PM-7052 WIP fix theme change on iOS Autofill extension (with ClipLogger activated)

* PM-6798 Force state update when opening the Autofill extension

* PM-6798 Fix InitAppIfNeededAsync to be awaited and also ignored Fido2AuthenticatorException from logging them to AppCenter since they don't add much information and we're logging in other places what we need

.github/CODEOWNERS

@@ -21,6 +21,7 @@ src/App/Platforms/iOS/Info.plist
 
 ## Platform team files ##
 appIcons @bitwarden/team-platform-dev
+build.cake @bitwarden/team-platform-dev
 
 ## Vault team files ##
 src/watchOS @bitwarden/team-vault-dev

.github/workflows/build-beta.yml

@@ -3,348 +3,3 @@ name: Build Beta
 
 on:
   workflow_dispatch:
-    inputs:
-      ref:
-        description: 'Branch or tag to build'
-        required: true
-        default: 'main'
-        type: string
-
-env:
-  main_app_folder_path: src/App
-  main_app_project_path: src/App/App.csproj
-  target-net-version: net8.0
-
-jobs:
-  setup:
-    name: Setup
-    runs-on: ubuntu-22.04
-    outputs:
-      rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }}
-      hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }}
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          submodules: 'true'
-
-      - name: Check if special branches exist
-        id: branch-check
-        run: |
-          if [[ $(git ls-remote --heads origin rc) ]]; then
-            echo "rc_branch_exists=1" >> $GITHUB_OUTPUT
-          else
-            echo "rc_branch_exists=0" >> $GITHUB_OUTPUT
-          fi
-
-          if [[ $(git ls-remote --heads origin hotfix-rc) ]]; then
-            echo "hotfix_branch_exists=1" >> $GITHUB_OUTPUT
-          else
-            echo "hotfix_branch_exists=0" >> $GITHUB_OUTPUT
-          fi
-
-  ios:
-    name: Apple iOS
-    runs-on: macos-13
-    needs: setup
-    env:
-      ios_folder_path: src/App/Platforms/iOS
-      app_output_name: App
-      app_ci_output_filename: App_x64_Debug
-    steps:
-      - name: Set XCode version
-        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
-        with:
-          xcode-version: 15.1
-
-      - name: Setup NuGet
-        uses: nuget/setup-nuget@296fd3ccf8528660c91106efefe2364482f86d6f # v1.2.0
-        with:
-          nuget-version: 6.4.0
-      
-      - name: Set up .NET
-        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
-        with:
-          dotnet-version: '8.0.x'
-  
-      # This step might be obsolete at some point as .NET MAUI workloads 
-      # are starting to come pre-installed on the GH Actions build agents.
-      - name: Install MAUI Workload
-        run: dotnet workload install maui --ignore-failed-sources
-
-      - name: Print environment
-        run: |
-          nuget help | grep Version
-          dotnet --info
-          echo "GitHub ref: $GITHUB_REF"
-          echo "GitHub event: $GITHUB_EVENT"
-
-      - name: Checkout repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-          ref: ${{ inputs.ref }}
-          submodules: 'true'
-
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "appcenter-ios-token"
-
-      - name: Download Provisioning Profiles secrets
-        env:
-          ACCOUNT_NAME: bitwardenci
-          CONTAINER_NAME: profiles
-        run: |
-          mkdir -p $HOME/secrets
-          profiles=(
-              "dist_beta_autofill.mobileprovision"
-              "dist_beta_bitwarden.mobileprovision"
-              "dist_beta_extension.mobileprovision"
-              "dist_beta_share_extension.mobileprovision"
-              "dist_beta_bitwarden_watch_app.mobileprovision"
-              "dist_beta_bitwarden_watch_app_extension.mobileprovision"
-          )
-
-          for FILE in "${profiles[@]}"
-          do
-            az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
-              --file $HOME/secrets/$FILE --output none
-          done
-
-      - name: Download Google Services secret
-        env:
-          ACCOUNT_NAME: bitwardenci
-          CONTAINER_NAME: mobile
-          FILE: GoogleService-Info.plist
-        run: |
-          mkdir -p $HOME/secrets
-          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
-            --file $HOME/secrets/$FILE --output none
-
-      - name: Increment version
-        run: |
-          BUILD_NUMBER=$((100 + $GITHUB_RUN_NUMBER))
-          echo "##### Setting CFBundleVersion $BUILD_NUMBER"
-
-          echo "### CFBundleVersion $BUILD_NUMBER" >> $GITHUB_STEP_SUMMARY
-
-          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./${{ env.ios_folder_path }}/Info.plist
-          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Extension/Info.plist
-          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Autofill/Info.plist
-          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.ShareExtension/Info.plist
-          cd src/watchOS/bitwarden
-          agvtool new-version -all  $BUILD_NUMBER
-
-      - name: Update Entitlements
-        run: |
-          echo "##### Updating Entitlements"
-          perl -0777 -pi.bak -e 's/<key>aps-environment<\/key>\s*<string>development<\/string>/<key>aps-environment<\/key>\n\t<string>beta<\/string>/' ./${{ env.ios_folder_path }}/Entitlements.plist
-
-      - name: Get certificates
-        run: |
-          mkdir -p $HOME/certificates
-          az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/ios-distribution |
-            jq -r .value | base64 -d > $HOME/certificates/ios-distribution.p12
-
-      - name: Set up Keychain
-        env:
-          KEYCHAIN_PASSWORD: ${{ secrets.IOS_KEYCHAIN_PASSWORD }}
-          MOBILE_KEY_PASSWORD: ${{ secrets.IOS_KEY_PASSWORD }}
-          DIST_CERT_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }}
-        run: |
-          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
-          security default-keychain -s build.keychain
-          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
-          security set-keychain-settings -lut 1200 build.keychain
-
-          security import $HOME/certificates/ios-distribution.p12 -k build.keychain -P "" -T /usr/bin/codesign \
-            -T /usr/bin/security
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
-
-      - name: Set up provisioning profiles
-        run: |
-          AUTOFILL_PROFILE_PATH=$HOME/secrets/dist_beta_autofill.mobileprovision
-          BITWARDEN_PROFILE_PATH=$HOME/secrets/dist_beta_bitwarden.mobileprovision
-          EXTENSION_PROFILE_PATH=$HOME/secrets/dist_beta_extension.mobileprovision
-          SHARE_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_beta_share_extension.mobileprovision
-          WATCH_APP_PROFILE_PATH=$HOME/secrets/dist_beta_bitwarden_watch_app.mobileprovision
-          WATCH_APP_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_beta_bitwarden_watch_app_extension.mobileprovision
-          PROFILES_DIR_PATH=$HOME/Library/MobileDevice/Provisioning\ Profiles
-
-          mkdir -p "$PROFILES_DIR_PATH"
-
-          AUTOFILL_UUID=$(grep UUID -A1 -a $AUTOFILL_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
-          cp $AUTOFILL_PROFILE_PATH "$PROFILES_DIR_PATH/$AUTOFILL_UUID.mobileprovision"
-
-          BITWARDEN_UUID=$(grep UUID -A1 -a $BITWARDEN_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
-          cp $BITWARDEN_PROFILE_PATH "$PROFILES_DIR_PATH/$BITWARDEN_UUID.mobileprovision"
-
-          EXTENSION_UUID=$(grep UUID -A1 -a $EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
-          cp $EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$EXTENSION_UUID.mobileprovision"
-
-          SHARE_EXTENSION_UUID=$(grep UUID -A1 -a $SHARE_EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
-          cp $SHARE_EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$SHARE_EXTENSION_UUID.mobileprovision"
-
-          WATCH_APP_UUID=$(grep UUID -A1 -a $WATCH_APP_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
-          cp $WATCH_APP_PROFILE_PATH "$PROFILES_DIR_PATH/$WATCH_APP_UUID.mobileprovision"
-
-          WATCH_APP_EXTENSION_UUID=$(grep UUID -A1 -a $WATCH_APP_EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}")
-          cp $WATCH_APP_EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$WATCH_APP_EXTENSION_UUID.mobileprovision"
-
-      - name: Restore packages
-        run: |
-          dotnet restore
-          dotnet tool restore
-
-      - name: Setup iOS build CAKE (Testing)
-        run: dotnet cake build.cake --target iOS --variant beta
-
-      - name: Bulid WatchApp
-        run: |
-          echo "##### Build WatchApp with Release Configuration"
-          xcodebuild archive -workspace ./src/watchOS/bitwarden/bitwarden.xcodeproj/project.xcworkspace -configuration Release -scheme bitwarden\ WatchKit\ App -archivePath ./src/watchOS/bitwarden
-
-          echo "##### Done"
-
-      - name: Archive Build for App Store
-        shell: pwsh
-        run: |
-          Write-Output "##### Archive for Release ios-arm64"
-          dotnet publish ${{ env.main_app_project_path }} -c Release -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=ios-arm64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false
-
-          Write-Output "##### Done"
-
-      - name: Archive Build for Mobile Automation
-        shell: pwsh
-        run: |
-          Write-Output "##### Archive Debug for iossimulator-x64"
-          dotnet build ${{ env.main_app_project_path }} -c Debug -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=iossimulator-x64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false
-
-          Write-Output "##### Done"
-          ls ~/Library/Developer/Xcode/Archives
-          
-      - name: Export .ipa for App Store
-        env:
-          EXPORT_OPTIONS_PATH: ./.github/resources/export-options-app-store.plist
-          EXPORT_PATH: ./bitwarden-export
-        run: |
-          ARCHIVE_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive"
-
-          xcodebuild -exportArchive -archivePath $ARCHIVE_PATH -exportPath $EXPORT_PATH \
-            -exportOptionsPlist $EXPORT_OPTIONS_PATH
-
-      - name: Export .app for Automation CI
-        env:
-          ARCHIVE_PATH: ./${{ env.main_app_folder_path }}/bin/Debug/${{ env.target-net-version }}-ios/iossimulator-x64
-          EXPORT_PATH: ./bitwarden-export
-        run: |
-          zip -r -q ${{ env.app_ci_output_filename }}.app.zip $ARCHIVE_PATH
-          mv ${{ env.app_ci_output_filename }}.app.zip $EXPORT_PATH
-
-      - name: Show Bitwarden Export
-        shell: bash
-        run:  ls -a -R ./bitwarden-export
-
-      - name: Copy all dSYMs files to upload
-        env:
-          EXPORT_PATH: ./bitwarden-export
-          WATCH_ARCHIVE_DSYMS_PATH: ./src/watchOS/bitwarden.xcarchive/dSYMs/
-          WATCH_DSYMS_EXPORT_PATH: ./bitwarden-export/Watch_dSYMs
-        run: |
-          ARCHIVE_DSYMS_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive/dSYMs"
-
-          cp -r -v $ARCHIVE_DSYMS_PATH $EXPORT_PATH
-          mkdir $WATCH_DSYMS_EXPORT_PATH
-          cp -r -v $WATCH_ARCHIVE_DSYMS_PATH $WATCH_DSYMS_EXPORT_PATH
-
-      - name: Upload App Store .ipa & dSYMs artifacts
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-        with:
-          name: Bitwarden iOS
-          path: |
-            ./bitwarden-export/Bitwarden*.ipa
-            ./bitwarden-export/dSYMs/*.*
-          if-no-files-found: error
-
-      - name: Upload .app file for Automation CI
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-        with:
-          name: ${{ env.app_ci_output_filename }}.app.zip
-          path: ./bitwarden-export/${{ env.app_ci_output_filename }}.app.zip
-          if-no-files-found: error
-
-      - name: Install AppCenter CLI
-        run: npm install -g appcenter-cli
-
-      - name: Upload dSYMs to App Center
-        env:
-          APPCENTER_IOS_TOKEN: ${{ steps.retrieve-secrets.outputs.appcenter-ios-token }}
-        run: appcenter crashes upload-symbols -a bitwarden/bitwarden -s "./bitwarden-export/dSYMs" --token $APPCENTER_IOS_TOKEN
-
-      - name: Upload Watch dSYMs to Firebase Crashlytics
-        run: |
-          echo "##### Uploading Watch dSYMs to Firebase"
-          find "$HOME/Library/Developer/XCode/DerivedData" -name "upload-symbols" -exec chmod +x {} \; -exec {} -gsp "./src/watchOS/bitwarden/GoogleService-Info.plist" -p ios "./bitwarden-export/Watch_dSYMs" \;
-
-      - name: Validate app in App Store
-        env:
-          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
-          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-        run: |
-          xcrun altool --validate-app --type ios --file "./bitwarden-export/Bitwarden Beta.ipa" \
-              --username "$APPLE_ID_USERNAME" --password "$APPLE_ID_PASSWORD"
-        shell: bash
-
-      - name: Deploy to App Store
-        env:
-          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
-          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-        run: |
-          xcrun altool --upload-app --type ios --file "./bitwarden-export/Bitwarden Beta.ipa" \
-              --username "$APPLE_ID_USERNAME" --password "$APPLE_ID_PASSWORD"
-
-  check-failures:
-    name: Check for failures
-    if: always()
-    runs-on: ubuntu-22.04
-    needs:
-      - setup
-      - ios
-    steps:
-      - name: Check if any job failed
-        if: |
-          (github.ref == 'refs/heads/main'
-          || github.ref == 'refs/heads/rc'
-          || github.ref == 'refs/heads/hotfix-rc')
-          && contains(needs.*.result, 'failure')
-        run: exit 1
-
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
-        if: failure()
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        if: failure()
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "devops-alerts-slack-webhook-url"
-
-      - name: Notify Slack on failure
-        uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
-        if: failure()
-        env:
-          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
-        with:
-          status: ${{ job.status }}

