PM-7746 Added specific validation messages for (non) privileged apps validation on Fido2 flows. Also fixed typo on "privileged" and updated UT

* PM-7553 Fix native apps passkeys autofill and creation

* PM-7658 Implemented Fido2 priviliged apps verification

* PM-7576 Implemented digital asset links verification on Fido2 flows for native apps.

* PM-7576 Renamed to ValidateAssetLinksAndGetOriginAsync to go along with Google naming and also changed method to private given that public is not necessary

* PM-7576 Moved digital asset links verification to a Core service AssetLinksService and added unit tests for it.

.github/CODEOWNERS

@@ -21,7 +21,6 @@ src/App/Platforms/iOS/Info.plist
 
 ## Platform team files ##
 appIcons @bitwarden/team-platform-dev
-build.cake @bitwarden/team-platform-dev
 
 ## Vault team files ##
 src/watchOS @bitwarden/team-vault-dev
@@ -30,14 +29,14 @@ src/watchOS @bitwarden/team-vault-dev
 src/Core/Services/EmailForwarders @bitwarden/team-tools-dev
 
 ## Crowdin Sync files ##
-src/App/Resources @bitwarden/team-tools-dev
+src/Core/Resources/Localization @bitwarden/team-tools-dev
 src/watchOS/bitwarden/bitwarden\ WatchKit\ Extension/Localization @bitwarden/team-tools-dev
 store/apple @bitwarden/team-tools-dev
 store/google @bitwarden/team-tools-dev
 
 ## Locales ## 
-src/App/Resources/AppResources.Designer.cs
-src/App/Resources/AppResources.resx
+src/Core/Resources/Localization/AppResources.Designer.cs
+src/Core/Resources/Localization/AppResources.resx
 src/watchOS/bitwarden/bitwarden\ WatchKit\ Extension/Localization/en.lproj
 store/apple/en
 store/google/en

.github/secrets/google-services.json.gpg

@@ -1,3 +0,0 @@
-<EFBFBD>
-	K<>Y#<23>(<28><><EFBFBD><EFBFBD>
EI֐߄T?)l<><6C><EFBFBD><18><><10>"=<3D>|<7C>'e<><0E>m<EFBFBD>/~<7E><>'F<><46>><3E><><EFBFBD><EFBFBD>l<EFBFBD>b<EFBFBD>[<5B>+R<><52>iL<69><4C>"<22><><EFBFBD>~V:<3A><>p<EFBFBD>a<17>ڵel%8t<38><74>튖<EFBFBD>y<<3C>n<EFBFBD><6E><EFBFBD>aU<61>w<16>JD<4A><44><1F><>We<57>9<EFBFBD><39><EFBFBD><EFBFBD><x8d<38>O<EFBFBD>j\<14>ד<EFBFBD><D793><EFBFBD>Vq<56><71>֋
-Ǻ<EFBFBD>-<2D>#<23><><11><>]$<24>(<28>l,<2C>Br<42><02><>d<><64><EFBFBD>•a-<2D><><EFBFBD>:<3A><>:<3A><04>9b,!Em<02><19><>Qf<>D<EFBFBD>g<EFBFBD><06><0E>x(P<>ȡ~<7E>͹<EFBFBD><CDB9>	<09><>[<06><>!:<3A>;f<><66>

.github/workflows/build-beta.yml

@@ -0,0 +1,350 @@
+---
+name: Build Beta
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'Branch or tag to build'
+        required: true
+        default: 'main'
+        type: string
+
+env:
+  main_app_folder_path: src/App
+  main_app_project_path: src/App/App.csproj
+  target-net-version: net8.0
+
+jobs:
+  setup:
+    name: Setup
+    runs-on: ubuntu-22.04
+    outputs:
+      rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }}
+      hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          submodules: 'true'
+
+      - name: Check if special branches exist
+        id: branch-check
+        run: |
+          if [[ $(git ls-remote --heads origin rc) ]]; then
+            echo "rc_branch_exists=1" >> $GITHUB_OUTPUT
+          else
+            echo "rc_branch_exists=0" >> $GITHUB_OUTPUT
+          fi
+
+          if [[ $(git ls-remote --heads origin hotfix-rc) ]]; then
+            echo "hotfix_branch_exists=1" >> $GITHUB_OUTPUT
+          else
+            echo "hotfix_branch_exists=0" >> $GITHUB_OUTPUT
+          fi
+
+  ios:
+    name: Apple iOS
+    runs-on: macos-13
+    needs: setup
+    env:
+      ios_folder_path: src/App/Platforms/iOS
+      app_output_name: App
+      app_ci_output_filename: App_x64_Debug
+    steps:
+      - name: Set XCode version
+        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
+        with:
+          xcode-version: 15.1
+
+      - name: Setup NuGet
+        uses: nuget/setup-nuget@296fd3ccf8528660c91106efefe2364482f86d6f # v1.2.0
+        with:
+          nuget-version: 6.4.0
+      
+      - name: Set up .NET
+        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
+        with:
+          dotnet-version: '8.0.x'
+  
+      # This step might be obsolete at some point as .NET MAUI workloads 
+      # are starting to come pre-installed on the GH Actions build agents.
+      - name: Install MAUI Workload
+        run: dotnet workload install maui --ignore-failed-sources
+
+      - name: Print environment
+        run: |
+          nuget help | grep Version
+          dotnet --info
+          echo "GitHub ref: $GITHUB_REF"
+          echo "GitHub event: $GITHUB_EVENT"
+
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.ref }}
+          submodules: 'true'
+
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "appcenter-ios-token"
+
+      - name: Download Provisioning Profiles secrets
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: profiles
+        run: |
+          mkdir -p $HOME/secrets
+          profiles=(
+              "dist_beta_autofill.mobileprovision"
+              "dist_beta_bitwarden.mobileprovision"
+              "dist_beta_extension.mobileprovision"
+              "dist_beta_share_extension.mobileprovision"
+              "dist_beta_bitwarden_watch_app.mobileprovision"
+              "dist_beta_bitwarden_watch_app_extension.mobileprovision"
+          )
+
+          for FILE in "${profiles[@]}"
+          do
+            az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+              --file $HOME/secrets/$FILE --output none
+          done
+
+      - name: Download Google Services secret
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
+          FILE: GoogleService-Info.plist
+        run: |
+          mkdir -p $HOME/secrets
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+            --file $HOME/secrets/$FILE --output none
+
+      - name: Increment version
+        run: |
+          BUILD_NUMBER=$((100 + $GITHUB_RUN_NUMBER))
+          echo "##### Setting CFBundleVersion $BUILD_NUMBER"
+
+          echo "### CFBundleVersion $BUILD_NUMBER" >> $GITHUB_STEP_SUMMARY
+
+          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./${{ env.ios_folder_path }}/Info.plist
+          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Extension/Info.plist
+          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Autofill/Info.plist
+          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.ShareExtension/Info.plist
+          cd src/watchOS/bitwarden
+          agvtool new-version -all  $BUILD_NUMBER
+
+      - name: Update Entitlements
+        run: |
+          echo "##### Updating Entitlements"
+          perl -0777 -pi.bak -e 's/<key>aps-environment<\/key>\s*<string>development<\/string>/<key>aps-environment<\/key>\n\t<string>beta<\/string>/' ./${{ env.ios_folder_path }}/Entitlements.plist
+
+      - name: Get certificates
+        run: |
+          mkdir -p $HOME/certificates
+          az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/ios-distribution |
+            jq -r .value | base64 -d > $HOME/certificates/ios-distribution.p12
+
+      - name: Set up Keychain
+        env:
+          KEYCHAIN_PASSWORD: ${{ secrets.IOS_KEYCHAIN_PASSWORD }}
+          MOBILE_KEY_PASSWORD: ${{ secrets.IOS_KEY_PASSWORD }}
+          DIST_CERT_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }}
+        run: |
+          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security set-keychain-settings -lut 1200 build.keychain
+
+          security import $HOME/certificates/ios-distribution.p12 -k build.keychain -P "" -T /usr/bin/codesign \
+            -T /usr/bin/security
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
+
+      - name: Set up provisioning profiles
+        run: |
+          AUTOFILL_PROFILE_PATH=$HOME/secrets/dist_beta_autofill.mobileprovision
+          BITWARDEN_PROFILE_PATH=$HOME/secrets/dist_beta_bitwarden.mobileprovision
+          EXTENSION_PROFILE_PATH=$HOME/secrets/dist_beta_extension.mobileprovision
+          SHARE_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_beta_share_extension.mobileprovision
+          WATCH_APP_PROFILE_PATH=$HOME/secrets/dist_beta_bitwarden_watch_app.mobileprovision
+          WATCH_APP_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_beta_bitwarden_watch_app_extension.mobileprovision
+          PROFILES_DIR_PATH=$HOME/Library/MobileDevice/Provisioning\ Profiles
+
+          mkdir -p "$PROFILES_DIR_PATH"
+
+          AUTOFILL_UUID=$(grep UUID -A1 -a $AUTOFILL_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
+          cp $AUTOFILL_PROFILE_PATH "$PROFILES_DIR_PATH/$AUTOFILL_UUID.mobileprovision"
+
+          BITWARDEN_UUID=$(grep UUID -A1 -a $BITWARDEN_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
+          cp $BITWARDEN_PROFILE_PATH "$PROFILES_DIR_PATH/$BITWARDEN_UUID.mobileprovision"
+
+          EXTENSION_UUID=$(grep UUID -A1 -a $EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
+          cp $EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$EXTENSION_UUID.mobileprovision"
+
+          SHARE_EXTENSION_UUID=$(grep UUID -A1 -a $SHARE_EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
+          cp $SHARE_EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$SHARE_EXTENSION_UUID.mobileprovision"
+
+          WATCH_APP_UUID=$(grep UUID -A1 -a $WATCH_APP_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
+          cp $WATCH_APP_PROFILE_PATH "$PROFILES_DIR_PATH/$WATCH_APP_UUID.mobileprovision"
+
+          WATCH_APP_EXTENSION_UUID=$(grep UUID -A1 -a $WATCH_APP_EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
+          cp $WATCH_APP_EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$WATCH_APP_EXTENSION_UUID.mobileprovision"
+
+      - name: Restore packages
+        run: |
+          dotnet restore
+          dotnet tool restore
+
+      - name: Setup iOS build CAKE (Testing)
+        run: dotnet cake build.cake --target iOS --variant beta
+
+      - name: Bulid WatchApp
+        run: |
+          echo "##### Build WatchApp with Release Configuration"
+          xcodebuild archive -workspace ./src/watchOS/bitwarden/bitwarden.xcodeproj/project.xcworkspace -configuration Release -scheme bitwarden\ WatchKit\ App -archivePath ./src/watchOS/bitwarden
+
+          echo "##### Done"
+
+      - name: Archive Build for App Store
+        shell: pwsh
+        run: |
+          Write-Output "##### Archive for Release ios-arm64"
+          dotnet publish ${{ env.main_app_project_path }} -c Release -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=ios-arm64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false
+
+          Write-Output "##### Done"
+
+      - name: Archive Build for Mobile Automation
+        shell: pwsh
+        run: |
+          Write-Output "##### Archive Debug for iossimulator-x64"
+          dotnet build ${{ env.main_app_project_path }} -c Debug -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=iossimulator-x64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false
+
+          Write-Output "##### Done"
+          ls ~/Library/Developer/Xcode/Archives
+          
+      - name: Export .ipa for App Store
+        env:
+          EXPORT_OPTIONS_PATH: ./.github/resources/export-options-app-store.plist
+          EXPORT_PATH: ./bitwarden-export
+        run: |
+          ARCHIVE_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive"
+
+          xcodebuild -exportArchive -archivePath $ARCHIVE_PATH -exportPath $EXPORT_PATH \
+            -exportOptionsPlist $EXPORT_OPTIONS_PATH
+
+      - name: Export .app for Automation CI
+        env:
+          ARCHIVE_PATH: ./${{ env.main_app_folder_path }}/bin/Debug/${{ env.target-net-version }}-ios/iossimulator-x64
+          EXPORT_PATH: ./bitwarden-export
+        run: |
+          zip -r -q ${{ env.app_ci_output_filename }}.app.zip $ARCHIVE_PATH
+          mv ${{ env.app_ci_output_filename }}.app.zip $EXPORT_PATH
+
+      - name: Show Bitwarden Export
+        shell: bash
+        run:  ls -a -R ./bitwarden-export
+
+      - name: Copy all dSYMs files to upload
+        env:
+          EXPORT_PATH: ./bitwarden-export
+          WATCH_ARCHIVE_DSYMS_PATH: ./src/watchOS/bitwarden.xcarchive/dSYMs/
+          WATCH_DSYMS_EXPORT_PATH: ./bitwarden-export/Watch_dSYMs
+        run: |
+          ARCHIVE_DSYMS_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive/dSYMs"
+
+          cp -r -v $ARCHIVE_DSYMS_PATH $EXPORT_PATH
+          mkdir $WATCH_DSYMS_EXPORT_PATH
+          cp -r -v $WATCH_ARCHIVE_DSYMS_PATH $WATCH_DSYMS_EXPORT_PATH
+
+      - name: Upload App Store .ipa & dSYMs artifacts
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: Bitwarden iOS
+          path: |
+            ./bitwarden-export/Bitwarden*.ipa
+            ./bitwarden-export/dSYMs/*.*
+          if-no-files-found: error
+
+      - name: Upload .app file for Automation CI
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: ${{ env.app_ci_output_filename }}.app.zip
+          path: ./bitwarden-export/${{ env.app_ci_output_filename }}.app.zip
+          if-no-files-found: error
+
+      - name: Install AppCenter CLI
+        run: npm install -g appcenter-cli
+
+      - name: Upload dSYMs to App Center
+        env:
+          APPCENTER_IOS_TOKEN: ${{ steps.retrieve-secrets.outputs.appcenter-ios-token }}
+        run: appcenter crashes upload-symbols -a bitwarden/bitwarden -s "./bitwarden-export/dSYMs" --token $APPCENTER_IOS_TOKEN
+
+      - name: Upload Watch dSYMs to Firebase Crashlytics
+        run: |
+          echo "##### Uploading Watch dSYMs to Firebase"
+          find "$HOME/Library/Developer/XCode/DerivedData" -name "upload-symbols" -exec chmod +x {} \; -exec {} -gsp "./src/watchOS/bitwarden/GoogleService-Info.plist" -p ios "./bitwarden-export/Watch_dSYMs" \;
+
+      - name: Validate app in App Store
+        env:
+          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+        run: |
+          xcrun altool --validate-app --type ios --file "./bitwarden-export/Bitwarden Beta.ipa" \
+              --username "$APPLE_ID_USERNAME" --password "$APPLE_ID_PASSWORD"
+        shell: bash
+
+      - name: Deploy to App Store
+        env:
+          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+        run: |
+          xcrun altool --upload-app --type ios --file "./bitwarden-export/Bitwarden Beta.ipa" \
+              --username "$APPLE_ID_USERNAME" --password "$APPLE_ID_PASSWORD"
+
+  check-failures:
+    name: Check for failures
+    if: always()
+    runs-on: ubuntu-22.04
+    needs:
+      - setup
+      - ios
+    steps:
+      - name: Check if any job failed
+        if: |
+          (github.ref == 'refs/heads/main'
+          || github.ref == 'refs/heads/rc'
+          || github.ref == 'refs/heads/hotfix-rc')
+          && contains(needs.*.result, 'failure')
+        run: exit 1
+
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        if: failure()
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        if: failure()
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "devops-alerts-slack-webhook-url"
+
+      - name: Notify Slack on failure
+        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
+        if: failure()
+        env:
+          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
+        with:
+          status: ${{ job.status }}

.github/workflows/build.yml

@@ -31,6 +31,7 @@ jobs:
       - name: Print lines of code
         run: cloc --vcs git --exclude-dir Resources,store,test,Properties --include-lang C#,XAML
 
+
   setup:
     name: Setup
     runs-on: ubuntu-22.04
@@ -58,6 +59,7 @@ jobs:
             echo "hotfix_branch_exists=0" >> $GITHUB_OUTPUT
           fi
 
+
   android:
     name: Android
     runs-on: windows-2022
@@ -67,7 +69,8 @@ jobs:
       matrix:
         variant: ["prod", "qa"]
     env:
-      android_folder_path: src/App/Platforms/Android
+      android_folder_path: src\App\Platforms\Android
+      android_folder_path_bash: src/App/Platforms/Android
     steps:
       - name: Setup NuGet
         uses: nuget/setup-nuget@296fd3ccf8528660c91106efefe2364482f86d6f # v1.2.0
@@ -82,7 +85,7 @@ jobs:
       - name: Set up MSBuild
         uses: microsoft/setup-msbuild@ede762b26a2de8d110bb5a3db4d7e0e080c0e917 # v1.3.3
 
-      # This step might be obsolete at some point as .NET MAUI workloads 
+      # This step might be obsolete at some point as .NET MAUI workloads
       # are starting to come pre-installed on the GH Actions build agents.
       - name: Install MAUI Workload
         run: dotnet workload install maui --ignore-failed-sources
@@ -93,7 +96,8 @@ jobs:
       - name: Install Microsoft OpenJDK 11
         run: |
           choco install microsoft-openjdk11 --no-progress
-          Write-Output "JAVA_HOME=$(Get-ChildItem -Path 'C:\Program Files\Microsoft\jdk*' | Select -First 1 -ExpandProperty FullName)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          Write-Output "JAVA_HOME=$(Get-ChildItem -Path 'C:\Program Files\Microsoft\jdk*' | `
+            Select -First 1 -ExpandProperty FullName)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
           Write-Output "Java Home: $env:JAVA_HOME"
 
       - name: Print environment
@@ -109,39 +113,43 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Decrypt secrets
-        env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
-        run: |
-          mkdir -p ~/secrets
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ./${{ env.main_app_folder_path }}/app_play-keystore.jks ./.github/secrets/app_play-keystore.jks.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ./${{ env.main_app_folder_path }}/app_upload-keystore.jks ./.github/secrets/app_upload-keystore.jks.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/play_creds.json ./.github/secrets/play_creds.json.gpg
+      - name: Download secrets
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
+        run: |
+          mkdir -p $HOME/secrets
+
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name app_play-keystore.jks --file ./${{ env.android_folder_path_bash }}/app_play-keystore.jks --output none
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name app_upload-keystore.jks --file ./${{ env.android_folder_path_bash }}/app_upload-keystore.jks --output none
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name play_creds.json --file $HOME/secrets/play_creds.json --output none
         shell: bash
 
-      - name: Decrypt secrets - Google Services
+      - name: Download secrets - Google Services
         if: ${{ matrix.variant == 'prod' }}
         env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ./${{ env.android_folder_path }}/google-services.json ./.github/secrets/google-services.json.gpg
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name google-services.json --file ./${{ env.android_folder_path_bash }}/google-services.json --output none
         shell: bash
 
       - name: Increment version
         run: |
           BUILD_NUMBER=$((3000 + $GITHUB_RUN_NUMBER))
+          echo "##### Setting Android Version Code to $BUILD_NUMBER" | tee -a $GITHUB_STEP_SUMMARY
 
-          echo "########################################"
-          echo "##### Setting Version Code $BUILD_NUMBER"
-          echo "########################################"
-          
           sed -i "s/android:versionCode=\"1\"/android:versionCode=\"$BUILD_NUMBER\"/" \
-            ./${{ env.android_folder_path }}/AndroidManifest.xml
+            ./${{ env.android_folder_path_bash }}/AndroidManifest.xml
         shell: bash
 
       - name: Restore packages
@@ -150,78 +158,70 @@ jobs:
       - name: Restore tools
         run: dotnet tool restore
 
-      # - name: Verify Format
-      #   run: dotnet tool run dotnet-format --check
+      # - name: Run Core tests
+      #   run: |
+      #     dotnet test test/Core.Test/Core.Test.csproj --logger "trx;LogFileName=test-results.trx" `
+      #       /p:CustomConstants=UT
 
-      - name: Run Core tests
-        run: dotnet test test/Core.Test/Core.Test.csproj --logger "trx;LogFileName=test-results.trx" /p:CustomConstants=UT
-
-      - name: Report test results
-        uses: dorny/test-reporter@eaa763f6ffc21c7a37837f56cd5f9737f27fc6c8 # v1.8.0
-        if: always()
-        with:
-          name: Test Results
-          path: "**/test-results.trx"
-          reporter: dotnet-trx
-          fail-on-error: true
+      # - name: Report test results
+      #   uses: dorny/test-reporter@eaa763f6ffc21c7a37837f56cd5f9737f27fc6c8 # v1.8.0
+      #   if: always()
+      #   with:
+      #     name: Test Results
+      #     path: "**/test-results.trx"
+      #     reporter: dotnet-trx
+      #     fail-on-error: true
 
       - name: Build Play Store publisher
         if: ${{ matrix.variant == 'prod' }}
-        run: dotnet build ./store/google/Publisher/Publisher.csproj -p:Configuration=Release
+        run: dotnet build .\store\google\Publisher\Publisher.csproj /p:Configuration=Release
 
       - name: Setup Android build  (${{ matrix.variant }})
         run: dotnet cake build.cake --target Android --variant ${{ matrix.variant }}
 
-      - name: Build Android
-        run: |
-          $configuration = "Release";
-          $projToBuild = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_project_path }}");
-
-          Write-Output "########################################"
-          Write-Output "##### Build $configuration Configuration"
-          Write-Output "########################################"
-          
-          dotnet build $projToBuild -c $configuration -f ${{ env.target-net-version }}-android
-
-      - name: Sign Android Build
+      - name: Build & Sign Android
         env:
           PLAY_KEYSTORE_PASSWORD: ${{ secrets.PLAY_KEYSTORE_PASSWORD }}
           UPLOAD_KEYSTORE_PASSWORD: ${{ secrets.UPLOAD_KEYSTORE_PASSWORD }}
         run: |
-          $projToBuild = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_project_path }}");
+          $projToBuild = "$($env:GITHUB_WORKSPACE)/${{ env.main_app_project_path }}";
           $packageName = "com.x8bit.bitwarden";
 
           if ("${{ matrix.variant }}" -ne "prod")
           {
             $packageName = "com.x8bit.bitwarden.${{ matrix.variant }}";
           }
-          Write-Output "########################################"
           Write-Output "##### Sign Google Play Bundle Release Configuration"
-          Write-Output "########################################"
 
-          dotnet publish $projToBuild -c Release -f ${{ env.target-net-version }}-android /p:AndroidPackageFormats=aab /p:AndroidKeyStore=true /p:AndroidSigningKeyStore=$("app_upload-keystore.jks") /p:AndroidSigningKeyAlias=upload /p:AndroidSigningKeyPass="$($env:UPLOAD_KEYSTORE_PASSWORD)" /p:AndroidSigningStorePass="$($env:UPLOAD_KEYSTORE_PASSWORD)" --no-restore
+          $signingUploadKeyStore = "$($env:GITHUB_WORKSPACE)\${{ env.android_folder_path }}\app_upload-keystore.jks"
+          dotnet publish $projToBuild -c Release -f ${{ env.target-net-version }}-android `
+            /p:AndroidPackageFormats=aab `
+            /p:AndroidKeyStore=true `
+            /p:AndroidSigningKeyStore=$signingUploadKeyStore `
+            /p:AndroidSigningKeyAlias=upload `
+            /p:AndroidSigningKeyPass="$($env:UPLOAD_KEYSTORE_PASSWORD)" `
+            /p:AndroidSigningStorePass="$($env:UPLOAD_KEYSTORE_PASSWORD)" --no-restore
 
-          Write-Output "########################################"
           Write-Output "##### Copy Google Play Bundle to project root"
-          Write-Output "########################################"
 
-          $signedAabPath = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_folder_path }}/bin/Release/${{ env.target-net-version }}-android/publish/$($packageName)-Signed.aab");
-          $signedAabDestPath = $($env:GITHUB_WORKSPACE + "/$($packageName).aab");
+          $signedAabPath = "$($env:GITHUB_WORKSPACE)\${{ env.main_app_folder_path }}\bin\Release\${{ env.target-net-version }}-android\publish\$($packageName)-Signed.aab";
+          $signedAabDestPath = "$($env:GITHUB_WORKSPACE)\$($packageName).aab";
           Copy-Item $signedAabPath $signedAabDestPath
 
-          Write-Output "########################################"
           Write-Output "##### Sign APK Release Configuration"
-          Write-Output "########################################"
 
-          dotnet publish $projToBuild -c Release -f ${{ env.target-net-version }}-android /p:AndroidKeyStore=true /p:AndroidSigningKeyStore=$("app_play-keystore.jks") /p:AndroidSigningKeyAlias=bitwarden /p:AndroidSigningKeyPass="$($env:PLAY_KEYSTORE_PASSWORD)" /p:AndroidSigningStorePass="$($env:PLAY_KEYSTORE_PASSWORD)" --no-restore
+          $signingPlayKeyStore = "$($env:GITHUB_WORKSPACE)\${{ env.android_folder_path }}\app_play-keystore.jks"
+          dotnet publish $projToBuild -c Release -f ${{ env.target-net-version }}-android `
+            /p:AndroidKeyStore=true `
+            /p:AndroidSigningKeyStore=$signingPlayKeyStore `
+            /p:AndroidSigningKeyAlias=bitwarden `
+            /p:AndroidSigningKeyPass="$($env:PLAY_KEYSTORE_PASSWORD)" `
+            /p:AndroidSigningStorePass="$($env:PLAY_KEYSTORE_PASSWORD)" --no-restore
 
-          Write-Output "########################################"
           Write-Output "##### Copy Release APK to project root"
-          Write-Output "########################################"
-
-          $signedApkPath = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_folder_path }}/bin/Release/${{ env.target-net-version }}-android/publish/$($packageName)-Signed.apk");
-          $signedApkDestPath = $($env:GITHUB_WORKSPACE + "/$($packageName).apk");
 
+          $signedApkPath = "$($env:GITHUB_WORKSPACE)\${{ env.main_app_folder_path }}\bin\Release\${{ env.target-net-version }}-android\publish\$($packageName)-Signed.apk";
+          $signedApkDestPath = "$($env:GITHUB_WORKSPACE)\$($packageName).apk";
           Copy-Item $signedApkPath $signedApkDestPath
 
       - name: Upload Prod .aab artifact
@@ -283,20 +283,20 @@ jobs:
           || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0)
           || github.ref == 'refs/heads/hotfix-rc' ) }}
         run: |
-          PUBLISHER_PATH="$GITHUB_WORKSPACE/store/google/Publisher/bin/Release/net7.0/Publisher.dll"
-          CREDS_PATH="$HOME/secrets/play_creds.json"
-          AAB_PATH="$GITHUB_WORKSPACE/com.x8bit.bitwarden.aab"
-          TRACK="internal"
+          $publisherPath = "$($env:GITHUB_WORKSPACE)\store\google\Publisher\bin\Release\net8.0\Publisher.dll"
+          $credsPath = "$($HOME)\secrets\play_creds.json"
+          $aabPath = "$($env:GITHUB_WORKSPACE)\com.x8bit.bitwarden.aab"
+          $track = "internal"
 
-          dotnet $PUBLISHER_PATH $CREDS_PATH $AAB_PATH $TRACK
-        shell: bash
+          dotnet $publisherPath $credsPath $aabPath $track
 
 
   f-droid:
     name: F-Droid Build
     runs-on: windows-2022
     env:
-      android_folder_path: src/App/Platforms/Android
+      android_folder_path: src\App\Platforms\Android
+      android_folder_path_bash: src/App/Platforms/Android
       android_manifest_path: src/App/Platforms/Android/AndroidManifest.xml
     steps:
       - name: Setup NuGet
@@ -305,14 +305,14 @@ jobs:
           nuget-version: 6.4.0
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
+        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
         with:
           dotnet-version: '8.0.x'
 
       - name: Set up MSBuild
         uses: microsoft/setup-msbuild@ede762b26a2de8d110bb5a3db4d7e0e080c0e917 # v1.3.3
 
-      # This step might be obsolete at some point as .NET MAUI workloads 
+      # This step might be obsolete at some point as .NET MAUI workloads
       # are starting to come pre-installed on the GH Actions build agents.
       - name: Install MAUI Workload
         run: dotnet workload install maui --ignore-failed-sources
@@ -337,23 +337,25 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Decrypt secrets
-        env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
-        run: |
-          mkdir -p ~/secrets
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ./${{ env.main_app_folder_path }}/app_fdroid-keystore.jks ./.github/secrets/app_fdroid-keystore.jks.gpg
+      - name: Download secrets
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
+          FILE: app_fdroid-keystore.jks
+        run: |
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+            --file ${{ env.android_folder_path_bash }}/$FILE --output none
         shell: bash
 
       - name: Increment version
         run: |
           BUILD_NUMBER=$((3000 + $GITHUB_RUN_NUMBER))
-
-          echo "########################################"
-          echo "##### Setting Version Code $BUILD_NUMBER"
-          echo "########################################"
+          echo "##### Setting F-Droid Version Code to $BUILD_NUMBER" | tee -a $GITHUB_STEP_SUMMARY
 
           sed -i "s/android:versionCode=\"1\"/android:versionCode=\"$BUILD_NUMBER\"/" \
             ./${{ env.android_manifest_path }}
@@ -361,21 +363,16 @@ jobs:
 
       - name: Clean for F-Droid
         run: |
-          $appPath = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_project_path }}");
-          $corePath = $($env:GITHUB_WORKSPACE + "/src/Core/Core.csproj");
+          $directoryBuildProps = $($env:GITHUB_WORKSPACE + "/Directory.Build.props");
 
           $androidManifest = $($env:GITHUB_WORKSPACE + "/${{ env.android_manifest_path }}");
 
