Project Name: Nydia Passkey Holder – Chapter 3: Where Nydia Unlocks the Power of Touch
Project Lead: Oleh N.
Project Description
Nydia’s evolution unfolds in three acts:
2024 — Nydia launched as a decentralized passkey authenticator.
Chrome and Firefox gained seamless passkey storage and sync backed by the Sia network, removing vendor-ecosystem lock-in between browsers and their cloud services and shifting credentials from corporate servers to user-owned infrastructure.
2025 — If the first act was an escape, the second is a gathering of allies. Safari arrives, and passkeys flow across Chrome, Firefox, and Safari — powered by Sia.
Nydia also implemented support for the EdDSA (Ed25519) signature algorithm for passkeys, going further than what is currently available in most browser-extension authenticators. While most remain limited to ECDSA (ES256) and RSA (RS256), Ed25519 offers superior performance, smaller key sizes, and enhanced security.
Another critically important feature has been implemented: the onboarding process generates a unique 12-word BIP39 recovery phrase to encrypt passkeys before storing them on the Sia network.
This combination of decentralized storage and cutting-edge cryptography makes Nydia not just another authenticator, but a glimpse into the future of authentication.
2026 — Android has joined the group chat.
With this research and development initiative, Nydia brings passkey ownership to Android with a credential provider backed by the Sia network.
The Android Credential Provider Service lets third-party authenticators plug directly into Android’s native sign-in UI and present passkeys alongside platform options with no app switching. For the first time on Android, users can choose their passkey storage provider while keeping a fully integrated, one-tap experience. With Nydia, user-owned credentials feel as natural as the defaults, pairing control with ease of use.
Two key features distinguish Nydia’s Android release: borderless, cross-device QR sign-in and verifiable, tamper-evident registration provenance.
For universal accessibility, Nydia implements QR-based cross-device passkey sign-in, allowing users to sign in on a desktop or laptop by scanning a QR code with their Android phone. This FIDO2/WebAuthn-aligned passwordless flow generates the passkey assertion on the phone, while the desktop browser completes authentication — without storing or transferring keys to the client device, enabling secure use on shared computers, public workstations, and borrowed devices.
For registration provenance, Nydia implements Self Attestation — an attestation type that uses the packed attestation statement format, where each passkey proves the authenticity of the registration data and key possession by producing an attestation signature over that data with the private key generated during the registration ceremony. This creates a tamper-evident cryptographic binding between the registration parameters and the resulting credential, ensuring the server can verify, using the corresponding public key, that this credential originates from the user’s authenticator. This enhances auditability of registration, from challenge through credential creation. For Nydia, self attestation delivers verifiable passkey registration while preserving Nydia’s commitment to user privacy — each credential carries a self-signature as its own proof of authenticity.
Who benefits from your project?
Users: Android users gain full control over their passkey storage — choosing where credentials are stored and by whom. Beyond personal devices, QR-based cross-device authentication extends Nydia’s reach to anyone who needs secure access on untrusted hardware — whether signing in at a library computer, a colleague’s workstation, or a hotel business center. Passkeys remain accessible everywhere, without ever leaving the phone.
Developers: Nydia provides open-source building blocks for creating authentication applications:
-
Android Credential Provider Service scaffold — an implementation of Android’s Credential Provider API that serves as the integration layer between Android and third-party credential providers.
-
Nydia-Core — a FIDO2/CTAP2 authenticator library with support for Ed25519, ES256, RS256, and self attestation.
Together, these components turn a single application into a reusable toolkit.
How does the project serve the Foundation’s mission of user-owned data?
With Android support, Nydia brings passkey ownership to mobile devices.
Your keys. Your network. No vendor lock-in.
Who is the target user for your project?
Anyone who uses passkeys and wants portable credential recovery under their own control and secure QR-based authentication on untrusted hardware, without being locked into a single device, platform, or vendor.
Project Goals & Milestones
Note: For planning purposes, the timeline is based on a June 1, 2026 start date.
Milestone #1 (Due by 25 June 2026)
Create CredentialProviderService skeleton for Android 14.
- Make provider visible in Android system credential picker.
- Handle Credential Manager requests for
createCredentialandgetCredential. - Parse and display
PublicKeyCredentialCreationOptionsin the UI. - Parse and display
PublicKeyCredentialRequestOptionsin the UI. - Publish project on GitHub with clear build instructions.
- Create a demo video demonstrating provider in action.
Milestone #2 (Due by 25 July 2026)
Implement passkey creation across WebAuthn playgrounds and pilot apps with support for Ed25519, ES256, and RS256 signature algorithms.
- Implement passkey creation with support for Ed25519, ES256, and RS256.
- Implement a CBOR encoder for attestation objects and COSE keys.
- Implement authenticator data flags per the WebAuthn specification.
- Return authenticator attachment as part of the
PublicKeyCredential. - Support the credProps registration extension and return
rkin client extension results. - Implement transport hints for credentials.