.github/workflows/build.yml

@@ -305,7 +305,7 @@ jobs:
           nuget-version: 6.4.0
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
+        uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
         with:
           dotnet-version: '8.0.x'
 
@@ -453,7 +453,7 @@ jobs:
           nuget-version: 6.4.0
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
+        uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
         with:
           dotnet-version: '8.0.x'
 

.github/workflows/crowdin-pull.yml

@@ -15,7 +15,7 @@ jobs:
       _CROWDIN_PROJECT_ID: "269690"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Login to Azure - CI Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0

.github/workflows/pr-labeler.yml

@@ -12,6 +12,6 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+      - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594  # v4.3.0
         with:
           sync-labels: true

.github/workflows/release.yml

@@ -38,7 +38,7 @@ jobs:
           fi
 
       - name: Checkout repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Check Release Version
         id: version
@@ -126,7 +126,7 @@ jobs:
     if: inputs.fdroid_publish
     steps:
       - name: Checkout repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Download F-Droid .apk artifact
         if: ${{ inputs.release_type != 'Dry Run' }}

.gitignore

@@ -148,6 +148,7 @@ publish/
 
 # NuGet Packages
 *.nupkg
+!**/Xamarin.AndroidX.Credentials.1.0.0.nupkg
 # The packages folder can be ignored because of Package Restore
 **/packages/*
 # except build/, which is used as an MSBuild target.

README.md

@@ -12,7 +12,7 @@ The Bitwarden mobile application is written in C# using .NET MAUI.
 
 # Build/Run
 
-Please refer to the [Mobile section](https://contributing.bitwarden.com/getting-started/mobile/) of the [Contributing Documentation](https://contributing.bitwarden.com/) for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.
+Please refer to the [Mobile section](https://contributing.bitwarden.com/getting-started/clients/mobile/) of the [Contributing Documentation](https://contributing.bitwarden.com/) for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.
 
 # We're Hiring!
 

build.cake

@@ -15,18 +15,16 @@ abstract record VariantConfig(
     string AppName, 
     string AndroidPackageName,
     string iOSBundleId,
-    string ApsEnvironment,
-    string DistProvisioningProfilePrefix
+    string ApsEnvironment
     );
 
 const string BASE_BUNDLE_ID_DROID = "com.x8bit.bitwarden";
 const string BASE_BUNDLE_ID_IOS = "com.8bit.bitwarden";
 
-//NOTE: Beta iOS variants have a different ITSEncryptionExportComplianceCode 
-record Dev(): VariantConfig("Bitwarden Dev", $"{BASE_BUNDLE_ID_DROID}.dev", $"{BASE_BUNDLE_ID_IOS}.dev", "development", "Dist:");
-record QA(): VariantConfig("Bitwarden QA", $"{BASE_BUNDLE_ID_DROID}.qa", $"{BASE_BUNDLE_ID_IOS}.qa", "development", "Dist:");
-record Beta(): VariantConfig("Bitwarden Beta", $"{BASE_BUNDLE_ID_DROID}.beta", $"{BASE_BUNDLE_ID_IOS}.beta", "production", "Dist: Beta");
-record Prod(): VariantConfig("Bitwarden", $"{BASE_BUNDLE_ID_DROID}", $"{BASE_BUNDLE_ID_IOS}", "production", "Dist:");
+record Dev(): VariantConfig("Bitwarden Dev", $"{BASE_BUNDLE_ID_DROID}.dev", $"{BASE_BUNDLE_ID_IOS}.dev", "development");
+record QA(): VariantConfig("Bitwarden QA", $"{BASE_BUNDLE_ID_DROID}.qa", $"{BASE_BUNDLE_ID_IOS}.qa", "development");
+record Beta(): VariantConfig("Bitwarden Beta", $"{BASE_BUNDLE_ID_DROID}.beta", $"{BASE_BUNDLE_ID_IOS}.beta", "production");
+record Prod(): VariantConfig("Bitwarden", $"{BASE_BUNDLE_ID_DROID}", $"{BASE_BUNDLE_ID_IOS}", "production");
 