-          Write-Output "########################################"
-          Write-Output "##### Backup project files"
-          Write-Output "########################################"
+          Write-Output "##### Back up project files"
 
           Copy-Item $androidManifest $($androidManifest + ".original");
-          Copy-Item $appPath $($appPath + ".original");
+          Copy-Item $directoryBuildProps $($directoryBuildProps + ".original");
 
-          Write-Output "########################################"
           Write-Output "##### Cleanup Android Manifest"
-          Write-Output "########################################"
 
           $xml=New-Object XML;
           $xml.Load($androidManifest);
@@ -385,39 +382,34 @@ jobs:
 
           $xml.Save($androidManifest);
 
+          Write-Output "##### Enabling FDROID constant"
+
+          (Get-Content $directoryBuildProps).Replace('<!-- <CustomConstants>FDROID</CustomConstants> -->', '<CustomConstants>FDROID</CustomConstants>') | Set-Content $directoryBuildProps
+
       - name: Restore packages
         run: dotnet restore
 
-      - name: Build for F-Droid
-        run: |
-          $configuration = "Release";
-          $projToBuild = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_project_path }}");
-
-          Write-Output "########################################"
-          Write-Output "##### Build $configuration FDROID
-          Write-Output "########################################"
-          
-          dotnet build $projToBuild -c $configuration -f ${{ env.target-net-version }}-android /p:CustomConstants="FDROID"
-
-      - name: Sign for F-Droid
+      - name: Build & Sign F-Droid
         env:
           FDROID_KEYSTORE_PASSWORD: ${{ secrets.FDROID_KEYSTORE_PASSWORD }}
         run: |
-          $projToBuild = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_project_path }}");
+          $projToBuild = "$($env:GITHUB_WORKSPACE)\${{ env.main_app_project_path }}";
           $packageName = "com.x8bit.bitwarden";
 
-          Write-Output "########################################"
           Write-Output "##### Sign FDroid"
-          Write-Output "########################################"
 
-          dotnet publish $projToBuild -c Release -f ${{ env.target-net-version }}-android /p:AndroidKeyStore=true /p:AndroidSigningKeyStore=$("app_fdroid-keystore.jks") /p:AndroidSigningKeyAlias=bitwarden /p:AndroidSigningKeyPass="$($env:FDROID_KEYSTORE_PASSWORD)" /p:AndroidSigningStorePass="$($env:FDROID_KEYSTORE_PASSWORD)" /p:CustomConstants="FDROID" --no-restore
+          $signingFdroidKeyStore = "$($env:GITHUB_WORKSPACE)\${{ env.android_folder_path }}\app_fdroid-keystore.jks"
+          dotnet build $projToBuild -c Release -f ${{ env.target-net-version }}-android `
+            /p:AndroidKeyStore=true `
+            /p:AndroidSigningKeyStore=$signingFdroidKeyStore `
+            /p:AndroidSigningKeyAlias=bitwarden `
+            /p:AndroidSigningKeyPass="$($env:FDROID_KEYSTORE_PASSWORD)" `
+            /p:AndroidSigningStorePass="$($env:FDROID_KEYSTORE_PASSWORD)" ` --no-restore
 
-          Write-Output "########################################"
           Write-Output "##### Copy FDroid apk to project root"
-          Write-Output "########################################"
 
-          $signedApkPath = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_folder_path }}/bin/Release/${{ env.target-net-version }}-android/publish/$($packageName)-Signed.apk");
-          $signedApkDestPath = $($env:GITHUB_WORKSPACE + "/com.x8bit.bitwarden-fdroid.apk");
+          $signedApkPath = "$($env:GITHUB_WORKSPACE)\${{ env.main_app_folder_path }}\bin\Release\${{ env.target-net-version }}-android\$($packageName)-Signed.apk";
+          $signedApkDestPath = "$($env:GITHUB_WORKSPACE)\com.x8bit.bitwarden-fdroid.apk";
 
           Copy-Item $signedApkPath $signedApkDestPath
 
@@ -440,6 +432,7 @@ jobs:
           path: ./bw-fdroid-apk-sha256.txt
           if-no-files-found: error
 
+
   ios:
     name: Apple iOS
     runs-on: macos-13
@@ -458,13 +451,13 @@ jobs:
         uses: nuget/setup-nuget@296fd3ccf8528660c91106efefe2364482f86d6f # v1.2.0
         with:
           nuget-version: 6.4.0
-      
+
       - name: Set up .NET
-        uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
+        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
         with:
           dotnet-version: '8.0.x'
-  
-      # This step might be obsolete at some point as .NET MAUI workloads 
+
+      # This step might be obsolete at some point as .NET MAUI workloads
       # are starting to come pre-installed on the GH Actions build agents.
       - name: Install MAUI Workload
         run: dotnet workload install maui --ignore-failed-sources
@@ -493,73 +486,71 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "appcenter-ios-token"
 
-      - name: Decrypt secrets
+      - name: Download Provisioning Profiles secrets
         env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: profiles
         run: |
-          mkdir -p ~/secrets
+          mkdir -p $HOME/secrets
+          profiles=(
+              "dist_autofill.mobileprovision"
+              "dist_bitwarden.mobileprovision"
+              "dist_extension.mobileprovision"
+              "dist_share_extension.mobileprovision"
+              "dist_bitwarden_watch_app.mobileprovision"
+              "dist_bitwarden_watch_app_extension.mobileprovision"
+          )
 
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/bitwarden-mobile-key.p12 ./.github/secrets/bitwarden-mobile-key.p12.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/iphone-distribution-cert.p12 ./.github/secrets/iphone-distribution-cert.p12.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_autofill.mobileprovision ./.github/secrets/dist_autofill.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_bitwarden.mobileprovision ./.github/secrets/dist_bitwarden.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_extension.mobileprovision ./.github/secrets/dist_extension.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_share_extension.mobileprovision \
-            ./.github/secrets/dist_share_extension.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_watch_app.mobileprovision \
-            ./.github/secrets/dist_watch_app.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_watch_app_extension.mobileprovision \
-            ./.github/secrets/dist_watch_app_extension.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ./src/watchOS/bitwarden/GoogleService-Info.plist ./.github/secrets/GoogleService-Info.plist.gpg
+          for FILE in "${profiles[@]}"
+          do
+            az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+              --file $HOME/secrets/$FILE --output none
+          done
+
+      - name: Download Google Services secret
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
+          FILE: GoogleService-Info.plist
+        run: |
+          mkdir -p $HOME/secrets
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+            --file src/watchOS/bitwarden/$FILE --output none
 
       - name: Increment version
         run: |
           BUILD_NUMBER=$((100 + $GITHUB_RUN_NUMBER))
-
-          echo "########################################"
-          echo "##### Setting CFBundleVersion $BUILD_NUMBER"
-          echo "########################################"
-
-          echo "### CFBundleVersion $BUILD_NUMBER" >> $GITHUB_STEP_SUMMARY
+          echo "##### Setting iOS CFBundleVersion to $BUILD_NUMBER" | tee -a $GITHUB_STEP_SUMMARY
 
           perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./${{ env.ios_folder_path }}/Info.plist
           perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Extension/Info.plist
           perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Autofill/Info.plist
           perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.ShareExtension/Info.plist
           cd src/watchOS/bitwarden
-          agvtool new-version -all  $BUILD_NUMBER
+          agvtool new-version -all $BUILD_NUMBER
 
       - name: Update Entitlements
         run: |
-          echo "########################################"
           echo "##### Updating Entitlements"
-          echo "########################################"
-
           perl -0777 -pi.bak -e 's/<key>aps-environment<\/key>\s*<string>development<\/string>/<key>aps-environment<\/key>\n\t<string>production<\/string>/' ./${{ env.ios_folder_path }}/Entitlements.plist
-        
+
+      - name: Get certificates
+        run: |
+          mkdir -p $HOME/certificates
+          az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/ios-distribution |
+            jq -r .value | base64 -d > $HOME/certificates/ios-distribution.p12
+
       - name: Set up Keychain
         env:
           KEYCHAIN_PASSWORD: ${{ secrets.IOS_KEYCHAIN_PASSWORD }}
-          MOBILE_KEY_PASSWORD: ${{ secrets.IOS_KEY_PASSWORD }}
-          DIST_CERT_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }}
         run: |
           security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
           security default-keychain -s build.keychain
           security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
           security set-keychain-settings -lut 1200 build.keychain
-          security import ~/secrets/bitwarden-mobile-key.p12 -k build.keychain -P $MOBILE_KEY_PASSWORD \
-            -T /usr/bin/codesign -T /usr/bin/security
-          security import ~/secrets/iphone-distribution-cert.p12 -k build.keychain -P $DIST_CERT_PASSWORD \
-            -T /usr/bin/codesign -T /usr/bin/security
+
+          security import $HOME/certificates/ios-distribution.p12 -k build.keychain -P "" -T /usr/bin/codesign \
+            -T /usr/bin/security
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
 
       - name: Set up provisioning profiles
@@ -568,8 +559,8 @@ jobs:
           BITWARDEN_PROFILE_PATH=$HOME/secrets/dist_bitwarden.mobileprovision
           EXTENSION_PROFILE_PATH=$HOME/secrets/dist_extension.mobileprovision
           SHARE_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_share_extension.mobileprovision
-          WATCH_APP_PROFILE_PATH=$HOME/secrets/dist_watch_app.mobileprovision
-          WATCH_APP_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_watch_app_extension.mobileprovision
+          WATCH_APP_PROFILE_PATH=$HOME/secrets/dist_bitwarden_watch_app.mobileprovision
+          WATCH_APP_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_bitwarden_watch_app_extension.mobileprovision
           PROFILES_DIR_PATH=$HOME/Library/MobileDevice/Provisioning\ Profiles
 
           mkdir -p "$PROFILES_DIR_PATH"
@@ -597,68 +588,44 @@ jobs:
 
       - name: Bulid WatchApp
         run: |
-          echo "########################################"
           echo "##### Build WatchApp with Release Configuration"
-          echo "########################################"
-
           xcodebuild archive -workspace ./src/watchOS/bitwarden/bitwarden.xcodeproj/project.xcworkspace -configuration Release -scheme bitwarden\ WatchKit\ App -archivePath ./src/watchOS/bitwarden
 
-          echo "########################################"
-          echo "##### Done"
-          echo "########################################"
-
       - name: Archive Build for App Store
         run: |
-          Write-Output "########################################"
-          Write-Output "##### Archive for Release ios-arm64
-          Write-Output "########################################"
-
+          echo "##### Archive for Release ios-arm64"
           dotnet publish ${{ env.main_app_project_path }} -c Release -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=ios-arm64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false
 
-          Write-Output "########################################"
-          Write-Output "##### Done"
-          Write-Output "########################################"
-        shell: pwsh
-
       - name: Archive Build for Mobile Automation
         run: |
-          Write-Output "########################################"
-          Write-Output "##### Archive Debug for iossimulator-x64
-          Write-Output "########################################"
-
+          echo "##### Archive Debug for iossimulator-x64"
           dotnet build ${{ env.main_app_project_path }} -c Debug -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=iossimulator-x64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false
-
-          Write-Output "########################################"
-          Write-Output "##### Done"
-          Write-Output "########################################"
-          ls ~/Library/Developer/Xcode/Archives
-        shell: pwsh
+          ls $HOME/Library/Developer/Xcode/Archives
 
       - name: Export .ipa for App Store
+        env:
+          EXPORT_OPTIONS_PATH: ./.github/resources/export-options-app-store.plist
+          EXPORT_PATH: ./bitwarden-export
         run: |
-          EXPORT_OPTIONS_PATH="./.github/resources/export-options-app-store.plist"
           ARCHIVE_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive"
-          EXPORT_PATH="./bitwarden-export"
-
           xcodebuild -exportArchive -archivePath $ARCHIVE_PATH -exportPath $EXPORT_PATH \
             -exportOptionsPlist $EXPORT_OPTIONS_PATH
 
       - name: Export .app for Automation CI
+        env:
+          ARCHIVE_PATH: ./${{ env.main_app_folder_path }}/bin/Debug/${{ env.target-net-version }}-ios/iossimulator-x64
+          EXPORT_PATH: ./bitwarden-export
         run: |
-          ARCHIVE_PATH="./${{ env.main_app_folder_path }}/bin/Debug/${{ env.target-net-version }}-ios/iossimulator-x64"
-          EXPORT_PATH="./bitwarden-export"
-
           zip -r -q ${{ env.app_ci_output_filename }}.app.zip $ARCHIVE_PATH
           mv ${{ env.app_ci_output_filename }}.app.zip $EXPORT_PATH
 
       - name: Copy all dSYMs files to upload
+        env:
+          EXPORT_PATH: ./bitwarden-export
+          WATCH_ARCHIVE_DSYMS_PATH: ./src/watchOS/bitwarden.xcarchive/dSYMs/
+          WATCH_DSYMS_EXPORT_PATH: ./bitwarden-export/Watch_dSYMs
         run: |
           ARCHIVE_DSYMS_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive/dSYMs"
-          EXPORT_PATH="./bitwarden-export"
-
-          WATCH_ARCHIVE_DSYMS_PATH="./src/watchOS/bitwarden.xcarchive/dSYMs/"
-          WATCH_DSYMS_EXPORT_PATH="$EXPORT_PATH/Watch_dSYMs"
-
           cp -r -v $ARCHIVE_DSYMS_PATH $EXPORT_PATH
           mkdir $WATCH_DSYMS_EXPORT_PATH
           cp -r -v $WATCH_ARCHIVE_DSYMS_PATH $WATCH_DSYMS_EXPORT_PATH
@@ -707,10 +674,7 @@ jobs:
           || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0)
           || github.ref == 'refs/heads/hotfix-rc'
         run: |
-          echo "########################################"
           echo "##### Uploading Watch dSYMs to Firebase"
-          echo "########################################"
-
           find "$HOME/Library/Developer/XCode/DerivedData" -name "upload-symbols" -exec chmod +x {} \; -exec {} -gsp "./src/watchOS/bitwarden/GoogleService-Info.plist" -p ios "./bitwarden-export/Watch_dSYMs" \;
 
       - name: Validate app in App Store
@@ -726,7 +690,6 @@ jobs:
         run: |
           xcrun altool --validate-app --type ios --file "./bitwarden-export/Bitwarden.ipa" \
               --username "$APPLE_ID_USERNAME" --password "$APPLE_ID_PASSWORD"
-        shell: bash
 
       - name: Deploy to App Store
         if: |
@@ -770,13 +733,13 @@ jobs:
           secrets: "crowdin-api-token"
 
       - name: Upload Sources
-        uses: crowdin/github-action@198daeb2d30636c4608d6a6bb96c009dbefc02a2 # v1.18.0
+        uses: crowdin/github-action@67705afb6985401459cd143d5f5f00c9dc212f23 # v1.20.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}
         with:
           config: crowdin.yml
-          crowdin_branch_name: main 
+          crowdin_branch_name: main
           upload_sources: true
           upload_translations: false
 
@@ -794,27 +757,11 @@ jobs:
     steps:
       - name: Check if any job failed
         if: |
-          (github.ref == 'refs/heads/main')
-          || (github.ref == 'refs/heads/rc')
-          || (github.ref == 'refs/heads/hotfix-rc')
-        env:
-          CLOC_STATUS: ${{ needs.cloc.result }}
-          ANDROID_STATUS: ${{ needs.android.result }}
-          F_DROID_STATUS: ${{ needs.f-droid.result }}
-          IOS_STATUS: ${{ needs.ios.result }}
-          CROWDIN_PUSH_STATUS: ${{ needs.crowdin-push.result }}
-        run: |
-          if [ "$CLOC_STATUS" = "failure" ]; then
-              exit 1
-          elif [ "$ANDROID_STATUS" = "failure" ]; then
-              exit 1
-          elif [ "$F_DROID_STATUS" = "failure" ]; then
-              exit 1
-          elif [ "$IOS_STATUS" = "failure" ]; then
-              exit 1
-          elif [ "$CROWDIN_PUSH_STATUS" = "failure" ]; then
-              exit 1
-          fi
+          (github.ref == 'refs/heads/main'
+          || github.ref == 'refs/heads/rc'
+          || github.ref == 'refs/heads/hotfix-rc')
+          && contains(needs.*.result, 'failure')
+        run: exit 1
 
       - name: Login to Azure - CI Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -831,7 +778,7 @@ jobs:
           secrets: "devops-alerts-slack-webhook-url"
 
       - name: Notify Slack on failure
-        uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
+        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
         if: failure()
         env:
           SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}

.github/workflows/cleanup-rc-branch.yml

@@ -0,0 +1,53 @@
+---
+name: Cleanup RC Branch
+
+on:
+  push:
+    tags:
+      - v**
+
+jobs:
+  delete-rc:
+    name: Delete RC Branch
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve bot secrets
+        id: retrieve-bot-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: bitwarden-ci
+          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
+      - name: Checkout main
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: main
+          token: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+
+      - name: Check if a RC branch exists
+        id: branch-check
+        run: |
+          hotfix_rc_branch_check=$(git ls-remote --heads origin hotfix-rc | wc -l)
+          rc_branch_check=$(git ls-remote --heads origin rc | wc -l)
+
+          if [[ "${hotfix_rc_branch_check}" -gt 0 ]]; then
+            echo "hotfix-rc branch exists." | tee -a $GITHUB_STEP_SUMMARY
+            echo "name=hotfix-rc" >> $GITHUB_OUTPUT
+          elif [[ "${rc_branch_check}" -gt 0 ]]; then
+            echo "rc branch exists." | tee -a $GITHUB_STEP_SUMMARY
+            echo "name=rc" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Delete RC branch
+        env:
+          BRANCH_NAME: ${{ steps.branch-check.outputs.name }}
+        run: |
+          if ! [[ -z "$BRANCH_NAME" ]]; then
+            git push --quiet origin --delete $BRANCH_NAME
+            echo "Deleted $BRANCH_NAME branch." | tee -a $GITHUB_STEP_SUMMARY
+          fi

.github/workflows/crowdin-pull.yml

@@ -15,7 +15,7 @@ jobs:
       _CROWDIN_PROJECT_ID: "269690"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Login to Azure - CI Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -30,7 +30,7 @@ jobs:
           secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase"
 
       - name: Download translations
-        uses: crowdin/github-action@198daeb2d30636c4608d6a6bb96c009dbefc02a2 # v1.18.0
+        uses: crowdin/github-action@67705afb6985401459cd143d5f5f00c9dc212f23 # v1.20.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/pr-labeler.yml

@@ -12,6 +12,6 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594  # v4.3.0
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           sync-labels: true

.github/workflows/release.yml

@@ -28,7 +28,7 @@ jobs:
       branch-name: ${{ steps.branch.outputs.branch-name }}
     steps:
       - name: Branch check
-        if: github.event.inputs.release_type != 'Dry Run'
+        if: inputs.release_type != 'Dry Run'
         run: |
           if [[ "$GITHUB_REF" != "refs/heads/rc" ]] && [[ "$GITHUB_REF" != "refs/heads/hotfix-rc" ]]; then
             echo "==================================="
@@ -38,15 +38,15 @@ jobs:
           fi
 
       - name: Checkout repo
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Check Release Version
         id: version
         uses: bitwarden/gh-actions/release-version-check@main
         with:
-          release-type: ${{ github.event.inputs.release_type }}
+          release-type: ${{ inputs.release_type }}
           project-type: xamarin
-          file: src/Android/Properties/AndroidManifest.xml
+          file: src/App/Platforms/Android/AndroidManifest.xml
 
       - name: Get branch name
         id: branch
@@ -55,7 +55,7 @@ jobs:
           echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
       - name: Create GitHub deployment
-        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
+        if: ${{ inputs.release_type != 'Dry Run' }}
         uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.7
         id: deployment
         with:
@@ -67,16 +67,16 @@ jobs:
 
 
       - name: Download all artifacts
-        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0
+        if: ${{ inputs.release_type != 'Dry Run' }}
+        uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
         with:
           workflow: build.yml
           workflow_conclusion: success
           branch: ${{ steps.branch.outputs.branch-name }}
 
       - name: Dry Run - Download all artifacts
-        if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0
+        if: ${{ inputs.release_type == 'Dry Run' }}
+        uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
         with:
           workflow: build.yml
           workflow_conclusion: success
@@ -86,7 +86,7 @@ jobs:
         run: zip -r Bitwarden\ iOS.zip Bitwarden\ iOS
 
       - name: Create release
-        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
+        if: ${{ inputs.release_type != 'Dry Run' }}
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           artifacts: "./com.x8bit.bitwarden.aab/com.x8bit.bitwarden.aab,
@@ -103,16 +103,16 @@ jobs:
           draft: true
 
       - name: Update deployment status to Success
-        if: ${{ github.event.inputs.release_type != 'Dry Run' && success() }}
-        uses: chrnorm/deployment-status@2afb7d27101260f4a764219439564d954d10b5b0 # v2.0.1
+        if: ${{ inputs.release_type != 'Dry Run' && success() }}
+        uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3
         with:
           token: '${{ secrets.GITHUB_TOKEN }}'
           state: 'success'
           deployment-id: ${{ steps.deployment.outputs.deployment_id }}
 
       - name: Update deployment status to Failure
-        if: ${{ github.event.inputs.release_type != 'Dry Run' && failure() }}
-        uses: chrnorm/deployment-status@2afb7d27101260f4a764219439564d954d10b5b0 # v2.0.1
+        if: ${{ inputs.release_type != 'Dry Run' && failure() }}
+        uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3
         with:
           token: '${{ secrets.GITHUB_TOKEN }}'
           state: 'failure'
@@ -126,11 +126,11 @@ jobs:
     if: inputs.fdroid_publish
     steps:
       - name: Checkout repo
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Download F-Droid .apk artifact
-        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0
+        if: ${{ inputs.release_type != 'Dry Run' }}
+        uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
         with:
           workflow: build.yml
           workflow_conclusion: success
@@ -138,8 +138,8 @@ jobs:
           name: com.x8bit.bitwarden-fdroid.apk
 
       - name: Dry Run - Download F-Droid .apk artifact
-        if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0
+        if: ${{ inputs.release_type == 'Dry Run' }}
+        uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
         with:
           workflow: build.yml
           workflow_conclusion: success
@@ -176,13 +176,19 @@ jobs:
       - name: Install Node dependencies
         run: npm install
 
-      - name: Decrypt secrets
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Download secrets
         env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
         run: |
-          mkdir -p ~/secrets
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ./store/fdroid/keystore.jks ./.github/secrets/store_fdroid-keystore.jks.gpg
+          mkdir -p $HOME/secrets
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name store_fdroid-keystore.jks --file ./store/fdroid/keystore.jks --output none
 
       - name: Compile for F-Droid Store
         env:
@@ -211,5 +217,5 @@ jobs:
           cd $GITHUB_WORKSPACE
 
       - name: Deploy to gh-pages
-        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
+        if: ${{ inputs.release_type != 'Dry Run' }}
         run: npm run deploy

.github/workflows/version-auto-bump.yml

@@ -11,24 +11,6 @@ jobs:
     name: Bump Mobile Version
     runs-on: ubuntu-22.04
     steps:
-      - name: Checkout Branch
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Calculate bumped version
-        id: version
-        env:
-          RELEASE_TAG: ${{ github.ref }}
-        run: |
-          CURR_MAJOR=$(echo $RELEASE_TAG | sed -r 's/refs\/tags\/v([0-9]{4}\.[0-9]{1,2})\.([0-9]{1,2})/\1/')
-          CURR_PATCH=$(echo $RELEASE_TAG | sed -r 's/refs\/tags\/v([0-9]{4}\.[0-9]{1,2})\.([0-9]{1,2})/\2/')
-          echo "Current Major: $CURR_MAJOR"
-          echo "Current Patch: $CURR_PATCH"
-
-          NEW_PATCH=$((CURR_PATCH+1))
-          NEW_VER=$CURR_MAJOR.$NEW_PATCH
-          echo "New Version: $NEW_VER"
-          echo "new_version=$NEW_VER" >> $GITHUB_OUTPUT
-
       - name: Login to Azure - CI Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
@@ -41,9 +23,9 @@ jobs:
           keyvault: bitwarden-ci
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
-      - name: "Bump version to ${{ steps.version.outputs.new_version }}"
+      - name: Trigger Version Bump workflow
         env:
           GH_TOKEN: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
         run: |
-          echo '{"cut_rc_branch": "false", "version_number": "${{ steps.version.outputs.new_version }}"}' | \
-          gh workflow run version-bump.yml --json --repo bitwarden/mobile
+          echo '{"cut_rc_branch": "false"}' | \
+          gh workflow run version-bump.yml --json --repo bitwarden/mobile

.github/workflows/version-bump.yml

@@ -1,13 +1,13 @@
 ---
 name: Version Bump
-run-name: Version Bump - v${{ inputs.version_number }}
 
 on:
   workflow_dispatch:
     inputs:
-      version_number:
-        description: "New version (example: '2024.1.0')"
-        required: true
+      version_number_override:
+        description: "New version override (leave blank for automatic calculation, example: '2024.1.0')"
+        required: false
+        type: string
       cut_rc_branch:
         description: "Cut RC branch?"
         default: true
@@ -15,22 +15,16 @@ on:
 
 jobs:
   bump_version:
-    name: "Bump Version to v${{ inputs.version_number }}"
+    name: Bump Version
     runs-on: ubuntu-22.04
+    outputs:
+      version: ${{ steps.set-final-version-output.outputs.version }}
     steps:
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Validate version input
+        if: ${{ inputs.version_number_override != '' }}
+        uses: bitwarden/gh-actions/version-check@main
         with:
-         creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-gpg-private-key,
-            github-gpg-private-key-passphrase,
-            github-pat-bitwarden-devops-bot-repo-scope"
+          version: ${{ inputs.version_number_override }}
 
       - name: Checkout Branch
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -47,6 +41,20 @@ jobs:
             exit 1
           fi
 
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "github-gpg-private-key,
+            github-gpg-private-key-passphrase,
+            github-pat-bitwarden-devops-bot-repo-scope"
+
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
         with:
@@ -55,25 +63,38 @@ jobs:
           git_user_signingkey: true
           git_commit_gpgsign: true
 
+      - name: Setup git
+        run: |
+          git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
+          git config --local user.name "bitwarden-devops-bot"
+
       - name: Create Version Branch
         id: create-branch
         run: |
-          NAME=version_bump_${{ github.ref_name }}_${{ inputs.version_number }}
+          NAME=version_bump_${{ github.ref_name }}_$(date +"%Y-%m-%d")
           git switch -c $NAME
           echo "name=$NAME" >> $GITHUB_OUTPUT
 
       - name: Install xmllint
-        run: sudo apt install -y libxml2-utils
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libxml2-utils
 
-      - name: Verify input version
-        env:
-          NEW_VERSION: ${{ inputs.version_number }}
+      - name: Get current version
+        id: current-version
         run: |
           CURRENT_VERSION=$(xmllint --xpath '
-            string(/manifest/@*[local-name()="versionName" 
+            string(/manifest/@*[local-name()="versionName"
               and namespace-uri()="http://schemas.android.com/apk/res/android"])
             ' src/App/Platforms/Android/AndroidManifest.xml)
+          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
 
+      - name: Verify input version
+        if: ${{ inputs.version_number_override != '' }}
+        env:
+          CURRENT_VERSION: ${{ steps.current-version.outputs.version }}
+          NEW_VERSION: ${{ inputs.version_number_override }}
+        run: |
           # Error if version has not changed.
           if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
             echo "Version has not changed."
@@ -89,40 +110,93 @@ jobs:
             exit 1
           fi
 
-      - name: Bump Version - Android XML
+      - name: Calculate next release version
+        if: ${{ inputs.version_number_override == '' }}
+        id: calculate-next-version
+        uses: bitwarden/gh-actions/version-next@main
+        with:
+          version: ${{ steps.current-version.outputs.version }}
+
+      - name: Bump Version - Android XML - Version Override
+        if: ${{ inputs.version_number_override != '' }}
+        id: bump-version-override
         uses: bitwarden/gh-actions/version-bump@main
         with:
-          version: ${{ inputs.version_number }}
           file_path: "src/App/Platforms/Android/AndroidManifest.xml"
+          version: ${{ inputs.version_number_override }}
 
-      - name: Bump Version - iOS.Autofill
+      - name: Bump Version - Android XML - Automatic Calculation
+        if: ${{ inputs.version_number_override == '' }}
+        id: bump-version-automatic
+        uses: bitwarden/gh-actions/version-bump@main
+        with:
+          file_path: "src/App/Platforms/Android/AndroidManifest.xml"
+          version: ${{ steps.calculate-next-version.outputs.version }}
+
+      - name: Bump Version - iOS.Autofill - Version Override
+        if: ${{ inputs.version_number_override != '' }}
         uses: bitwarden/gh-actions/version-bump@main
         with:
-          version: ${{ inputs.version_number }}
           file_path: "src/iOS.Autofill/Info.plist"
+          version: ${{ inputs.version_number_override }}
 
-      - name: Bump Version - iOS.Extension
+      - name: Bump Version - iOS.Autofill - Automatic Calculation
+        if: ${{ inputs.version_number_override == '' }}
+        uses: bitwarden/gh-actions/version-bump@main
+        with:
+          file_path: "src/iOS.Autofill/Info.plist"
+          version: ${{ steps.calculate-next-version.outputs.version }}
+
+      - name: Bump Version - iOS.Extension - Version Override
+        if: ${{ inputs.version_number_override != '' }}
         uses: bitwarden/gh-actions/version-bump@main
         with:
-          version: ${{ inputs.version_number }}
           file_path: "src/iOS.Extension/Info.plist"
+          version: ${{ inputs.version_number_override }}
 