- Implement self attestation support for passkey registration.
- Create a demo video demonstrating successful passkey registration.
Milestone #3 (Due by 25 August 2026)
Implement passkey authentication (assertion).
- Generate valid assertion signatures that pass relying party verification.
- Implement
allowCredentialsfiltering in the assertion flow. - Support usernameless assertion with client-side discoverable credentials.
- Create a demo video demonstrating successful authentication flow.
Milestone #4 (Due by 25 September 2026)
Integrate the Sia Storage SDK.
- Upload and delete passkeys per credential.
- Reconcile local and remote passkey state via bidirectional sync.
Milestone #5 (Due by 25 October 2026)
Design UI.
- Create UI displaying all saved passkeys.
- Add per-credential passkey backup UI.
- Track and display per-credential passkey sync status in the UI.
- Add UI for bidirectional sync of passkeys.
- Add a settings screen.
- Add in-app notifications.
- Add passkey deletion.
- Implement dark theme support.
Milestone #6 (Due by 25 November 2026)
Implement passkey encryption.
- Implement an onboarding walkthrough with seed phrase generation.
- Implement a login wizard with seed phrase recovery.
- Implement biometric authentication.
- Implement fallback to PIN/pattern when biometric authentication is unavailable.
Milestone #7 (Due by 25 December 2026)
Implement QR-based cross-device authentication and ensure compatibility across Android 14–17 platform versions.
- Implement QR-based cross-device passkey sign-in.
- Comprehensive testing across Android 14–17 to ensure compatibility.
- The first months will focus on Android 14 in daily development, but scheduled regression cycles will also run on 15–17 to watch for API changes, added features, or behavioral changes. If those newer releases surface platform-specific quirks, I’ll budget time within this milestone to address them so that Nydia remains feature-aligned across Android 14–17 without assuming breakage in advance.
- Test websites and applications including QR sign-in scenarios, using the FIDO Alliance Passkeys Directory as reference.
High-level architecture overview and security best practices
Components:
- Kotlin application layer: Android UI, Credential Provider service integration, passkey request flows, and backup/restore orchestration.
- Core layer: credential creation, assertion signing, COSE key encoding, and WebAuthn response serialization.
- Vault layer: a two-tier key model — BIP39 seed phrase for deterministic master-key recovery, device-local Android Keystore for biometric day-to-day unlock — with private passkey material encrypted in Room.
- Sia integration: the app uses the Sia Storage SDK to upload encrypted backups, manage object metadata, and restore backed-up passkeys.
Security practices:
- Passkeys are encrypted locally before being stored or backed up.
- The master key that protects passkeys is deterministically derived from the user’s BIP39 recovery phrase; recovery on a new device requires the same seed phrase.
- Android Keystore backs biometric unlock for day-to-day access.
- Sensitive key material is cleared from memory after use where possible.
- Backups contain encrypted credentials and non-secret recovery parameters only; Sia hosts and indexers never receive plaintext passkey material.
- The third-party dependency surface approaches zero.
Potential Risks
While Android 14+ allows third-party passkey managers to provide passkeys, certain OEM devices may lack support for this feature. This may result in limited availability of Nydia on some devices.
Supporting native Android applications via the Credential Manager API may require additional discovery, testing, and adaptation to app-specific behaviors (e.g., apps that integrate WebAuthn in nonstandard ways). If full implementation proves infeasible during the grant period, initial support will focus on browser-based use cases, with native app flows deferred to post-grant development.
Budget Justification
The project requests $56,000 to cover the developer fee over a 7-month research and development period. This budget reflects the substantial engineering complexity required to architect and launch a robust credential provider service for the Android ecosystem with comprehensive passkey support.
Beyond the Grant
One day, Nydia will be on the store shelves — and in users’ pockets.
Working on the previous grant taught me that, for a project of this complexity, committing to public release dates is a promise better not made lightly.
I prefer to frame this work as a research and development initiative — roughly 30% of the time is implementation, while the other 70% is spent studying, prototyping, and comparing approaches before choosing one. I’m drawn to frontier technologies, but as often happens with R&D, the road ahead isn’t always clear, and I’d rather be honest about that up front than overpromise a ship date.
But one thing doesn’t depend on timing: Nydia will always stay Sia-first.
The project is part of a long-term commitment to the Sia ecosystem — advancing decentralized, self-sovereign authentication built on the safest user-owned cloud storage.
Sia isn’t a phase Nydia will eventually outgrow.
Sia is the thread woven through every chapter, past and future ![]()
![]()
Are you a resident of any jurisdiction on that list? Will your payment bank account be located in any jurisdiction on that list?
No to both questions.
Will all of your project’s code be open-source?
Yes.
Where will the code be accessible for review?
Do you agree to submit monthly progress reports?
Yes.
Contact info
Email: [email protected]
Discord: new0ne