 VariantConfig GetVariant() => variant.ToLower() switch{
     "qa" => new QA(),
@@ -199,8 +197,7 @@ private void UpdateiOSInfoPlist(string plistPath, VariantConfig buildVariant, Gi
     var prevBundleId = plist["CFBundleIdentifier"];
     var prevBundleName = plist["CFBundleName"];
     //var newVersion = CreateBuildNumber(prevVersion).ToString();
-    // we need to maintain version formatting here composed of one to three period-separated integers, so we cannot use the GetVersionName method as in Android for non-Prod.
-    var newVersionName = prevVersionName;
+    var newVersionName = GetVersionName(prevVersionName, buildVariant, git);
     var newBundleId = GetiOSBundleId(buildVariant, projectType);
     var newBundleName = GetiOSBundleName(buildVariant, projectType);
 
@@ -222,11 +219,6 @@ private void UpdateiOSInfoPlist(string plistPath, VariantConfig buildVariant, Gi
         plist["NSExtension"]["NSExtensionAttributes"]["NSExtensionActivationRule"] = keyText.Replace("com.8bit.bitwarden", buildVariant.iOSBundleId);
     }
 
-    if(buildVariant is Beta)
-    {
-        plist["ITSEncryptionExportComplianceCode"] = "3dd3e32f-efa6-4d99-b410-28aa28b1cb77";
-    }
-
     SerializePlist(plistFile, plist);
 
     Information($"Changed app name from {prevBundleName} to {newBundleName}");
@@ -236,15 +228,12 @@ private void UpdateiOSInfoPlist(string plistPath, VariantConfig buildVariant, Gi
     Information($"{plistPath} updated with success!");
 }
 
-private void UpdateiOSEntitlementsPlist(string entitlementsPath, VariantConfig buildVariant, bool updateApsEnv)
+private void UpdateiOSEntitlementsPlist(string entitlementsPath, VariantConfig buildVariant)
 {
     var EntitlementlistFile = File(entitlementsPath);
     dynamic Entitlements = DeserializePlist(EntitlementlistFile);
 
-    if (updateApsEnv)
-    {
-        Entitlements["aps-environment"] = buildVariant.ApsEnvironment;
-    }
+    Entitlements["aps-environment"] = buildVariant.ApsEnvironment;
     Entitlements["keychain-access-groups"] = new List<string>() { "$(AppIdentifierPrefix)" + buildVariant.iOSBundleId };
     Entitlements["com.apple.security.application-groups"] = new List<string>() { $"group.{buildVariant.iOSBundleId}" };;
 
@@ -283,10 +272,9 @@ private void UpdateWatchPbxproj(string pbxprojPath, string newVersion)
     const string pattern = @"MARKETING_VERSION = [^;]*;";
 
     fileText = Regex.Replace(fileText, pattern, $"MARKETING_VERSION = {newVersion};");
-    
-    FileWriteText(pbxprojPath, fileText);
 
-    Information($"{pbxprojPath} modified Marketing Version successfully.");
+    FileWriteText(pbxprojPath, fileText);
+    Information($"{pbxprojPath} modified successfully.");
 }
 
 /// <summary>
@@ -339,7 +327,7 @@ Task("UpdateiOSPlist")
         var infoPath = Path.Combine(_slnPath, "src", "App", "Platforms", "iOS", "Info.plist");
         var entitlementsPath = Path.Combine(_slnPath, "src", "App", "Platforms", "iOS", "Entitlements.plist");
         UpdateiOSInfoPlist(infoPath, buildVariant, _gitVersion, iOSProjectType.MainApp);
-        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant, true);
+        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant);
     });
 
 Task("UpdateiOSAutofillPlist")
@@ -350,7 +338,7 @@ Task("UpdateiOSAutofillPlist")
         var infoPath = Path.Combine(_slnPath, "src", "iOS.Autofill", "Info.plist");
         var entitlementsPath = Path.Combine(_slnPath, "src", "iOS.Autofill", "Entitlements.plist");
         UpdateiOSInfoPlist(infoPath, buildVariant, _gitVersion, iOSProjectType.Autofill);
-        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant, false);
+        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant);
     });
 
 Task("UpdateiOSExtensionPlist")
@@ -361,7 +349,7 @@ Task("UpdateiOSExtensionPlist")
         var infoPath = Path.Combine(_slnPath, "src", "iOS.Extension", "Info.plist");
         var entitlementsPath = Path.Combine(_slnPath, "src", "iOS.Extension", "Entitlements.plist");
         UpdateiOSInfoPlist(infoPath, buildVariant, _gitVersion, iOSProjectType.Extension);
-        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant, false);
+        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant);
     });
 
 Task("UpdateiOSShareExtensionPlist")
@@ -372,7 +360,7 @@ Task("UpdateiOSShareExtensionPlist")
         var infoPath = Path.Combine(_slnPath, "src", "iOS.ShareExtension", "Info.plist");
         var entitlementsPath = Path.Combine(_slnPath, "src", "iOS.ShareExtension", "Entitlements.plist");
         UpdateiOSInfoPlist(infoPath, buildVariant, _gitVersion, iOSProjectType.ShareExtension);
-        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant, false);
+        UpdateiOSEntitlementsPlist(entitlementsPath, buildVariant);
     });
 
 Task("UpdateiOSCodeFiles")
@@ -409,22 +397,6 @@ Task("UpdateWatchKitAppInfoPlist")
         UpdateWatchKitAppInfoPlist(infoPath, buildVariant);
     });
 
-Task("UpdateDistProfiles")
-    .IsDependentOn("UpdateiOSCodeFiles")
-    .Does(()=> {
-        var buildVariant = GetVariant();
-    
-        var filesToReplace = new string[] {
-            Path.Combine(".github", "resources", "export-options-app-store.plist"),
-            Path.Combine(_slnPath, "src", "watchOS", "bitwarden", "bitwarden.xcodeproj", "project.pbxproj")
-        };
-
-        foreach(string path in filesToReplace)
-        {
-            ReplaceInFile(path, "Dist:", buildVariant.DistProvisioningProfilePrefix);
-        }
-    });
-
 #endregion iOS
 
 #region Main Tasks
@@ -446,7 +418,6 @@ Task("iOS")
     .IsDependentOn("UpdateiOSCodeFiles")
     .IsDependentOn("UpdateWatchProject")
     .IsDependentOn("UpdateWatchKitAppInfoPlist")
-    .IsDependentOn("UpdateDistProfiles")
     .Does(()=>
     {
         Information("iOS app updated");
@@ -466,4 +437,4 @@ Options:
     });
 #endregion Main Tasks
 
-RunTarget(target);
+RunTarget(target);

lib/android/Xamarin.AndroidX.Credentials/net8.0-android/Xamarin.AndroidX.Credentials.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<doc>
+    <assembly>
+        <name>Xamarin.AndroidX.Credentials</name>
+    </assembly>
+    <members>
+    </members>
+</doc>

nuget.config

@@ -2,5 +2,6 @@
 <configuration>
     <packageSources>
         <add key="MAUI Nightly builds" value="https://pkgs.dev.azure.com/xamarin/public/_packaging/maui-nightly/nuget/v3/index.json" />
+        <add key="Local AndroidX Credentials" value="lib/android/Xamarin.AndroidX.Credentials" />
     </packageSources>
 </configuration>

src/App/App.csproj

@@ -121,6 +121,7 @@
 	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">
 	  <PackageReference Include="Xamarin.AndroidX.AutoFill" Version="1.1.0.18" />
 	  <PackageReference Include="Xamarin.AndroidX.Activity.Ktx" Version="1.7.2.1" />
+      <PackageReference Include="Xamarin.AndroidX.Credentials" Version="1.0.0" />
 	</ItemGroup>
 	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android' AND !$(DefineConstants.Contains(FDROID))">
 	  <PackageReference Include="Xamarin.GooglePlayServices.SafetyNet" Version="118.0.1.5" />

src/App/Platforms/Android/AndroidManifest.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" android:versionCode="1" android:versionName="2024.4.0" android:installLocation="internalOnly" package="com.x8bit.bitwarden">
+<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" android:versionCode="1" android:versionName="2024.3.3" android:installLocation="internalOnly" package="com.x8bit.bitwarden">
 	<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34" />
 	<uses-permission android:name="android.permission.INTERNET" />
 	<uses-permission android:name="android.permission.NFC" />

src/App/Platforms/Android/Autofill/CredentialProviderConstants.cs

@@ -0,0 +1,9 @@
+namespace Bit.Droid.Autofill
+{
+    public class CredentialProviderConstants
+    {
+        public const string CredentialProviderCipherId = "credentialProviderCipherId";
+        public const string CredentialDataIntentExtra = "CREDENTIAL_DATA";
+        public const string CredentialIdIntentExtra = "credId";
+    }
+}