-      - name: Bump Version - iOS.ShareExtension
+      - name: Bump Version - iOS.Extension - Automatic Calculation
+        if: ${{ inputs.version_number_override == '' }}
+        uses: bitwarden/gh-actions/version-bump@main
+        with:
+          file_path: "src/iOS.Extension/Info.plist"
+          version: ${{ steps.calculate-next-version.outputs.version }}
+
+      - name: Bump Version - iOS.ShareExtension - Version Override
+        if: ${{ inputs.version_number_override != '' }}
         uses: bitwarden/gh-actions/version-bump@main
         with:
-          version: ${{ inputs.version_number }}
           file_path: "src/iOS.ShareExtension/Info.plist"
+          version: ${{ inputs.version_number_override }}
 
-      - name: Bump Version - iOS
+      - name: Bump Version - iOS.ShareExtension - Automatic Calculation
+        if: ${{ inputs.version_number_override == '' }}
         uses: bitwarden/gh-actions/version-bump@main
         with:
-          version: ${{ inputs.version_number }}
-          file_path: "src/App/Platforms/iOS/Info.plist"
+          file_path: "src/iOS.ShareExtension/Info.plist"
+          version: ${{ steps.calculate-next-version.outputs.version }}
 
-      - name: Setup git
+      - name: Bump Version - iOS - Version Override
+        if: ${{ inputs.version_number_override != '' }}
+        uses: bitwarden/gh-actions/version-bump@main
+        with:
+          file_path: "src/App/Platforms/iOS/Info.plist"
+          version: ${{ inputs.version_number_override }}
+
+      - name: Bump Version - iOS - Automatic Calculation
+        if: ${{ inputs.version_number_override == '' }}
+        uses: bitwarden/gh-actions/version-bump@main
+        with:
+          file_path: "src/App/Platforms/iOS/Info.plist"
+          version: ${{ steps.calculate-next-version.outputs.version }}
+
+      - name: Set Job output
+        id: set-final-version-output
         run: |
-          git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
-          git config --local user.name "bitwarden-devops-bot"
+          if [[ "${{ steps.bump-version-override.outcome }}" == "success" ]]; then
+            echo "version=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
+          elif [[ "${{ steps.bump-version-automatic.outcome }}" == "success" ]]; then
+            echo "version=${{ steps.calculate-next-version.outputs.version }}" >> $GITHUB_OUTPUT
+          fi
 
       - name: Check if version changed
         id: version-changed
@@ -136,7 +210,7 @@ jobs:
 
       - name: Commit files
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        run: git commit -m "Bumped version to ${{ inputs.version_number }}" -a
+        run: git commit -m "Bumped version to ${{ steps.set-final-version-output.outputs.version }}" -a
 
       - name: Push changes
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
@@ -150,7 +224,7 @@ jobs:
         env:
           GH_TOKEN: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
           PR_BRANCH: ${{ steps.create-branch.outputs.name }}
-          TITLE: "Bump version to ${{ inputs.version_number }}"
+          TITLE: "Bump version to ${{ steps.set-final-version-output.outputs.version }}"
         run: |
           PR_URL=$(gh pr create --title "$TITLE" \
             --base "main" \
@@ -166,16 +240,18 @@ jobs:
               - [X] Other
 
               ## Objective
-              Automated version bump to ${{ inputs.version_number }}")
+              Automated version bump to ${{ steps.set-final-version-output.outputs.version }}")
           echo "pr_number=${PR_URL##*/}" >> $GITHUB_OUTPUT
 
       - name: Approve PR
+        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }}
         run: gh pr review $PR_NUMBER --approve
 
       - name: Merge PR
+        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
         env:
           GH_TOKEN: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
           PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }}
@@ -183,28 +259,30 @@ jobs:
 
   cut_rc:
     name: Cut RC branch
-    needs: bump_version
     if: ${{ inputs.cut_rc_branch == true }}
+    needs: bump_version
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Branch
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: main
-      
+
       - name: Install xmllint
-        run: sudo apt install -y libxml2-utils
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libxml2-utils
 
       - name: Verify version has been updated
         env:
-          NEW_VERSION: ${{ inputs.version_number }}
+          NEW_VERSION: ${{ needs.bump_version.outputs.version }}
         run: |
           # Wait for version to change.
           while : ; do
             echo "Waiting for version to be updated..."
             git pull --force
             CURRENT_VERSION=$(xmllint --xpath '
-            string(/manifest/@*[local-name()="versionName" 
+            string(/manifest/@*[local-name()="versionName"
               and namespace-uri()="http://schemas.android.com/apk/res/android"])
             ' src/App/Platforms/Android/AndroidManifest.xml)
 

.github/workflows/workflow-linter.yml

@@ -1,11 +0,0 @@
----
-name: Workflow Linter
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/**
-
-jobs:
-  call-workflow:
-    uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@main

Directory.Build.props

@@ -1,6 +1,6 @@
 <Project>
  <PropertyGroup>
-   <MauiVersion>8.0.7-nightly.*</MauiVersion>
+   <MauiVersion>8.0.7</MauiVersion>
    <ReleaseCodesignProvision>Automatic:AppStore</ReleaseCodesignProvision>
    <ReleaseCodesignKey>iPhone Distribution</ReleaseCodesignKey>
    <IncludeBitwardeniOSExtensions>True</IncludeBitwardeniOSExtensions>
@@ -9,5 +9,8 @@
    
    <!-- Uncomment this when Unit Testing-->
    <!-- <CustomConstants>UT</CustomConstants> -->
+
+   <!-- Uncomment this when building FDROID-->
+   <!-- <CustomConstants>FDROID</CustomConstants> -->
  </PropertyGroup>
-</Project>
+</Project>

README.md

@@ -12,7 +12,7 @@ The Bitwarden mobile application is written in C# using .NET MAUI.
 
 # Build/Run
 
-Please refer to the [Mobile section](https://contributing.bitwarden.com/getting-started/clients/mobile/) of the [Contributing Documentation](https://contributing.bitwarden.com/) for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.
+Please refer to the [Mobile section](https://contributing.bitwarden.com/getting-started/mobile/) of the [Contributing Documentation](https://contributing.bitwarden.com/) for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.
 
 # We're Hiring!
 

build.cake

@@ -15,16 +15,18 @@ abstract record VariantConfig(
     string AppName, 
     string AndroidPackageName,
     string iOSBundleId,
-    string ApsEnvironment
+    string ApsEnvironment,
+    string DistProvisioningProfilePrefix
     );
 
 const string BASE_BUNDLE_ID_DROID = "com.x8bit.bitwarden";
 const string BASE_BUNDLE_ID_IOS = "com.8bit.bitwarden";
 
-record Dev(): VariantConfig("Bitwarden Dev", $"{BASE_BUNDLE_ID_DROID}.dev", $"{BASE_BUNDLE_ID_IOS}.dev", "development");
-record QA(): VariantConfig("Bitwarden QA", $"{BASE_BUNDLE_ID_DROID}.qa", $"{BASE_BUNDLE_ID_IOS}.qa", "development");
-record Beta(): VariantConfig("Bitwarden Beta", $"{BASE_BUNDLE_ID_DROID}.beta", $"{BASE_BUNDLE_ID_IOS}.beta", "production");
-record Prod(): VariantConfig("Bitwarden", $"{BASE_BUNDLE_ID_DROID}", $"{BASE_BUNDLE_ID_IOS}", "production");
+//NOTE: Beta iOS variants have a different ITSEncryptionExportComplianceCode 
+record Dev(): VariantConfig("Bitwarden Dev", $"{BASE_BUNDLE_ID_DROID}.dev", $"{BASE_BUNDLE_ID_IOS}.dev", "development", "Dist:");
+record QA(): VariantConfig("Bitwarden QA", $"{BASE_BUNDLE_ID_DROID}.qa", $"{BASE_BUNDLE_ID_IOS}.qa", "development", "Dist:");
+record Beta(): VariantConfig("Bitwarden Beta", $"{BASE_BUNDLE_ID_DROID}.beta", $"{BASE_BUNDLE_ID_IOS}.beta", "production", "Dist: Beta");
+record Prod(): VariantConfig("Bitwarden", $"{BASE_BUNDLE_ID_DROID}", $"{BASE_BUNDLE_ID_IOS}", "production", "Dist:");
 
 VariantConfig GetVariant() => variant.ToLower() switch{
     "qa" => new QA(),
@@ -197,7 +199,8 @@ private void UpdateiOSInfoPlist(string plistPath, VariantConfig buildVariant, Gi
     var prevBundleId = plist["CFBundleIdentifier"];
     var prevBundleName = plist["CFBundleName"];
     //var newVersion = CreateBuildNumber(prevVersion).ToString();
-    var newVersionName = GetVersionName(prevVersionName, buildVariant, git);
+    // we need to maintain version formatting here composed of one to three period-separated integers, so we cannot use the GetVersionName method as in Android for non-Prod.
+    var newVersionName = prevVersionName;
     var newBundleId = GetiOSBundleId(buildVariant, projectType);
     var newBundleName = GetiOSBundleName(buildVariant, projectType);
 
@@ -219,6 +222,11 @@ private void UpdateiOSInfoPlist(string plistPath, VariantConfig buildVariant, Gi
         plist["NSExtension"]["NSExtensionAttributes"]["NSExtensionActivationRule"] = keyText.Replace("com.8bit.bitwarden", buildVariant.iOSBundleId);
     }
 
+    if(buildVariant is Beta)
+    {
+        plist["ITSEncryptionExportComplianceCode"] = "3dd3e32f-efa6-4d99-b410-28aa28b1cb77";
+    }
+
     SerializePlist(plistFile, plist);
 
     Information($"Changed app name from {prevBundleName} to {newBundleName}");
@@ -228,12 +236,15 @@ private void UpdateiOSInfoPlist(string plistPath, VariantConfig buildVariant, Gi
     Information($"{plistPath} updated with success!");
 }
 
-private void UpdateiOSEntitlementsPlist(string entitlementsPath, VariantConfig buildVariant)
+private void UpdateiOSEntitlementsPlist(string entitlementsPath, VariantConfig buildVariant, bool updateApsEnv)
 {
     var EntitlementlistFile = File(entitlementsPath);
     dynamic Entitlements = DeserializePlist(EntitlementlistFile);
 
-    Entitlements["aps-environment"] = buildVariant.ApsEnvironment;
+    if (updateApsEnv)
+    {
+        Entitlements["aps-environment"] = buildVariant.ApsEnvironment;
+    }
     Entitlements["keychain-access-groups"] = new List<string>() { "$(AppIdentifierPrefix)" + buildVariant.iOSBundleId };
     Entitlements["com.apple.security.application-groups"] = new List<string>() { $"group.{buildVariant.iOSBundleId}" };;
 
@@ -272,9 +283,10 @@ private void UpdateWatchPbxproj(string pbxprojPath, string newVersion)
     const string pattern = @"MARKETING_VERSION = [^;]*;";
 
     fileText = Regex.Replace(fileText, pattern, $"MARKETING_VERSION = {newVersion};");
-
+    
     FileWriteText(pbxprojPath, fileText);
-    Information($"{pbxprojPath} modified successfully.");
+
+    Information($"{pbxprojPath} modified Marketing Version successfully.");
 }
 
 /// <summary>
@@ -327,7 +339,7 @@ Task("UpdateiOSPlist")
         var infoPath = Path.Combine(_slnPath, "src", "App", "Platforms", "iOS", "Info.plist");
         var entitlementsPath = Path.Combine(_slnPath, "src", "App", "Platforms", "iOS", "Entitlements.plist");
         UpdateiOSInfoPlist(infoPath, buildVariant, _gitVersion, iOSProjectType.MainApp);
-        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant);
+        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant, true);
     });
 
 Task("UpdateiOSAutofillPlist")
@@ -338,7 +350,7 @@ Task("UpdateiOSAutofillPlist")
         var infoPath = Path.Combine(_slnPath, "src", "iOS.Autofill", "Info.plist");
         var entitlementsPath = Path.Combine(_slnPath, "src", "iOS.Autofill", "Entitlements.plist");
         UpdateiOSInfoPlist(infoPath, buildVariant, _gitVersion, iOSProjectType.Autofill);
-        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant);
+        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant, false);
     });
 
 Task("UpdateiOSExtensionPlist")
@@ -349,7 +361,7 @@ Task("UpdateiOSExtensionPlist")
         var infoPath = Path.Combine(_slnPath, "src", "iOS.Extension", "Info.plist");
         var entitlementsPath = Path.Combine(_slnPath, "src", "iOS.Extension", "Entitlements.plist");
         UpdateiOSInfoPlist(infoPath, buildVariant, _gitVersion, iOSProjectType.Extension);
-        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant);
+        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant, false);
     });
 
 Task("UpdateiOSShareExtensionPlist")
@@ -360,7 +372,7 @@ Task("UpdateiOSShareExtensionPlist")
         var infoPath = Path.Combine(_slnPath, "src", "iOS.ShareExtension", "Info.plist");
         var entitlementsPath = Path.Combine(_slnPath, "src", "iOS.ShareExtension", "Entitlements.plist");
         UpdateiOSInfoPlist(infoPath, buildVariant, _gitVersion, iOSProjectType.ShareExtension);
-        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant);
+        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant, false);
     });
 
 Task("UpdateiOSCodeFiles")
@@ -397,6 +409,22 @@ Task("UpdateWatchKitAppInfoPlist")
         UpdateWatchKitAppInfoPlist(infoPath, buildVariant);
     });
 
+Task("UpdateDistProfiles")
+    .IsDependentOn("UpdateiOSCodeFiles")
+    .Does(()=> {
+        var buildVariant = GetVariant();
+    
+        var filesToReplace = new string[] {
+            Path.Combine(".github", "resources", "export-options-app-store.plist"),
+            Path.Combine(_slnPath, "src", "watchOS", "bitwarden", "bitwarden.xcodeproj", "project.pbxproj")
+        };
+
+        foreach(string path in filesToReplace)
+        {
+            ReplaceInFile(path, "Dist:", buildVariant.DistProvisioningProfilePrefix);
+        }
+    });
+
 #endregion iOS
 
 #region Main Tasks
@@ -418,6 +446,7 @@ Task("iOS")
     .IsDependentOn("UpdateiOSCodeFiles")
     .IsDependentOn("UpdateWatchProject")
     .IsDependentOn("UpdateWatchKitAppInfoPlist")
+    .IsDependentOn("UpdateDistProfiles")
     .Does(()=>
     {
         Information("iOS app updated");
@@ -437,4 +466,4 @@ Options:
     });
 #endregion Main Tasks
 
-RunTarget(target);
+RunTarget(target);

src/App/App.csproj

@@ -117,6 +117,8 @@
 	  <Folder Include="Platforms\Android\Services\" />
 	  <Folder Include="Platforms\Android\Tiles\" />
 	  <Folder Include="Platforms\Android\Utilities\" />
+	  <Folder Include="Platforms\Android\Resources\drawable-xxxhdpi\" />
+	  <Folder Include="Resources\Raw\" />
 	</ItemGroup>
 	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">
 	  <PackageReference Include="Xamarin.AndroidX.AutoFill" Version="1.1.0.18" />
@@ -257,5 +259,13 @@
 	  <None Remove="Platforms\iOS\Resources\more_vert.png" />
 	  <None Remove="Platforms\iOS\Resources\logo_white.png" />
 	  <None Remove="Platforms\iOS\Resources\logo%402x.png" />
+	  <None Remove="Platforms\Android\Resources\drawable-xxxhdpi\" />
+	  <None Remove="Resources\Raw\" />
+	</ItemGroup>
+	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'ios'">
+		<BundleResource Include="Platforms\iOS\PrivacyInfo.xcprivacy" LogicalName="PrivacyInfo.xcprivacy" />
+	</ItemGroup>
+	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">
+	  <MauiAsset Include="Resources\Raw\fido2_privileged_allow_list.json" LogicalName="fido2_privileged_allow_list.json" />
 	</ItemGroup>
 </Project>

src/App/Platforms/Android/AndroidManifest.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" android:versionCode="1" android:versionName="2024.2.2" android:installLocation="internalOnly" package="com.x8bit.bitwarden">
+<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" android:versionCode="1" android:versionName="2024.4.1" android:installLocation="internalOnly" package="com.x8bit.bitwarden">
 	<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34" />
 	<uses-permission android:name="android.permission.INTERNET" />
 	<uses-permission android:name="android.permission.NFC" />
@@ -43,6 +43,9 @@
 	<!-- Support for Xamarin.Essentials.Browser.OpenAsync  (for Android > 11) -->
 	<!-- Related docs: https://learn.microsoft.com/en-us/xamarin/essentials/open-browser?tabs=android -->
 	<queries>
+		<intent>
+			<action android:name="android.support.customtabs.action.CustomTabsService" />
+		</intent>
 		<intent>
 			<action android:name="android.intent.action.VIEW" />
 			<data android:scheme="http" />

src/App/Platforms/Android/Autofill/AutofillHelpers.cs

@@ -347,7 +347,7 @@ namespace Bit.Droid.Autofill
                 // InlinePresentation requires nonNull pending intent (even though we only utilize one for the
                 // "my vault" presentation) so we're including an empty one here
                 pendingIntent = PendingIntent.GetService(context, 0, new Intent(),
-                    AndroidHelpers.AddPendingIntentMutabilityFlag(PendingIntentFlags.OneShot | PendingIntentFlags.UpdateCurrent, true));
+                    AndroidHelpers.AddPendingIntentMutabilityFlag(PendingIntentFlags.OneShot | PendingIntentFlags.UpdateCurrent, false));
             }
             var slice = CreateInlinePresentationSlice(
                 inlinePresentationSpec,

src/App/Platforms/Android/Autofill/CredentialHelpers.cs

@@ -0,0 +1,321 @@
+using System.ComponentModel.DataAnnotations;
+using System.Text.Json.Nodes;
+using Android.App;
+using Android.Content;
+using Android.OS;
+using AndroidX.Credentials;
+using AndroidX.Credentials.Exceptions;
+using AndroidX.Credentials.Provider;
+using AndroidX.Credentials.WebAuthn;
+using Bit.App.Abstractions;
+using Bit.App.Droid.Utilities;
+using Bit.Core.Abstractions;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+using Bit.Core.Utilities.Fido2.Extensions;
+using Bit.Droid;
+using Org.Json;
+using Activity = Android.App.Activity;
+using Drawables = Android.Graphics.Drawables;
+
+namespace Bit.App.Platforms.Android.Autofill
+{
+    public static class CredentialHelpers
+    {
+        public static async Task<List<CredentialEntry>> PopulatePasskeyDataAsync(CallingAppInfo callingAppInfo,
+            BeginGetPublicKeyCredentialOption option, Context context, bool hasVaultBeenUnlockedInThisTransaction)
+        {
+            var passkeyEntries = new List<CredentialEntry>();
+            var requestOptions = new PublicKeyCredentialRequestOptions(option.RequestJson);
+
+            var authenticator = Bit.Core.Utilities.ServiceContainer.Resolve<IFido2AuthenticatorService>();
+            var credentials = await authenticator.SilentCredentialDiscoveryAsync(requestOptions.RpId);
+
+            // We need to change the request code for every pending intent on mapping the credential so the extras are not overriten by the last
+            // credential entry created.
+            int requestCodeAddition = 0;
+            passkeyEntries = credentials.Select(credential => MapCredential(credential, option, context, hasVaultBeenUnlockedInThisTransaction, Bit.Droid.Autofill.CredentialProviderService.UniqueGetRequestCode + requestCodeAddition++) as CredentialEntry).ToList();
+
+            return passkeyEntries;
+        }
+
+        private static PublicKeyCredentialEntry MapCredential(Fido2AuthenticatorDiscoverableCredentialMetadata credential, BeginGetPublicKeyCredentialOption option, Context context, bool hasVaultBeenUnlockedInThisTransaction, int requestCode)
+        {
+            var credDataBundle = new Bundle();
+            credDataBundle.PutByteArray(Bit.Core.Utilities.Fido2.CredentialProviderConstants.CredentialIdIntentExtra, credential.Id);
+
+            var intent = new Intent(context, typeof(Bit.Droid.Autofill.CredentialProviderSelectionActivity))
+                .SetAction(Bit.Droid.Autofill.CredentialProviderService.GetFido2IntentAction).SetPackage(Constants.PACKAGE_NAME);
+            intent.PutExtra(Bit.Core.Utilities.Fido2.CredentialProviderConstants.CredentialDataIntentExtra, credDataBundle);
+            intent.PutExtra(Bit.Core.Utilities.Fido2.CredentialProviderConstants.CredentialProviderCipherId, credential.CipherId);
+            intent.PutExtra(Bit.Core.Utilities.Fido2.CredentialProviderConstants.CredentialHasVaultBeenUnlockedInThisTransactionExtra, hasVaultBeenUnlockedInThisTransaction);
+            var pendingIntent = PendingIntent.GetActivity(context, requestCode, intent,
+                PendingIntentFlags.Mutable | PendingIntentFlags.UpdateCurrent);
+
+            return new PublicKeyCredentialEntry.Builder(
+                        context,
+                        credential.UserName ?? "No username",
+                        pendingIntent,
+                        option)
+                    .SetDisplayName(credential.UserName ?? "No username")
+                    .SetIcon(Drawables.Icon.CreateWithResource(context, Microsoft.Maui.Resource.Drawable.icon))
+                    .Build();
+        }
+
+        private static PublicKeyCredentialCreationOptions GetPublicKeyCredentialCreationOptionsFromJson(string json)
+        {
+            var request = new PublicKeyCredentialCreationOptions(json);
+            var jsonObj = new JSONObject(json);
+            var authenticatorSelection = jsonObj.GetJSONObject("authenticatorSelection");
+            request.AuthenticatorSelection = new AndroidX.Credentials.WebAuthn.AuthenticatorSelectionCriteria(
+                authenticatorSelection.OptString("authenticatorAttachment", "platform"),
+                authenticatorSelection.OptString("residentKey", null),
+                authenticatorSelection.OptBoolean("requireResidentKey", false),
+                authenticatorSelection.OptString("userVerification", "preferred"));
+
+            return request;
+        }
+
+        public static async Task CreateCipherPasskeyAsync(ProviderCreateCredentialRequest getRequest, Activity activity)
+        {
+            var callingRequest = getRequest?.CallingRequest as CreatePublicKeyCredentialRequest;
+
+            if (callingRequest is null)
+            {
+                await DisplayAlertAsync(AppResources.AnErrorHasOccurred, string.Empty);
+                FailAndFinish();
+                return;
+            }
+
+            var credentialCreationOptions = GetPublicKeyCredentialCreationOptionsFromJson(callingRequest.RequestJson);
+            string origin;
+            try
+            {
+                origin = await ValidateCallingAppInfoAndGetOriginAsync(getRequest.CallingAppInfo, credentialCreationOptions.Rp.Id);
+            }
+            catch (Core.Exceptions.ValidationException valEx)
+            {
+                await DisplayAlertAsync(AppResources.AnErrorHasOccurred, valEx.Message);
+                FailAndFinish();
+                return;
+            }
+
+            if (origin is null)
+            {
+                await DisplayAlertAsync(AppResources.ErrorCreatingPasskey, AppResources.PasskeysNotSupportedForThisApp);
+                FailAndFinish();
+                return;
+            }
+
+            var rp = new Core.Utilities.Fido2.PublicKeyCredentialRpEntity()
+            {
+                Id = credentialCreationOptions.Rp.Id,
+                Name = credentialCreationOptions.Rp.Name
+            };
+
+            var user = new Core.Utilities.Fido2.PublicKeyCredentialUserEntity()
+            {
+                Id = credentialCreationOptions.User.GetId(),
+                Name = credentialCreationOptions.User.Name,
+                DisplayName = credentialCreationOptions.User.DisplayName
+            };
+
+            var pubKeyCredParams = new List<Core.Utilities.Fido2.PublicKeyCredentialParameters>();
+            foreach (var pubKeyCredParam in credentialCreationOptions.PubKeyCredParams)
+            {
+                pubKeyCredParams.Add(new Core.Utilities.Fido2.PublicKeyCredentialParameters() { Alg = Convert.ToInt32(pubKeyCredParam.Alg), Type = pubKeyCredParam.Type });
+            }
+
+            var excludeCredentials = new List<Core.Utilities.Fido2.PublicKeyCredentialDescriptor>();
+            foreach (var excludeCred in credentialCreationOptions.ExcludeCredentials)
+            {
+                excludeCredentials.Add(new Core.Utilities.Fido2.PublicKeyCredentialDescriptor() { Id = excludeCred.GetId(), Type = excludeCred.Type, Transports = excludeCred.Transports.ToArray() });
+            }
+
+            var authenticatorSelection = new Core.Utilities.Fido2.AuthenticatorSelectionCriteria()
+            {
+                UserVerification = credentialCreationOptions.AuthenticatorSelection.UserVerification,
+                ResidentKey = credentialCreationOptions.AuthenticatorSelection.ResidentKey,
+                RequireResidentKey = credentialCreationOptions.AuthenticatorSelection.RequireResidentKey
+            };
+
+            var timeout = Convert.ToInt32(credentialCreationOptions.Timeout);
+
+            var credentialCreateParams = new Fido2ClientCreateCredentialParams()
+            {
+                Challenge = credentialCreationOptions.GetChallenge(),
+                Origin = origin,
+                PubKeyCredParams = pubKeyCredParams.ToArray(),
+                Rp = rp,
+                User = user,
+                Timeout = timeout,
+                Attestation = credentialCreationOptions.Attestation,
+                AuthenticatorSelection = authenticatorSelection,
+                ExcludeCredentials = excludeCredentials.ToArray(),
+                Extensions = MapExtensionsFromJson(credentialCreationOptions),
+                SameOriginWithAncestors = true
+            };
+
+            var credentialExtraCreateParams = new Fido2ExtraCreateCredentialParams
+            (
+                callingRequest.GetClientDataHash(),
+                getRequest.CallingAppInfo?.PackageName
+            );
+
+            var fido2MediatorService = ServiceContainer.Resolve<IFido2MediatorService>();
+            var clientCreateCredentialResult = await fido2MediatorService.CreateCredentialAsync(credentialCreateParams, credentialExtraCreateParams);
+            if (clientCreateCredentialResult == null)
+            {
+                FailAndFinish();
+                return;
+            }
+
+            var transportsArray = new JSONArray();
+            if (clientCreateCredentialResult.Transports != null)
+            {
+                foreach (var transport in clientCreateCredentialResult.Transports)
+                {
+                    transportsArray.Put(transport);
+                }
+            }
+
+            var responseInnerAndroidJson = new JSONObject();
+            if (clientCreateCredentialResult.ClientDataJSON != null)
+            {
+                responseInnerAndroidJson.Put("clientDataJSON", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.ClientDataJSON));
+            }
+            responseInnerAndroidJson.Put("authenticatorData", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.AuthData));
+            responseInnerAndroidJson.Put("attestationObject", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.AttestationObject));
+            responseInnerAndroidJson.Put("transports", transportsArray);
+            responseInnerAndroidJson.Put("publicKeyAlgorithm", clientCreateCredentialResult.PublicKeyAlgorithm);
+            responseInnerAndroidJson.Put("publicKey", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.PublicKey));
+
+            var rootAndroidJson = new JSONObject();
+            rootAndroidJson.Put("id", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.CredentialId));
+            rootAndroidJson.Put("rawId", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.CredentialId));
+            rootAndroidJson.Put("authenticatorAttachment", "platform");
+            rootAndroidJson.Put("type", "public-key");
+            rootAndroidJson.Put("clientExtensionResults", MapExtensionsToJson(clientCreateCredentialResult.Extensions));
+            rootAndroidJson.Put("response", responseInnerAndroidJson);
+
+            var result = new Intent();
+            var publicKeyResponse = new CreatePublicKeyCredentialResponse(rootAndroidJson.ToString());
+            PendingIntentHandler.SetCreateCredentialResponse(result, publicKeyResponse);
+
+            activity.SetResult(Result.Ok, result);
+            activity.Finish();
+
+            async Task DisplayAlertAsync(string title, string message)
+            {
+                if (ServiceContainer.TryResolve<IDeviceActionService>(out var deviceActionService))
+                {
+                    await deviceActionService.DisplayAlertAsync(title, message, AppResources.Ok);
+                }
+            }
+
+            void FailAndFinish()
+            {
+                var result = new Intent();
+                PendingIntentHandler.SetCreateCredentialException(result, new CreateCredentialUnknownException());
+
+                activity.SetResult(Result.Ok, result);
+                activity.Finish();
+            }
+        }
+
+        private static Fido2CreateCredentialExtensionsParams MapExtensionsFromJson(PublicKeyCredentialCreationOptions options)
+        {
+            if (options == null || !options.Json.Has("extensions"))
+            {
+                return null;
+            }
+
+            var extensions = options.Json.GetJSONObject("extensions");
+            return new Fido2CreateCredentialExtensionsParams
+            {
+                CredProps = extensions.Has("credProps") && extensions.GetBoolean("credProps")
+            };
+        }
+
+        private static JSONObject MapExtensionsToJson(Fido2CreateCredentialExtensionsResult extensions)
+        {
+            if (extensions == null)
+            {
+                return null;
+            }
+
+            var extensionsJson = new JSONObject();
+            if (extensions.CredProps != null)
+            {
+                var credPropsJson = new JSONObject();
+                credPropsJson.Put("rk", extensions.CredProps.Rk);
+                extensionsJson.Put("credProps", credPropsJson);
+            }
+
+            return extensionsJson;
+        }
+
+        public static async Task<string> LoadFido2PrivilegedAllowedListAsync()
+        {
+            try
+            {
+                using var stream = await FileSystem.OpenAppPackageFileAsync("fido2_privileged_allow_list.json");
+                using var reader = new StreamReader(stream);
+
+                return reader.ReadToEnd();
+            }
+            catch
+            {
+                return null;
+            }
+        }
+
+        public static async Task<string> ValidateCallingAppInfoAndGetOriginAsync(CallingAppInfo callingAppInfo, string rpId)
+        {
+            if (callingAppInfo.Origin is null)
+            {
+                return await ValidateAssetLinksAndGetOriginAsync(callingAppInfo, rpId);
+            }
+
+            var privilegedAllowedList = await LoadFido2PrivilegedAllowedListAsync();
+            if (privilegedAllowedList is null)
+            {
+                throw new InvalidOperationException("Could not load Fido2 privileged allowed list");
+            }
+
+            if (!privilegedAllowedList.Contains($"\"package_name\": \"{callingAppInfo.PackageName}\""))
+            {
+                throw new Core.Exceptions.ValidationException(AppResources.PasskeyOperationFailedBecauseBrowserIsNotPrivileged);
+            }
+
+            try
+            {
+                return callingAppInfo.GetOrigin(privilegedAllowedList);
+            }
+            catch (Java.Lang.IllegalStateException)
+            {
+                throw new Core.Exceptions.ValidationException(AppResources.PasskeyOperationFailedBecauseBrowserSignatureDoesNotMatch);
+            }
+            catch (Java.Lang.IllegalArgumentException)
+            {
+                return null; // wrong list format
+            }
+        }
+
+        private static async Task<string> ValidateAssetLinksAndGetOriginAsync(CallingAppInfo callingAppInfo, string rpId)
+        {
+            if (!ServiceContainer.TryResolve<IAssetLinksService>(out var assetLinksService))
+            {
+                throw new InvalidOperationException("Can't resolve IAssetLinksService");
+            }
+
+            var normalizedFingerprint = callingAppInfo.GetLatestCertificationFingerprint();
+
+            var isValid = await assetLinksService.ValidateAssetLinksAsync(rpId, callingAppInfo.PackageName, normalizedFingerprint);
+
+            return isValid ? callingAppInfo.GetAndroidOrigin() : null;
+        }
+    }
+}

