Project Name: Nydia Passkey Holder — Chapter 3: Where Nydia Unlocks the Power of Touch
Project Lead: Oleh N.
Project Description
Nydia’s evolution unfolds in three acts:
2024 — Nydia launched as the first truly decentralized passkey authenticator.
Chrome and Firefox gained seamless passkey storage and sync backed by the Sia network, removing vendor-ecosystem lock-in between browsers and their cloud services and shifting credentials from corporate servers to user-owned infrastructure.
2025 — If the first act was an escape, the second is a gathering of allies. Safari arrives, and passkeys flow across Chrome, Firefox, and Safari — powered by Sia.
Nydia also accomplished what popular passkey managers haven’t: becoming the first browser-extension authenticator to support the EdDSA (Ed25519) signature algorithm for passkeys. While most browser-extension authenticators remain limited to ECDSA (ES256) and RSA (RS256) algorithms, Nydia embraces the future with Ed25519 — offering superior performance, smaller key sizes, and enhanced security.
Another critically important feature has been implemented: the onboarding process now generates a unique 12-word BIP39 recovery phrase to encrypt passkeys before storing them on the Sia network.
This combination of decentralized storage and cutting-edge cryptography makes Nydia not just another authenticator, but a glimpse into the future of authentication.
2026 — Android has joined the group chat.
With this research and development initiative, Nydia brings true passkey ownership to Android with a credential provider backed by the Sia network.
The Android Credential Provider Service lets third-party authenticators plug directly into Android’s native sign-in UI and present passkeys alongside platform options with no app switching. For the first time on Android, users can choose their passkey storage provider while keeping a fully integrated, one-tap experience. With Nydia, user-owned credentials feel as natural as the defaults — turning the usual “convenience vs. control” trade-off into convenience and control.
Two defining features elevate Nydia’s Android release: borderless, cross-device QR sign-in and verifiable, tamper-evident registration provenance.
For universal accessibility, Nydia implements QR-based cross-device passkey sign-in, allowing users to sign in on a desktop or laptop by scanning a QR code with their Android phone. This FIDO2/WebAuthn-aligned passwordless flow generates the passkey assertion on the phone, while the desktop browser completes authentication — without storing or transferring keys to the client device, enabling secure use on shared computers, public workstations, and borrowed devices.
For registration provenance, Nydia unveils Self Attestation — an attestation type implemented using the packed attestation statement format, where each passkey proves the authenticity of the registration data and key possession by producing an attestation signature over that data with the private key generated during the registration ceremony. This creates a tamper-evident cryptographic binding between the registration parameters and the resulting credential, ensuring the server can verify, using the corresponding public key, that this credential originates from the user’s authenticator. This enhances auditability of registration, from challenge through credential creation. For Nydia, self attestation delivers verifiable passkey registration while preserving Nydia’s commitment to user privacy — each credential carries a self-signature as its own proof of authenticity.
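The packed self-attestation check described above, as an added example that is not Nydia's code. It assumes Node.js, an Ed25519 credential, and a relying party that has already decoded the credential public key from the authenticator data; `makeSelfAttestation`, `verifySelfAttestation` and all sample values are constructed for illustration.

```javascript
const crypto = require("node:crypto");

const COSE_ALG_EDDSA = -8; // COSE algorithm identifier for EdDSA (Ed25519)
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Authenticator side: sign authenticatorData || SHA-256(clientDataJSON)
// with the private key created in this registration ceremony.
function makeSelfAttestation(authData, clientDataJSON, privateKey) {
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  const sig = crypto.sign(null, signed, privateKey);
  // No x5c certificate chain in attStmt: that absence marks self attestation.
  return { fmt: "packed", attStmt: { alg: COSE_ALG_EDDSA, sig } };
}

// Relying-party side: credPublicKey and credAlg are assumed to have been
// decoded already from the COSE key inside authData (CBOR parsing omitted).
function verifySelfAttestation(att, authData, clientDataJSON, credPublicKey, credAlg) {
  if (att.fmt !== "packed" || "x5c" in att.attStmt) return false; // not self attestation
  if (att.attStmt.alg !== credAlg) return false; // alg must match the credential key
  if (credAlg !== COSE_ALG_EDDSA) return false; // this sketch handles Ed25519 only
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify(null, signed, credPublicKey, att.attStmt.sig);
}

// Constructed sample ceremony (every value here is made up for the example).
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const authData = Buffer.concat([
    sha256("example.com"), // rpIdHash
    Buffer.from([0x45]),   // flags: UP | UV | AT
    Buffer.alloc(4),       // signCount = 0
    Buffer.from("constructed-attested-credential-data"), // placeholder bytes
  ]);
  const clientData = (challenge) => Buffer.from(JSON.stringify(
    { type: "webauthn.create", challenge, origin: "https://example.com" }));
  const att = makeSelfAttestation(authData, clientData("c2FtcGxl"), privateKey);
  const otherKey = crypto.generateKeyPairSync("ed25519").publicKey;
  const check = (cd, key, alg) => verifySelfAttestation(att, authData, cd, key, alg);
  return {
    valid: check(clientData("c2FtcGxl"), publicKey, COSE_ALG_EDDSA),
    swappedChallenge: check(clientData("b3RoZXI"), publicKey, COSE_ALG_EDDSA),
    wrongKey: check(clientData("c2FtcGxl"), otherKey, COSE_ALG_EDDSA),
    algMismatch: check(clientData("c2FtcGxl"), publicKey, -7), // -7 = ES256
  };
}

console.log(demo());
```

A valid result shows only that the registration data was signed by the credential's own private key; self attestation carries no certificate chain, so it says nothing about the authenticator's make or model.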
Who benefits from your project?
Users of the Nydia browser extensions will be able to synchronize passkeys across devices and browsers, with full portability via the Sia network. So will Android users, who can now finally decide where their passkeys are stored — and by whom.
Beyond personal devices, QR-based cross-device authentication extends Nydia’s reach to anyone who needs secure access on untrusted hardware — whether signing in at a library computer, a colleague’s workstation, or a hotel business center. Passkeys remain accessible everywhere, without ever leaving the phone.
How does the project serve the Foundation’s mission of user-owned data?
With Android support, Nydia makes passkey ownership truly universal.
Your keys. Your network. No vendor lock-in. Across browsers and Android.
Project Goals & Milestones
Note: For planning purposes, the timeline is based on an October 1, 2025 start date.
Milestone #1 (Due by April 2026)
- Develop CredentialProviderService for Android 14+
- Build passkey creation with support for Ed25519, ES256, and RS256
- Build CBOR encoder for attestation objects and COSE keys.
- Implement authenticator data flags per the WebAuthn specification.
- Return authenticator attachment as part of the PublicKeyCredential.
- Support the credProps registration extension and return rk in client extension results.
- Enable passkey authentication.
- Implement allowCredentials filtering in the assertion flow.
- Support usernameless assertion with client-side discoverable credentials.
- Implement transport hints for credentials.
- Implement self attestation support for passkey registration.
- Design user interface for passkey management.
- Add support for biometric and device credential authentication.
Milestone #2 (Due by July 2026)
- Implement per-credential passkey upload via renterd API
- Implement QR-based cross-device passkey sign-in.
- Implement event-driven background upload to renterd on local passkey updates (e.g., signCount increments) to keep local and renterd states consistent.
- Implement bidirectional passkey sync core via renterd API to reconcile local and remote passkey states.
- Create renterd settings UI with connection testing and proper settings validation.
- Implement per-credential passkey backup UI for Sia storage.
- Implement UI for bidirectional sync of passkeys.
- Implement in-app bucket creation via renterd API
- Implement per-credential passkey deletion via renterd API
- Track and display per-credential passkey sync status in the UI.
- Implement dark theme support with system preference detection.
- Add passkey encryption/decryption.
- Create 12-word BIP39 seed phrase generation and recovery logic.
- Develop onboarding UI flow featuring welcome screen, seed generation/restore choice, 12-word display grid, seed input validation with BIP39 dictionary check and error messaging.
- Enable cross-platform use of the same encrypted passkey set between Android and Nydia browser extensions.
- Determine handling for the scenario where a user enters an incorrect seed phrase and synchronizes passkeys: records are downloaded from the renterd server but remain undecryptable in the database. Research and define optimal approaches for handling this edge case. Define the most appropriate way to present this state to the user in the UI.
- Comprehensive compatibility testing and version adaptation, starting with the stable Android 14 credential provider foundation established in Milestone #1, then systematically examining API evolution through Android 15–16 to understand implementation improvements, feature expansions, and technical refinements introduced in subsequent platform releases.
- At the same time, though the primary scope of this grant is the Android implementation of Nydia, development of the browser extensions remains ongoing. If any attestation enhancements come up during Nydia-for-Android development, they’ll be added to the Chrome, Firefox, and Safari extensions as part of this milestone to maintain alignment across the ecosystem.
Clarification Note: A renterd endpoint is used to synchronize passkeys across devices via the Sia network — mirroring how Nydia’s browser extensions work today. As outlined in the “Who benefits from your project?” section, the Android implementation is meant to extend the existing Nydia workflow: users of the browser extensions can synchronize passkeys across Android devices and desktop browsers via the Sia network, while the app remains local-first and fully usable without sync. For users who already run a renterd node, the Android app simply extends that setup with an improved, mobile-friendly experience where tasks like bucket creation and passkey deletion via the renterd API are built into the app’s interface for a seamless user experience without needing to interact with the renterd dashboard. Over time, the browser extensions will adopt the same improved UX.
Potential Risks
While Android 14+ allows third-party passkey managers to provide passkeys, certain OEM devices may lack support for this feature. This may result in limited availability of Nydia on some devices.
Supporting native Android applications via the Credential Manager API may require additional discovery, testing, and adaptation to app-specific behaviors. If full implementation proves infeasible during the grant period, initial support will focus on browser-based use cases, with native app flows deferred to a future chapter.
Budget Justification
The project requests $72,000, disbursed in nine equal monthly installments of $8,000, of developer fees for the project author over a 9-month research and development period, acknowledging the substantial engineering complexity required to architect and launch a robust credential provider service for the Android ecosystem.
Are you a resident of any jurisdiction on that list? Will your payment bank account be located in any jurisdiction on that list?
No to both questions.
Will all of your project’s code be open-source?
Yes.
Where will the code be accessible for review?
Do you agree to submit monthly progress reports?
Yes.
Contact info
Email: [email protected]
Discord: new0ne