src/App/Platforms/Android/Autofill/CredentialProviderSelectionActivity.cs

@@ -0,0 +1,65 @@
+using System.Threading.Tasks;
+using Android.App;
+using Android.Content.PM;
+using Android.OS;
+using AndroidX.Credentials.Provider;
+using AndroidX.Credentials.WebAuthn;
+using Bit.Core.Abstractions;
+using Bit.Core.Utilities;
+using Bit.App.Droid.Utilities;
+
+namespace Bit.Droid.Autofill
+{
+    [Activity(
+        NoHistory = true,
+        LaunchMode = LaunchMode.SingleTop)]
+    public class CredentialProviderSelectionActivity : MauiAppCompatActivity
+    {
+        protected override void OnCreate(Bundle bundle)
+        {
+            Intent?.Validate();
+            base.OnCreate(bundle);
+
+            var cipherId = Intent?.GetStringExtra(CredentialProviderConstants.CredentialProviderCipherId);
+            if (string.IsNullOrEmpty(cipherId))
+            {
+                SetResult(Result.Canceled);
+                Finish();
+                return;
+            }
+
+            GetCipherAndPerformPasskeyAuthAsync(cipherId).FireAndForget();
+        }
+
+        private async Task GetCipherAndPerformPasskeyAuthAsync(string cipherId)
+        {
+            // TODO this is a work in progress
+            // https://developer.android.com/training/sign-in/credential-provider#passkeys-implement
+
+            var getRequest = PendingIntentHandler.RetrieveProviderGetCredentialRequest(Intent);
+            // var publicKeyRequest = getRequest?.CredentialOptions as PublicKeyCredentialRequestOptions;
+
+            var requestInfo = Intent.GetBundleExtra(CredentialProviderConstants.CredentialDataIntentExtra);
+            var credIdEnc = requestInfo?.GetString(CredentialProviderConstants.CredentialIdIntentExtra);
+
+            var cipherService = ServiceContainer.Resolve<ICipherService>();
+            var cipher = await cipherService.GetAsync(cipherId);
+            var decCipher = await cipher.DecryptAsync();
+
+            var passkey = decCipher.Login.Fido2Credentials.Find(f => f.CredentialId == credIdEnc);
+
+            var credId = Convert.FromBase64String(credIdEnc);
+            // var privateKey = Convert.FromBase64String(passkey.PrivateKey);
+            // var uid = Convert.FromBase64String(passkey.uid);
+
+            var origin = getRequest?.CallingAppInfo.Origin;
+            var packageName = getRequest?.CallingAppInfo.PackageName;
+
+            // --- continue WIP here (save TOTP copy as last step) ---
+
+            // Copy TOTP if needed
+            var autofillHandler = ServiceContainer.Resolve<IAutofillHandler>();
+            autofillHandler.Autofill(decCipher);
+        }
+    }
+}

src/App/Platforms/Android/Autofill/CredentialProviderService.cs

@@ -0,0 +1,147 @@
+using Android;
+using Android.App;
+using Android.Content;
+using Android.Graphics.Drawables;
+using Android.OS;
+using Android.Runtime;
+using AndroidX.Credentials.Provider;
+using Bit.Core.Abstractions;
+using Bit.Core.Utilities;
+using AndroidX.Credentials.Exceptions;
+using AndroidX.Credentials.WebAuthn;
+using Bit.Core.Models.View;
+using Resource = Microsoft.Maui.Resource;
+
+namespace Bit.Droid.Autofill
+{
+    [Service(Permission = Manifest.Permission.BindCredentialProviderService, Label = "Bitwarden", Exported = true)]
+    [IntentFilter(new string[] { "android.service.credentials.CredentialProviderService" })]
+    [MetaData("android.credentials.provider", Resource = "@xml/provider")]
+    [Register("com.x8bit.bitwarden.Autofill.CredentialProviderService")]
+    public class CredentialProviderService : AndroidX.Credentials.Provider.CredentialProviderService
+    {
+        private const string GetPasskeyIntentAction = "PACKAGE_NAME.GET_PASSKEY";
+        private const int UniqueRequestCode = 94556023;
+
+        private ICipherService _cipherService;
+        private IUserVerificationService _userVerificationService;
+        private IVaultTimeoutService _vaultTimeoutService;
+        private LazyResolve<ILogger> _logger = new LazyResolve<ILogger>("logger");
+
+        public override async void OnBeginCreateCredentialRequest(BeginCreateCredentialRequest request,
+            CancellationSignal cancellationSignal, IOutcomeReceiver callback) => throw new NotImplementedException();
+
+        public override async void OnBeginGetCredentialRequest(BeginGetCredentialRequest request,
+            CancellationSignal cancellationSignal, IOutcomeReceiver callback)
+        {
+            try
+            {
+                _vaultTimeoutService ??= ServiceContainer.Resolve<IVaultTimeoutService>();
+
+                await _vaultTimeoutService.CheckVaultTimeoutAsync();
+                var locked = await _vaultTimeoutService.IsLockedAsync();
+                if (!locked)
+                {
+                    var response = await ProcessGetCredentialsRequestAsync(request);
+                    callback.OnResult(response);
+                }
+                // TODO handle auth/unlock account flow
+            }
+            catch (GetCredentialException e)
+            {
+                _logger.Value.Exception(e);
+                callback.OnError(e.ErrorMessage ?? "Error getting credentials");
+            }
+            catch (Exception e)
+            {
+                _logger.Value.Exception(e);
+                throw;
+            }
+        }
+
+        private async Task<BeginGetCredentialResponse> ProcessGetCredentialsRequestAsync(
+            BeginGetCredentialRequest request)
+        {
+            IList<CredentialEntry> credentialEntries = null;
+
+            foreach (var option in request.BeginGetCredentialOptions)
+            {
+                var credentialOption = option as BeginGetPublicKeyCredentialOption;
+                if (credentialOption != null)
+                {
+                    credentialEntries ??= new List<CredentialEntry>();
+                    ((List<CredentialEntry>)credentialEntries).AddRange(
+                        await PopulatePasskeyDataAsync(request.CallingAppInfo, credentialOption));
+                }
+            }
+
+            if (credentialEntries == null)
+            {
+                return new BeginGetCredentialResponse();
+            }
+
+            return new BeginGetCredentialResponse.Builder()
+                .SetCredentialEntries(credentialEntries)
+                .Build();
+        }
+
+        private async Task<List<CredentialEntry>> PopulatePasskeyDataAsync(CallingAppInfo callingAppInfo,
+            BeginGetPublicKeyCredentialOption option)
+        {
+            var packageName = callingAppInfo.PackageName;
+            var origin = callingAppInfo.Origin;
+            var signingInfo = callingAppInfo.SigningInfo;
+
+            var request = new PublicKeyCredentialRequestOptions(option.RequestJson);
+
+            var passkeyEntries = new List<CredentialEntry>();
+
+            _cipherService ??= ServiceContainer.Resolve<ICipherService>();
+            var ciphers = await _cipherService.GetAllDecryptedForUrlAsync(origin);
+            if (ciphers == null)
+            {
+                return passkeyEntries;
+            }
+
+            var passkeyCiphers = ciphers.Where(cipher => cipher.HasFido2Credential).ToList();
+            if (!passkeyCiphers.Any())
+            {
+                return passkeyEntries;
+            }
+
+            foreach (var cipher in passkeyCiphers)
+            {
+                var passkeyEntry = GetPasskey(cipher, option);
+                passkeyEntries.Add(passkeyEntry);
+            }
+
+            return passkeyEntries;
+        }
+
+        private PublicKeyCredentialEntry GetPasskey(CipherView cipher, BeginGetPublicKeyCredentialOption option)
+        {
+            var credDataBundle = new Bundle();
+            credDataBundle.PutString(CredentialProviderConstants.CredentialIdIntentExtra,
+                cipher.Login.MainFido2Credential.CredentialId);
+
+            var intent = new Intent(ApplicationContext, typeof(CredentialProviderSelectionActivity))
+                .SetAction(GetPasskeyIntentAction).SetPackage(Constants.PACKAGE_NAME);
+            intent.PutExtra(CredentialProviderConstants.CredentialDataIntentExtra, credDataBundle);
+            intent.PutExtra(CredentialProviderConstants.CredentialProviderCipherId, cipher.Id);
+            var pendingIntent = PendingIntent.GetActivity(ApplicationContext, UniqueRequestCode, intent,
+                PendingIntentFlags.Mutable | PendingIntentFlags.UpdateCurrent);
+
+            return new PublicKeyCredentialEntry.Builder(
+                    ApplicationContext,
+                    cipher.Login.Username ?? "No username",
+                    pendingIntent,
+                    option)
+                .SetDisplayName(cipher.Name)
+                .SetIcon(Icon.CreateWithResource(ApplicationContext, Resource.Drawable.icon))
+                .Build();
+        }
+
+        public override void OnClearCredentialStateRequest(ProviderClearCredentialStateRequest request,
+            CancellationSignal cancellationSignal, IOutcomeReceiver callback) => throw new NotImplementedException();
+    }
+}

src/App/Platforms/Android/MainApplication.cs

@@ -85,6 +85,12 @@ namespace Bit.Droid
                     ServiceContainer.Resolve<IWatchDeviceService>(),
                     ServiceContainer.Resolve<IConditionedAwaiterManager>());
                 ServiceContainer.Register<IAccountsManager>("accountsManager", accountsManager);
+
+                var userPinService = new UserPinService(
+                    ServiceContainer.Resolve<IStateService>(),
+                    ServiceContainer.Resolve<ICryptoService>(),
+                    ServiceContainer.Resolve<IVaultTimeoutService>());
+                ServiceContainer.Register<IUserPinService>(userPinService);
             }
 #if !FDROID
             if (Build.VERSION.SdkInt <= BuildVersionCodes.Kitkat)
@@ -160,7 +166,6 @@ namespace Bit.Droid
             var cryptoFunctionService = new PclCryptoFunctionService(cryptoPrimitiveService);
             var cryptoService = new CryptoService(stateService, cryptoFunctionService, logger);
             var biometricService = new BiometricService(stateService, cryptoService);
-            var userPinService = new UserPinService(stateService, cryptoService);
             var passwordRepromptService = new MobilePasswordRepromptService(platformUtilsService, cryptoService, stateService);
 