src/App/Platforms/Android/Autofill/CredentialProviderConstants.cs

@@ -1,9 +0,0 @@
-namespace Bit.Droid.Autofill
-{
-    public class CredentialProviderConstants
-    {
-        public const string CredentialProviderCipherId = "credentialProviderCipherId";
-        public const string CredentialDataIntentExtra = "CREDENTIAL_DATA";
-        public const string CredentialIdIntentExtra = "credId";
-    }
-}

src/App/Platforms/Android/Autofill/CredentialProviderSelectionActivity.cs

@@ -1,12 +1,20 @@
-using System.Threading.Tasks;
-using Android.App;
+using Android.App;
+using Android.Content;
 using Android.Content.PM;
 using Android.OS;
+using AndroidX.Credentials;
 using AndroidX.Credentials.Provider;
 using AndroidX.Credentials.WebAuthn;
+using Bit.App.Droid.Utilities;
+using Bit.App.Abstractions;
 using Bit.Core.Abstractions;
 using Bit.Core.Utilities;
-using Bit.App.Droid.Utilities;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Utilities.Fido2;
+using Bit.Core.Services;
+using Bit.App.Platforms.Android.Autofill;
+using AndroidX.Credentials.Exceptions;
+using Org.Json;
 
 namespace Bit.Droid.Autofill
 {
@@ -15,6 +23,14 @@ namespace Bit.Droid.Autofill
         LaunchMode = LaunchMode.SingleTop)]
     public class CredentialProviderSelectionActivity : MauiAppCompatActivity
     {
+        private LazyResolve<IFido2MediatorService> _fido2MediatorService = new LazyResolve<IFido2MediatorService>();
+        private LazyResolve<IFido2AndroidGetAssertionUserInterface> _fido2GetAssertionUserInterface = new LazyResolve<IFido2AndroidGetAssertionUserInterface>();
+        private LazyResolve<IVaultTimeoutService> _vaultTimeoutService = new LazyResolve<IVaultTimeoutService>();
+        private LazyResolve<IStateService> _stateService = new LazyResolve<IStateService>();
+        private LazyResolve<ICipherService> _cipherService = new LazyResolve<ICipherService>();
+        private LazyResolve<IUserVerificationMediatorService> _userVerificationMediatorService = new LazyResolve<IUserVerificationMediatorService>();
+        private LazyResolve<IDeviceActionService> _deviceActionService = new LazyResolve<IDeviceActionService>();
+
         protected override void OnCreate(Bundle bundle)
         {
             Intent?.Validate();
@@ -23,43 +39,145 @@ namespace Bit.Droid.Autofill
             var cipherId = Intent?.GetStringExtra(CredentialProviderConstants.CredentialProviderCipherId);
             if (string.IsNullOrEmpty(cipherId))
             {
-                SetResult(Result.Canceled);
                 Finish();
                 return;
             }
 
-            GetCipherAndPerformPasskeyAuthAsync(cipherId).FireAndForget();
+            GetCipherAndPerformFido2AuthAsync(cipherId).FireAndForget();
         }
 
-        private async Task GetCipherAndPerformPasskeyAuthAsync(string cipherId)
+        //Used to avoid crash on MAUI when doing back
+        public override void OnBackPressed()
         {
-            // TODO this is a work in progress
-            // https://developer.android.com/training/sign-in/credential-provider#passkeys-implement
+            Finish();
+        }
 
-            var getRequest = PendingIntentHandler.RetrieveProviderGetCredentialRequest(Intent);
-            // var publicKeyRequest = getRequest?.CredentialOptions as PublicKeyCredentialRequestOptions;
+        private async Task GetCipherAndPerformFido2AuthAsync(string cipherId)
+        {
+            string RpId = string.Empty;
+            try
+            {
+                var getRequest = PendingIntentHandler.RetrieveProviderGetCredentialRequest(Intent);
 
-            var requestInfo = Intent.GetBundleExtra(CredentialProviderConstants.CredentialDataIntentExtra);
-            var credIdEnc = requestInfo?.GetString(CredentialProviderConstants.CredentialIdIntentExtra);
+                if (getRequest is null)
+                {
+                    FailAndFinish();
+                    return;
+                }
 
-            var cipherService = ServiceContainer.Resolve<ICipherService>();
-            var cipher = await cipherService.GetAsync(cipherId);
-            var decCipher = await cipher.DecryptAsync();
+                var credentialOption = getRequest.CredentialOptions.FirstOrDefault();
+                var credentialPublic = credentialOption as GetPublicKeyCredentialOption;
 
-            var passkey = decCipher.Login.Fido2Credentials.Find(f => f.CredentialId == credIdEnc);
+                var requestOptions = new PublicKeyCredentialRequestOptions(credentialPublic.RequestJson);
+                RpId = requestOptions.RpId;
 
-            var credId = Convert.FromBase64String(credIdEnc);
-            // var privateKey = Convert.FromBase64String(passkey.PrivateKey);
-            // var uid = Convert.FromBase64String(passkey.uid);
+                var requestInfo = Intent.GetBundleExtra(CredentialProviderConstants.CredentialDataIntentExtra);
+                var credentialId = requestInfo?.GetByteArray(CredentialProviderConstants.CredentialIdIntentExtra);
+                var hasVaultBeenUnlockedInThisTransaction = Intent.GetBooleanExtra(CredentialProviderConstants.CredentialHasVaultBeenUnlockedInThisTransactionExtra, false);
 
-            var origin = getRequest?.CallingAppInfo.Origin;
-            var packageName = getRequest?.CallingAppInfo.PackageName;
+                var packageName = getRequest.CallingAppInfo.PackageName;
 
-            // --- continue WIP here (save TOTP copy as last step) ---
+                string origin;
+                try
+                {
+                    origin = await CredentialHelpers.ValidateCallingAppInfoAndGetOriginAsync(getRequest.CallingAppInfo, RpId);
+                }
+                catch (Core.Exceptions.ValidationException valEx)
+                {
+                    await _deviceActionService.Value.DisplayAlertAsync(AppResources.AnErrorHasOccurred, valEx.Message, AppResources.Ok);
+                    FailAndFinish();
+                    return;
+                }
 
-            // Copy TOTP if needed
-            var autofillHandler = ServiceContainer.Resolve<IAutofillHandler>();
-            autofillHandler.Autofill(decCipher);
+                if (origin is null)
+                {
+                    await _deviceActionService.Value.DisplayAlertAsync(AppResources.ErrorReadingPasskey, AppResources.PasskeysNotSupportedForThisApp, AppResources.Ok);
+                    FailAndFinish();
+                    return;
+                }
+
+                _fido2GetAssertionUserInterface.Value.Init(
+                    cipherId,
+                    false,
+                    () => hasVaultBeenUnlockedInThisTransaction,
+                    RpId
+                );
+
+                var clientAssertParams = new Fido2ClientAssertCredentialParams
+                {
+                    Challenge = requestOptions.GetChallenge(),
+                    RpId = RpId,
+                    AllowCredentials = new Core.Utilities.Fido2.PublicKeyCredentialDescriptor[] { new Core.Utilities.Fido2.PublicKeyCredentialDescriptor { Id = credentialId } },
+                    Origin = origin,
+                    SameOriginWithAncestors = true,
+                    UserVerification = requestOptions.UserVerification
+                };
+
+                var extraAssertParams = new Fido2ExtraAssertCredentialParams
+                (
+                    getRequest.CallingAppInfo.Origin != null ? credentialPublic.GetClientDataHash() : null,
+                    packageName
+                );
+
+                var assertResult = await _fido2MediatorService.Value.AssertCredentialAsync(clientAssertParams, extraAssertParams);
+
+                var result = new Intent();
+
+                var responseInnerAndroidJson = new JSONObject();
+                if (assertResult.ClientDataJSON != null)
+                {
+                    responseInnerAndroidJson.Put("clientDataJSON", CoreHelpers.Base64UrlEncode(assertResult.ClientDataJSON));
+                }
+                responseInnerAndroidJson.Put("authenticatorData", CoreHelpers.Base64UrlEncode(assertResult.AuthenticatorData));
+                responseInnerAndroidJson.Put("signature", CoreHelpers.Base64UrlEncode(assertResult.Signature));
+                responseInnerAndroidJson.Put("userHandle", CoreHelpers.Base64UrlEncode(assertResult.SelectedCredential.UserHandle));
+
+                var rootAndroidJson = new JSONObject();
+                rootAndroidJson.Put("id", CoreHelpers.Base64UrlEncode(assertResult.SelectedCredential.Id));
+                rootAndroidJson.Put("rawId", CoreHelpers.Base64UrlEncode(assertResult.SelectedCredential.Id));
+                rootAndroidJson.Put("authenticatorAttachment", "platform");
+                rootAndroidJson.Put("type", "public-key");
+                rootAndroidJson.Put("clientExtensionResults", new JSONObject());
+                rootAndroidJson.Put("response", responseInnerAndroidJson);
+
+                var json = rootAndroidJson.ToString();
+
+                var cred = new PublicKeyCredential(json);
+                var credResponse = new GetCredentialResponse(cred);
+                PendingIntentHandler.SetGetCredentialResponse(result, credResponse);
+
+                await MainThread.InvokeOnMainThreadAsync(() =>
+                {
+                    SetResult(Result.Ok, result);
+                    Finish();
+                });
+            }
+            catch (NotAllowedError)
+            {
+                await MainThread.InvokeOnMainThreadAsync(async () =>
+                {
+                    await _deviceActionService.Value.DisplayAlertAsync(AppResources.ErrorReadingPasskey, string.Format(AppResources.ThereWasAProblemReadingAPasskeyForXTryAgainLater, RpId), AppResources.Ok);
+                    FailAndFinish();
+                });
+            }
+            catch (Exception ex)
+            {
+                LoggerHelper.LogEvenIfCantBeResolved(ex);
+                await MainThread.InvokeOnMainThreadAsync(async () =>
+                {
+                    await _deviceActionService.Value.DisplayAlertAsync(AppResources.ErrorReadingPasskey, string.Format(AppResources.ThereWasAProblemReadingAPasskeyForXTryAgainLater, RpId), AppResources.Ok);
+                    FailAndFinish();
+                });
+            }
+        }
+
+        private void FailAndFinish()
+        {
+            var result = new Intent();
+            PendingIntentHandler.SetGetCredentialException(result, new GetCredentialUnknownException());
+
+            SetResult(Result.Ok, result);
+            Finish();
         }
     }
 }

src/App/Platforms/Android/Autofill/CredentialProviderService.cs

@@ -1,16 +1,15 @@
 using Android;
 using Android.App;
 using Android.Content;
-using Android.Graphics.Drawables;
 using Android.OS;
 using Android.Runtime;
 using AndroidX.Credentials.Provider;
 using Bit.Core.Abstractions;
 using Bit.Core.Utilities;
 using AndroidX.Credentials.Exceptions;
-using AndroidX.Credentials.WebAuthn;
-using Bit.Core.Models.View;
-using Resource = Microsoft.Maui.Resource;
+using Bit.App.Droid.Utilities;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Utilities.Fido2;
 
 namespace Bit.Droid.Autofill
 {
@@ -20,62 +19,123 @@ namespace Bit.Droid.Autofill
     [Register("com.x8bit.bitwarden.Autofill.CredentialProviderService")]
     public class CredentialProviderService : AndroidX.Credentials.Provider.CredentialProviderService
     {
-        private const string GetPasskeyIntentAction = "PACKAGE_NAME.GET_PASSKEY";
-        private const int UniqueRequestCode = 94556023;
+        public const string GetFido2IntentAction = "PACKAGE_NAME.GET_PASSKEY";
+        public const string CreateFido2IntentAction = "PACKAGE_NAME.CREATE_PASSKEY";
+        public const int UniqueGetRequestCode = 94556023;
+        public const int UniqueCreateRequestCode = 94556024;
 
-        private ICipherService _cipherService;
-        private IUserVerificationService _userVerificationService;
-        private IVaultTimeoutService _vaultTimeoutService;
-        private LazyResolve<ILogger> _logger = new LazyResolve<ILogger>("logger");
+        private readonly LazyResolve<IVaultTimeoutService> _vaultTimeoutService = new LazyResolve<IVaultTimeoutService>();
+        private readonly LazyResolve<IStateService> _stateService = new LazyResolve<IStateService>();
+        private readonly LazyResolve<ILogger> _logger = new LazyResolve<ILogger>();
 
         public override async void OnBeginCreateCredentialRequest(BeginCreateCredentialRequest request,
-            CancellationSignal cancellationSignal, IOutcomeReceiver callback) => throw new NotImplementedException();
+            CancellationSignal cancellationSignal, IOutcomeReceiver callback)
+        {
+            try
+            {
+                var response = await ProcessCreateCredentialsRequestAsync(request);
+                if (response != null)
+                {
+                    await MainThread.InvokeOnMainThreadAsync(() => callback.OnResult(response));
+                    return;
+                }
+            }
+            catch (Exception ex)
+            {
+                _logger.Value.Exception(ex);
+            }
+            MainThread.BeginInvokeOnMainThread(() => callback.OnError(AppResources.ErrorCreatingPasskey));
+        }
 
         public override async void OnBeginGetCredentialRequest(BeginGetCredentialRequest request,
             CancellationSignal cancellationSignal, IOutcomeReceiver callback)
         {
             try
             {
-                _vaultTimeoutService ??= ServiceContainer.Resolve<IVaultTimeoutService>();
-
-                await _vaultTimeoutService.CheckVaultTimeoutAsync();
-                var locked = await _vaultTimeoutService.IsLockedAsync();
+                await _vaultTimeoutService.Value.CheckVaultTimeoutAsync();
+                var locked = await _vaultTimeoutService.Value.IsLockedAsync();
                 if (!locked)
                 {
                     var response = await ProcessGetCredentialsRequestAsync(request);
                     callback.OnResult(response);
+                    return;
                 }
-                // TODO handle auth/unlock account flow
+
+                var intent = new Intent(ApplicationContext, typeof(MainActivity));
+                intent.PutExtra(CredentialProviderConstants.Fido2CredentialAction, CredentialProviderConstants.Fido2CredentialGet);
+                var pendingIntent = PendingIntent.GetActivity(ApplicationContext, UniqueGetRequestCode, intent,
+                    AndroidHelpers.AddPendingIntentMutabilityFlag(PendingIntentFlags.UpdateCurrent, true));
+
+                var unlockAction = new AuthenticationAction(AppResources.Unlock, pendingIntent);
+
+                var unlockResponse = new BeginGetCredentialResponse.Builder()
+                    .SetAuthenticationActions(new List<AuthenticationAction>() { unlockAction } )
+                    .Build();
+                callback.OnResult(unlockResponse);
             }
             catch (GetCredentialException e)
             {
                 _logger.Value.Exception(e);
-                callback.OnError(e.ErrorMessage ?? "Error getting credentials");
+                callback.OnError(e.ErrorMessage ?? AppResources.ErrorReadingPasskey);
             }
             catch (Exception e)
             {
                 _logger.Value.Exception(e);
-                throw;
+                callback.OnError(AppResources.ErrorReadingPasskey);
             }
         }
 
+        private async Task<BeginCreateCredentialResponse> ProcessCreateCredentialsRequestAsync(
+            BeginCreateCredentialRequest request)
+        {
+            if (request == null) { return null; }
+
+            if (request is BeginCreatePasswordCredentialRequest beginCreatePasswordCredentialRequest)
+            {
+                //This flow can be used if Password flow needs to be implemented
+                throw new NotImplementedException();
+                //return HandleCreatePasswordQuery(beginCreatePasswordCredentialRequest);
+            }
+            else if (request is BeginCreatePublicKeyCredentialRequest beginCreatePublicKeyCredentialRequest)
+            {
+                return await HandleCreatePasskeyQueryAsync(beginCreatePublicKeyCredentialRequest);
+            }
+
+            return null;
+        }
+
+        private async Task<BeginCreateCredentialResponse> HandleCreatePasskeyQueryAsync(BeginCreatePublicKeyCredentialRequest optionRequest)
+        {
+            var intent = new Intent(ApplicationContext, typeof(MainActivity));
+            intent.PutExtra(CredentialProviderConstants.Fido2CredentialAction, CredentialProviderConstants.Fido2CredentialCreate);
+            var pendingIntent = PendingIntent.GetActivity(ApplicationContext, UniqueCreateRequestCode, intent,
+                AndroidHelpers.AddPendingIntentMutabilityFlag(PendingIntentFlags.UpdateCurrent, true));
+
+            var userEmail = await GetSafeActiveAccountEmailAsync();
+
+            var createEntryBuilder = new CreateEntry.Builder(userEmail ?? AppResources.Bitwarden, pendingIntent)
+                .SetDescription(userEmail != null
+                                    ? string.Format(AppResources.YourPasskeyWillBeSavedToYourBitwardenVaultForX, userEmail)
+                                    : AppResources.YourPasskeyWillBeSavedToYourBitwardenVault)
+                .Build();
+
+            var createCredentialResponse = new BeginCreateCredentialResponse.Builder()
+                .AddCreateEntry(createEntryBuilder);
+
+            return createCredentialResponse.Build();
+        }
+
         private async Task<BeginGetCredentialResponse> ProcessGetCredentialsRequestAsync(
             BeginGetCredentialRequest request)
         {
-            IList<CredentialEntry> credentialEntries = null;
+            var credentialEntries = new List<CredentialEntry>();
 
-            foreach (var option in request.BeginGetCredentialOptions)
+            foreach (var option in request.BeginGetCredentialOptions.OfType<BeginGetPublicKeyCredentialOption>())
             {
-                var credentialOption = option as BeginGetPublicKeyCredentialOption;
-                if (credentialOption != null)
-                {
-                    credentialEntries ??= new List<CredentialEntry>();
-                    ((List<CredentialEntry>)credentialEntries).AddRange(
-                        await PopulatePasskeyDataAsync(request.CallingAppInfo, credentialOption));
-                }
+                credentialEntries.AddRange(await Bit.App.Platforms.Android.Autofill.CredentialHelpers.PopulatePasskeyDataAsync(request.CallingAppInfo, option, ApplicationContext, false));
             }
 
-            if (credentialEntries == null)
+            if (!credentialEntries.Any())
             {
                 return new BeginGetCredentialResponse();
             }
@@ -85,63 +145,24 @@ namespace Bit.Droid.Autofill
                 .Build();
         }
 
-        private async Task<List<CredentialEntry>> PopulatePasskeyDataAsync(CallingAppInfo callingAppInfo,
-            BeginGetPublicKeyCredentialOption option)
-        {
-            var packageName = callingAppInfo.PackageName;
-            var origin = callingAppInfo.Origin;
-            var signingInfo = callingAppInfo.SigningInfo;
-
-            var request = new PublicKeyCredentialRequestOptions(option.RequestJson);
-
-            var passkeyEntries = new List<CredentialEntry>();
-
-            _cipherService ??= ServiceContainer.Resolve<ICipherService>();
-            var ciphers = await _cipherService.GetAllDecryptedForUrlAsync(origin);
-            if (ciphers == null)
-            {
-                return passkeyEntries;
-            }
-
-            var passkeyCiphers = ciphers.Where(cipher => cipher.HasFido2Credential).ToList();
-            if (!passkeyCiphers.Any())
-            {
-                return passkeyEntries;
-            }
-
-            foreach (var cipher in passkeyCiphers)
-            {
-                var passkeyEntry = GetPasskey(cipher, option);
-                passkeyEntries.Add(passkeyEntry);
-            }
-
-            return passkeyEntries;
-        }
-
-        private PublicKeyCredentialEntry GetPasskey(CipherView cipher, BeginGetPublicKeyCredentialOption option)
-        {
-            var credDataBundle = new Bundle();
-            credDataBundle.PutString(CredentialProviderConstants.CredentialIdIntentExtra,
-                cipher.Login.MainFido2Credential.CredentialId);
-
-            var intent = new Intent(ApplicationContext, typeof(CredentialProviderSelectionActivity))
-                .SetAction(GetPasskeyIntentAction).SetPackage(Constants.PACKAGE_NAME);
-            intent.PutExtra(CredentialProviderConstants.CredentialDataIntentExtra, credDataBundle);
-            intent.PutExtra(CredentialProviderConstants.CredentialProviderCipherId, cipher.Id);
-            var pendingIntent = PendingIntent.GetActivity(ApplicationContext, UniqueRequestCode, intent,
-                PendingIntentFlags.Mutable | PendingIntentFlags.UpdateCurrent);
-
-            return new PublicKeyCredentialEntry.Builder(
-                    ApplicationContext,
-                    cipher.Login.Username ?? "No username",
-                    pendingIntent,
-                    option)
-                .SetDisplayName(cipher.Name)
-                .SetIcon(Icon.CreateWithResource(ApplicationContext, Resource.Drawable.icon))
-                .Build();
-        }
-
         public override void OnClearCredentialStateRequest(ProviderClearCredentialStateRequest request,
-            CancellationSignal cancellationSignal, IOutcomeReceiver callback) => throw new NotImplementedException();
+            CancellationSignal cancellationSignal, IOutcomeReceiver callback)
+        {
+            callback.OnResult(null);
+        }
+
+        private async Task<string> GetSafeActiveAccountEmailAsync()
+        {
+            try
+            {
+                return await _stateService.Value.GetEmailAsync();
+            }
+            catch (Exception ex)
+            {
+                // if it throws to get the user's email then we log and continue showing a more generic message
+                _logger.Value.Exception(ex);
+                return null;
+            }
+        }
     }
 }

src/App/Platforms/Android/Autofill/Fido2GetAssertionUserInterface.cs

@@ -0,0 +1,77 @@
+using Bit.Core.Abstractions;
+using Bit.Core.Services;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.App.Platforms.Android.Autofill
+{
+    public interface IFido2AndroidGetAssertionUserInterface : IFido2GetAssertionUserInterface
+    {
+        void Init(string cipherId,
+            bool userVerified,
+            Func<bool> hasVaultBeenUnlockedInThisTransaction,
+            string rpId);
+    }
+
+    public class Fido2GetAssertionUserInterface : Core.Utilities.Fido2.Fido2GetAssertionUserInterface, IFido2AndroidGetAssertionUserInterface
+    {
+        private readonly IStateService _stateService;
+        private readonly IVaultTimeoutService _vaultTimeoutService;
+        private readonly ICipherService _cipherService;
+        private readonly IUserVerificationMediatorService _userVerificationMediatorService;
+
+        public Fido2GetAssertionUserInterface(IStateService stateService, 
+            IVaultTimeoutService vaultTimeoutService,
+            ICipherService cipherService,
+            IUserVerificationMediatorService userVerificationMediatorService)
+        {
+            _stateService = stateService;
+            _vaultTimeoutService = vaultTimeoutService;
+            _cipherService = cipherService;
+            _userVerificationMediatorService = userVerificationMediatorService;
+        }
+
+        public void Init(string cipherId,
+            bool userVerified,
+            Func<bool> hasVaultBeenUnlockedInThisTransaction,
+            string rpId)
+        {
+            Init(cipherId, 
+                userVerified, 
+                EnsureAuthenAndVaultUnlockedAsync, 
+                hasVaultBeenUnlockedInThisTransaction, 
+                (cipherId, userVerificationPreference) => VerifyUserAsync(cipherId, userVerificationPreference, rpId, hasVaultBeenUnlockedInThisTransaction()));
+        }
+
+        public async Task EnsureAuthenAndVaultUnlockedAsync()
+        {
+            if (!await _stateService.IsAuthenticatedAsync() || await _vaultTimeoutService.IsLockedAsync())
+            {
+                // this should never happen but just in case.
+                throw new InvalidOperationException("Not authed or vault locked");
+            }
+        }
+
+        private async Task<bool> VerifyUserAsync(string selectedCipherId, Fido2UserVerificationPreference userVerificationPreference, string rpId, bool vaultUnlockedDuringThisTransaction)
+        {
+            try
+            {
+                var encrypted = await _cipherService.GetAsync(selectedCipherId);
+                var cipher = await encrypted.DecryptAsync();
+
+                var userVerification = await _userVerificationMediatorService.VerifyUserForFido2Async(
+                    new Fido2UserVerificationOptions(
+                        cipher?.Reprompt == Core.Enums.CipherRepromptType.Password,
+                        userVerificationPreference,
+                        vaultUnlockedDuringThisTransaction,
+                        rpId)
+                    );
+                return !userVerification.IsCancelled && userVerification.Result;
+            }
+            catch (Exception ex)
+            {
+                LoggerHelper.LogEvenIfCantBeResolved(ex);
+                return false;
+            }
+        }
+    }
+}

