ente auth passkeys not in password managers...?

[golemusu]

Ente auth has passkey feature which seems pretty handy but until now it seems to be only app which I have that saves passkey somewhere else than password manager (google password manager, bitwarden, etc..). Is this some security decision/feature or unintended side effect?

If you want to see all of your passkeys in a list it makes it harder if some passkeys are not visible on same list. Also if you want to cloud sync passkeys it makes life harder. But if there is security reasoning for this then I can understand better.

[4rombusiness]

That's actually really important. Passkey feature is only useful when it's integrated in OS and when the OS is fully aware that 'Ente Auth' can handle Passkey API queries.

[tastyspacedragon]

Agreed.
A Passkey isn't a passkey unless it is both FIDO2 and discoverable. If it isn't discoverable, it isn't a passkey, its just FIDO2.

[golemusu]

What makes things weird that if you save ente "passkey" in iPhone it is visible in Apple Passwords. If you save one in android it is visible nowhere.

It appears that in IOS it becomes discoverable passkey (and thus true passkey?), but in android it becomes non-discovered?

I wonder how this happens, WebAuthn API has residentKey variable with 3 values, required (discoverable), preferred, discouraged (2FA). "preferred" is hybrid, could Ente maybe be using that...?

Or does Apple have some magic that it can list even non-discoverable passkeys and sync them to new devices?

If it is not discoverable in android there might be actually a pretty big risk here of losing access to Ente.

If I've not understood incorrectly a non-discoverable credential is erased during factory reset of device. Thus if you have set one in your phone and you don't have another one anywhere else and you reset your phone you could lose permanently access to Ente.

discoverable (D) and non-discoverable (ND) credentials have different security implications. With ND you can be sure (AFAIK) that the credential will never leave that device and it will erase in factory reset. With D they (typically) are cloud synced and you could delete it from password manager end.

I really don't know what is better as Ente is at top or close to top of trust chain where circular dependencies could also create risks of getting locked out of your accounts.

Nevertheless if it is non-discoverable credential this should be clearly visible and distinguished from discoverable credential.

Here are some change suggestions to the UI, what are your opinions...?

hamburgerMenu - security - Passkey --> hamburgerMenu - security - 2FA
Add passkey --> Add FIDO2 factor
"Passkeys are modern and secure..." --> "FIDO2 are modern and secure...."

Non-Discoverable FIDO2:
KEYICON --> KEYICON^ND

Non-Discoverable FIDO2:
KEYICON --> KEYICON^D OR KEYICON^PKEY