             ServiceContainer.Register<ISynchronousStorageService>(preferencesStorage);
@@ -184,7 +189,6 @@ namespace Bit.Droid
             ServiceContainer.Register<ICryptoService>("cryptoService", cryptoService);
             ServiceContainer.Register<IPasswordRepromptService>("passwordRepromptService", passwordRepromptService);
             ServiceContainer.Register<IAvatarImageSourcePool>("avatarImageSourcePool", new AvatarImageSourcePool());
-            ServiceContainer.Register<IUserPinService>(userPinService);
 
             // Push
 #if FDROID

src/App/Platforms/Android/Resources/xml/provider.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<credential-provider xmlns:android="http://schemas.android.com/apk/res/android">
+    <capabilities>
+        <capability name="androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" />
+    </capabilities>
+</credential-provider>

src/App/Platforms/Android/Services/AutofillHandler.cs

@@ -37,6 +37,23 @@ namespace Bit.Droid.Services
             _eventService = eventService;
         }
 
+        public bool CredentialProviderServiceEnabled()
+        {
+            if (Build.VERSION.SdkInt < BuildVersionCodes.UpsideDownCake)
+            {
+                return false;
+            }
+            try
+            {
+                // TODO - find a way to programmatically check if the credential provider service is enabled
+                return false;
+            }
+            catch
+            {
+                return false;
+            }
+        }
+
         public bool AutofillServiceEnabled()
         {
             if (Build.VERSION.SdkInt < BuildVersionCodes.O)
@@ -163,7 +180,14 @@ namespace Bit.Droid.Services
             return Accessibility.AccessibilityHelpers.OverlayPermitted();
         }
 
-        
+        public void DisableCredentialProviderService()
+        {
+            try
+            {
+                // TODO - find a way to programmatically disable the provider service, or take the user to the settings page where they can do it
+            }
+            catch { }
+        }
 
         public void DisableAutofillService()
         {

src/App/Platforms/Android/Services/DeviceActionService.cs

@@ -11,6 +11,7 @@ using Android.Text.Method;
 using Android.Views;
 using Android.Views.InputMethods;
 using Android.Widget;
+using AndroidX.Credentials;
 using Bit.App.Abstractions;
 using Bit.Core.Resources.Localization;
 using Bit.App.Utilities;
@@ -501,6 +502,27 @@ namespace Bit.Droid.Services
             }
         }
 
+        public void OpenCredentialProviderSettings()
+        {
+            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            try
+            {
+                var pendingIntent = CredentialManager.Create(activity).CreateSettingsPendingIntent();
+                pendingIntent.Send();
+            }
+            catch (ActivityNotFoundException)
+            {
+                var alertBuilder = new AlertDialog.Builder(activity);
+                alertBuilder.SetMessage(AppResources.BitwardenCredentialProviderGoToSettings);
+                alertBuilder.SetCancelable(true);
+                alertBuilder.SetPositiveButton(AppResources.Ok, (sender, args) =>
+                {
+                    (sender as AlertDialog)?.Cancel();
+                });
+                alertBuilder.Create().Show();
+            }
+        }
+
         public void OpenAccessibilitySettings()
         {
             try
@@ -559,6 +581,8 @@ namespace Bit.Droid.Services
             return true;
         }
 
+        public bool SupportsCredentialProviderService() => Build.VERSION.SdkInt >= BuildVersionCodes.UpsideDownCake;
+
         public bool SupportsAutofillServices() => Build.VERSION.SdkInt >= BuildVersionCodes.O;
 
         public bool SupportsInlineAutofill() => Build.VERSION.SdkInt >= BuildVersionCodes.R;

src/App/Platforms/iOS/AppDelegate.cs

@@ -88,7 +88,7 @@ namespace Bit.iOS
                                 Core.Constants.AutofillNeedsIdentityReplacementKey);
                             if (needsAutofillReplacement.GetValueOrDefault())
                             {
-                                await ASHelpers.ReplaceAllIdentities();
+                                await ASHelpers.ReplaceAllIdentitiesAsync();
                             }
                         }
                         else if (message.Command == "showAppExtension")
@@ -102,7 +102,7 @@ namespace Bit.iOS
                                 var success = value as bool?;
                                 if (success.GetValueOrDefault() && _deviceActionService.SystemMajorVersion() >= 12)
                                 {
-                                    await ASHelpers.ReplaceAllIdentities();
+                                    await ASHelpers.ReplaceAllIdentitiesAsync();
                                 }
                             }
                         }
@@ -114,22 +114,21 @@ namespace Bit.iOS
                                 return;
                             }
 
-                            if (await ASHelpers.IdentitiesCanIncremental())
+                            if (await ASHelpers.IdentitiesSupportIncrementalAsync())
                             {
                                 var cipherId = message.Data as string;
                                 if (message.Command == "addedCipher" && !string.IsNullOrWhiteSpace(cipherId))
                                 {
-                                    var identity = await ASHelpers.GetCipherIdentityAsync(cipherId);
+                                    var identity = await ASHelpers.GetCipherPasswordIdentityAsync(cipherId);
                                     if (identity == null)
                                     {
                                         return;
                                     }
-                                    await ASCredentialIdentityStore.SharedStore?.SaveCredentialIdentitiesAsync(
-                                        new ASPasswordCredentialIdentity[] { identity });
+                                    await ASCredentialIdentityStoreExtensions.SaveCredentialIdentitiesAsync(identity);
                                     return;
                                 }
                             }
-                            await ASHelpers.ReplaceAllIdentities();
+                            await ASHelpers.ReplaceAllIdentitiesAsync();
                         }
                         else if (message.Command == "deletedCipher" || message.Command == "softDeletedCipher")
                         {
@@ -138,28 +137,27 @@ namespace Bit.iOS
                                 return;
                             }
 
-                            if (await ASHelpers.IdentitiesCanIncremental())
+                            if (await ASHelpers.IdentitiesSupportIncrementalAsync())
                             {
-                                var identity = ASHelpers.ToCredentialIdentity(
+                                var identity = ASHelpers.ToPasswordCredentialIdentity(
                                     message.Data as Bit.Core.Models.View.CipherView);
                                 if (identity == null)
                                 {
                                     return;
                                 }
-                                await ASCredentialIdentityStore.SharedStore?.RemoveCredentialIdentitiesAsync(
-                                    new ASPasswordCredentialIdentity[] { identity });
+                                await ASCredentialIdentityStoreExtensions.RemoveCredentialIdentitiesAsync(identity);
                                 return;
                             }
-                            await ASHelpers.ReplaceAllIdentities();
+                            await ASHelpers.ReplaceAllIdentitiesAsync();
                         }
                         else if (message.Command == "logout" && UIDevice.CurrentDevice.CheckSystemVersion(12, 0))
                         {
-                            await ASCredentialIdentityStore.SharedStore?.RemoveAllCredentialIdentitiesAsync();
+                            await ASCredentialIdentityStore.SharedStore.RemoveAllCredentialIdentitiesAsync();
                         }
                         else if ((message.Command == "softDeletedCipher" || message.Command == "restoredCipher")
                             && UIDevice.CurrentDevice.CheckSystemVersion(12, 0))
                         {
-                            await ASHelpers.ReplaceAllIdentities();
+                            await ASHelpers.ReplaceAllIdentitiesAsync();
                         }
                         else if (message.Command == AppHelpers.VAULT_TIMEOUT_ACTION_CHANGED_MESSAGE_COMMAND)
                         {
@@ -168,12 +166,12 @@ namespace Bit.iOS
                             {
                                 if (UIDevice.CurrentDevice.CheckSystemVersion(12, 0))
                                 {
-                                    await ASCredentialIdentityStore.SharedStore?.RemoveAllCredentialIdentitiesAsync();
+                                    await ASCredentialIdentityStore.SharedStore.RemoveAllCredentialIdentitiesAsync();
                                 }
                             }
                             else
                             {
-                                await ASHelpers.ReplaceAllIdentities();
+                                await ASHelpers.ReplaceAllIdentitiesAsync();
                             }
                         }
                     }