src/App/Platforms/Android/Autofill/Fido2MakeCredentialUserInterface.cs

@@ -0,0 +1,202 @@
+using Bit.App.Abstractions;
+using Bit.Core.Abstractions;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.App.Platforms.Android.Autofill
+{
+    public class Fido2MakeCredentialUserInterface : IFido2MakeCredentialConfirmationUserInterface
+    {
+        private readonly IStateService _stateService;
+        private readonly IVaultTimeoutService _vaultTimeoutService;
+        private readonly ICipherService _cipherService;
+        private readonly IUserVerificationMediatorService _userVerificationMediatorService;
+        private readonly IDeviceActionService _deviceActionService;
+        private readonly IPlatformUtilsService _platformUtilsService;
+        private LazyResolve<IMessagingService> _messagingService = new LazyResolve<IMessagingService>();
+
+        private TaskCompletionSource<(string cipherId, bool? userVerified)> _confirmCredentialTcs;
+        private TaskCompletionSource<bool> _unlockVaultTcs;
+        private Fido2UserVerificationOptions? _currentDefaultUserVerificationOptions;
+        private Func<bool> _checkHasVaultBeenUnlockedInThisTransaction;
+
+        public Fido2MakeCredentialUserInterface(IStateService stateService,
+            IVaultTimeoutService vaultTimeoutService,
+            ICipherService cipherService,
+            IUserVerificationMediatorService userVerificationMediatorService,
+            IDeviceActionService deviceActionService,
+            IPlatformUtilsService platformUtilsService)
+        {
+            _stateService = stateService;
+            _vaultTimeoutService = vaultTimeoutService;
+            _cipherService = cipherService;
+            _userVerificationMediatorService = userVerificationMediatorService;
+            _deviceActionService = deviceActionService;
+            _platformUtilsService = platformUtilsService;
+        }
+
+        public bool HasVaultBeenUnlockedInThisTransaction => _checkHasVaultBeenUnlockedInThisTransaction?.Invoke() == true;
+
+        public bool IsConfirmingNewCredential => _confirmCredentialTcs?.Task != null && !_confirmCredentialTcs.Task.IsCompleted;
+        public bool IsWaitingUnlockVault => _unlockVaultTcs?.Task != null && !_unlockVaultTcs.Task.IsCompleted;
+
+        public async Task<(string CipherId, bool UserVerified)> ConfirmNewCredentialAsync(Fido2ConfirmNewCredentialParams confirmNewCredentialParams)
+        {
+            _confirmCredentialTcs?.TrySetCanceled();
+            _confirmCredentialTcs = null;
+            _confirmCredentialTcs = new TaskCompletionSource<(string cipherId, bool? userVerified)>();
+
+            _currentDefaultUserVerificationOptions = new Fido2UserVerificationOptions(false, confirmNewCredentialParams.UserVerificationPreference, HasVaultBeenUnlockedInThisTransaction, confirmNewCredentialParams.RpId);
+            
+            _messagingService.Value.Send(Bit.Core.Constants.CredentialNavigateToAutofillCipherMessageCommand, confirmNewCredentialParams);
+
+            var (cipherId, isUserVerified) = await _confirmCredentialTcs.Task;
+
+            var verified = isUserVerified;
+            if (verified is null)
+            {
+                var userVerification = await VerifyUserAsync(cipherId, confirmNewCredentialParams.UserVerificationPreference, confirmNewCredentialParams.RpId);
+                // TODO: If cancelled then let the user choose another cipher.
+                // I think this can be done by showing a message to the uesr and recursive calling of this method ConfirmNewCredentialAsync
+                verified = !userVerification.IsCancelled && userVerification.Result;
+            }
+
+            if (cipherId is null)
+            {
+                return await CreateNewLoginForFido2CredentialAsync(confirmNewCredentialParams, verified.Value);
+            }
+
+            return (cipherId, verified.Value);
+        }
+
+        private async Task<(string CipherId, bool UserVerified)> CreateNewLoginForFido2CredentialAsync(Fido2ConfirmNewCredentialParams confirmNewCredentialParams, bool userVerified)
+        {
+            if (!userVerified && await _userVerificationMediatorService.ShouldEnforceFido2RequiredUserVerificationAsync(new Fido2UserVerificationOptions
+                (
+                    false,
+                    confirmNewCredentialParams.UserVerificationPreference,
+                    true,
+                    confirmNewCredentialParams.RpId
+                )))
+            {
+                return (null, false);
+            }
+
+            try
+            {
+                await _deviceActionService.ShowLoadingAsync(AppResources.Loading);
+
+                var cipherId = await _cipherService.CreateNewLoginForPasskeyAsync(confirmNewCredentialParams);
+
+                await _deviceActionService.HideLoadingAsync();
+
+                return (cipherId, userVerified);
+            }
+            catch
+            {
+                await _deviceActionService.HideLoadingAsync();
+                throw;
+            }
+        }
+
+        public async Task EnsureUnlockedVaultAsync()
+        {
+            if (!await _stateService.IsAuthenticatedAsync()
+                ||
+                await _vaultTimeoutService.IsLoggedOutByTimeoutAsync()
+                ||
+                await _vaultTimeoutService.ShouldLogOutByTimeoutAsync())
+            {
+                await NavigateAndWaitForUnlockAsync(Bit.Core.Enums.NavigationTarget.HomeLogin);
+                return;
+            }
+
+            if (!await _vaultTimeoutService.IsLockedAsync())
+            {
+                return;
+            }
+
+            await NavigateAndWaitForUnlockAsync(Bit.Core.Enums.NavigationTarget.Lock);
+        }
+
+        private async Task NavigateAndWaitForUnlockAsync(Bit.Core.Enums.NavigationTarget navTarget)
+        {
+            _unlockVaultTcs?.TrySetCanceled();
+            _unlockVaultTcs = new TaskCompletionSource<bool>();
+
+            _messagingService.Value.Send(Bit.Core.Constants.NavigateToMessageCommand, navTarget);
+
+            await _unlockVaultTcs.Task;
+        }
+
+        public Task InformExcludedCredentialAsync(string[] existingCipherIds)
+        {
+            // TODO: Show excluded credential to the user in some screen.
+            return Task.FromResult(true);
+        }
+
+        public void SetCheckHasVaultBeenUnlockedInThisTransaction(Func<bool> checkHasVaultBeenUnlockedInThisTransaction)
+        {
+            _checkHasVaultBeenUnlockedInThisTransaction = checkHasVaultBeenUnlockedInThisTransaction;
+        }
+
+        public void Confirm(string cipherId, bool? userVerified) => _confirmCredentialTcs?.TrySetResult((cipherId, userVerified));
+        public void ConfirmVaultUnlocked() => _unlockVaultTcs?.TrySetResult(true);
+
+        public async Task ConfirmAsync(string cipherId, bool alreadyHasFido2Credential, bool? userVerified)
+        {
+            if (alreadyHasFido2Credential
+                &&
+                !await _platformUtilsService.ShowDialogAsync(
+                    AppResources.ThisItemAlreadyContainsAPasskeyAreYouSureYouWantToOverwriteTheCurrentPasskey,
+                    AppResources.OverwritePasskey,
+                    AppResources.Yes,
+                    AppResources.No))
+            {
+                return;
+            }
+
+            Confirm(cipherId, userVerified);
+        }
+
+        public void Cancel() => _confirmCredentialTcs?.TrySetCanceled();
+
+        public void OnConfirmationException(Exception ex) => _confirmCredentialTcs?.TrySetException(ex);
+
+        private async Task<CancellableResult<bool>> VerifyUserAsync(string selectedCipherId, Fido2UserVerificationPreference userVerificationPreference, string rpId)
+        {
+            try
+            {
+                if (selectedCipherId is null && userVerificationPreference == Fido2UserVerificationPreference.Discouraged)
+                {
+                    return new CancellableResult<bool>(false);
+                }
+
+                var shouldCheckMasterPasswordReprompt = false;
+                if (selectedCipherId != null)
+                {
+                    var encrypted = await _cipherService.GetAsync(selectedCipherId);
+                    var cipher = await encrypted.DecryptAsync();
+                    shouldCheckMasterPasswordReprompt = cipher?.Reprompt == Core.Enums.CipherRepromptType.Password;
+                }
+
+                return await _userVerificationMediatorService.VerifyUserForFido2Async(
+                    new Fido2UserVerificationOptions(
+                        shouldCheckMasterPasswordReprompt,
+                        userVerificationPreference,
+                        HasVaultBeenUnlockedInThisTransaction,
+                        rpId)
+                    );
+            }
+            catch (Exception ex)
+            {
+                LoggerHelper.LogEvenIfCantBeResolved(ex);
+                return new CancellableResult<bool>(false);
+            }
+        }
+
+        public Fido2UserVerificationOptions? GetCurrentUserVerificationOptions() => _currentDefaultUserVerificationOptions;
+    }
+}

src/App/Platforms/Android/MainActivity.cs

@@ -24,6 +24,7 @@ using Bit.App.Droid.Utilities;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using FileProvider = AndroidX.Core.Content.FileProvider;
+using Bit.Core.Utilities.Fido2;
 
 namespace Bit.Droid
 {
@@ -167,6 +168,13 @@ namespace Bit.Droid
             base.OnNewIntent(intent);
             try
             {
+                if (intent?.GetStringExtra(CredentialProviderConstants.Fido2CredentialAction) == CredentialProviderConstants.Fido2CredentialCreate
+                    &&
+                    _appOptions != null)
+                {
+                    _appOptions.HasUnlockedInThisTransaction = false;
+                }
+
                 if (intent?.GetStringExtra("uri") is string uri)
                 {
                     _messagingService.Send(App.App.POP_ALL_AND_GO_TO_AUTOFILL_CIPHERS_MESSAGE);
@@ -325,12 +333,15 @@ namespace Bit.Droid
 
         private AppOptions GetOptions()
         {
+            var fido2CredentialAction = Intent.GetStringExtra(CredentialProviderConstants.Fido2CredentialAction);
             var options = new AppOptions
             {
                 Uri = Intent.GetStringExtra("uri") ?? Intent.GetStringExtra(AutofillConstants.AutofillFrameworkUri),
                 MyVaultTile = Intent.GetBooleanExtra("myVaultTile", false),
                 GeneratorTile = Intent.GetBooleanExtra("generatorTile", false),
                 FromAutofillFramework = Intent.GetBooleanExtra(AutofillConstants.AutofillFramework, false),
+                Fido2CredentialAction = fido2CredentialAction,
+                FromFido2Framework = !string.IsNullOrWhiteSpace(fido2CredentialAction),
                 CreateSend = GetCreateSendRequest(Intent)
             };
             var fillType = Intent.GetIntExtra(AutofillConstants.AutofillFrameworkFillType, 0);

src/App/Platforms/Android/MainApplication.cs

@@ -20,7 +20,10 @@ using Bit.App.Utilities;
 using Bit.App.Pages;
 using Bit.App.Utilities.AccountManagement;
 using Bit.App.Controls;
+using Bit.App.Platforms.Android.Autofill;
 using Bit.Core.Enums;
+using Bit.Core.Services.UserVerification;
+
 #if !FDROID
 using Android.Gms.Security;
 #endif
@@ -85,6 +88,57 @@ namespace Bit.Droid
                     ServiceContainer.Resolve<IWatchDeviceService>(),
                     ServiceContainer.Resolve<IConditionedAwaiterManager>());
                 ServiceContainer.Register<IAccountsManager>("accountsManager", accountsManager);
+
+                var userPinService = new UserPinService(
+                    ServiceContainer.Resolve<IStateService>(),
+                    ServiceContainer.Resolve<ICryptoService>(),
+                    ServiceContainer.Resolve<IVaultTimeoutService>());
+                ServiceContainer.Register<IUserPinService>(userPinService);
+
+                var userVerificationMediatorService = new UserVerificationMediatorService(
+                    ServiceContainer.Resolve<IPlatformUtilsService>("platformUtilsService"),
+                    ServiceContainer.Resolve<IPasswordRepromptService>("passwordRepromptService"),
+                    userPinService,
+                    deviceActionService,
+                    ServiceContainer.Resolve<IUserVerificationService>());
+                ServiceContainer.Register<IUserVerificationMediatorService>(userVerificationMediatorService);
+
+                var fido2AuthenticatorService = new Fido2AuthenticatorService(
+                    ServiceContainer.Resolve<ICipherService>(),
+                    ServiceContainer.Resolve<ISyncService>(),
+                    ServiceContainer.Resolve<ICryptoFunctionService>(),
+                    userVerificationMediatorService);
+                ServiceContainer.Register<IFido2AuthenticatorService>(fido2AuthenticatorService);
+
+                var fido2GetAssertionUserInterface = new Fido2GetAssertionUserInterface(
+                    ServiceContainer.Resolve<IStateService>(),
+                    ServiceContainer.Resolve<IVaultTimeoutService>(),
+                    ServiceContainer.Resolve<ICipherService>(),
+                    ServiceContainer.Resolve<IUserVerificationMediatorService>());
+                ServiceContainer.Register<IFido2AndroidGetAssertionUserInterface>(fido2GetAssertionUserInterface);                
+
+                var fido2MakeCredentialUserInterface = new Fido2MakeCredentialUserInterface(
+                    ServiceContainer.Resolve<IStateService>(),
+                    ServiceContainer.Resolve<IVaultTimeoutService>(),
+                    ServiceContainer.Resolve<ICipherService>(),
+                    ServiceContainer.Resolve<IUserVerificationMediatorService>(),
+                    ServiceContainer.Resolve<IDeviceActionService>(),
+                    ServiceContainer.Resolve<IPlatformUtilsService>());
+                ServiceContainer.Register<IFido2MakeCredentialConfirmationUserInterface>(fido2MakeCredentialUserInterface);
+
+                var fido2ClientService = new Fido2ClientService(
+                    ServiceContainer.Resolve<IStateService>(),
+                    ServiceContainer.Resolve<IEnvironmentService>(),
+                    ServiceContainer.Resolve<ICryptoFunctionService>(),
+                    ServiceContainer.Resolve<IFido2AuthenticatorService>(),
+                    fido2GetAssertionUserInterface,
+                    fido2MakeCredentialUserInterface);
+                ServiceContainer.Register<IFido2ClientService>(fido2ClientService);
+
+                ServiceContainer.Register<IFido2MediatorService>(new Fido2MediatorService(
+                    fido2AuthenticatorService,
+                    fido2ClientService,
+                    ServiceContainer.Resolve<ICipherService>()));
             }
 #if !FDROID
             if (Build.VERSION.SdkInt <= BuildVersionCodes.Kitkat)
@@ -160,7 +214,6 @@ namespace Bit.Droid
             var cryptoFunctionService = new PclCryptoFunctionService(cryptoPrimitiveService);
             var cryptoService = new CryptoService(stateService, cryptoFunctionService, logger);
             var biometricService = new BiometricService(stateService, cryptoService);
-            var userPinService = new UserPinService(stateService, cryptoService);
             var passwordRepromptService = new MobilePasswordRepromptService(platformUtilsService, cryptoService, stateService);
 
             ServiceContainer.Register<ISynchronousStorageService>(preferencesStorage);
@@ -184,7 +237,6 @@ namespace Bit.Droid
             ServiceContainer.Register<ICryptoService>("cryptoService", cryptoService);
             ServiceContainer.Register<IPasswordRepromptService>("passwordRepromptService", passwordRepromptService);
             ServiceContainer.Register<IAvatarImageSourcePool>("avatarImageSourcePool", new AvatarImageSourcePool());
-            ServiceContainer.Register<IUserPinService>(userPinService);
 
             // Push
 #if FDROID

src/App/Platforms/Android/Services/AutofillHandler.cs

@@ -1,11 +1,11 @@
-using System.Linq;
-using System.Threading.Tasks;
-using Android.App;
+using Android.App;
 using Android.App.Assist;
 using Android.Content;
+using Android.Credentials;
 using Android.OS;
 using Android.Provider;
 using Android.Views.Autofill;
+using Bit.App.Abstractions;
 using Bit.Core.Resources.Localization;
 using Bit.Core.Abstractions;
 using Bit.Core.Enums;
@@ -43,9 +43,28 @@ namespace Bit.Droid.Services
             {
                 return false;
             }
+
             try
             {
-                // TODO - find a way to programmatically check if the credential provider service is enabled
+                var activity = (MainActivity)Platform.CurrentActivity;
+                if (activity == null)
+                {
+                    return false;
+                }
+
+                var credManager = activity.GetSystemService(Java.Lang.Class.FromType(typeof(CredentialManager))) as CredentialManager;
+                if (credManager == null)
+                {
+                    return false;
+                }
+
+                var credentialProviderServiceComponentName = new ComponentName(activity, Java.Lang.Class.FromType(typeof(CredentialProviderService)));
+                return credManager.IsEnabledCredentialProviderService(credentialProviderServiceComponentName);
+            }
+            catch (Java.Lang.NullPointerException) 
+            {
+                // CredentialManager API is not working fully and may return a NullPointerException even if the CredentialProviderService is working and enabled
+                // Info Here: https://developer.android.com/reference/android/credentials/CredentialManager#isEnabledCredentialProviderService(android.content.ComponentName)
                 return false;
             }
             catch
@@ -184,7 +203,10 @@ namespace Bit.Droid.Services
         {
             try
             {
-                // TODO - find a way to programmatically disable the provider service, or take the user to the settings page where they can do it
+                // We should try to find a way to programmatically disable the provider service when the API allows for it.
+                // For now we'll take the user to Credential Settings so they can manually disable it
+                var deviceActionService = ServiceContainer.Resolve<IDeviceActionService>();
+                deviceActionService.OpenCredentialProviderSettings();
             }
             catch { }
         }

src/App/Platforms/Android/Services/DeviceActionService.cs

@@ -1,6 +1,4 @@
-using System;
-using System.Threading.Tasks;
-using Android.App;
+using Android.App;
 using Android.Content;
 using Android.Content.PM;
 using Android.Nfc;
@@ -17,11 +15,14 @@ using Bit.Core.Resources.Localization;
 using Bit.App.Utilities;
 using Bit.App.Utilities.Prompts;
 using Bit.Core.Abstractions;
-using Bit.Core.Enums;
 using Bit.App.Droid.Utilities;
+using Bit.App.Models;
+using Bit.Droid.Autofill;
 using Microsoft.Maui.Controls.Compatibility.Platform.Android;
 using Resource = Bit.Core.Resource;
 using Application = Android.App.Application;
+using Bit.Core.Services;
+using Bit.Core.Utilities.Fido2;
 
 namespace Bit.Droid.Services
 {
@@ -73,17 +74,28 @@ namespace Bit.Droid.Services
 
         public bool LaunchApp(string appName)
         {
-            if ((int)Build.VERSION.SdkInt < 33)
+            try
+            {
+                if ((int)Build.VERSION.SdkInt < 33)
+                {
+                    // API 33 required to avoid using wildcard app visibility or dangerous permissions
+                    // https://developer.android.com/reference/android/content/pm/PackageManager#getLaunchIntentSenderForPackage(java.lang.String)
+                    return false;
+                }
+                var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+                appName = appName.Replace("androidapp://", string.Empty);
+                var launchIntentSender = activity?.PackageManager?.GetLaunchIntentSenderForPackage(appName);
+                launchIntentSender?.SendIntent(activity, Result.Ok, null, null, null);
+                return launchIntentSender != null;
+            }
+            catch (IntentSender.SendIntentException)
+            {
+                return false;
+            }
+            catch (Android.Util.AndroidException)
             {
-                // API 33 required to avoid using wildcard app visibility or dangerous permissions
-                // https://developer.android.com/reference/android/content/pm/PackageManager#getLaunchIntentSenderForPackage(java.lang.String)
                 return false;
             }
-            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
-            appName = appName.Replace("androidapp://", string.Empty);
-            var launchIntentSender = activity?.PackageManager?.GetLaunchIntentSenderForPackage(appName);
-            launchIntentSender?.SendIntent(activity, Result.Ok, null, null, null);
-            return launchIntentSender != null;
         }
 
         public async Task ShowLoadingAsync(string text)
@@ -193,7 +205,7 @@ namespace Bit.Droid.Services
             string text = null, string okButtonText = null, string cancelButtonText = null,
             bool numericKeyboard = false, bool autofocus = true, bool password = false)
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             if (activity == null)
             {
                 return Task.FromResult<string>(null);
@@ -250,7 +262,7 @@ namespace Bit.Droid.Services
 
         public Task<ValidatablePromptResponse?> DisplayValidatablePromptAsync(ValidatablePromptConfig config)
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             if (activity == null)
             {
                 return Task.FromResult<ValidatablePromptResponse?>(null);
@@ -327,7 +339,7 @@ namespace Bit.Droid.Services
 
         public void RateApp()
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             try
             {
                 var rateIntent = RateIntentForUrl("market://details", activity);
@@ -360,14 +372,14 @@ namespace Bit.Droid.Services
 
         public bool SupportsNfc()
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             var manager = activity.GetSystemService(Context.NfcService) as NfcManager;
             return manager.DefaultAdapter?.IsEnabled ?? false;
         }
 
         public bool SupportsCamera()
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             return activity.PackageManager.HasSystemFeature(PackageManager.FeatureCamera);
         }
 
@@ -383,7 +395,7 @@ namespace Bit.Droid.Services
 
         public Task<string> DisplayAlertAsync(string title, string message, string cancel, params string[] buttons)
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             if (activity == null)
             {
                 return Task.FromResult<string>(null);
@@ -464,7 +476,7 @@ namespace Bit.Droid.Services
 
         public void OpenAccessibilityOverlayPermissionSettings()
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             try
             {
                 var intent = new Intent(Settings.ActionManageOverlayPermission);
@@ -493,10 +505,10 @@ namespace Bit.Droid.Services
 
         public void OpenCredentialProviderSettings()
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             try
             {
-                var pendingIntent = CredentialManager.Create(activity).CreateSettingsPendingIntent();
+                var pendingIntent = ICredentialManager.Create(activity).CreateSettingsPendingIntent();
                 pendingIntent.Send();
             }
             catch (ActivityNotFoundException)
@@ -516,7 +528,7 @@ namespace Bit.Droid.Services
         {
             try
             {
-                var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+                var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
                 var intent = new Intent(Settings.ActionAccessibilitySettings);
                 activity.StartActivity(intent);
             }
@@ -525,7 +537,7 @@ namespace Bit.Droid.Services
 
         public void OpenAutofillSettings()
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             try
             {
                 var intent = new Intent(Settings.ActionRequestSetAutofillService);
@@ -553,10 +565,92 @@ namespace Bit.Droid.Services
             // ref: https://developer.android.com/reference/android/os/SystemClock#elapsedRealtime()
             return SystemClock.ElapsedRealtime();
         }
+
+        public async Task ExecuteFido2CredentialActionAsync(AppOptions appOptions)
+        {
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            if (activity == null || string.IsNullOrWhiteSpace(appOptions.Fido2CredentialAction))
+            {
+                return;
+            }
+
+            if (appOptions.Fido2CredentialAction == CredentialProviderConstants.Fido2CredentialGet)
+            {
+                await ExecuteFido2GetCredentialAsync(appOptions);
+            }
+            else if (appOptions.Fido2CredentialAction == CredentialProviderConstants.Fido2CredentialCreate)
+            {
+                await ExecuteFido2CreateCredentialAsync();
+            }
+
+            // Clear CredentialAction and FromFido2Framework values to avoid erratic behaviors in subsequent navigation/flows
+            // For Fido2CredentialGet these are no longer needed as a new Activity will be initiated.
+            // For Fido2CredentialCreate the app will rely on IFido2MakeCredentialConfirmationUserInterface.IsConfirmingNewCredential
+            appOptions.Fido2CredentialAction = null;
+            appOptions.FromFido2Framework = false;
+        }
+
+        private async Task ExecuteFido2GetCredentialAsync(AppOptions appOptions)
+        {
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            if (activity == null) 
+            {
+                return; 
+            }
+
+            try
+            {
+                var request = AndroidX.Credentials.Provider.PendingIntentHandler.RetrieveBeginGetCredentialRequest(activity.Intent);
+                var response = new AndroidX.Credentials.Provider.BeginGetCredentialResponse();;
+                var credentialEntries = new List<AndroidX.Credentials.Provider.CredentialEntry>();
+                foreach (var option in request.BeginGetCredentialOptions.OfType<AndroidX.Credentials.Provider.BeginGetPublicKeyCredentialOption>())
+                {
+                    credentialEntries.AddRange(await Bit.App.Platforms.Android.Autofill.CredentialHelpers.PopulatePasskeyDataAsync(request.CallingAppInfo, option, activity, appOptions.HasUnlockedInThisTransaction));
+                }
+
+                if (credentialEntries.Any())
+                {
+                    response = new AndroidX.Credentials.Provider.BeginGetCredentialResponse.Builder()
+                        .SetCredentialEntries(credentialEntries)
+                        .Build();
+                }
+
+                var result = new Android.Content.Intent();
+                AndroidX.Credentials.Provider.PendingIntentHandler.SetBeginGetCredentialResponse(result, response);
+                activity.SetResult(Result.Ok, result);
+                activity.Finish();
+            }
+            catch (Exception ex)
+            {
+                Bit.Core.Services.LoggerHelper.LogEvenIfCantBeResolved(ex);
+
+                activity.SetResult(Result.Canceled);
+                activity.Finish();
+            }
+        }
+
+        private async Task ExecuteFido2CreateCredentialAsync()
+        {
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            if (activity == null) { return; }
+
+            try
+            {
+                var getRequest = AndroidX.Credentials.Provider.PendingIntentHandler.RetrieveProviderCreateCredentialRequest(activity.Intent);
+                await Bit.App.Platforms.Android.Autofill.CredentialHelpers.CreateCipherPasskeyAsync(getRequest, activity);
+            }
+            catch (Exception ex)
+            {
+                Bit.Core.Services.LoggerHelper.LogEvenIfCantBeResolved(ex);
+
+                activity.SetResult(Result.Canceled);
+                activity.Finish();
+            }
+        }
         
         public void CloseMainApp()
         {
-            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             if (activity == null)
             {
                 return;
@@ -597,7 +691,7 @@ namespace Bit.Droid.Services
 
         public float GetSystemFontSizeScale()
         {
-            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity as MainActivity;
+            var activity = Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
             return activity?.Resources?.Configuration?.FontScale ?? 1;
         }
         

src/App/Platforms/Android/Tiles/AutofillTileService.cs

@@ -8,6 +8,7 @@ using Bit.Core.Abstractions;
 using Bit.Core.Utilities;
 using Bit.Droid.Accessibility;
 using Java.Lang;
+using Bit.App.Droid.Utilities;
 
 namespace Bit.Droid.Tile
 {
@@ -76,7 +77,7 @@ namespace Bit.Droid.Tile
             var intent = new Intent(this, typeof(AccessibilityActivity));
             intent.SetFlags(ActivityFlags.NewTask | ActivityFlags.SingleTop | ActivityFlags.ClearTop);
             intent.PutExtra("autofillTileClicked", true);
-            StartActivityAndCollapse(intent);
+            this.StartActivityAndCollapseWithIntent(intent, isMutable: true);
         }
 
         private void ShowConfigErrorDialog()

src/App/Platforms/Android/Tiles/GeneratorTileService.cs

@@ -1,15 +1,8 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-
-using Android.App;
+using Android.App;
 using Android.Content;
-using Android.OS;
 using Android.Runtime;
 using Android.Service.QuickSettings;
-using Android.Views;
-using Android.Widget;
+using Bit.App.Droid.Utilities;
 using Java.Lang;
 
 namespace Bit.Droid.Tile
@@ -62,7 +55,7 @@ namespace Bit.Droid.Tile
             var intent = new Intent(this, typeof(MainActivity));
             intent.SetFlags(ActivityFlags.NewTask | ActivityFlags.SingleTop | ActivityFlags.ClearTop);
             intent.PutExtra("generatorTile", true);
-            StartActivityAndCollapse(intent);
+            this.StartActivityAndCollapseWithIntent(intent, isMutable: false);
         }
     }
 }

src/App/Platforms/Android/Tiles/MyVaultTileService.cs

@@ -1,15 +1,8 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-
-using Android.App;
+using Android.App;
 using Android.Content;
-using Android.OS;
 using Android.Runtime;
 using Android.Service.QuickSettings;
-using Android.Views;
-using Android.Widget;
+using Bit.App.Droid.Utilities;
 using Java.Lang;
 
 namespace Bit.Droid.Tile
@@ -63,7 +56,7 @@ namespace Bit.Droid.Tile
             var intent = new Intent(this, typeof(MainActivity));
             intent.SetFlags(ActivityFlags.NewTask | ActivityFlags.SingleTop | ActivityFlags.ClearTop);
             intent.PutExtra("myVaultTile", true);
-            StartActivityAndCollapse(intent);
+            this.StartActivityAndCollapseWithIntent(intent, isMutable: false);
         }
     }
 }

src/App/Platforms/Android/Utilities/AndroidHelpers.cs

@@ -2,6 +2,7 @@
 using Android.Content;
 using Android.OS;
 using Android.Provider;
+using Android.Service.QuickSettings;
 using Bit.App.Utilities;
 
 namespace Bit.App.Droid.Utilities
@@ -64,5 +65,26 @@ namespace Bit.App.Droid.Utilities
 
             return pendingIntentFlags;
         }
+
+        public static void StartActivityAndCollapseWithIntent(this TileService service, Intent intent, bool isMutable)
+        {
+            //For Android 14+ We need to use PendingIntent instead of Intent directly. Older versions still need to use Intent.
+            if (Build.VERSION.SdkInt < BuildVersionCodes.UpsideDownCake)
+            {
+                service.StartActivityAndCollapse(intent);
+                return;
+            }
+            var pendingIntent = PendingIntent.GetActivity(
+                service.ApplicationContext,
+                0,
+                intent,
+                AddPendingIntentMutabilityFlag(PendingIntentFlags.UpdateCurrent, isMutable)
+            );
+            if (pendingIntent == null) 
+            { 
+                return; 
+            }
+            service.StartActivityAndCollapse(pendingIntent);
+        }
     }
 }

src/App/Platforms/Android/Utilities/CallingAppInfoExtensions.cs

@@ -0,0 +1,37 @@
+using Android.OS;
+using AndroidX.Credentials.Provider;
+using Bit.Core.Utilities;
+using Java.Security;
+
+namespace Bit.App.Droid.Utilities
+{
+    public static class CallingAppInfoExtensions
+    {
+        public static string GetAndroidOrigin(this CallingAppInfo callingAppInfo)
+        {
+            if (Build.VERSION.SdkInt < BuildVersionCodes.P || callingAppInfo?.SigningInfo?.GetApkContentsSigners().Any() != true)
+            {
+                return null;
+            }
+
+            var cert = callingAppInfo.SigningInfo.GetApkContentsSigners()[0].ToByteArray();
+            var md = MessageDigest.GetInstance("SHA-256");
+            var certHash = md.Digest(cert);
+            return $"android:apk-key-hash:{CoreHelpers.Base64UrlEncode(certHash)}";
+        }
+
+        public static string GetLatestCertificationFingerprint(this CallingAppInfo callingAppInfo)
+        {
+            if (callingAppInfo.SigningInfo.HasMultipleSigners)
+            {
+                return null;
+            }
+
+            var signature = callingAppInfo.SigningInfo.GetSigningCertificateHistory()[0].ToByteArray();
+            var md = MessageDigest.GetInstance("SHA-256");
+            var digestedSignature = md.Digest(signature);
+            var normalizedFingerprint = string.Join(":", digestedSignature.Select(b => b.ToString("X2")));
+            return normalizedFingerprint;
+        }
+    }
+}

src/App/Platforms/iOS/Info.plist

@@ -11,7 +11,7 @@
 	<key>CFBundleIdentifier</key>
 	<string>com.8bit.bitwarden</string>
 	<key>CFBundleShortVersionString</key>
-	<string>2024.2.2</string>
+	<string>2024.4.1</string>
 	<key>CFBundleVersion</key>
 	<string>1</string>
 	<key>CFBundleIconName</key>

src/App/Platforms/iOS/PrivacyInfo.xcprivacy

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>NSPrivacyAccessedAPITypes</key>
+    <array>
+        <dict>
+            <key>NSPrivacyAccessedAPIType</key>
+            <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
+            <key>NSPrivacyAccessedAPITypeReasons</key>
+            <array>
+                <string>C617.1</string>
+            </array>
+        </dict>
+        <dict>
+            <key>NSPrivacyAccessedAPIType</key>
+            <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
+            <key>NSPrivacyAccessedAPITypeReasons</key>
+            <array>
+                <string>35F9.1</string>
+            </array>
+        </dict>
+        <dict>
+            <key>NSPrivacyAccessedAPIType</key>
+            <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
+            <key>NSPrivacyAccessedAPITypeReasons</key>
+            <array>
+                <string>E174.1</string>
+            </array>
+        </dict>
+        <dict>
+            <key>NSPrivacyAccessedAPIType</key>
+            <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
+            <key>NSPrivacyAccessedAPITypeReasons</key>
+            <array>
+                <string>1C8F.1</string>
+            </array>
+        </dict>
+    </array>
+</dict>
+</plist>

