Description
Please agree to the following
- I have searched existing issues for duplicates
- I agree to follow this project's Code of Conduct
Summary
Passwordless unlock by Passkey, Hardware Security Keys
Motivation
I'd like to request support for hardware security keys (e.g., YubiKey) as an authentication method for unlocking vaults on Android, replacing or supplementing password/PIN/biometrics.
Preferred implementation: FIDO2 with PRF extension.
Use Android's WebAuthn API (Android 14+) to register a resident credential on a FIDO2 device. For unlocking, derive the vault's symmetric key from the PRF output: pass a fixed salt via getAssertion with the prf:eval extension, then expand the 32-byte result to an AES-256 key using HKDF. All operations are local, no network required. Allows multiple keys for backup.
Considered Alternatives
Simpler alternative: HMAC-SHA1 challenge-response.
The user configures a shared secret on the key. The app sends a random challenge via NFC/USB, verifies the response, and derives the unlocking key. This can be implemented with the yubikit-android library.
Optional: OpenPGP integration via OpenKeychain for asymmetric encryption of the master key.
This would enable passwordless unlocking with high security.
Any plans for similar features?
Thanks.
Anything else?
WebAuthn PRF Extension: https://w3c.github.io/webauthn/#prf-extension
YubiKey FIDO2 Documentation: https://developers.yubico.com/WebAuthn/
YubiKey Challenge-Response: https://developers.yubico.com/yubikey-manager/Challenge-Response_Configuration.html
yubikit-android: https://github.com/Yubico/yubikit-android
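
The PRF-then-HKDF derivation requested above, as an added example that is not part of the original issue or the project's code. The authenticator is simulated in software, and `FIXED_SALT`, `VAULT_KEY_INFO`, `VAULT_ID` and the two key secrets are constructed, hypothetical values.

```python
import hashlib
import hmac

# All values below are constructed for this example (hypothetical names).
FIXED_SALT = b"example-vault-prf-salt-v1"        # app-chosen constant passed as prf eval input
VAULT_KEY_INFO = b"example-vault/unlock-key/v1"  # HKDF info label for domain separation
VAULT_ID = b"vault-0001"
KEY_A_SECRET = bytes(range(32))       # stands in for security key A's credential secret
KEY_B_SECRET = bytes(range(32, 64))   # stands in for backup key B's credential secret

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    if not 0 < length <= 255 * 32:
        raise ValueError("HKDF-SHA256 output must be 1..8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def simulated_prf(cred_secret, eval_input):
    """Stand-in for the authenticator. WebAuthn hashes the eval input with a
    fixed prefix; the authenticator then returns HMAC-SHA-256 over that value,
    keyed with a secret bound to the credential."""
    ctap_salt = hashlib.sha256(b"WebAuthn PRF\x00" + eval_input).digest()
    return hmac.new(cred_secret, ctap_salt, hashlib.sha256).digest()

def vault_unlock_key(prf_output, vault_id):
    """Expand the 32-byte PRF result into a 32-byte AES-256 key for one vault."""
    if len(prf_output) != 32:
        raise ValueError("expected a 32-byte PRF result")
    return hkdf_sha256(prf_output, salt=vault_id, info=VAULT_KEY_INFO, length=32)

if __name__ == "__main__":
    for name, secret in (("key A", KEY_A_SECRET), ("key B", KEY_B_SECRET)):
        key = vault_unlock_key(simulated_prf(secret, FIXED_SALT), VAULT_ID)
        print(name, key.hex())
```

Key A and key B derive different AES keys from the same salt, so unlocking one vault with either key means storing the vault key wrapped once per registered credential rather than using a derived key directly.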