src/App/Platforms/iOS/Info.plist

@@ -11,7 +11,7 @@
 	<key>CFBundleIdentifier</key>
 	<string>com.8bit.bitwarden</string>
 	<key>CFBundleShortVersionString</key>
-	<string>2024.4.0</string>
+	<string>2024.3.3</string>
 	<key>CFBundleVersion</key>
 	<string>1</string>
 	<key>CFBundleIconName</key>

src/Core/Abstractions/IApiService.cs

@@ -46,7 +46,6 @@ namespace Bit.Core.Abstractions
         Task<CipherResponse> PutShareCipherAsync(string id, CipherShareRequest request);
         Task PutDeleteCipherAsync(string id);
         Task<CipherResponse> PutRestoreCipherAsync(string id);
-        Task<bool> HasUnassignedCiphersAsync();
         Task RefreshIdentityTokenAsync();
         Task<SsoPrevalidateResponse> PreValidateSsoAsync(string identifier);
         Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path,

src/Core/Abstractions/IAutofillHandler.cs

@@ -4,6 +4,7 @@ namespace Bit.Core.Abstractions
 {
     public interface IAutofillHandler
     {
+        bool CredentialProviderServiceEnabled();
         bool AutofillServicesEnabled();
         bool SupportsAutofillService();
         void Autofill(CipherView cipher);
@@ -11,6 +12,7 @@ namespace Bit.Core.Abstractions
         bool AutofillAccessibilityServiceRunning();
         bool AutofillAccessibilityOverlayPermitted();
         bool AutofillServiceEnabled();
+        void DisableCredentialProviderService();
         void DisableAutofillService();
     }
 }

src/Core/Abstractions/ICipherService.cs

@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Threading.Tasks;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Domain;
 using Bit.Core.Models.View;
@@ -37,6 +34,7 @@ namespace Bit.Core.Abstractions
         Task<byte[]> DownloadAndDecryptAttachmentAsync(string cipherId, AttachmentView attachment, string organizationId);
         Task SoftDeleteWithServerAsync(string id);
         Task RestoreWithServerAsync(string id);
-        Task<bool> VerifyOrganizationHasUnassignedItemsAsync();
+        Task<string> CreateNewLoginForPasskeyAsync(Fido2ConfirmNewCredentialParams newPasskeyParams);
+        Task CopyTotpCodeIfNeededAsync(CipherView cipher);
     }
 }

src/Core/Abstractions/IConditionedAwaiterManager.cs

@@ -1,12 +1,10 @@
-using System;
-using System.Threading.Tasks;
-
-namespace Bit.Core.Abstractions
+namespace Bit.Core.Abstractions
 {
     public enum AwaiterPrecondition
     {
         EnvironmentUrlsInited,
-        AndroidWindowCreated
+        AndroidWindowCreated,
+        AutofillIOSExtensionViewDidAppear
     }
 
     public interface IConditionedAwaiterManager
@@ -14,5 +12,6 @@ namespace Bit.Core.Abstractions
         Task GetAwaiterForPrecondition(AwaiterPrecondition awaiterPrecondition);
         void SetAsCompleted(AwaiterPrecondition awaiterPrecondition);
         void SetException(AwaiterPrecondition awaiterPrecondition, Exception ex);
+        void Recreate(AwaiterPrecondition awaiterPrecondition);
     }
 }

src/Core/Abstractions/ICryptoFunctionService.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Threading.Tasks;
 using Bit.Core.Enums;
+using Bit.Core.Models.Domain;
 
 namespace Bit.Core.Abstractions
 {

src/Core/Abstractions/IDeviceActionService.cs

@@ -28,6 +28,7 @@ namespace Bit.App.Abstractions
         bool SupportsNfc();
         bool SupportsCamera();
         bool SupportsFido2();
+        bool SupportsCredentialProviderService();
         bool SupportsAutofillServices();
         bool SupportsInlineAutofill();
         bool SupportsDrawOver();
@@ -36,6 +37,7 @@ namespace Bit.App.Abstractions
         void RateApp();
         void OpenAccessibilitySettings();
         void OpenAccessibilityOverlayPermissionSettings();
+        void OpenCredentialProviderSettings();
         void OpenAutofillSettings();
         long GetActiveTime();
         void CloseMainApp();

src/Core/Abstractions/IFido2AuthenticatorService.cs

@@ -0,0 +1,12 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    public interface IFido2AuthenticatorService
+    {
+        Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams, IFido2MakeCredentialUserInterface userInterface);
+        Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams, IFido2GetAssertionUserInterface userInterface);
+        // TODO: Should this return a List? Or maybe IEnumerable?
+        Task<Fido2AuthenticatorDiscoverableCredentialMetadata[]> SilentCredentialDiscoveryAsync(string rpId);
+    }
+}

src/Core/Abstractions/IFido2ClientService.cs

@@ -0,0 +1,35 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    /// <summary>
+    /// This class represents an abstraction of the WebAuthn Client as described by W3C:
+    /// https://www.w3.org/TR/webauthn-3/#webauthn-client
+    ///
+    /// The WebAuthn Client is an intermediary entity typically implemented in the user agent
+    /// (in whole, or in part). Conceptually, it underlies the Web Authentication API and embodies
+    /// the implementation of the Web Authentication API's operations.
+    ///
+    /// It is responsible for both marshalling the inputs for the underlying authenticator operations,
+    /// and for returning the results of the latter operations to the Web Authentication API's callers.
+    /// </summary>
+    public interface IFido2ClientService
+    {
+        /// <summary>
+        /// Allows WebAuthn Relying Party scripts to request the creation of a new public key credential source.
+        /// For more information please see: https://www.w3.org/TR/webauthn-3/#sctn-createCredential
+        /// </summary>
+        /// <param name="createCredentialParams">The parameters for the credential creation operation</param>
+        /// <returns>The new credential</returns>
+        Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams);
+
+        /// <summary>
+        /// Allows WebAuthn Relying Party scripts to discover and use an existing public key credential, with the user’s consent.
+        /// Relying Party script can optionally specify some criteria to indicate what credential sources are acceptable to it.
+        /// For more information please see: https://www.w3.org/TR/webauthn-3/#sctn-getAssertion
+        /// </summary>
+        /// <param name="assertCredentialParams">The parameters for the credential assertion operation</param>
+        /// <returns>The asserted credential</returns>
+        Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams);
+    }
+}

src/Core/Abstractions/IFido2GetAssertionUserInterface.cs

@@ -0,0 +1,20 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions 
+{
+    public struct Fido2GetAssertionUserInterfaceCredential
+    {
+        public string CipherId { get; set; }
+        public Fido2UserVerificationPreference UserVerificationPreference { get; set; }
+    }
+
+    public interface IFido2GetAssertionUserInterface : IFido2UserInterface
+    {
+        /// <summary>
+        /// Ask the user to pick a credential from a list of existing credentials.
+        /// </summary>
+        /// <param name="credentials">The credentials that the user can pick from, and if the user must be verified before completing the operation</param>
+        /// <returns>The ID of the cipher that contains the credentials the user picked, and if the user was verified before completing the operation</returns>
+        Task<(string CipherId, bool UserVerified)> PickCredentialAsync(Fido2GetAssertionUserInterfaceCredential[] credentials);
+    }
+}

src/Core/Abstractions/IFido2MakeCredentialUserInterface.cs

@@ -0,0 +1,44 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions 
+{
+    public struct Fido2ConfirmNewCredentialParams
+    {
+        ///<summary>
+        /// The name of the credential.
+        ///</summary>
+        public string CredentialName { get; set; }
+
+        ///<summary>
+        /// The name of the user.
+        ///</summary>
+        public string UserName { get; set; }
+
+        /// <summary>
+        /// The preference to whether or not the user must be verified before completing the operation.
+        /// </summary>
+        public Fido2UserVerificationPreference UserVerificationPreference { get; set; }
+
+        /// <summary>
+        /// The relying party identifier
+        /// </summary>
+        public string RpId { get; set; }
+    }
+
+    public interface IFido2MakeCredentialUserInterface : IFido2UserInterface
+    {
+        /// <summary>
+        /// Inform the user that the operation was cancelled because their vault contains excluded credentials.
+        /// </summary>
+        /// <param name="existingCipherIds">The IDs of the excluded credentials.</param>
+        /// <returns>When user has confirmed the message</returns>
+        Task InformExcludedCredentialAsync(string[] existingCipherIds);
+
+        /// <summary>
+        /// Ask the user to confirm the creation of a new credential.
+        /// </summary>
+        /// <param name="confirmNewCredentialParams">The parameters to use when asking the user to confirm the creation of a new credential.</param>
+        /// <returns>The ID of the cipher where the new credential should be saved, and if the user was verified before completing the operation</returns>
+        Task<(string CipherId, bool UserVerified)> ConfirmNewCredentialAsync(Fido2ConfirmNewCredentialParams confirmNewCredentialParams);
+    }
+}