src/App/Resources/Raw/fido2_privileged_allow_list.json

@@ -0,0 +1,481 @@
+{
+    "apps": [
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.android.chrome",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "F0:FD:6C:5B:41:0F:25:CB:25:C3:B5:33:46:C8:97:2F:AE:30:F8:EE:74:11:DF:91:04:80:AD:6B:2D:60:DB:83"
+            },
+            {
+              "build": "userdebug",
+              "cert_fingerprint_sha256": "19:75:B2:F1:71:77:BC:89:A5:DF:F3:1F:9E:64:A6:CA:E2:81:A5:3D:C1:D1:D5:9B:1D:14:7F:E1:C8:2A:FA:00"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.chrome.beta",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "DA:63:3D:34:B6:9E:63:AE:21:03:B4:9D:53:CE:05:2F:C5:F7:F3:C5:3A:AB:94:FD:C2:A2:08:BD:FD:14:24:9C"
+            },
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "3D:7A:12:23:01:9A:A3:9D:9E:A0:E3:43:6A:B7:C0:89:6B:FB:4F:B6:79:F4:DE:5F:E7:C2:3F:32:6C:8F:99:4A"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.chrome.dev",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "90:44:EE:5F:EE:4B:BC:5E:21:DD:44:66:54:31:C4:EB:1F:1F:71:A3:27:16:A0:BC:92:7B:CB:B3:92:33:CA:BF"
+            },
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "3D:7A:12:23:01:9A:A3:9D:9E:A0:E3:43:6A:B7:C0:89:6B:FB:4F:B6:79:F4:DE:5F:E7:C2:3F:32:6C:8F:99:4A"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.chrome.canary",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "20:19:DF:A1:FB:23:EF:BF:70:C5:BC:D1:44:3C:5B:EA:B0:4F:3F:2F:F4:36:6E:9A:C1:E3:45:76:39:A2:4C:FC"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "org.chromium.chrome",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "C6:AD:B8:B8:3C:6D:4C:17:D2:92:AF:DE:56:FD:48:8A:51:D3:16:FF:8F:2C:11:C5:41:02:23:BF:F8:A7:DB:B3"
+            },
+            {
+              "build": "userdebug",
+              "cert_fingerprint_sha256": "19:75:B2:F1:71:77:BC:89:A5:DF:F3:1F:9E:64:A6:CA:E2:81:A5:3D:C1:D1:D5:9B:1D:14:7F:E1:C8:2A:FA:00"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.google.android.apps.chrome",
+          "signatures": [
+            {
+              "build": "userdebug",
+              "cert_fingerprint_sha256": "19:75:B2:F1:71:77:BC:89:A5:DF:F3:1F:9E:64:A6:CA:E2:81:A5:3D:C1:D1:D5:9B:1D:14:7F:E1:C8:2A:FA:00"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "org.mozilla.fennec_webauthndebug",
+          "signatures": [
+            {
+              "build": "userdebug",
+              "cert_fingerprint_sha256": "BD:AE:82:02:80:D2:AF:B7:74:94:EF:22:58:AA:78:A9:AE:A1:36:41:7E:8B:C2:3D:C9:87:75:2E:6F:48:E8:48"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "org.mozilla.firefox",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "A7:8B:62:A5:16:5B:44:94:B2:FE:AD:9E:76:A2:80:D2:2D:93:7F:EE:62:51:AE:CE:59:94:46:B2:EA:31:9B:04"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "org.mozilla.firefox_beta",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "A7:8B:62:A5:16:5B:44:94:B2:FE:AD:9E:76:A2:80:D2:2D:93:7F:EE:62:51:AE:CE:59:94:46:B2:EA:31:9B:04"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "org.mozilla.focus",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "62:03:A4:73:BE:36:D6:4E:E3:7F:87:FA:50:0E:DB:C7:9E:AB:93:06:10:AB:9B:9F:A4:CA:7D:5C:1F:1B:4F:FC"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "org.mozilla.fennec_aurora",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "BC:04:88:83:8D:06:F4:CA:6B:F3:23:86:DA:AB:0D:D8:EB:CF:3E:77:30:78:74:59:F6:2F:B3:CD:14:A1:BA:AA"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "org.mozilla.rocket",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "86:3A:46:F0:97:39:32:B7:D0:19:9B:54:91:12:74:1C:2D:27:31:AC:72:EA:11:B7:52:3A:A9:0A:11:BF:56:91"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.microsoft.emmx.canary",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "01:E1:99:97:10:A8:2C:27:49:B4:D5:0C:44:5D:C8:5D:67:0B:61:36:08:9D:0A:76:6A:73:82:7C:82:A1:EA:C9"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.microsoft.emmx.dev",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "01:E1:99:97:10:A8:2C:27:49:B4:D5:0C:44:5D:C8:5D:67:0B:61:36:08:9D:0A:76:6A:73:82:7C:82:A1:EA:C9"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.microsoft.emmx.beta",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "01:E1:99:97:10:A8:2C:27:49:B4:D5:0C:44:5D:C8:5D:67:0B:61:36:08:9D:0A:76:6A:73:82:7C:82:A1:EA:C9"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.microsoft.emmx",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "01:E1:99:97:10:A8:2C:27:49:B4:D5:0C:44:5D:C8:5D:67:0B:61:36:08:9D:0A:76:6A:73:82:7C:82:A1:EA:C9"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.microsoft.emmx.rolling",
+          "signatures": [
+            {
+              "build": "userdebug",
+              "cert_fingerprint_sha256": "32:A2:FC:74:D7:31:10:58:59:E5:A8:5D:F1:6D:95:F1:02:D8:5B:22:09:9B:80:64:C5:D8:91:5C:61:DA:D1:E0"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.microsoft.emmx.local",
+          "signatures": [
+            {
+              "build": "userdebug",
+              "cert_fingerprint_sha256": "32:A2:FC:74:D7:31:10:58:59:E5:A8:5D:F1:6D:95:F1:02:D8:5B:22:09:9B:80:64:C5:D8:91:5C:61:DA:D1:E0"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.brave.browser",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "9C:2D:B7:05:13:51:5F:DB:FB:BC:58:5B:3E:DF:3D:71:23:D4:DC:67:C9:4F:FD:30:63:61:C1:D7:9B:BF:18:AC"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.brave.browser_beta",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "9C:2D:B7:05:13:51:5F:DB:FB:BC:58:5B:3E:DF:3D:71:23:D4:DC:67:C9:4F:FD:30:63:61:C1:D7:9B:BF:18:AC"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.brave.browser_nightly",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "9C:2D:B7:05:13:51:5F:DB:FB:BC:58:5B:3E:DF:3D:71:23:D4:DC:67:C9:4F:FD:30:63:61:C1:D7:9B:BF:18:AC"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "app.vanadium.browser",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "C6:AD:B8:B8:3C:6D:4C:17:D2:92:AF:DE:56:FD:48:8A:51:D3:16:FF:8F:2C:11:C5:41:02:23:BF:F8:A7:DB:B3"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.vivaldi.browser",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "E8:A7:85:44:65:5B:A8:C0:98:17:F7:32:76:8F:56:89:B1:66:2E:C4:B2:BC:5A:0B:C0:EC:13:8D:33:CA:3D:1E"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.vivaldi.browser.snapshot",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "E8:A7:85:44:65:5B:A8:C0:98:17:F7:32:76:8F:56:89:B1:66:2E:C4:B2:BC:5A:0B:C0:EC:13:8D:33:CA:3D:1E"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.vivaldi.browser.sopranos",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "E8:A7:85:44:65:5B:A8:C0:98:17:F7:32:76:8F:56:89:B1:66:2E:C4:B2:BC:5A:0B:C0:EC:13:8D:33:CA:3D:1E"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.citrix.Receiver",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "3D:D1:12:67:10:69:AB:36:4E:F9:BE:73:9A:B7:B5:EE:15:E1:CD:E9:D8:75:7B:1B:F0:64:F5:0C:55:68:9A:49"
+            },
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "CE:B2:23:D7:77:09:F2:B6:BC:0B:3A:78:36:F5:A5:AF:4C:E1:D3:55:F4:A7:28:86:F7:9D:F8:0D:C9:D6:12:2E"
+            },
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "AA:D0:D4:57:E6:33:C3:78:25:77:30:5B:C1:B2:D9:E3:81:41:C7:21:DF:0D:AA:6E:29:07:2F:C4:1D:34:F0:AB"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.android.browser",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "C9:00:9D:01:EB:F9:F5:D0:30:2B:C7:1B:2F:E9:AA:9A:47:A4:32:BB:A1:73:08:A3:11:1B:75:D7:B2:14:90:25"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.sec.android.app.sbrowser",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "C8:A2:E9:BC:CF:59:7C:2F:B6:DC:66:BE:E2:93:FC:13:F2:FC:47:EC:77:BC:6B:2B:0D:52:C1:1F:51:19:2A:B8"
+            },
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "34:DF:0E:7A:9F:1C:F1:89:2E:45:C0:56:B4:97:3C:D8:1C:CF:14:8A:40:50:D1:1A:EA:4A:C5:A6:5F:90:0A:42"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.sec.android.app.sbrowser.beta",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "C8:A2:E9:BC:CF:59:7C:2F:B6:DC:66:BE:E2:93:FC:13:F2:FC:47:EC:77:BC:6B:2B:0D:52:C1:1F:51:19:2A:B8"
+            },
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "34:DF:0E:7A:9F:1C:F1:89:2E:45:C0:56:B4:97:3C:D8:1C:CF:14:8A:40:50:D1:1A:EA:4A:C5:A6:5F:90:0A:42"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.google.android.gms",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "7C:E8:3C:1B:71:F3:D5:72:FE:D0:4C:8D:40:C5:CB:10:FF:75:E6:D8:7D:9D:F6:FB:D5:3F:04:68:C2:90:50:53"
+            },
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "D2:2C:C5:00:29:9F:B2:28:73:A0:1A:01:0D:E1:C8:2F:BE:4D:06:11:19:B9:48:14:DD:30:1D:AB:50:CB:76:78"
+            },
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "F0:FD:6C:5B:41:0F:25:CB:25:C3:B5:33:46:C8:97:2F:AE:30:F8:EE:74:11:DF:91:04:80:AD:6B:2D:60:DB:83"
+            },
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "19:75:B2:F1:71:77:BC:89:A5:DF:F3:1F:9E:64:A6:CA:E2:81:A5:3D:C1:D1:D5:9B:1D:14:7F:E1:C8:2A:FA:00"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.yandex.browser",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "AC:A4:05:DE:D8:B2:5C:B2:E8:C6:DA:69:42:5D:2B:43:07:D0:87:C1:27:6F:C0:6A:D5:94:27:31:CC:C5:1D:BA"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.yandex.browser.beta",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "AC:A4:05:DE:D8:B2:5C:B2:E8:C6:DA:69:42:5D:2B:43:07:D0:87:C1:27:6F:C0:6A:D5:94:27:31:CC:C5:1D:BA"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.yandex.browser.alpha",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "AC:A4:05:DE:D8:B2:5C:B2:E8:C6:DA:69:42:5D:2B:43:07:D0:87:C1:27:6F:C0:6A:D5:94:27:31:CC:C5:1D:BA"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.yandex.browser.corp",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "AC:A4:05:DE:D8:B2:5C:B2:E8:C6:DA:69:42:5D:2B:43:07:D0:87:C1:27:6F:C0:6A:D5:94:27:31:CC:C5:1D:BA"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.yandex.browser.canary",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "1D:A9:CB:AE:2D:CC:C6:A5:8D:6C:94:7B:E9:4C:DB:B7:33:D6:5D:A4:D1:77:0F:A1:4A:53:64:CB:4A:28:EB:49"
+            }
+          ]
+        }
+      },
+      {
+        "type": "android",
+        "info": {
+          "package_name": "com.yandex.browser.broteam",
+          "signatures": [
+            {
+              "build": "release",
+              "cert_fingerprint_sha256": "1D:A9:CB:AE:2D:CC:C6:A5:8D:6C:94:7B:E9:4C:DB:B7:33:D6:5D:A4:D1:77:0F:A1:4A:53:64:CB:4A:28:EB:49"
+            }
+          ]
+        }
+      }
+    ]
+  }
+  

src/Core/Abstractions/IApiService.cs

@@ -1,9 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Net.Http;
-using System.Threading;
-using System.Threading.Tasks;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Request;
 using Bit.Core.Models.Response;
@@ -46,6 +41,7 @@ namespace Bit.Core.Abstractions
         Task<CipherResponse> PutShareCipherAsync(string id, CipherShareRequest request);
         Task PutDeleteCipherAsync(string id);
         Task<CipherResponse> PutRestoreCipherAsync(string id);
+        Task<bool> HasUnassignedCiphersAsync();
         Task RefreshIdentityTokenAsync();
         Task<SsoPrevalidateResponse> PreValidateSsoAsync(string identifier);
         Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path,
@@ -99,5 +95,6 @@ namespace Bit.Core.Abstractions
         Task<bool> GetDevicesExistenceByTypes(DeviceType[] deviceTypes);
         Task<ConfigResponse> GetConfigsAsync();
         Task<string> GetFastmailAccountIdAsync(string apiKey);
+        Task<List<Utilities.DigitalAssetLinks.Statement>> GetDigitalAssetLinksForRpAsync(string rpId);
     }
 }

src/Core/Abstractions/IAssetLinksService.cs

@@ -0,0 +1,7 @@
+namespace Bit.Core.Services
+{
+    public interface IAssetLinksService
+    {
+        Task<bool> ValidateAssetLinksAsync(string rpId, string packageName, string normalizedFingerprint);
+    }
+}

src/Core/Abstractions/ICipherService.cs

@@ -34,6 +34,8 @@ namespace Bit.Core.Abstractions
         Task<byte[]> DownloadAndDecryptAttachmentAsync(string cipherId, AttachmentView attachment, string organizationId);
         Task SoftDeleteWithServerAsync(string id);
         Task RestoreWithServerAsync(string id);
-        Task<string> CreateNewLoginForPasskeyAsync(string rpId);
+        Task<string> CreateNewLoginForPasskeyAsync(Fido2ConfirmNewCredentialParams newPasskeyParams);
+        Task CopyTotpCodeIfNeededAsync(CipherView cipher);
+        Task<bool> VerifyOrganizationHasUnassignedItemsAsync();
     }
 }

src/Core/Abstractions/IConditionedAwaiterManager.cs

@@ -1,11 +1,10 @@
-using System;
-using System.Threading.Tasks;
-
-namespace Bit.Core.Abstractions
+namespace Bit.Core.Abstractions
 {
     public enum AwaiterPrecondition
     {
-        EnvironmentUrlsInited
+        EnvironmentUrlsInited,
+        AndroidWindowCreated,
+        AutofillIOSExtensionViewDidAppear
     }
 
     public interface IConditionedAwaiterManager
@@ -13,5 +12,6 @@ namespace Bit.Core.Abstractions
         Task GetAwaiterForPrecondition(AwaiterPrecondition awaiterPrecondition);
         void SetAsCompleted(AwaiterPrecondition awaiterPrecondition);
         void SetException(AwaiterPrecondition awaiterPrecondition, Exception ex);
+        void Recreate(AwaiterPrecondition awaiterPrecondition);
     }
 }

src/Core/Abstractions/IDeviceActionService.cs

@@ -1,4 +1,5 @@
 using System.Threading.Tasks;
+using Bit.App.Models;
 using Bit.App.Utilities.Prompts;
 using Bit.Core.Enums;
 using Bit.Core.Models;
@@ -40,6 +41,7 @@ namespace Bit.App.Abstractions
         void OpenCredentialProviderSettings();
         void OpenAutofillSettings();
         long GetActiveTime();
+        Task ExecuteFido2CredentialActionAsync(AppOptions appOptions);
         void CloseMainApp();
         float GetSystemFontSizeScale();
         Task OnAccountSwitchCompleteAsync();

src/Core/Abstractions/IFido2AuthenticationService.cs

@@ -1,9 +0,0 @@
-using Bit.Core.Utilities.Fido2;
-
-namespace Bit.Core.Abstractions
-{
-    public interface IFido2AuthenticationService
-    {
-        Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams);
-    }
-}

src/Core/Abstractions/IFido2AuthenticatorService.cs

@@ -4,9 +4,8 @@ namespace Bit.Core.Abstractions
 {
     public interface IFido2AuthenticatorService
     {
-        void Init(IFido2UserInterface userInterface);
-        Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams);
-        Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams);
+        Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams, IFido2MakeCredentialUserInterface userInterface);
+        Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams, IFido2GetAssertionUserInterface userInterface);
         // TODO: Should this return a List? Or maybe IEnumerable?
         Task<Fido2AuthenticatorDiscoverableCredentialMetadata[]> SilentCredentialDiscoveryAsync(string rpId);
     }

src/Core/Abstractions/IFido2ClientService.cs

@@ -20,8 +20,9 @@ namespace Bit.Core.Abstractions
         /// For more information please see: https://www.w3.org/TR/webauthn-3/#sctn-createCredential
         /// </summary>
         /// <param name="createCredentialParams">The parameters for the credential creation operation</param>
+        /// <param name="extraParams">Extra parameters for the credential creation operation</param>
         /// <returns>The new credential</returns>
-        Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams);
+        Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams, Fido2ExtraCreateCredentialParams extraParams);
 
         /// <summary>
         /// Allows WebAuthn Relying Party scripts to discover and use an existing public key credential, with the user’s consent.
@@ -29,7 +30,8 @@ namespace Bit.Core.Abstractions
         /// For more information please see: https://www.w3.org/TR/webauthn-3/#sctn-getAssertion
         /// </summary>
         /// <param name="assertCredentialParams">The parameters for the credential assertion operation</param>
+        /// <param name="extraParams">Extra parameters for the credential assertion operation</param>
         /// <returns>The asserted credential</returns>
-        Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams);
+        Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams, Fido2ExtraAssertCredentialParams extraParams);
     }
 }

src/Core/Abstractions/IFido2GetAssertionUserInterface.cs

@@ -0,0 +1,20 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions 
+{
+    public struct Fido2GetAssertionUserInterfaceCredential
+    {
+        public string CipherId { get; set; }
+        public Fido2UserVerificationPreference UserVerificationPreference { get; set; }
+    }
+
+    public interface IFido2GetAssertionUserInterface : IFido2UserInterface
+    {
+        /// <summary>
+        /// Ask the user to pick a credential from a list of existing credentials.
+        /// </summary>
+        /// <param name="credentials">The credentials that the user can pick from, and if the user must be verified before completing the operation</param>
+        /// <returns>The ID of the cipher that contains the credentials the user picked, and if the user was verified before completing the operation</returns>
+        Task<(string CipherId, bool UserVerified)> PickCredentialAsync(Fido2GetAssertionUserInterfaceCredential[] credentials);
+    }
+}

src/Core/Abstractions/IFido2MakeCredentialConfirmationUserInterface.cs

@@ -0,0 +1,66 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    public interface IFido2MakeCredentialConfirmationUserInterface : IFido2MakeCredentialUserInterface
+    {
+        /// <summary>
+        /// Call this method after the user chose where to save the new Fido2 credential.
+        /// </summary>
+        /// <param name="cipherId">
+        /// Cipher ID where to save the new credential.
+        /// If <c>null</c> a new default passkey cipher item will be created
+        /// </param>
+        /// <param name="userVerified">
+        /// Whether the user has been verified or not.
+        /// If <c>null</c> verification has not taken place yet.
+        /// </param>
+        void Confirm(string cipherId, bool? userVerified);
+
+        /// <summary>
+        /// Call this method after the user chose where to save the new Fido2 credential.
+        /// </summary>
+        /// <param name="cipherId">
+        /// Cipher ID where to save the new credential.
+        /// If <c>null</c> a new default passkey cipher item will be created
+        /// </param>
+        /// <param name="alreadyHasFido2Credential">
+        /// If the cipher corresponding to the <paramref name="cipherId"/> already has a Fido2 credential.
+        /// </param>
+        /// <param name="userVerified">
+        /// Whether the user has been verified or not.
+        /// If <c>null</c> verification has not taken place yet.
+        /// </param>
+        Task ConfirmAsync(string cipherId, bool alreadyHasFido2Credential, bool? userVerified);
+
+        /// <summary>
+        /// Cancels the current flow to make a credential
+        /// </summary>
+        void Cancel();
+
+        /// <summary>
+        /// Call this if an exception needs to happen on the credential making process
+        /// </summary>
+        void OnConfirmationException(Exception ex);
+
+        
+        /// <summary>
+        /// True if we are already confirming a new credential.
+        /// </summary>
+        bool IsConfirmingNewCredential { get; }
+
+        /// <summary>
+        /// Call this after the vault was unlocked so that Fido2 credential creation can proceed.
+        /// </summary>
+        void ConfirmVaultUnlocked();
+
+        /// <summary>
+        /// True if we are waiting for the vault to be unlocked.
+        /// </summary>
+        bool IsWaitingUnlockVault { get; }
+
+        Fido2UserVerificationOptions? GetCurrentUserVerificationOptions();
+
+        void SetCheckHasVaultBeenUnlockedInThisTransaction(Func<bool> checkHasVaultBeenUnlockedInThisTransaction);
+    }
+}

src/Core/Abstractions/IFido2MakeCredentialUserInterface.cs

@@ -0,0 +1,44 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions 
+{
+    public struct Fido2ConfirmNewCredentialParams
+    {
+        ///<summary>
+        /// The name of the credential.
+        ///</summary>
+        public string CredentialName { get; set; }
+
+        ///<summary>
+        /// The name of the user.
+        ///</summary>
+        public string UserName { get; set; }
+
+        /// <summary>
+        /// The preference to whether or not the user must be verified before completing the operation.
+        /// </summary>
+        public Fido2UserVerificationPreference UserVerificationPreference { get; set; }
+
+        /// <summary>
+        /// The relying party identifier
+        /// </summary>
+        public string RpId { get; set; }
+    }
+
+    public interface IFido2MakeCredentialUserInterface : IFido2UserInterface
+    {
+        /// <summary>
+        /// Inform the user that the operation was cancelled because their vault contains excluded credentials.
+        /// </summary>
+        /// <param name="existingCipherIds">The IDs of the excluded credentials.</param>
+        /// <returns>When user has confirmed the message</returns>
+        Task InformExcludedCredentialAsync(string[] existingCipherIds);
+
+        /// <summary>
+        /// Ask the user to confirm the creation of a new credential.
+        /// </summary>
+        /// <param name="confirmNewCredentialParams">The parameters to use when asking the user to confirm the creation of a new credential.</param>
+        /// <returns>The ID of the cipher where the new credential should be saved, and if the user was verified before completing the operation</returns>
+        Task<(string CipherId, bool UserVerified)> ConfirmNewCredentialAsync(Fido2ConfirmNewCredentialParams confirmNewCredentialParams);
+    }
+}

src/Core/Abstractions/IFido2MediatorService.cs

@@ -0,0 +1,14 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    public interface IFido2MediatorService
+    {
+        Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams, Fido2ExtraCreateCredentialParams extraParams);
+        Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams, Fido2ExtraAssertCredentialParams extraParams);
+
+        Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams, IFido2MakeCredentialUserInterface userInterface);
+        Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams, IFido2GetAssertionUserInterface userInterface);
+        Task<Fido2AuthenticatorDiscoverableCredentialMetadata[]> SilentCredentialDiscoveryAsync(string rpId);
+    }
+}

src/Core/Abstractions/IFido2UserInterface.cs

@@ -1,94 +1,11 @@
-using Bit.Core.Utilities.Fido2;
-
 namespace Bit.Core.Abstractions
 {
-    /// <summary>
-    /// Parameters used to ask the user to pick a credential from a list of existing credentials.
-    /// </summary>
-    public struct Fido2PickCredentialParams
-    {
-        /// <summary>
-        /// The IDs of the credentials that the user can pick from.
-        /// </summary>
-        public string[] CipherIds { get; set; }
-
-        /// <summary>
-        /// Whether or not the user must be verified before completing the operation.
-        /// </summary>
-        public bool UserVerification { get; set; }
-    }
-
-    /// <summary>
-    /// The result of asking the user to pick a credential from a list of existing credentials.
-    /// </summary>
-    public struct Fido2PickCredentialResult
-    {
-        /// <summary>
-        /// The ID of the cipher that contains the credentials the user picked.
-        /// </summary>
-        public string CipherId { get; set; }
-
-        /// <summary>
-        /// Whether or not the user was verified before completing the operation.
-        /// </summary>
-        public bool UserVerified { get; set; }
-    }
-
-    public struct Fido2ConfirmNewCredentialParams
-    {
-        ///<summary>
-        /// The name of the credential.
-        ///</summary>
-        public string CredentialName { get; set; }
-
-        ///<summary>
-        /// The name of the user.
-        ///</summary>
-        public string UserName { get; set; }
-
-        /// <summary>
-        /// Whether or not the user must be verified before completing the operation.
-        /// </summary>
-        public bool UserVerification { get; set; }
-
-        public string RpId { get; set; }
-    }
-
-    public struct Fido2ConfirmNewCredentialResult
-    {
-        /// <summary>
-        /// The name of the user.
-        /// </summary>
-        public string CipherId { get; set; }
-
-        /// <summary>
-        /// Whether or not the user was verified.
-        /// </summary>
-        public bool UserVerified { get; set; }
-    }
-
     public interface IFido2UserInterface
     {
         /// <summary>
-        /// Ask the user to pick a credential from a list of existing credentials.
+        /// Whether the vault has been unlocked during this transaction
         /// </summary>
-        /// <param name="pickCredentialParams">The parameters to use when asking the user to pick a credential.</param>
-        /// <returns>The ID of the cipher that contains the credentials the user picked.</returns>
-        Task<Fido2PickCredentialResult> PickCredentialAsync(Fido2PickCredentialParams pickCredentialParams);
-
-        /// <summary>
-        /// Inform the user that the operation was cancelled because their vault contains excluded credentials.
-        /// </summary>
-        /// <param name="existingCipherIds">The IDs of the excluded credentials.</param>
-        /// <returns>When user has confirmed the message</returns>
-        Task InformExcludedCredential(string[] existingCipherIds);
-
-        /// <summary>
-        /// Ask the user to confirm the creation of a new credential.
-        /// </summary>
-        /// <param name="confirmNewCredentialParams">The parameters to use when asking the user to confirm the creation of a new credential.</param>
-        /// <returns>The ID of the cipher where the new credential should be saved.</returns>
-        Task<Fido2ConfirmNewCredentialResult> ConfirmNewCredentialAsync(Fido2ConfirmNewCredentialParams confirmNewCredentialParams);
+        bool HasVaultBeenUnlockedInThisTransaction { get; }
 
         /// <summary>
         /// Make sure that the vault is unlocked.

src/Core/Abstractions/IPasswordRepromptService.cs

@@ -1,5 +1,4 @@
-using System.Threading.Tasks;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 
 namespace Bit.App.Abstractions
 {
@@ -10,5 +9,7 @@ namespace Bit.App.Abstractions
         Task<bool> PromptAndCheckPasswordIfNeededAsync(CipherRepromptType repromptType = CipherRepromptType.Password);
 
