Project Name: Nydia Passkey Holder – Chapter 3: Where Nydia Unlocks the Power of Touch
Project Lead: Oleh N.
Project Description
Nydia’s evolution unfolds in three acts:
2024 — Nydia launched as a decentralized passkey authenticator.
Chrome and Firefox gained seamless passkey storage and sync backed by the Sia network, removing vendor-ecosystem lock-in between browsers and their cloud services and shifting credentials from corporate servers to user-owned infrastructure.
2025 — If the first act was an escape, the second is a gathering of allies. Safari arrives, and passkeys flow across Chrome, Firefox, and Safari — powered by Sia.
Nydia also implemented support for the EdDSA (Ed25519) signature algorithm for passkeys, going further than what is currently available in most browser-extension authenticators. While most remain limited to ECDSA (ES256) and RSA (RS256), Ed25519 offers superior performance, smaller key sizes, and enhanced security.
Another critically important feature has been implemented: the onboarding process generates a unique 12-word BIP39 recovery phrase to encrypt passkeys before storing them on the Sia network.
This combination of decentralized storage and cutting-edge cryptography makes Nydia not just another authenticator, but a glimpse into the future of authentication.
2026 — Android has joined the group chat.
With this research and development initiative, Nydia brings passkey ownership to Android with a credential provider backed by the Sia network.
The Android Credential Provider Service lets third-party authenticators plug directly into Android’s native sign-in UI and present passkeys alongside platform options with no app switching. For the first time on Android, users can choose their passkey storage provider while keeping a fully integrated, one-tap experience. With Nydia, user-owned credentials feel as natural as the defaults, pairing control with ease of use.
Two key features distinguish Nydia’s Android release: borderless, cross-device QR sign-in and verifiable, tamper-evident registration provenance.
For universal accessibility, Nydia implements QR-based cross-device passkey sign-in, allowing users to sign in on a desktop or laptop by scanning a QR code with their Android phone. This FIDO2/WebAuthn-aligned passwordless flow generates the passkey assertion on the phone, while the desktop browser completes authentication — without storing or transferring keys to the client device, enabling secure use on shared computers, public workstations, and borrowed devices.
For registration provenance, Nydia implements Self Attestation — an attestation type that uses the packed attestation statement format, where each passkey proves the authenticity of the registration data and key possession by producing an attestation signature over that data with the private key generated during the registration ceremony. This creates a tamper-evident cryptographic binding between the registration parameters and the resulting credential, ensuring the server can verify, using the corresponding public key, that this credential originates from the user’s authenticator. This enhances auditability of registration, from challenge through credential creation. For Nydia, self attestation delivers verifiable passkey registration while preserving Nydia’s commitment to user privacy — each credential carries a self-signature as its own proof of authenticity.
Who benefits from your project?
Users: Android users gain full control over their passkey storage — choosing where credentials are stored and by whom. Beyond personal devices, QR-based cross-device authentication extends Nydia’s reach to anyone who needs secure access on untrusted hardware — whether signing in at a library computer, a colleague’s workstation, or a hotel business center. Passkeys remain accessible everywhere, without ever leaving the phone.
Developers: Nydia provides open-source building blocks for creating authentication applications:
-
Android Credential Provider Service scaffold — an implementation of Android’s Credential Provider API that forms the integration layer between the Android OS and third-party password and passkey managers.
-
Nydia-Core — a FIDO2/CTAP2 authenticator library published on crates.io with support for Ed25519, ES256, RS256, and self attestation.
Together, these components turn a single application into a reusable toolkit.
How does the project serve the Foundation’s mission of user-owned data?
With Android support, Nydia brings passkey ownership to mobile devices.
Your keys. Your network. No vendor lock-in.
Project Goals & Milestones
Note: For planning purposes, the timeline is based on a December 1, 2025 start date.
Milestone #1 (Due by 25 December 2025)
Create CredentialProviderService skeleton for Android 14.
- Make provider visible in Android system credential picker.