src/Core/Abstractions/IFido2MediatorService.cs

@@ -0,0 +1,14 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    public interface IFido2MediatorService
+    {
+        Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams);
+        Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams);
+
+        Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams, IFido2MakeCredentialUserInterface userInterface);
+        Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams, IFido2GetAssertionUserInterface userInterface);
+        Task<Fido2AuthenticatorDiscoverableCredentialMetadata[]> SilentCredentialDiscoveryAsync(string rpId);
+    }
+}

src/Core/Abstractions/IFido2UserInterface.cs

@@ -0,0 +1,17 @@
+namespace Bit.Core.Abstractions
+{
+    public interface IFido2UserInterface
+    {
+        /// <summary>
+        /// Whether the vault has been unlocked during this transaction
+        /// </summary>
+        bool HasVaultBeenUnlockedInThisTransaction { get; }
+
+        /// <summary>
+        /// Make sure that the vault is unlocked.
+        /// This should open a window and ask the user to login or unlock the vault if necessary.
+        /// </summary>
+        /// <returns>When vault has been unlocked.</returns>
+        Task EnsureUnlockedVaultAsync();
+    }
+}

src/Core/Abstractions/IPasswordRepromptService.cs

@@ -1,5 +1,4 @@
-using System.Threading.Tasks;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 
 namespace Bit.App.Abstractions
 {
@@ -10,5 +9,7 @@ namespace Bit.App.Abstractions
         Task<bool> PromptAndCheckPasswordIfNeededAsync(CipherRepromptType repromptType = CipherRepromptType.Password);
 
         Task<(string password, bool valid)> ShowPasswordPromptAndGetItAsync();
+
+        Task<bool> ShouldByPassMasterPasswordRepromptAsync();
     }
 }

src/Core/Abstractions/IPlatformUtilsService.cs

@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Threading.Tasks;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 
 namespace Bit.Core.Abstractions
 {
@@ -29,7 +26,7 @@ namespace Bit.Core.Abstractions
         bool SupportsDuo();
         Task<bool> SupportsBiometricAsync();
         Task<bool> IsBiometricIntegrityValidAsync(string bioIntegritySrcKey = null);
-        Task<bool> AuthenticateBiometricAsync(string text = null, string fallbackText = null, Action fallback = null, bool logOutOnTooManyAttempts = false);
+        Task<bool?> AuthenticateBiometricAsync(string text = null, string fallbackText = null, Action fallback = null, bool logOutOnTooManyAttempts = false, bool allowAlternativeAuthentication = false);
         long GetActiveTime();
     }
 }

src/Core/Abstractions/IStateService.cs

@@ -186,8 +186,7 @@ namespace Bit.Core.Abstractions
         Task<BwRegion?> GetActiveUserRegionAsync();
         Task<BwRegion?> GetPreAuthRegionAsync();
         Task SetPreAuthRegionAsync(BwRegion value);
-        Task<bool> GetShouldCheckOrganizationUnassignedItemsAsync(string userId = null);
-        Task SetShouldCheckOrganizationUnassignedItemsAsync(bool shouldCheck, string userId = null);
+        Task ReloadStateAsync();
         [Obsolete("Use GetPinKeyEncryptedUserKeyAsync instead, left for migration purposes")]
         Task<string> GetPinProtectedAsync(string userId = null);
         [Obsolete("Use SetPinKeyEncryptedUserKeyAsync instead, left for migration purposes")]

src/Core/Abstractions/IUserPinService.cs

@@ -1,9 +1,12 @@
-using System.Threading.Tasks;
+using Bit.Core.Services;
 
 namespace Bit.Core.Abstractions
 {
     public interface IUserPinService
     {
+        Task<bool> IsPinLockEnabledAsync();
         Task SetupPinAsync(string pin, bool requireMasterPasswordOnRestart);
+        Task<bool> VerifyPinAsync(string inputPin);
+        Task<bool> VerifyPinAsync(string inputPin, string email, KdfConfig kdfConfig, PinLockType pinLockType);
     }
 }

src/Core/Abstractions/IUserVerificationMediatorService.cs

@@ -0,0 +1,28 @@
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    public interface IUserVerificationMediatorService
+    {
+        Task<CancellableResult<bool>> VerifyUserForFido2Async(Fido2UserVerificationOptions options);
+        Task<bool> CanPerformUserVerificationPreferredAsync(Fido2UserVerificationOptions options);
+        Task<bool> ShouldPerformMasterPasswordRepromptAsync(Fido2UserVerificationOptions options);
+        Task<bool> ShouldEnforceFido2RequiredUserVerificationAsync(Fido2UserVerificationOptions options);
+        Task<CancellableResult<UVResult>> PerformOSUnlockAsync();
+        Task<CancellableResult<UVResult>> VerifyPinCodeAsync();
+        Task<CancellableResult<UVResult>> VerifyMasterPasswordAsync(bool isMasterPasswordReprompt);
+
+        public struct UVResult
+        {
+            public UVResult(bool canPerform, bool isVerified)
+            {
+                CanPerform = canPerform;
+                IsVerified = isVerified;
+            }
+
+            public bool CanPerform { get; set; }
+            public bool IsVerified { get; set; }
+        }
+    }
+}

src/Core/Abstractions/IUserVerificationService.cs

@@ -1,11 +1,11 @@
-using System.Threading.Tasks;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 
 namespace Bit.Core.Abstractions
 {
     public interface IUserVerificationService
     {
         Task<bool> VerifyUser(string secret, VerificationType verificationType);
+        Task<bool> VerifyMasterPasswordAsync(string masterPassword);
         Task<bool> HasMasterPasswordAsync(bool checkMasterKeyHash = false);
     }
 }

src/Core/Constants.cs

@@ -46,7 +46,6 @@ namespace Bit.Core
         public const string PreLoginEmailKey = "preLoginEmailKey";
         public const string ConfigsKey = "configsKey";
         public const string DisplayEuEnvironmentFlag = "display-eu-environment";
-        public const string UnassignedItemsBannerFlag = "unassigned-items-banner";
         public const string RegionEnvironment = "regionEnvironment";
         public const string DuoCallback = "bitwarden://duo-callback";
 
@@ -137,7 +136,6 @@ namespace Bit.Core
         public static string ShouldConnectToWatchKey(string userId) => $"shouldConnectToWatch_{userId}";
         public static string ScreenCaptureAllowedKey(string userId) => $"screenCaptureAllowed_{userId}";
         public static string PendingAdminAuthRequest(string userId) => $"pendingAdminAuthRequest_{userId}";
-        public static string ShouldCheckOrganizationUnassignedItemsKey(string userId) => $"shouldCheckOrganizationUnassignedItems_{userId}";
         [Obsolete]
         public static string KeyKey(string userId) => $"key_{userId}";
         [Obsolete]

src/Core/Core.csproj

@@ -34,6 +34,7 @@
 	  <PackageReference Include="CsvHelper" Version="30.0.1" />
 	  <PackageReference Include="LiteDB" Version="5.0.17" />
 	  <PackageReference Include="PCLCrypto" Version="2.1.40-alpha" />
+	  <PackageReference Include="System.Formats.Cbor" Version="8.0.0" />
 	  <PackageReference Include="zxcvbn-core" Version="7.0.92" />
 	  <PackageReference Include="MessagePack.MSBuild.Tasks" Version="2.5.124">
 	    <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
@@ -52,6 +53,7 @@
 	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">
 	  <PackageReference Include="Xamarin.AndroidX.AutoFill" Version="1.1.0.18" />
 	  <PackageReference Include="Xamarin.AndroidX.Activity.Ktx" Version="1.7.2.1" />
+      <PackageReference Include="Xamarin.AndroidX.Credentials" Version="1.0.0" />
 	</ItemGroup>
 	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android' AND !$(DefineConstants.Contains(FDROID))">
 	  <PackageReference Include="Xamarin.GooglePlayServices.SafetyNet" Version="118.0.1.5" />
@@ -75,8 +77,10 @@
     <Folder Include="Utilities\Automation\" />
     <Folder Include="Utilities\Prompts\" />
     <Folder Include="Resources\Localization\" />
+    <Folder Include="Utilities\Fido2\" />
     <Folder Include="Controls\Picker\" />
     <Folder Include="Controls\Avatar\" />
+    <Folder Include="Services\UserVerification\" />
     <Folder Include="Utilities\WebAuthenticatorMAUI\" />
   </ItemGroup>
 	<ItemGroup>
@@ -106,8 +110,10 @@
 	  </MauiXaml>
 	</ItemGroup>
 	<ItemGroup>
+	  <None Remove="Utilities\Fido2\" />
 	  <None Remove="Controls\Picker\" />
 	  <None Remove="Controls\Avatar\" />
+	  <None Remove="Services\UserVerification\" />
 	  <None Remove="Utilities\WebAuthenticatorMAUI\" />
 	</ItemGroup>
 </Project>