         Task<(string password, bool valid)> ShowPasswordPromptAndGetItAsync();
+
+        Task<bool> ShouldByPassMasterPasswordRepromptAsync();
     }
 }

src/Core/Abstractions/IPlatformUtilsService.cs

@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Threading.Tasks;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 
 namespace Bit.Core.Abstractions
 {
@@ -29,7 +26,7 @@ namespace Bit.Core.Abstractions
         bool SupportsDuo();
         Task<bool> SupportsBiometricAsync();
         Task<bool> IsBiometricIntegrityValidAsync(string bioIntegritySrcKey = null);
-        Task<bool> AuthenticateBiometricAsync(string text = null, string fallbackText = null, Action fallback = null, bool logOutOnTooManyAttempts = false);
+        Task<bool?> AuthenticateBiometricAsync(string text = null, string fallbackText = null, Action fallback = null, bool logOutOnTooManyAttempts = false, bool allowAlternativeAuthentication = false);
         long GetActiveTime();
     }
 }

src/Core/Abstractions/IStateService.cs

@@ -186,6 +186,9 @@ namespace Bit.Core.Abstractions
         Task<BwRegion?> GetActiveUserRegionAsync();
         Task<BwRegion?> GetPreAuthRegionAsync();
         Task SetPreAuthRegionAsync(BwRegion value);
+        Task ReloadStateAsync();
+        Task<bool> GetShouldCheckOrganizationUnassignedItemsAsync(string userId = null);
+        Task SetShouldCheckOrganizationUnassignedItemsAsync(bool shouldCheck, string userId = null);
         [Obsolete("Use GetPinKeyEncryptedUserKeyAsync instead, left for migration purposes")]
         Task<string> GetPinProtectedAsync(string userId = null);
         [Obsolete("Use SetPinKeyEncryptedUserKeyAsync instead, left for migration purposes")]

src/Core/Abstractions/IUserPinService.cs

@@ -1,9 +1,12 @@
-using System.Threading.Tasks;
+using Bit.Core.Services;
 
 namespace Bit.Core.Abstractions
 {
     public interface IUserPinService
     {
+        Task<bool> IsPinLockEnabledAsync();
         Task SetupPinAsync(string pin, bool requireMasterPasswordOnRestart);
+        Task<bool> VerifyPinAsync(string inputPin);
+        Task<bool> VerifyPinAsync(string inputPin, string email, KdfConfig kdfConfig, PinLockType pinLockType);
     }
 }

src/Core/Abstractions/IUserVerificationMediatorService.cs

@@ -0,0 +1,28 @@
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    public interface IUserVerificationMediatorService
+    {
+        Task<CancellableResult<bool>> VerifyUserForFido2Async(Fido2UserVerificationOptions options);
+        Task<bool> CanPerformUserVerificationPreferredAsync(Fido2UserVerificationOptions options);
+        Task<bool> ShouldPerformMasterPasswordRepromptAsync(Fido2UserVerificationOptions options);
+        Task<bool> ShouldEnforceFido2RequiredUserVerificationAsync(Fido2UserVerificationOptions options);
+        Task<CancellableResult<UVResult>> PerformOSUnlockAsync();
+        Task<CancellableResult<UVResult>> VerifyPinCodeAsync();
+        Task<CancellableResult<UVResult>> VerifyMasterPasswordAsync(bool isMasterPasswordReprompt);
+
+        public struct UVResult
+        {
+            public UVResult(bool canPerform, bool isVerified)
+            {
+                CanPerform = canPerform;
+                IsVerified = isVerified;
+            }
+
+            public bool CanPerform { get; set; }
+            public bool IsVerified { get; set; }
+        }
+    }
+}

src/Core/Abstractions/IUserVerificationService.cs

@@ -1,11 +1,11 @@
-using System.Threading.Tasks;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 
 namespace Bit.Core.Abstractions
 {
     public interface IUserVerificationService
     {
         Task<bool> VerifyUser(string secret, VerificationType verificationType);
+        Task<bool> VerifyMasterPasswordAsync(string masterPassword);
         Task<bool> HasMasterPasswordAsync(bool checkMasterKeyHash = false);
     }
 }

src/Core/App.xaml.cs

@@ -9,10 +9,12 @@ using Bit.Core;
 using Bit.Core.Abstractions;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Domain;
 using Bit.Core.Models.Response;
 using Bit.Core.Pages;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
 
 [assembly: XamlCompilation(XamlCompilationOptions.Compile)]
 namespace Bit.App
@@ -36,6 +38,9 @@ namespace Bit.App
         private readonly IPushNotificationService _pushNotificationService;
         private readonly IConfigService _configService;
         private readonly ILogger _logger;
+#if ANDROID
+        private LazyResolve<IFido2MakeCredentialConfirmationUserInterface> _fido2MakeCredentialConfirmationUserInterface = new LazyResolve<IFido2MakeCredentialConfirmationUserInterface>();
+#endif
 
         private static bool _isResumed;
         // these variables are static because the app is launching new activities on notification click, creating new instances of App. 
@@ -46,7 +51,6 @@ namespace Bit.App
         // This queue keeps those actions so that when the app has resumed they can still be executed.
         // Links: https://github.com/dotnet/maui/issues/11501 and https://bitwarden.atlassian.net/wiki/spaces/NMME/pages/664862722/MainPage+Assignments+not+working+on+Android+on+Background+or+App+resume
         private readonly Queue<Action> _onResumeActions = new Queue<Action>();
-        private bool _hasNavigatedToAutofillWindow;
 
 #if ANDROID
 
@@ -104,7 +108,10 @@ namespace Bit.App
                 Options.MyVaultTile = appOptions.MyVaultTile;
                 Options.GeneratorTile = appOptions.GeneratorTile;
                 Options.FromAutofillFramework = appOptions.FromAutofillFramework;
+                Options.FromFido2Framework = appOptions.FromFido2Framework;
+                Options.Fido2CredentialAction = appOptions.Fido2CredentialAction;
                 Options.CreateSend = appOptions.CreateSend;
+                Options.HasUnlockedInThisTransaction = appOptions.HasUnlockedInThisTransaction;
             }
         }
 
@@ -120,41 +127,17 @@ namespace Bit.App
                 return new Window(new NavigationPage()); //No actual page needed. Only used for auto-filling the fields directly (externally)
             }
 
-            //"Internal" Autofill and Uri/Otp/CreateSend. This is where we create the autofill specific Window
-            if (Options != null && (Options.FromAutofillFramework || Options.Uri != null || Options.OtpData != null || Options.CreateSend != null))
+            //When executing from CredentialProviderSelectionActivity we don't have "Options" so we need to filter "manually"
+            //In the CredentialProviderSelectionActivity we don't need to show any Page, so we just create a "dummy" Window with a NavigationPage to avoid crashing.
+            if (activationState != null 
+                && activationState.State.ContainsKey("CREDENTIAL_DATA") 
+                && activationState.State.ContainsKey("credentialProviderCipherId"))
             {
-                _isResumed = true; //Specifically for the Autofill scenario we need to manually set the _isResumed here
-                _hasNavigatedToAutofillWindow = true;
-                return new AutoFillWindow(new NavigationPage(new AndroidNavigationRedirectPage()));
+                return new Window(new NavigationPage()); //No actual page needed. Only used for auto-filling the fields directly (externally)
             }
 
-            var homePage = new HomePage(Options);
-            // WORKAROUND: If the user autofills with Accessibility Services enabled and goes back to the application then there is currently an issue
-            // where this method is called again
-            // thus it goes through here and the user goes to HomePage as we see here.
-            // So to solve this, the next flag check has been added which then turns on a flag on the home page
-            // that will trigger a navigation on the accounts manager when it loads; workarounding this behavior and navigating the user
-            // to the proper page depending on its state.
-            // WARNING: this doens't navigate the user to where they were but it acts as if the user had changed their account.
-            if(_hasNavigatedToAutofillWindow)
-            {
-                homePage.PerformNavigationOnAccountChangedOnLoad = true;
-                // this is needed because when coming back from AutofillWindow OnResume won't be called and we need this flag
-                // so that void Navigate(NavigationTarget navTarget, INavigationParams navParams) doesn't enqueue the navigation
-                // and it performs it directly.
-                _isResumed = true; 
-                _hasNavigatedToAutofillWindow = false;
-            }
-
-            //If we have an existing MainAppWindow we can use that one
-            var mainAppWindow = Windows.OfType<MainAppWindow>().FirstOrDefault();
-            if (mainAppWindow != null)
-            {
-                mainAppWindow.PendingPage = new NavigationPage(homePage);
-            }
-
-            //Create new main window
-            return new MainAppWindow(new NavigationPage(homePage));
+            _isResumed = true;
+            return new ResumeWindow(new NavigationPage(new AndroidNavigationRedirectPage(Options)));
         }
 #else
         //iOS doesn't use the CreateWindow override used in Android so we just set the Application.Current.MainPage directly
@@ -171,7 +154,7 @@ namespace Bit.App
                     Application.Current.MainPage = value;
                 }
             }
-        }   
+        }
 #endif
 
         public App() : this(null)
@@ -201,132 +184,182 @@ namespace Bit.App
 
             _accountsManager.Init(() => Options, this);
 
+            _broadcasterService.Subscribe(nameof(App), BroadcastServiceMessageCallbackAsync);
+
             Bootstrap();
-            _broadcasterService.Subscribe(nameof(App), async (message) =>
-            {
-                try
+        }
+
+        private async void BroadcastServiceMessageCallbackAsync(Message message)
+        {
+           try
+           {
+                ArgumentNullException.ThrowIfNull(message);
+                if (message.Command == "showDialog")
                 {
-                    if (message.Command == "showDialog")
+                    var details = message.Data as DialogDetails;
+                    ArgumentNullException.ThrowIfNull(details);
+                    
+                    var confirmed = true;
+                    var confirmText = string.IsNullOrWhiteSpace(details.ConfirmText) ?
+                        AppResources.Ok : details.ConfirmText;
+                    await MainThread.InvokeOnMainThreadAsync(ShowDialogAction);
+                    async Task ShowDialogAction()
                     {
-                        var details = message.Data as DialogDetails;
-                        var confirmed = true;
-                        var confirmText = string.IsNullOrWhiteSpace(details.ConfirmText) ?
-                            AppResources.Ok : details.ConfirmText;
-                        await MainThread.InvokeOnMainThreadAsync(async () =>
+                        if (!string.IsNullOrWhiteSpace(details.CancelText))
                         {
-                            if (!string.IsNullOrWhiteSpace(details.CancelText))
-                            {
-                                confirmed = await MainPage.DisplayAlert(details.Title, details.Text, confirmText,
-                                    details.CancelText);
-                            }
-                            else
-                            {
-                                await MainPage.DisplayAlert(details.Title, details.Text, confirmText);
-                            }
-                            _messagingService.Send("showDialogResolve", new Tuple<int, bool>(details.DialogId, confirmed));
-                        });
+                            ArgumentNullException.ThrowIfNull(MainPage);
+
+                            confirmed = await MainPage.DisplayAlert(details.Title, details.Text, confirmText,
+                                details.CancelText);
+                        }
+                        else
+                        {
+                            await _deviceActionService.DisplayAlertAsync(details.Title, details.Text, confirmText);
+                        }
+                        _messagingService.Send("showDialogResolve", new Tuple<int, bool>(details.DialogId, confirmed));
                     }
+                }
 #if IOS
-                    else if (message.Command == AppHelpers.RESUMED_MESSAGE_COMMAND)
+                else if (message.Command == AppHelpers.RESUMED_MESSAGE_COMMAND)
+                {
+                    ResumedAsync().FireAndForget();
+                }
+                else if (message.Command == "slept")
+                {
+                    await SleptAsync();
+                }
+#endif
+                else if (message.Command == "migrated")
+                {
+                    await Task.Delay(1000);
+                    await _accountsManager.NavigateOnAccountChangeAsync();
+                }
+                else if (message.Command == POP_ALL_AND_GO_TO_TAB_GENERATOR_MESSAGE ||
+                         message.Command == POP_ALL_AND_GO_TO_TAB_MYVAULT_MESSAGE ||
+                         message.Command == POP_ALL_AND_GO_TO_TAB_SEND_MESSAGE ||
+                         message.Command == POP_ALL_AND_GO_TO_AUTOFILL_CIPHERS_MESSAGE ||
+                         message.Command == DeepLinkContext.NEW_OTP_MESSAGE)
+                {
+                    if (message.Command == DeepLinkContext.NEW_OTP_MESSAGE)
                     {
-                        ResumedAsync().FireAndForget();
+                        Options.OtpData = new OtpData((string)message.Data);
                     }
-                    else if (message.Command == "slept")
+
+                    await MainThread.InvokeOnMainThreadAsync(ExecuteNavigationAction);
+                    async Task ExecuteNavigationAction()
                     {
-                        await SleptAsync();
+                        if (MainPage is TabsPage tabsPage)
+                        {
+                            ArgumentNullException.ThrowIfNull(tabsPage.Navigation);
+                            ArgumentNullException.ThrowIfNull(tabsPage.Navigation.ModalStack);
+                            while (tabsPage.Navigation.ModalStack.Count > 0)
+                            {
+                                await tabsPage.Navigation.PopModalAsync(false);
+                            }
+
+                            if (message.Command == POP_ALL_AND_GO_TO_AUTOFILL_CIPHERS_MESSAGE)
+                            {
+                                MainPage = new NavigationPage(new CipherSelectionPage(Options));
+                            }
+                            else if (message.Command == POP_ALL_AND_GO_TO_TAB_MYVAULT_MESSAGE)
+                            {
+                                Options.MyVaultTile = false;
+                                tabsPage.ResetToVaultPage();
+                            }
+                            else if (message.Command == POP_ALL_AND_GO_TO_TAB_GENERATOR_MESSAGE)
+                            {
+                                Options.GeneratorTile = false;
+                                tabsPage.ResetToGeneratorPage();
+                            }
+                            else if (message.Command == POP_ALL_AND_GO_TO_TAB_SEND_MESSAGE)
+                            {
+                                tabsPage.ResetToSendPage();
+                            }
+                            else if (message.Command == DeepLinkContext.NEW_OTP_MESSAGE)
+                            {
+                                tabsPage.ResetToVaultPage();
+                                ArgumentNullException.ThrowIfNull(tabsPage.Navigation);
+                                await tabsPage.Navigation.PushModalAsync(new NavigationPage(new CipherSelectionPage(Options)));
+                            }
+                        }
+                    }
+                }
+                else if (message.Command == Constants.CredentialNavigateToAutofillCipherMessageCommand && message.Data is Fido2ConfirmNewCredentialParams createParams)
+                {
+                    ArgumentNullException.ThrowIfNull(MainPage);
+                    ArgumentNullException.ThrowIfNull(Options);
+                    await MainThread.InvokeOnMainThreadAsync(NavigateToCipherSelectionPageAction);
+                    void NavigateToCipherSelectionPageAction()
+                    {
+                        Options.Uri = createParams.RpId;
+                        Options.SaveUsername = createParams.UserName;
+                        Options.SaveName = createParams.CredentialName;
+                        MainPage = new NavigationPage(new CipherSelectionPage(Options));
+                    }
+                }
+                else if (message.Command == "convertAccountToKeyConnector")
+                {
+                    ArgumentNullException.ThrowIfNull(MainPage);
+                    await MainThread.InvokeOnMainThreadAsync(NavigateToRemoveMasterPasswordPageAction);
+                    async Task NavigateToRemoveMasterPasswordPageAction()
+                    {
+                        await MainPage.Navigation.PushModalAsync(
+                            new NavigationPage(new RemoveMasterPasswordPage()));
+                    }
+                }
+                else if (message.Command == Constants.ForceUpdatePassword)
+                {
+                    ArgumentNullException.ThrowIfNull(MainPage);
+                    await MainThread.InvokeOnMainThreadAsync(NavigateToUpdateTempPasswordPageAction);
+                    async Task NavigateToUpdateTempPasswordPageAction()
+                    {
+                        await MainPage.Navigation.PushModalAsync(
+                            new NavigationPage(new UpdateTempPasswordPage()));
+                    }
+                }
+                else if (message.Command == Constants.ForceSetPassword)
+                {
+                    ArgumentNullException.ThrowIfNull(MainPage);
+                    await MainThread.InvokeOnMainThreadAsync(NavigateToSetPasswordPageAction);
+                    void NavigateToSetPasswordPageAction()
+                    {
+                        MainPage.Navigation.PushModalAsync(
+                            new NavigationPage(new SetPasswordPage(orgIdentifier: (string)message.Data)));
+                    }
+                }
+                else if (message.Command == "syncCompleted")
+                {
+                    await _configService.GetAsync(true);
+                }
+                else if (message.Command == Constants.PasswordlessLoginRequestKey
+                    || message.Command == "unlocked"
+                    || message.Command == AccountsManagerMessageCommands.ACCOUNT_SWITCH_COMPLETED)
+                {
+#if ANDROID
+                    if (message.Command == AccountsManagerMessageCommands.ACCOUNT_SWITCH_COMPLETED && _fido2MakeCredentialConfirmationUserInterface.Value.IsConfirmingNewCredential)
+                    {
+                        _fido2MakeCredentialConfirmationUserInterface.Value.OnConfirmationException(new AccountSwitchedException());
                     }
 #endif
-                    else if (message.Command == "migrated")
-                    {
-                        await Task.Delay(1000);
-                        await _accountsManager.NavigateOnAccountChangeAsync();
-                    }
-                    else if (message.Command == POP_ALL_AND_GO_TO_TAB_GENERATOR_MESSAGE ||
-                        message.Command == POP_ALL_AND_GO_TO_TAB_MYVAULT_MESSAGE ||
-                        message.Command == POP_ALL_AND_GO_TO_TAB_SEND_MESSAGE ||
-                        message.Command == POP_ALL_AND_GO_TO_AUTOFILL_CIPHERS_MESSAGE ||
-                        message.Command == DeepLinkContext.NEW_OTP_MESSAGE)
-                    {
-                        if (message.Command == DeepLinkContext.NEW_OTP_MESSAGE)
-                        {
-                            Options.OtpData = new OtpData((string)message.Data);
-                        }
 
-                        await MainThread.InvokeOnMainThreadAsync(async () =>
-                        {
-                            if (MainPage is TabsPage tabsPage)
-                            {
-                                while (tabsPage.Navigation.ModalStack.Count > 0)
-                                {
-                                    await tabsPage.Navigation.PopModalAsync(false);
-                                }
-                                if (message.Command == POP_ALL_AND_GO_TO_AUTOFILL_CIPHERS_MESSAGE)
-                                {
-                                    MainPage = new NavigationPage(new CipherSelectionPage(Options));
-                                }
-                                else if (message.Command == POP_ALL_AND_GO_TO_TAB_MYVAULT_MESSAGE)
-                                {
-                                    Options.MyVaultTile = false;
-                                    tabsPage.ResetToVaultPage();
-                                }
-                                else if (message.Command == POP_ALL_AND_GO_TO_TAB_GENERATOR_MESSAGE)
-                                {
-                                    Options.GeneratorTile = false;
-                                    tabsPage.ResetToGeneratorPage();
-                                }
-                                else if (message.Command == POP_ALL_AND_GO_TO_TAB_SEND_MESSAGE)
-                                {
-                                    tabsPage.ResetToSendPage();
-                                }
-                                else if (message.Command == DeepLinkContext.NEW_OTP_MESSAGE)
-                                {
-                                    tabsPage.ResetToVaultPage();
-                                    await tabsPage.Navigation.PushModalAsync(new NavigationPage(new CipherSelectionPage(Options)));
-                                }
-                            }
-                        });
-                    }
-                    else if (message.Command == "convertAccountToKeyConnector")
+                    lock (_processingLoginRequestLock)
                     {
-                        await MainThread.InvokeOnMainThreadAsync(async () =>
-                        {
-                            await MainPage.Navigation.PushModalAsync(
-                                new NavigationPage(new RemoveMasterPasswordPage()));
-                        });
-                    }
-                    else if (message.Command == Constants.ForceUpdatePassword)
-                    {
-                        await MainThread.InvokeOnMainThreadAsync(async () =>
-                        {
-                            await MainPage.Navigation.PushModalAsync(
-                                new NavigationPage(new UpdateTempPasswordPage()));
-                        });
-                    }
-                    else if (message.Command == Constants.ForceSetPassword)
-                    {
-                        await MainThread.InvokeOnMainThreadAsync(() => MainPage.Navigation.PushModalAsync(
-                                new NavigationPage(new SetPasswordPage(orgIdentifier: (string)message.Data))));
-                    }
-                    else if (message.Command == "syncCompleted")
-                    {
-                        await _configService.GetAsync(true);
-                    }
-                    else if (message.Command == Constants.PasswordlessLoginRequestKey
-                        || message.Command == "unlocked"
-                        || message.Command == AccountsManagerMessageCommands.ACCOUNT_SWITCH_COMPLETED)
-                    {
-                        lock (_processingLoginRequestLock)
-                        {
-                            // lock doesn't allow for async execution
-                            CheckPasswordlessLoginRequestsAsync().Wait();
-                        }
+                        // lock doesn't allow for async execution
+                        CheckPasswordlessLoginRequestsAsync().Wait();
                     }
                 }
-                catch (Exception ex)
+                else if (message.Command == Constants.NavigateToMessageCommand && message.Data is NavigationTarget navigationTarget)
                 {
-                    LoggerHelper.LogEvenIfCantBeResolved(ex);
+                    await MainThread.InvokeOnMainThreadAsync(() =>
+                    {
+                        Navigate(navigationTarget, null);
+                    });
                 }
-            });
+           }
+           catch (Exception ex)
+           {
+               LoggerHelper.LogEvenIfCantBeResolved(ex);
+           }
         }
 
         private async Task CheckPasswordlessLoginRequestsAsync()
@@ -341,7 +374,6 @@ namespace Bit.App
             {
                 return;
             }
-
             var notification = await _stateService.GetPasswordlessLoginNotificationAsync();
             if (notification == null)
             {
@@ -693,6 +725,15 @@ namespace Bit.App
             // If we are in background we add the Navigation Actions to a queue to execute when the app resumes.
             // Links: https://github.com/dotnet/maui/issues/11501 and https://bitwarden.atlassian.net/wiki/spaces/NMME/pages/664862722/MainPage+Assignments+not+working+on+Android+on+Background+or+App+resume
 #if ANDROID
+            if (_fido2MakeCredentialConfirmationUserInterface != null && _fido2MakeCredentialConfirmationUserInterface.Value.IsConfirmingNewCredential)
+            {
+                // if it's creating passkey
+                // and we have an active pending TaskCompletionSource
+                // then we let the Fido2 Authenticator flow manage the navigation to avoid issues
+                // like duplicated navigation to lock page.
+                return;
+            }
+
             if (!_isResumed)
             {
                 _onResumeActions.Enqueue(() => NavigateImpl(navTarget, navParams));

src/Core/Constants.cs

@@ -46,7 +46,11 @@ namespace Bit.Core
         public const string PreLoginEmailKey = "preLoginEmailKey";
         public const string ConfigsKey = "configsKey";
         public const string DisplayEuEnvironmentFlag = "display-eu-environment";
+        public const string UnassignedItemsBannerFlag = "unassigned-items-banner";
         public const string RegionEnvironment = "regionEnvironment";
+        public const string DuoCallback = "bitwarden://duo-callback";
+        public const string NavigateToMessageCommand = "navigateTo";
+        public const string CredentialNavigateToAutofillCipherMessageCommand = "credentialNavigateToAutofillCipher";
 
         /// <summary>
         /// This key is used to store the value of "ShouldConnectToWatch" of the last user that had logged in
@@ -135,6 +139,7 @@ namespace Bit.Core
         public static string ShouldConnectToWatchKey(string userId) => $"shouldConnectToWatch_{userId}";
         public static string ScreenCaptureAllowedKey(string userId) => $"screenCaptureAllowed_{userId}";
         public static string PendingAdminAuthRequest(string userId) => $"pendingAdminAuthRequest_{userId}";
+        public static string ShouldCheckOrganizationUnassignedItemsKey(string userId) => $"shouldCheckOrganizationUnassignedItems_{userId}";
         [Obsolete]
         public static string KeyKey(string userId) => $"key_{userId}";
         [Obsolete]

src/Core/Controls/CipherViewCell/BaseCipherViewCell.cs

@@ -53,12 +53,13 @@ namespace Bit.App.Controls
             if (BindingContext is CipherItemViewModel cipherItemVM)
             {
                 cipherItemVM.IconImageSuccesfullyLoaded = true;
+
+                MainThread.BeginInvokeOnMainThread(() =>
+                {
+                    Icon.IsVisible = cipherItemVM.ShowIconImage;
+                    IconPlaceholder.IsVisible = !cipherItemVM.ShowIconImage;
+                });
             }
-            MainThread.BeginInvokeOnMainThread(() =>
-            {
-                Icon.IsVisible = true;
-                IconPlaceholder.IsVisible = false;
-            });
         }
 
         public void Icon_Error(object sender, FFImageLoading.Maui.CachedImageEvents.ErrorEventArgs e)

src/Core/Controls/CipherViewCell/CipherViewCell.xaml

@@ -50,7 +50,7 @@
         HorizontalOptions="Center"
         VerticalOptions="Center"
         StyleClass="list-icon, list-icon-platform"
-        Text="{Binding Cipher, Converter={StaticResource iconGlyphConverter}}"
+        Text="{Binding ., Converter={StaticResource iconGlyphConverter}}"
         ShouldUpdateFontSizeDynamicallyForAccesibility="True"
         AutomationProperties.IsInAccessibleTree="False"
         AutomationId="CipherTypeIcon" />

src/Core/Controls/Settings/ExternalLinkSubtitleItemView.xaml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<controls:BaseSettingItemView
+    xmlns="http://schemas.microsoft.com/dotnet/2021/maui"
+    xmlns:x="http://schemas.microsoft.com/winfx/2009/xaml"
+    xmlns:controls="clr-namespace:Bit.App.Controls" 
+    xmlns:core="clr-namespace:Bit.Core"
+    x:Class="Bit.App.Controls.ExternalLinkSubtitleItemView"
+    x:Name="_contentView"
+    ControlTemplate="{StaticResource SettingControlTemplate}">
+    <controls:BaseSettingItemView.GestureRecognizers>
+        <TapGestureRecognizer Tapped="ContentView_Tapped" />
+    </controls:BaseSettingItemView.GestureRecognizers>
+
+    <controls:IconLabel
+        Text="{Binding Source={x:Static core:BitwardenIcons.ExternalLink}}"
+        TextColor="{DynamicResource TextColor}"
+        FontSize="25"
+        Margin="6,0,7,0"
+        HorizontalOptions="End"
+        VerticalOptions="Center"
+        SemanticProperties.Description="{Binding Title, Mode=OneWay, Source={x:Reference _contentView}}" />
+</controls:BaseSettingItemView>

src/Core/Controls/Settings/ExternalLinkSubtitleItemView.xaml.cs

@@ -0,0 +1,26 @@
+using System.Windows.Input;
+
+namespace Bit.App.Controls
+{
+    public partial class ExternalLinkSubtitleItemView : BaseSettingItemView
+    {
+        public static readonly BindableProperty GoToLinkCommandProperty = BindableProperty.Create(
+            nameof(GoToLinkCommand), typeof(ICommand), typeof(ExternalLinkSubtitleItemView));
+
+        public ExternalLinkSubtitleItemView()
+        {
+            InitializeComponent();
+        }
+
+        public ICommand GoToLinkCommand
+        {
+            get => GetValue(GoToLinkCommandProperty) as ICommand;
+            set => SetValue(GoToLinkCommandProperty, value);
+        }
+
+        void ContentView_Tapped(System.Object sender, System.EventArgs e)
+        {
+            GoToLinkCommand?.Execute(null);
+        }
+    }
+}

src/Core/Core.csproj

@@ -80,11 +80,11 @@
     <Folder Include="Utilities\Fido2\" />
     <Folder Include="Controls\Picker\" />
     <Folder Include="Controls\Avatar\" />
+    <Folder Include="Services\UserVerification\" />
+    <Folder Include="Utilities\WebAuthenticatorMAUI\" />
+    <Folder Include="Resources\Images\" />
   </ItemGroup>
 	<ItemGroup>
-	  <MauiImage Include="Resources\Images\dotnet_bot.svg">
-	    <BaseSize>168,208</BaseSize>
-	  </MauiImage>
 	  <MauiAsset Include="Resources\Raw\**" LogicalName="%(RecursiveDir)%(Filename)%(Extension)" />
 		<MauiFont Include="Resources\Fonts\*" />
 	</ItemGroup>
@@ -93,6 +93,9 @@
       <LastGenOutput>AppResources.Designer.cs</LastGenOutput>
       <Generator>PublicResXFileCodeGenerator</Generator>
     </EmbeddedResource>
+		<Compile Update="Controls\Settings\ExternalLinkSubtitleItemView.xaml.cs">
+		  <DependentUpon>ExternalLinkSubtitleItemView.xaml</DependentUpon>
+		</Compile>
 		<Compile Update="Pages\AndroidNavigationRedirectPage.xaml.cs">
 		  <DependentUpon>AndroidNavigationRedirectPage.xaml</DependentUpon>
 		</Compile>
@@ -103,6 +106,9 @@
     </Compile>
 	</ItemGroup>
 	<ItemGroup>
+	  <MauiXaml Update="Controls\Settings\ExternalLinkSubtitleItemView.xaml">
+	    <Generator>MSBuild:Compile</Generator>
+	  </MauiXaml>
 	  <MauiXaml Update="Pages\AndroidNavigationRedirectPage.xaml">
 	    <Generator>MSBuild:Compile</Generator>
 	  </MauiXaml>
@@ -111,5 +117,14 @@
 	  <None Remove="Utilities\Fido2\" />
 	  <None Remove="Controls\Picker\" />
 	  <None Remove="Controls\Avatar\" />
+	  <None Remove="Services\UserVerification\" />
+	  <None Remove="Utilities\WebAuthenticatorMAUI\" />
+	  <None Remove="Resources\Images\" />
+	  <None Remove="Resources\Images\empty_items_state_dark.svg" />
+	  <None Remove="Resources\Images\empty_items_state.svg" />
+	</ItemGroup>
+	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">
+	  <MauiImage Include="Resources\Images\empty_items_state.svg" />
+	  <MauiImage Include="Resources\Images\empty_items_state_dark.svg" />
 	</ItemGroup>
 </Project>

src/Core/Exceptions/ValidationException.cs

@@ -0,0 +1,10 @@
+namespace Bit.Core.Exceptions
+{
+    public class ValidationException : Exception
+    {
+        public ValidationException(string localizedMessage)
+            : base(localizedMessage)
+        {
+        }
+    }
+}

src/Core/Models/AppOptions.cs

@@ -1,5 +1,4 @@
-using System;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 using Bit.Core.Utilities;
 
 namespace Bit.App.Models
@@ -9,6 +8,8 @@ namespace Bit.App.Models
         public bool MyVaultTile { get; set; }
         public bool GeneratorTile { get; set; }
         public bool FromAutofillFramework { get; set; }
+        public bool FromFido2Framework { get; set; }
+        public string Fido2CredentialAction { get; set; }
         public CipherType? FillType { get; set; }
         public string Uri { get; set; }
         public CipherType? SaveType { get; set; }
@@ -25,6 +26,8 @@ namespace Bit.App.Models
         public bool CopyInsteadOfShareAfterSaving { get; set; }
         public bool HideAccountSwitcher { get; set; }
         public OtpData? OtpData { get; set; }
+        public bool HasUnlockedInThisTransaction { get; set; }
+        public bool HasJustLoggedInOrUnlocked { get; set; }
 
         public void SetAllFrom(AppOptions o)
         {
@@ -35,6 +38,7 @@ namespace Bit.App.Models
             MyVaultTile = o.MyVaultTile;
             GeneratorTile = o.GeneratorTile;
             FromAutofillFramework = o.FromAutofillFramework;
+            Fido2CredentialAction = o.Fido2CredentialAction;
             FillType = o.FillType;
             Uri = o.Uri;
             SaveType = o.SaveType;
@@ -51,6 +55,7 @@ namespace Bit.App.Models
             CopyInsteadOfShareAfterSaving = o.CopyInsteadOfShareAfterSaving;
             HideAccountSwitcher = o.HideAccountSwitcher;
             OtpData = o.OtpData;
+            HasUnlockedInThisTransaction = o.HasUnlockedInThisTransaction;
         }
     }
 }

src/Core/Models/Domain/SymmetricCryptoKey.cs

@@ -1,5 +1,4 @@
-using System;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 
 namespace Bit.Core.Models.Domain
 {
@@ -9,7 +8,7 @@ namespace Bit.Core.Models.Domain
         {
             if (key == null)
             {
-                throw new Exception("Must provide key.");
+                throw new ArgumentKeyNullException(nameof(key));
             }
 
             if (encType == null)
@@ -24,7 +23,7 @@ namespace Bit.Core.Models.Domain
                 }
                 else
                 {
-                    throw new Exception("Unable to determine encType.");
+                    throw new InvalidKeyOperationException("Unable to determine encType.");
                 }
             }
 
