keepassxc/docs/topics/Passkeys.adoc

= KeePassXC – Passkeys
include::.sharedheader[]
:imagesdir: ../images

// tag::content[]
== Passkeys

Passkeys are a secure way for replacing passwords that is supported by all major browser vendors and an increasing number of websites. For more information on what passkeys are and how they work, please go to the FIDO Alliance's documentation: https://fidoalliance.org/passkeys/

=== Browser Passkey Support

KeePassXC supports passkeys directly through the Browser Integration service. Passkeys are only supported with the use of the KeePassXC Browser Extension and a properly connected database. To enable passkey support on the extension, you must check the _Enable Passkeys_ option in the extension settings page.

.Enable Passkey Support in the KeePassXC Browser Extension
image::passkeys_enable_from_extension.png[,75%]

Optionally, you can disable falling back to the built-in passkey support from your browser and operating system. If left enabled, the extension will show the default passkey dialogs if KeePassXC cannot handle the request or the request is canceled.

=== Create a New Passkey

Creating a new passkey and authenticating with it is a simple process. This workflow will be demonstrated using GitHub as an example site. Please note that GitHub allows two use cases for passkeys, one for 2FA only and the other for replacement of username and password entirely. We will be configuring the latter use case in this example.

After navigating to GitHub's _Settings_ -> _Password and authentication_, there is a separate section shown for passkeys.

.GitHub's Passkey Registration
image::passkeys_github_1.png[]

After clicking the _Add a passkey_ button, the user is redirected to another page showing the actual configuration option.

.Configure Passwordless Authentication
image::passkeys_github_2.png[,50%]

Clicking the _Add passkey_ button now shows the following popup dialog for the user, asking confirmation for creating a new passkey.

.Passkey Registration Confirmation Dialog
image::passkeys_register_dialog.png[,30%]

After the passkey has been registered, a new entry is created to the database under _KeePassXC-Browser Passwords_ with _(passkey)_  added to the entry title. The entry holds additional attributes that are used for authenticating the passkey.

After registration, GitHub will ask a name for the passkey. This is only relevant for the server.

.GitHub's Passkey Nickname
image::passkeys_github_3.png[,50%]

Now the passkey should be shown on the GitHub's passkey section.

.Registered Passkeys on GitHub
image::passkeys_github_4.png[]

=== Login With a Passkey

The passkey created in the previous section can now be used to login to GitHub. Instead of logging in with normal credentials, choose _Sign in with a passkey_ at the bottom of GitHub's login page.

.GitHub's login page with a Passkey option
image::passkeys_github_5.png[,50%]

After clicking the button, KeePassXC-Browser detects the passkeys authentication and KeePassXC shows the following dialog for confirmation.

.Passkey authentication confirmation dialog
image::passkeys_authentication_dialog.png[,50%]

After confirmation user is now authenticated and logged into GitHub.

// tag::advanced[]
=== Advanced Usage

==== Multiple Passkeys for a Site

Multiple passkeys can be created for a single site. When registering a new passkey with a different username, KeePassXC shows an option to register a new passkey or update the previous one. Updating a passkey will override the existing entry, so this option should be only used when actually needed.

.Passkey authentication confirmation dialog
image::passkeys_update_dialog.png[,50%]

==== Exporting Passkeys

All passkeys in a database can be viewed and accessed from the _Database_ -> _Passkeys..._ menu item. The page shows both _Import_ and _Export_ buttons for passkeys.

.Passkeys Overview
image::passkeys_all_passkeys.png[]

After selecting one or more entries, the following dialog is shown. One or multiple passkeys can be selected for export from the previously selected list of entries.

.Passkeys Export Dialog
image::passkeys_export_dialog.png[,65%]

Exported passkeys are stored in JSON format using the `.passkey` file extension. The file includes all relevant information for importing a passkey to another database or saving a backup. 

WARNING: The exported passkey file is unencrypted and should be securely stored.

==== Importing Passkeys

An exported passkey can be imported directly to a database or to an entry. To import directly, use the _Database_ -> _Import Passkey_ menu item.
When right-clicking an entry, a separate menu item for _Import Passkey_ is shown. This is useful if user wants to import a previously created passkey to an existing entry.

.Import Passkey to an Entry
image::passkeys_import_passkey_to_entry.png[,50%]

After selecting a passkey file to import, a separate dialog is shown where you can select which database, group, and entry to target. By default, the group is set to _Imported Passkeys_. The default action is to create a new entry that contains the imported passkey.

.Passkey import dialog
image::passkeys_import_dialog.png[,65%]

// end::advanced[]
// end::content[]