KeePassXC Passkeys: Analysis of Sign-Ups and Logins

Exploring KeePassXC's passkey support: Our analysis covers user experience, cross-device sync, and areas for improvement in KeePassXC & KeePass's passkeys.

Vincent Delitz

Created: November 21, 2023

Updated: March 25, 2026

Key Facts
  • Passkey fallback mechanism: When the KeePassXC modal is closed or canceled, the browser's native passkey modal activates seamlessly. This behavior was not observed in other password managers tested.
  • Cross-device sync: KeePassXC passkeys sync via cloud storage (tested with Microsoft OneDrive) across macOS, Linux and Windows, mirroring existing password synchronization workflows.
  • Conditional UI gap: KeePassXC lacks Conditional UI support, preventing usernameless login and requiring more clicks than competitors like 1Password or Dashlane.
  • AAGUID placeholder issue: KeePassXC assigns a placeholder AAGUID (01020304-0506-0708-0102-030405060708) with no attestation, blocking relying parties from confirming passkey authenticity or optimizing UX accordingly.

1. Introduction: KeePassXC Passkeys

KeePassXC developers recently announced their latest advancement: "Help us test passkeys! We've just integrated passkey support in our next release branch. You can download a snapshot build and test it now. Support in our browser extension is already live." This significant update marks a pivotal moment in password management and user authentication.

2. Requirements for KeePassXC's Passkey-Supported Version

KeePassXC is known for its native clients across various platforms and continuous development. This includes comprehensive documentation and multilingual support. Its features are consistent across macOS, Linux, and Windows, with databases (.kdbx) easily transferable across these platforms via cloud services.

3. Our Testing Experience with KeePassXC Passkeys

We conducted a test using the snapshot build-235884 and examined passkey signup and login functionalities on passkeys.eu. Our focus was also on passkey synchronization across devices, successfully creating and using a passkey across Windows 11 23H2 and Windows 10 21H2 devices with Chrome 119.

4. Highlights of KeePassXC Passkeys

  • Passkey Fallback Mechanism: When the KeePassXC passkey modal is closed or canceled, the browser's or device's default passkey modal jumps in seamlessly.
  • Cross-Platform Support and Syncing: Syncing via your favorite cloud storage (in our test we used Microsoft OneDrive) enables easy cross-device use of passkeys which works the same way as currently available password synchronization.
  • Modal Timer: A countdown timer indicates the passkey modal's availability duration.

5. Areas for Improvement

  • Lack of Conditional UI: KeePassXC misses out on one of the key benefits of passkey technology: seamless, usernameless login. Other password managers have done better here, minimizing the number of clicks the user needs to log in.
  • No Attestation: Without attestation, it's challenging for relying parties to confirm a passkey's authenticity within KeePassXC, potentially impacting user experience. Other password managers disclose the AAGUID in a meaningful way, so that relying parties can optimize the UX accordingly. Currently, when creating a new passkey and storing it in KeePassXC, the AAGUID is set to 01020304-0506-0708-0102-030405060708, which might be a placeholder, but passkeys.dev does not hold any more information (yet).
  • Handling Pre-existing Passkeys: Issues arise when passkeys already exist in other ecosystems and KeePassXC's browser extension is then turned on to handle all sorts of passkey authentication. This leads to infinite loading without clear user guidance (in case KeePassXC's passkey fallback is not turned on).

KeePassXC, still in its snapshot build phase, may not offer the same level of UI/UX sophistication as some commercial counterparts (e.g. 1Password or Dashlane), but its rather technical audience generally appreciates the current offerings.

6. User Interface Snapshots

6.1 Managing Passkeys

Accessing all stored passkeys in KeePassXC works by clicking on Database > Passkeys which provides the following overview of all passkeys:

In the browser extension (here the KeePassXC Chrome extension), there's a new section for passkeys:

6.2 Creating A New Passkey

When creating a new passkey, KeePassXC presents a modal allowing users to create a new account or update an existing passkey. Creating a new passkey adds an entry to the list of existing ones.

6.3 Error Handling

If a user attempts to reuse a username during a passkey creation, an error message appears in the browser's top-right corner, indicating the issue.

6.4 Logging in with a Passkey

The login modal demonstrates KeePassXC's fallback mechanism (a feature we haven't seen so far in other password managers). If canceled, the device's or browser's passkey capabilities are leveraged. This feature also activates if a user manually deletes a local passkey in the manager.

Passkey fallback switched off:

Passkey (private key) deleted in password manager:

6.5 Error Messages and Fallback Options

Disabling the fallback option triggers an error message, ensuring users are aware of the current passkey status.

7. What about KeePass Passkeys?

KeePass's passkey rollout is expected soon as well. We will keep you posted about any upcoming developments for KeePass in the area of passkeys.

8. Conclusion: KeePassXC Passkeys

KeePassXC's integration of passkeys is a significant step forward, showcasing notable strengths in cross-platform synchronization and passkey fallback options. However, areas like Conditional UI and attestation could be optimized for a more seamless user experience. As KeePassXC evolves towards full passkey support in its stable version, its impact on user authentication remains promising.

For those who want to stay up to date on all things passkeys, join our passkeys community on Slack or subscribe to our passkeys Substack for more in-depth analyses and updates, e.g. on KeePassXC's passkey capabilities.

Frequently Asked Questions

What happens in KeePassXC if I cancel the passkey modal or delete a stored passkey?

KeePassXC includes a fallback mechanism that automatically invokes the browser or device's native passkey capabilities when the KeePassXC modal is dismissed or a passkey is manually deleted. However, if the fallback option is disabled in settings, an error message is shown instead, leaving the user without a login path.

How do KeePassXC passkeys work across multiple devices?

KeePassXC passkeys are stored in a .kdbx database file that can be synced across devices using any cloud storage provider, such as Microsoft OneDrive. This approach was tested across Windows 11 23H2 and Windows 10 21H2 with Chrome 119 and worked the same way as standard password synchronization in KeePassXC.

Why does KeePassXC's passkey implementation lack attestation and what does that mean for my app?

KeePassXC currently does not provide attestation and sets a placeholder AAGUID, which means relying parties cannot verify the authenticator type or tailor the user experience based on the credential source. Other password managers disclose a meaningful AAGUID, allowing relying parties to optimize registration and login flows accordingly.
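
As an added example (not code from KeePassXC or from this article's authors), the sketch below shows how a relying party can read the AAGUID out of a registration response's authenticator data and recognize the placeholder value described in the "No Attestation" item and in this answer. The function names and the `knownProviders` map are assumptions made for illustration; the byte layout is the one WebAuthn defines for authenticator data.

```javascript
// AAGUID the article saw on passkeys created in the KeePassXC snapshot build.
const PLACEHOLDER_AAGUID = "01020304-0506-0708-0102-030405060708";
const ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"; // carries no provider info
const FLAG_AT = 0x40; // "attested credential data included" bit

function formatAaguid(bytes) {
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
          hex.slice(16, 20), hex.slice(20)].join("-");
}

// authData layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) |
// credIdLen(2) | credId | COSE public key (not parsed here).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const out = { flags: authData[32], signCount: view.getUint32(33),
                aaguid: null, credentialId: null };
  if (!(out.flags & FLAG_AT)) return out; // login assertions carry no AAGUID
  if (authData.length < 55) throw new Error("truncated attested credential data");
  const idLen = view.getUint16(53); // big-endian length of the credential ID
  if (authData.length < 55 + idLen) throw new Error("credential ID overruns buffer");
  out.aaguid = formatAaguid(authData.subarray(37, 53));
  out.credentialId = authData.subarray(55, 55 + idLen);
  return out;
}

// knownProviders (hypothetical): Map of AAGUID -> display name kept by the relying party.
function classifyAaguid(parsed, knownProviders = new Map()) {
  if (parsed.aaguid === null) return "no-attested-credential-data";
  if (parsed.aaguid === ZERO_AAGUID) return "zeroed";
  if (parsed.aaguid === PLACEHOLDER_AAGUID) return "placeholder";
  return knownProviders.get(parsed.aaguid) ?? "unknown";
}

// Constructed sample: zero rpIdHash, flags UP|UV|AT, 4-byte credential ID.
function buildSample(aaguidHex, flags = 0x45) {
  const aaguid = aaguidHex.match(/../g).map((h) => parseInt(h, 16));
  return Uint8Array.from([...new Array(32).fill(0), flags, 0, 0, 0, 0,
                          ...aaguid, 0, 4, 0xde, 0xad, 0xbe, 0xef]);
}

const sample = parseAuthData(buildSample("01020304050607080102030405060708"));
console.log(sample.aaguid, "->", classifyAaguid(sample));
```

Because no attestation accompanies the credential, the AAGUID is self-reported: treat the result as a UX hint (for example, which provider name to show next to the passkey), not as proof of where the key is stored.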

Is KeePassXC's passkey support ready for production use?

At the time of this analysis, KeePassXC passkey support was available only in a snapshot build, not a stable release. Known gaps include missing Conditional UI, no attestation and potential infinite loading issues when the extension intercepts pre-existing passkeys from other ecosystems without fallback enabled.