@@ -48,7 +47,7 @@ namespace Bit.Core.Models.Domain
             }
             else
             {
-                throw new Exception("Unsupported encType/key length.");
+                throw new InvalidKeyOperationException("Unsupported encType/key length.");
             }
 
             if (Key != null)
@@ -72,6 +71,32 @@ namespace Bit.Core.Models.Domain
         public string KeyB64 { get; set; }
         public string EncKeyB64 { get; set; }
         public string MacKeyB64 { get; set; }
+
+        public class ArgumentKeyNullException : ArgumentNullException
+        {
+            public ArgumentKeyNullException(string paramName) : base(paramName)
+            {
+            }
+
+            public ArgumentKeyNullException(string message, Exception innerException) : base(message, innerException)
+            {
+            }
+
+            public ArgumentKeyNullException(string paramName, string message) : base(paramName, message)
+            {
+            }
+        }
+
+        public class InvalidKeyOperationException : InvalidOperationException
+        {
+            public InvalidKeyOperationException(string message) : base(message)
+            {
+            }
+
+            public InvalidKeyOperationException(string message, Exception innerException) : base(message, innerException)
+            {
+            }
+        }
     }
 
     public class UserKey : SymmetricCryptoKey

src/Core/Models/View/CipherView.cs

@@ -1,5 +1,7 @@
 using Bit.Core.Enums;
 using Bit.Core.Models.Domain;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Models.View
 {
@@ -49,7 +51,7 @@ namespace Bit.Core.Models.View
         public DateTime? DeletedDate { get; set; }
         public CipherRepromptType Reprompt { get; set; }
         public CipherKey Key { get; set; }
-
+        
         public ItemView Item
         {
             get
@@ -119,5 +121,14 @@ namespace Bit.Core.Models.View
         public bool IsClonable => OrganizationId is null;
 
         public bool HasFido2Credential => Type == CipherType.Login && Login?.HasFido2Credentials == true;
+
+        public string GetMainFido2CredentialUsername()
+        {
+            return Login?.MainFido2Credential?.UserName
+                    .FallbackOnNullOrWhiteSpace(Login?.MainFido2Credential?.UserDisplayName)
+                    .FallbackOnNullOrWhiteSpace(Login?.Username)
+                    .FallbackOnNullOrWhiteSpace(Name)
+                    .FallbackOnNullOrWhiteSpace(AppResources.UnknownAccount);
+        }
     }
 }

src/Core/Models/View/Fido2CredentialView.cs

@@ -51,12 +51,14 @@ namespace Bit.Core.Models.View
         [JsonIgnore]
         public bool DiscoverableValue {
             get => bool.TryParse(Discoverable, out var discoverable) && discoverable;
-            set => Discoverable = value.ToString().ToLower(); // must be lowercase so it can be parsed in the current version of clients
+            set => Discoverable = value.ToString().ToLower();
         }
 
         [JsonIgnore]
         public override string SubTitle => UserName;
+        
         public override List<KeyValuePair<string, LinkedIdType>> LinkedFieldOptions => new List<KeyValuePair<string, LinkedIdType>>();
+        
         [JsonIgnore]
         public bool CanLaunch => !string.IsNullOrEmpty(RpId);
         [JsonIgnore]

src/Core/Models/View/LoginView.cs

@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 using Bit.Core.Models.Domain;
 
 namespace Bit.Core.Models.View

src/Core/Pages/Accounts/EnvironmentPage.xaml

@@ -21,10 +21,6 @@
     <ScrollView>
         <StackLayout Spacing="20">
             <StackLayout StyleClass="box">
-                <StackLayout StyleClass="box-row-header">
-                    <Label Text="MAUI APP"
-                           StyleClass="box-header, box-header-platform" />
-                </StackLayout>
                 <StackLayout StyleClass="box-row-header">
                     <Label Text="{u:I18n SelfHostedEnvironment, Header=True}"
                            StyleClass="box-header, box-header-platform" />

src/Core/Pages/Accounts/EnvironmentPage.xaml.cs

@@ -1,6 +1,7 @@
 using Bit.Core.Abstractions;
 using Bit.Core.Resources.Localization;
 using Bit.Core.Utilities;
+using Microsoft.Maui.Platform;
 
 namespace Bit.App.Pages
 {
@@ -26,7 +27,7 @@ namespace Bit.App.Pages
             _apiEntry.ReturnCommand = new Command(() => _identityEntry.Focus());
             _identityEntry.ReturnType = ReturnType.Next;
             _identityEntry.ReturnCommand = new Command(() => _iconsEntry.Focus());
-            _vm.SubmitSuccessAction = () => MainThread.BeginInvokeOnMainThread(async () => await SubmitSuccessAsync());
+            _vm.SubmitSuccessTask = () => MainThread.InvokeOnMainThreadAsync(SubmitSuccessAsync);
             _vm.CloseAction = async () =>
             {
                 await Navigation.PopModalAsync();
@@ -37,6 +38,12 @@ namespace Bit.App.Pages
         {
             _platformUtilsService.ShowToast("success", null, AppResources.EnvironmentSaved);
             await Navigation.PopModalAsync();
+#if ANDROID
+            if (Platform.CurrentActivity.CurrentFocus != null)
+            {
+                Platform.CurrentActivity.HideKeyboard(Platform.CurrentActivity.CurrentFocus);
+            }
+#endif
         }
 
         private void Close_Clicked(object sender, EventArgs e)

src/Core/Pages/Accounts/EnvironmentPageViewModel.cs

@@ -44,7 +44,7 @@ namespace Bit.App.Pages
         public string WebVaultUrl { get; set; }
         public string IconsUrl { get; set; }
         public string NotificationsUrls { get; set; }
-        public Action SubmitSuccessAction { get; set; }
+        public Func<Task> SubmitSuccessTask { get; set; }
         public Action CloseAction { get; set; }
 
         public async Task SubmitAsync()
@@ -73,7 +73,10 @@ namespace Bit.App.Pages
             IconsUrl = resUrls.Icons;
             NotificationsUrls = resUrls.Notifications;
 
-            SubmitSuccessAction?.Invoke();
+            if (SubmitSuccessTask != null)
+            {
+                await SubmitSuccessTask();
+            }
         }
 
         public bool ValidateUrls()

src/Core/Pages/Accounts/HomePage.xaml.cs

@@ -12,12 +12,14 @@ namespace Bit.App.Pages
         private readonly HomeViewModel _vm;
         private readonly AppOptions _appOptions;
         private IBroadcasterService _broadcasterService;
+        private IConditionedAwaiterManager _conditionedAwaiterManager;
 
         readonly LazyResolve<ILogger> _logger = new LazyResolve<ILogger>();
 
         public HomePage(AppOptions appOptions = null)
         {
             _broadcasterService = ServiceContainer.Resolve<IBroadcasterService>();
+            _conditionedAwaiterManager = ServiceContainer.Resolve<IConditionedAwaiterManager>();
             _appOptions = appOptions;
             InitializeComponent();
             _vm = BindingContext as HomeViewModel;
@@ -56,6 +58,8 @@ namespace Bit.App.Pages
                 PerformNavigationOnAccountChangedOnLoad = false;
                 accountsManager.NavigateOnAccountChangeAsync().FireAndForget();
             }
+
+            _conditionedAwaiterManager.SetAsCompleted(AwaiterPrecondition.AndroidWindowCreated);
 #endif
         }
 

src/Core/Pages/Accounts/LockPage.xaml.cs

@@ -168,7 +168,7 @@ namespace Bit.App.Pages
                 var tasks = Task.Run(async () =>
                 {
                     await Task.Delay(50);
-                    MainThread.BeginInvokeOnMainThread(async () => await _vm.SubmitAsync());
+                    _vm.SubmitCommand.Execute(null);
                 });
             }
         }
@@ -233,6 +233,7 @@ namespace Bit.App.Pages
             }
             var previousPage = await AppHelpers.ClearPreviousPage();
 
+            _appOptions.HasJustLoggedInOrUnlocked = true;
             App.MainPage = new TabsPage(_appOptions, previousPage);
         }
     }

src/Core/Pages/Accounts/LockPageViewModel.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Threading.Tasks;
+using System.Windows.Input;
 using Bit.App.Abstractions;
 using Bit.App.Controls;
 using Bit.Core.Resources.Localization;
@@ -73,7 +74,7 @@ namespace Bit.App.Pages
 
             PageTitle = AppResources.VerifyMasterPassword;
             TogglePasswordCommand = new Command(TogglePassword);
-            SubmitCommand = new Command(async () => await SubmitAsync());
+            SubmitCommand = CreateDefaultAsyncRelayCommand(SubmitAsync, onException: _logger.Exception, allowsMultipleExecutions: false);
 
             AccountSwitchingOverlayViewModel =
                 new AccountSwitchingOverlayViewModel(_stateService, _messagingService, _logger)
@@ -157,7 +158,7 @@ namespace Bit.App.Pages
 
         public AccountSwitchingOverlayViewModel AccountSwitchingOverlayViewModel { get; }
 
-        public Command SubmitCommand { get; }
+        public ICommand SubmitCommand { get; }
         public Command TogglePasswordCommand { get; }
 
         public string ShowPasswordIcon => ShowPassword ? BitwardenIcons.EyeSlash : BitwardenIcons.Eye;
@@ -233,8 +234,8 @@ namespace Bit.App.Pages
                 }
                 BiometricButtonVisible = true;
                 BiometricButtonText = AppResources.UseBiometricsToUnlock;
-                // TODO Xamarin.Forms.Device.RuntimePlatform is no longer supported. Use Microsoft.Maui.Devices.DeviceInfo.Platform instead. For more details see https://learn.microsoft.com/en-us/dotnet/maui/migration/forms-projects#device-changes
-                if (Device.RuntimePlatform == Device.iOS)
+
+                if (DeviceInfo.Platform == DevicePlatform.iOS)
                 {
                     var supportsFace = await _deviceActionService.SupportsFaceBiometricAsync();
                     BiometricButtonText = supportsFace ? AppResources.UseFaceIDToUnlock :
@@ -330,6 +331,7 @@ namespace Bit.App.Pages
                     Pin = string.Empty;
                     await AppHelpers.ResetInvalidUnlockAttemptsAsync();
                     await SetUserKeyAndContinueAsync(userKey);
+                    await Task.Delay(150); //Workaround Delay to avoid "duplicate" execution of SubmitAsync on Android when invoked from the ReturnCommand
                 }
             }
             catch (LegacyUserException)
@@ -418,6 +420,7 @@ namespace Bit.App.Pages
                 var userKey = await _cryptoService.DecryptUserKeyWithMasterKeyAsync(masterKey);
                 await _cryptoService.SetMasterKeyAsync(masterKey);
                 await SetUserKeyAndContinueAsync(userKey);
+                await Task.Delay(150); //Workaround Delay to avoid "duplicate" execution of SubmitAsync on Android when invoked from the ReturnCommand
 
                 // Re-enable biometrics
                 if (BiometricEnabled & !BiometricIntegrityValid)
@@ -515,7 +518,7 @@ namespace Bit.App.Pages
                 var success = await _platformUtilsService.AuthenticateBiometricAsync(null,
                     PinEnabled ? AppResources.PIN : AppResources.MasterPassword,
                     () => _secretEntryFocusWeakEventManager.RaiseEvent((int?)null, nameof(FocusSecretEntry)),
-                    !PinEnabled && !HasMasterPassword);
+                    !PinEnabled && !HasMasterPassword) ?? false;
 
                 await _stateService.SetBiometricLockedAsync(!success);
                 if (success)

src/Core/Pages/Accounts/LoginApproveDevicePage.xaml.cs

@@ -35,6 +35,8 @@ namespace Bit.App.Pages
             {
                 return;
             }
+            
+            _appOptions.HasJustLoggedInOrUnlocked = true;
             var previousPage = await AppHelpers.ClearPreviousPage();
             App.MainPage = new TabsPage(_appOptions, previousPage);
         }

src/Core/Pages/Accounts/LoginPage.xaml.cs

@@ -195,6 +195,8 @@ namespace Bit.App.Pages
                 {
                     return;
                 }
+                
+                _appOptions.HasJustLoggedInOrUnlocked = true;
                 var previousPage = await AppHelpers.ClearPreviousPage();
                 App.MainPage = new TabsPage(_appOptions, previousPage);
             }

src/Core/Pages/Accounts/LoginPasswordlessPage.xaml

@@ -39,7 +39,7 @@
                     FontSize="Small"
                     FontAttributes="Bold"/>
                 <controls:MonoLabel
-                    FormattedText="{Binding LoginRequest.FingerprintPhrase}"
+                    Text="{Binding LoginRequest.FingerprintPhrase}"
                     FontSize="Medium"
                     TextColor="{DynamicResource FingerprintPhrase}"
                     Margin="0,0,0,27"
@@ -85,7 +85,6 @@
         <Button
                 Text="{u:I18n DenyLogIn}"
                 Command="{Binding RejectRequestCommand}"
-                StyleClass="btn-secundary"
                 AutomationId="DenyLoginButton" />
 
     </StackLayout>

src/Core/Pages/Accounts/LoginPasswordlessRequestPage.xaml

@@ -41,7 +41,7 @@
                 FontSize="Small"
                 FontAttributes="Bold" />
             <controls:MonoLabel
-                FormattedText="{Binding FingerprintPhrase}"
+                Text="{Binding FingerprintPhrase}"
                 FontSize="Small"
                 TextColor="{DynamicResource FingerprintPhrase}"
                 AutomationId="FingerprintPhraseValue" />

src/Core/Pages/Accounts/LoginPasswordlessRequestPage.xaml.cs

@@ -55,6 +55,8 @@ namespace Bit.App.Pages
                 {
                     return;
                 }
+                
+                _appOptions.HasJustLoggedInOrUnlocked = true;
                 var previousPage = await AppHelpers.ClearPreviousPage();
                 App.MainPage = new TabsPage(_appOptions, previousPage);
             }

src/Core/Pages/Accounts/LoginSsoPage.xaml.cs

@@ -21,6 +21,7 @@ namespace Bit.App.Pages
             InitializeComponent();
             _vm = BindingContext as LoginSsoPageViewModel;
             _vm.Page = this;
+            _vm.FromIosExtension = _appOptions?.IosExtension ?? false;
             _vm.StartTwoFactorAction = () => MainThread.BeginInvokeOnMainThread(async () => await StartTwoFactorAsync());
             _vm.StartSetPasswordAction = () =>
                 MainThread.BeginInvokeOnMainThread(async () => await StartSetPasswordAsync());

src/Core/Pages/Accounts/LoginSsoPageViewModel.cs

@@ -15,6 +15,16 @@ using Bit.Core.Utilities;
 using Microsoft.Maui.Authentication;
 using Microsoft.Maui.Networking;
 using NetworkAccess = Microsoft.Maui.Networking.NetworkAccess;
+using Org.BouncyCastle.Asn1.Ocsp;
+
+#if IOS
+using AuthenticationServices;
+using Foundation;
+using UIKit;
+using WebAuthenticator = Bit.Core.Utilities.MAUI.WebAuthenticator;
+using WebAuthenticatorResult = Bit.Core.Utilities.MAUI.WebAuthenticatorResult;
+using WebAuthenticatorOptions = Bit.Core.Utilities.MAUI.WebAuthenticatorOptions;
+#endif
 
 namespace Bit.App.Pages
 {
@@ -64,6 +74,8 @@ namespace Bit.App.Pages
             set => SetProperty(ref _orgIdentifier, value);
         }
 
+        public bool FromIosExtension { get; set; }
+
         public ICommand LogInCommand { get; }
         public Action StartTwoFactorAction { get; set; }
         public Action StartSetPasswordAction { get; set; }
@@ -153,6 +165,9 @@ namespace Bit.App.Pages
                     CallbackUrl = new Uri(REDIRECT_URI),
                     Url = new Uri(url),
                     PrefersEphemeralWebBrowserSession = _useEphemeralWebBrowserSession,
+#if IOS
+                    ShouldUseSharedApplicationKeyWindow = FromIosExtension
+#endif
                 });
 
                 var code = GetResultCode(authResult, state);

src/Core/Pages/Accounts/SetPasswordPage.xaml.cs

@@ -71,6 +71,8 @@ namespace Bit.App.Pages
                 {
                     return;
                 }
+                
+                _appOptions.HasJustLoggedInOrUnlocked = true;
                 var previousPage = await AppHelpers.ClearPreviousPage();
                 App.MainPage = new TabsPage(_appOptions, previousPage);
             }

src/Core/Pages/Accounts/TwoFactorPage.xaml

@@ -132,14 +132,26 @@
                     </StackLayout>
                 </StackLayout>
             </StackLayout>
-            <StackLayout Spacing="0" Padding="0" IsVisible="{Binding DuoMethod, Mode=OneWay}"
-                         VerticalOptions="StartAndExpand">
+            <StackLayout
+                Spacing="0"
+                Padding="0"
+                IsVisible="{Binding DuoMethod, Mode=OneWay}"
+                VerticalOptions="FillAndExpand">
+                <Label
+                    StyleClass="box"
+                    Text="{Binding DuoFramelessLabel}"
+                    HorizontalOptions="StartAndExpand" 
+                    Margin="10,21"
+                    IsVisible="{Binding IsDuoFrameless}"/>
                 <controls:HybridWebView
                     x:Name="_duoWebView"
                     HorizontalOptions="FillAndExpand"
                     VerticalOptions="FillAndExpand"
-                    HeightRequest="{Binding DuoWebViewHeight, Mode=OneWay}" />
-                <StackLayout StyleClass="box" VerticalOptions="End">
+                    HeightRequest="{Binding DuoWebViewHeight, Mode=OneWay}"
+                    IsVisible="{Binding IsDuoFrameless, Converter={StaticResource inverseBool}}"/>
+                <StackLayout
+                    StyleClass="box"
+                    VerticalOptions="End">
                     <StackLayout StyleClass="box-row, box-row-switch">
                         <Label
                             Text="{u:I18n RememberMe}"
@@ -151,6 +163,12 @@
                             HorizontalOptions="End" />
                     </StackLayout>
                 </StackLayout>
+                <Button Text="{u:I18n LaunchDuo}"
+                    Margin="10,21"
+                    StyleClass="btn-primary"
+                    Command="{Binding AuthenticateWithDuoFramelessCommand}"
+                    AutomationId="DuoFramelessButton"
+                    IsVisible="{Binding IsDuoFrameless}"/>
             </StackLayout>
             <StackLayout
                 Spacing="0"

src/Core/Pages/Accounts/TwoFactorPage.xaml.cs

@@ -206,6 +206,8 @@ namespace Bit.App.Pages
             {
                 return;
             }
+
+            _appOptions.HasJustLoggedInOrUnlocked = true;
             var previousPage = await AppHelpers.ClearPreviousPage();
             App.MainPage = new TabsPage(_appOptions, previousPage);
         }

src/Core/Pages/Accounts/TwoFactorPageViewModel.cs

@@ -2,6 +2,7 @@
 using System.Windows.Input;
 using Bit.App.Abstractions;
 using Bit.App.Utilities;
+using Bit.Core;
 using Bit.Core.Abstractions;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -34,6 +35,7 @@ namespace Bit.App.Pages
         private string _webVaultUrl = "https://vault.bitwarden.com";
         private bool _enableContinue = false;
         private bool _showContinue = true;
+        private bool _isDuoFrameless = false;
         private double _duoWebViewHeight;
 
         public TwoFactorPageViewModel()
@@ -56,6 +58,7 @@ namespace Bit.App.Pages
             PageTitle = AppResources.TwoStepLogin;
             SubmitCommand = CreateDefaultAsyncRelayCommand(() => MainThread.InvokeOnMainThreadAsync(async () => await SubmitAsync()), allowsMultipleExecutions: false);
             MoreCommand = CreateDefaultAsyncRelayCommand(MoreAsync, onException: _logger.Exception, allowsMultipleExecutions: false);
+            AuthenticateWithDuoFramelessCommand = CreateDefaultAsyncRelayCommand(DuoFramelessAuthenticateAsync, allowsMultipleExecutions: false);
         }
 
         public string TotpInstruction
@@ -103,6 +106,16 @@ namespace Bit.App.Pages
             set => SetProperty(ref _enableContinue, value);
         }
 
+        public bool IsDuoFrameless
+        {
+            get => _isDuoFrameless;
+            set => SetProperty(ref _isDuoFrameless, value, additionalPropertyNames: new string[] { nameof(DuoFramelessLabel) });
+        }
+
+        public string DuoFramelessLabel => SelectedProviderType == TwoFactorProviderType.OrganizationDuo ?
+            $"{AppResources.DuoTwoStepLoginIsRequiredForYourAccount} {AppResources.FollowTheStepsFromDuoToFinishLoggingIn}" :
+            AppResources.FollowTheStepsFromDuoToFinishLoggingIn;
+
 #if IOS
         public string YubikeyInstruction => AppResources.YubiKeyInstructionIos;
 #else
@@ -125,6 +138,7 @@ namespace Bit.App.Pages
         }
         public ICommand SubmitCommand { get; }
         public ICommand MoreCommand { get; }
+        public ICommand AuthenticateWithDuoFramelessCommand { get; }
         public Action TwoFactorAuthSuccessAction { get; set; }
         public Action LockAction { get; set; }
         public Action StartDeviceApprovalOptionsAction { get; set; }
@@ -179,15 +193,29 @@ namespace Bit.App.Pages
                     break;
                 case TwoFactorProviderType.Duo:
                 case TwoFactorProviderType.OrganizationDuo:
-                    SetDuoWebViewHeight();
-                    var host = WebUtility.UrlEncode(providerData["Host"] as string);
-                    var req = WebUtility.UrlEncode(providerData["Signature"] as string);
-                    page.DuoWebView.Uri = $"{_webVaultUrl}/duo-connector.html?host={host}&request={req}";
-                    page.DuoWebView.RegisterAction(sig =>
+                    IsDuoFrameless = providerData.ContainsKey("AuthUrl");
+                    if (!IsDuoFrameless)
                     {
-                        Token = sig;
-                        SubmitCommand.Execute(null);
-                    });
+                        SetDuoWebViewHeight();
+                        var host = WebUtility.UrlEncode(providerData["Host"] as string);
+                        var req = WebUtility.UrlEncode(providerData["Signature"] as string);
+                        page.DuoWebView.Uri = $"{_webVaultUrl}/duo-connector.html?host={host}&request={req}";
+                        page.DuoWebView.RegisterAction(sig =>
+                        {
+                            Token = sig;
+                            MainThread.BeginInvokeOnMainThread(async () =>
+                            {
+                                try
+                                {
+                                    await SubmitAsync();
+                                }
+                                catch (Exception ex)
+                                {
+                                    HandleException(ex);
+                                }
+                            });
+                        });
+                    }
                     break;
                 case TwoFactorProviderType.Email:
                     TotpInstruction = string.Format(AppResources.EnterVerificationCodeEmail,
@@ -211,6 +239,77 @@ namespace Bit.App.Pages
             ShowContinue = !(SelectedProviderType == null || DuoMethod || Fido2Method);
         }
 
+        private async Task DuoFramelessAuthenticateAsync()
+        {
+            await _deviceActionService.ShowLoadingAsync(AppResources.Validating);
+
+            if (!_authService.TwoFactorProvidersData.TryGetValue(SelectedProviderType.Value, out var providerData) ||
+                !providerData.TryGetValue("AuthUrl", out var urlObject))
+            {
+                throw new InvalidOperationException("Duo authentication error: Could not get ProviderData or AuthUrl");
+            }
+
+            var url = urlObject as string;
+            if (string.IsNullOrWhiteSpace(url))
+            {
+                throw new ArgumentNullException("Duo authentication error: Could not get valid auth url");
+            }
+
+            WebAuthenticatorResult authResult;
+            try
+            {
+                authResult = await WebAuthenticator.AuthenticateAsync(new WebAuthenticatorOptions
+                {
+                    Url = new Uri(url),
+                    CallbackUrl = new Uri(Constants.DuoCallback)
+                });
+            }
+            catch (TaskCanceledException)
+            {
+                // user canceled
+                await _deviceActionService.HideLoadingAsync();
+                return;
+            }
+
+            await _deviceActionService.HideLoadingAsync();
+            if (authResult == null || authResult.Properties == null)
+            {
+                throw new InvalidOperationException("Duo authentication error: Could not get result from authentication");
+            }
+
+            if (authResult.Properties.TryGetValue("error", out var resultError))
+            {
+                _logger.Error(resultError);
+                await _platformUtilsService.ShowDialogAsync(AppResources.AnErrorHasOccurred, AppResources.Ok);
+                return;
+            }
+
+            string code = null;
+            if (authResult.Properties.TryGetValue("code", out var resultCodeData))
+            {
+                code = Uri.UnescapeDataString(resultCodeData);
+            }
+
+            if (string.IsNullOrWhiteSpace(code))
+            {
+                throw new ArgumentException("Duo authentication error: response code is null or empty/whitespace");
+            }
+
+            string state = null;
+            if (authResult.Properties.TryGetValue("state", out var resultStateData))
+            {
+                state = Uri.UnescapeDataString(resultStateData);
+            }
+
+            if (string.IsNullOrWhiteSpace(state))
+            {
+                throw new ArgumentException("Duo authentication error: response state is null or empty/whitespace");
+            }
+
+            Token = $"{code}|{state}";
+            await SubmitAsync(true);
+        }
+        
         public void SetDuoWebViewHeight()
         {
             var screenHeight = DeviceDisplay.MainDisplayInfo.Height / DeviceDisplay.MainDisplayInfo.Density;

src/Core/Pages/AndroidNavigationRedirectPage.xaml.cs

@@ -1,20 +1,40 @@
 using Bit.App.Abstractions;
+using Bit.App.Models;
+using Bit.App.Pages;
+using Bit.Core.Abstractions;
+using Bit.Core.Services;
 using Bit.Core.Utilities;
 
 namespace Bit.Core.Pages;
 
 public partial class AndroidNavigationRedirectPage : ContentPage
 {
-    private readonly IAccountsManager _accountsManager;
-
-	public AndroidNavigationRedirectPage()
+    private AppOptions _options;
+	public AndroidNavigationRedirectPage(AppOptions options)
     {
-        _accountsManager = ServiceContainer.Resolve<IAccountsManager>("accountsManager");
+        _options = options ?? new AppOptions();
+
 		InitializeComponent();
 	}
 
     private void AndroidNavigationRedirectPage_OnLoaded(object sender, EventArgs e)
     {
-        _accountsManager.NavigateOnAccountChangeAsync().FireAndForget();
+        if (ServiceContainer.TryResolve<IAccountsManager>(out var accountsManager))
+        {
+            accountsManager.NavigateOnAccountChangeAsync().FireAndForget();
+        }
+        else
+        {
+            Bit.App.App.MainPage = new NavigationPage(new HomePage(_options)); //Fallback scenario to load HomePage just in case something goes wrong when resolving IAccountsManager
+        }
+
+        if (ServiceContainer.TryResolve<IConditionedAwaiterManager>(out var conditionedAwaiterManager))
+        {
+            conditionedAwaiterManager?.SetAsCompleted(AwaiterPrecondition.AndroidWindowCreated);
+        }
+        else
+        {
+            LoggerHelper.LogEvenIfCantBeResolved(new InvalidOperationException("ConditionedAwaiterManager can't be resolved on Android Navigation redirection"));
+        }
     }
 }

src/Core/Pages/Send/SendAddEditPage.xaml

@@ -266,6 +266,8 @@
                                 AutomationId="SendShowHideOptionsButton" />
                             <controls:IconButton
                                 x:Name="_btnOptionsUp"
+                                InputTransparent="True"
+                                MinimumWidthRequest="25"
                                 Text="{Binding Source={x:Static core:BitwardenIcons.ChevronUp}}"
                                 StyleClass="box-row-button"
                                 TextColor="{DynamicResource PrimaryColor}"
@@ -274,6 +276,8 @@
                                 AutomationId="SendOptionsDisplayed" />
                             <controls:IconButton
                                 x:Name="_btnOptionsDown"
+                                InputTransparent="True"
+                                MinimumWidthRequest="25"
                                 Text="{Binding Source={x:Static core:BitwardenIcons.AngleDown}}"
                                 StyleClass="box-row-button"
                                 TextColor="{DynamicResource PrimaryColor}"