- Handle Credential Manager requests for
createCredentialandgetCredential - Implement UI parsing and display of
PublicKeyCredentialCreationOptions - Implement UI parsing and display of
PublicKeyCredentialRequestOptions - Publish project on GitHub with clear build instructions.
- Create a demo video demonstrating provider in action.
Milestone #2 (Due by 25 January 2026)
Implement passkey creation across WebAuthn playgrounds and pilot apps with support for Ed25519, ES256, and RS256 signature algorithms.
- Implement passkey creation with support for Ed25519, ES256, and RS256
- Implement CBOR encoder for attestation objects and COSE keys.
- Implement authenticator data flags per the WebAuthn specification.
- Return authenticator attachment as part of the
PublicKeyCredential - Support the credProps registration extension and return
rkin client extension results. - Implement transport hints for credentials.
- Implement self attestation support for passkey registration.
- Create a demo video demonstrating successful passkey registration.
Milestone #3 (Due by 25 February 2026)
Implement passkey authentication (assertion).
- Generate valid assertion signatures that pass relying party verification.
- Implement
allowCredentialsfiltering in the assertion flow. - Support usernameless assertion with client-side discoverable credentials.
- Implement incrementing
signCountinauthenticatorData - Publish core authenticator logic as Nydia-Core library on crates.io
- Create a demo video demonstrating successful authentication flow.
Milestone #4 (Due by 25 March 2026)
Design UI.
- Create UI displaying all saved passkeys.
- Implement passkey deletion functionality.
- Implement dark theme support.
Milestone #5 (Due by 25 April 2026)
Integrate indexd.
- Implement per-credential passkey upload and deletion.
- Implement per-credential passkey backup UI.
- Track and display per-credential passkey sync status in the UI.
- Implement bidirectional passkey sync to reconcile local and remote passkey states.
- Implement UI for bidirectional sync of passkeys.
- Implement event-driven background upload using
indexdon local passkey updates (e.g., signCount increments) to keep local and remote states consistent.
Milestone #6 (Due by 25 May 2026)
Implement passkey encryption.
- Implement biometric authentication.
- Implement fallback to PIN/pattern when biometric unavailable.
Milestone #7 (Due by 25 June 2026)
Implement QR-based cross-device authentication and ensure compatibility across Android 14–16 platform versions.
- Implement QR-based cross-device passkey sign-in.
- Comprehensive testing across Android 14–16 to ensure compatibility.
- The first months will focus on Android 14 in daily development, but scheduled regression cycles will also run on 15-16 to watch for API changes, added features, or behavioral changes. If those newer releases surface platform-specific quirks, I’ll budget time within this milestone to address them so that Nydia remains feature-aligned across Android 14-16 without assuming breakage in advance.
- Test websites and applications including QR sign-in.
Potential Risks
While Android 14+ allows third-party passkey managers to provide passkeys, certain OEM devices may lack support for this feature. This may result in limited availability of Nydia on some devices.
Supporting native Android applications via the Credential Manager API may require additional discovery, testing, and adaptation to app-specific behaviors (e.g., apps that integrate WebAuthn in nonstandard ways). If full implementation proves infeasible during the grant period, initial support will focus on browser-based use cases, with native app flows deferred to post-grant development.
If the Sia SDK is not ready for integration by Milestone 5, the timeline will be adjusted: QR-based cross-device authentication (Milestone 7) will be pulled forward to replace Milestone 5, while the indexd integration, indexer testing, and Android 14–16 compatibility checks will resume once the SDK ships.
Budget Justification
The project requests $56,000 to cover the developer fee over a 7-month research and development period. This budget reflects the substantial engineering complexity required to architect and launch a robust credential provider service for the Android ecosystem with comprehensive passkey support.
Are you a resident of any jurisdiction on that list? Will your payment bank account be located in any jurisdiction on that list?
No to both questions.
Will all of your project’s code be open-source?
Yes.
Where will the code be accessible for review?
Do you agree to submit monthly progress reports?
Yes.
Contact info
Email: [email protected]
Discord: new0ne