
Feature Request: Support for Hardware Security Keys (YubiKey/FIDO2) in Vault Unlocking #407

@WhoIsDevelop

Description

What is changing?

I'd like to request support for hardware security keys (e.g., YubiKey) as an authentication method for unlocking vaults on Android, replacing or supplementing password/PIN/biometrics.

How will this impact users?

More secure ways to unlock encrypted storage.

Preferred implementation: FIDO2 with the PRF extension.
Use Android's WebAuthn API (Android 14+) to register a resident credential on a FIDO2 device. For unlocking, derive the vault's symmetric key from the PRF output: pass a fixed salt via getAssertion with the prf:eval extension, then expand the 32-byte result to an AES-256 key using HKDF. All operations are local; no network is required. This allows multiple keys for backup.
Simpler alternative: HMAC-SHA1 challenge-response.
The user configures a shared secret on the key. The app sends a random challenge via NFC/USB, verifies the response, and derives the unlocking key. This can be implemented with the yubikit-android library.
Optional: OpenPGP integration via OpenKeychain for asymmetric encryption of the master key.
This would enable passwordless unlocking with high security.
Any plans for similar features?
Thanks.

WebAuthn PRF Extension: https://w3c.github.io/webauthn/#prf-extension
YubiKey FIDO2 Documentation: https://developers.yubico.com/WebAuthn/
YubiKey Challenge-Response: https://developers.yubico.com/yubikey-manager/Challenge-Response_Configuration.html
yubikit-android: https://github.com/Yubico/yubikit-android
