. After that, I believe the inclusion of BE was motivated by Table 2 of the specification. It describes BE=0 and BS=1 as "This combination is not allowed".

We need to introduce a new parameter in the advanced attributes to store the value of the Backup Eligibility, OR, we need to agree on which value to send to relying parties.

Maybe both? We can agree (subject to system's constraints) AND store shared assumptions in a new parameter. Moreover, maybe we could go a step beyond the Backup Eligibility and store the whole flags byte? This would:

• Make the assumptions explicit (for other apps, and in case the assumptions would transform over time)
• Simplify transition of existing passkeys (use the new parameter if present, otherwise follow original assumptions).
• If some app cannot respect stored flags combination for whatever reason, it would at least inform the user the passkey won't work.

I will need a couple of days to check whether iOS allows other combinations of BE and BS. It is possible that KeePassium won't have much flexibility here. Passkey registrations (and assertions) go through iOS' AutoFill framework and it has an opinionated validator…

[droidmonkey]

I am totally fine with hard coding BE to true and BS to true. Those are both technically accurate for keepass databases (especially those that are backed up). Will need to add a failsafe in the configuration to allow people to revert back to the old settings I suppose.

I like your idea of sticking to the original settings if no authentication flag state is defined. I don't like the authenticator data flags, they combine dynamic data like UV/UP and static data like BE/BS

[Bastian]

I will need a couple of days to check whether iOS allows other combinations of BE and BS.

@keepassium, have you had a chance to look into it?

[dim2kk]

struggling with the same issue here, just started using passkeys and don't really want to go to some other client or turn to "official" keychains because of that

[savely-krasovsky]

The problem could be easily observed on a demo instance of Pocket-ID which uses go-webauthn which strictly checks BE flag inconsistencies between creation and use: https://demo.pocket-id.org/start-demo

[keepassium]

I will need a couple of days weeks months (checks calendar) half a year to check whether iOS allows other combinations of BE and BS.

Yeah… Sorry about that.

The answer is: iOS does insist on both BE and BS to be set, both for registrations and assertions. All other combinations fail with a generic "NotAllowedError" in webauthn.me's debugger and a much more informative hint in Console.app (system log):

com.apple.AuthenticationServices Returned credential failed validation: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=14 "AuthData is missing a required flag." UserInfo={NSLocalizedFailureReason=AuthData is missing a required flag.}

BE	BS	iOS outcome
0	0	"Required flag missing"
0	1	(forbidden combination)
1	0	"Required flag missing"
1	1	Works

If we are all fine with storing these two flags (not the whole byte) explicitly for new registrations, I guess we just need to decide how to represent them. Maybe something along the lines of KPEX_PASSKEY_FLAG_BE / KPEX_PASSKEY_FLAG_BS with either 0 or 1 as values?

P.S. Also pinging Jérémy @J-Jamet, since KeePassDX defaults to BE=1 and BS=0 (but allows end-user customization).

[J-Jamet]

If we set all BE to 1 and BS to 1 by default , that's fine with me. As you said, I added settings directly into the Android app so that users can change the Backup Eligibility and Backup State on the fly to temporarily resolve the issue.
If we define these fields per entry for specific configurations, they should not be mandatory custom fields for older entries. Otherwise, the label is consistent with what already exists, so that's fine with me.