src/Core/Models/Api/Fido2CredentialApi.cs

@@ -1,5 +1,4 @@
-using System;
-using Bit.Core.Models.Domain;
+using Bit.Core.Models.Domain;
 
 namespace Bit.Core.Models.Api
 {
@@ -21,6 +20,7 @@ namespace Bit.Core.Models.Api
             RpName = fido2Key.RpName?.EncryptedString;
             UserHandle = fido2Key.UserHandle?.EncryptedString;
             UserName = fido2Key.UserName?.EncryptedString;
+            UserDisplayName = fido2Key.UserDisplayName?.EncryptedString;
             Counter = fido2Key.Counter?.EncryptedString;
             CreationDate = fido2Key.CreationDate;
         }
@@ -35,6 +35,7 @@ namespace Bit.Core.Models.Api
         public string RpName { get; set; }
         public string UserHandle { get; set; }
         public string UserName { get; set; }
+        public string UserDisplayName { get; set; }
         public string Counter { get; set; }
         public DateTime CreationDate { get; set; }
     }

src/Core/Models/AppOptions.cs

@@ -25,7 +25,6 @@ namespace Bit.App.Models
         public bool CopyInsteadOfShareAfterSaving { get; set; }
         public bool HideAccountSwitcher { get; set; }
         public OtpData? OtpData { get; set; }
-        public bool HasJustLoggedInOrUnlocked { get; set; }
 
         public void SetAllFrom(AppOptions o)
         {

src/Core/Models/Data/Fido2CredentialData.cs

@@ -19,6 +19,7 @@ namespace Bit.Core.Models.Data
             RpName = apiData.RpName;
             UserHandle = apiData.UserHandle;
             UserName = apiData.UserName;
+            UserDisplayName = apiData.UserDisplayName;
             Counter = apiData.Counter;
             CreationDate = apiData.CreationDate;
         }
@@ -33,6 +34,7 @@ namespace Bit.Core.Models.Data
         public string RpName { get; set; }
         public string UserHandle { get; set; }
         public string UserName { get; set; }
+        public string UserDisplayName { get; set; }
         public string Counter { get; set; }
         public DateTime CreationDate { get; set; }
     }

src/Core/Models/Domain/Fido2Credential.cs

@@ -1,8 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
-using Bit.Core.Models.Data;
+using Bit.Core.Models.Data;
 using Bit.Core.Models.View;
 
 namespace Bit.Core.Models.Domain
@@ -21,6 +17,7 @@ namespace Bit.Core.Models.Domain
             nameof(RpName),
             nameof(UserHandle),
             nameof(UserName),
+            nameof(UserDisplayName),
             nameof(Counter)
         };
 
@@ -48,6 +45,7 @@ namespace Bit.Core.Models.Domain
         public EncString RpName { get; set; }
         public EncString UserHandle { get; set; }
         public EncString UserName { get; set; }
+        public EncString UserDisplayName { get; set; }
         public EncString Counter { get; set; }
         public DateTime CreationDate { get; set; }
 

src/Core/Models/Domain/SymmetricCryptoKey.cs

@@ -1,5 +1,4 @@
-using System;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 
 namespace Bit.Core.Models.Domain
 {
@@ -9,7 +8,7 @@ namespace Bit.Core.Models.Domain
         {
             if (key == null)
             {
-                throw new Exception("Must provide key.");
+                throw new ArgumentKeyNullException(nameof(key));
             }
 
             if (encType == null)
@@ -24,7 +23,7 @@ namespace Bit.Core.Models.Domain
                 }
                 else
                 {
-                    throw new Exception("Unable to determine encType.");
+                    throw new InvalidKeyOperationException("Unable to determine encType.");
                 }
             }
 
@@ -48,7 +47,7 @@ namespace Bit.Core.Models.Domain
             }
             else
             {
-                throw new Exception("Unsupported encType/key length.");
+                throw new InvalidKeyOperationException("Unsupported encType/key length.");
             }
 
             if (Key != null)
@@ -72,6 +71,32 @@ namespace Bit.Core.Models.Domain
         public string KeyB64 { get; set; }
         public string EncKeyB64 { get; set; }
         public string MacKeyB64 { get; set; }
+
+        public class ArgumentKeyNullException : ArgumentNullException
+        {
+            public ArgumentKeyNullException(string paramName) : base(paramName)
+            {
+            }
+
+            public ArgumentKeyNullException(string message, Exception innerException) : base(message, innerException)
+            {
+            }
+
+            public ArgumentKeyNullException(string paramName, string message) : base(paramName, message)
+            {
+            }
+        }
+
+        public class InvalidKeyOperationException : InvalidOperationException
+        {
+            public InvalidKeyOperationException(string message) : base(message)
+            {
+            }
+
+            public InvalidKeyOperationException(string message, Exception innerException) : base(message, innerException)
+            {
+            }
+        }
     }
 
     public class UserKey : SymmetricCryptoKey

src/Core/Models/View/CipherView.cs

@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 using Bit.Core.Models.Domain;
 
 namespace Bit.Core.Models.View

src/Core/Models/View/Fido2CredentialView.cs

@@ -1,7 +1,7 @@
-using System;
-using System.Collections.Generic;
+using System.Text.Json.Serialization;
 using Bit.Core.Enums;
 using Bit.Core.Models.Domain;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Models.View
 {
@@ -26,13 +26,42 @@ namespace Bit.Core.Models.View
         public string RpName { get; set; }
         public string UserHandle { get; set; }
         public string UserName { get; set; }
+        public string UserDisplayName { get; set; }
         public string Counter { get; set; }
         public DateTime CreationDate { get; set; }
 
+        [JsonIgnore]
+        public int CounterValue {
+            get => int.TryParse(Counter, out var counter) ? counter : 0;
+            set => Counter = value.ToString();
+        }
+
+        [JsonIgnore]
+        public byte[] UserHandleValue {
+            get => UserHandle == null ? null : CoreHelpers.Base64UrlDecode(UserHandle);
+            set => UserHandle = value == null ? null : CoreHelpers.Base64UrlEncode(value);
+        }
+
+        [JsonIgnore]
+        public byte[] KeyBytes {
+            get => KeyValue == null ? null : CoreHelpers.Base64UrlDecode(KeyValue);
+            set => KeyValue = value == null ? null : CoreHelpers.Base64UrlEncode(value);
+        }
+
+        [JsonIgnore]
+        public bool DiscoverableValue {
+            get => bool.TryParse(Discoverable, out var discoverable) && discoverable;
+            set => Discoverable = value.ToString().ToLower();
+        }
+
+        [JsonIgnore]
         public override string SubTitle => UserName;
+        
         public override List<KeyValuePair<string, LinkedIdType>> LinkedFieldOptions => new List<KeyValuePair<string, LinkedIdType>>();
-        public bool IsDiscoverable => !string.IsNullOrWhiteSpace(Discoverable);
+        
+        [JsonIgnore]
         public bool CanLaunch => !string.IsNullOrEmpty(RpId);
+        [JsonIgnore]
         public string LaunchUri => $"https://{RpId}";
 
         public bool IsUniqueAgainst(Fido2CredentialView fido2View) => fido2View?.RpId != RpId || fido2View?.UserName != UserName;

src/Core/Models/View/LoginView.cs

@@ -1,8 +1,7 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 using Bit.Core.Models.Domain;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Models.View
 {
@@ -40,4 +39,15 @@ namespace Bit.Core.Models.View
             };
         }
     }
+
+    public static class LoginViewExtensions
+    {
+        public static string GetMainFido2CredentialUsername(this LoginView loginView)
+        {
+            return loginView.MainFido2Credential.UserName
+                    .FallbackOnNullOrWhiteSpace(loginView.MainFido2Credential.UserDisplayName)
+                    .FallbackOnNullOrWhiteSpace(loginView.Username)
+                    .FallbackOnNullOrWhiteSpace(AppResources.UnknownAccount);
+        }
+    }
 }

src/Core/Pages/Accounts/EnvironmentPage.xaml

@@ -21,6 +21,10 @@
     <ScrollView>
         <StackLayout Spacing="20">
             <StackLayout StyleClass="box">
+                <StackLayout StyleClass="box-row-header">
+                    <Label Text="MAUI APP"
+                           StyleClass="box-header, box-header-platform" />
+                </StackLayout>
                 <StackLayout StyleClass="box-row-header">
                     <Label Text="{u:I18n SelfHostedEnvironment, Header=True}"
                            StyleClass="box-header, box-header-platform" />

src/Core/Pages/Accounts/LockPage.xaml.cs

@@ -233,7 +233,6 @@ namespace Bit.App.Pages
             }
             var previousPage = await AppHelpers.ClearPreviousPage();
 
-            _appOptions.HasJustLoggedInOrUnlocked = true;
             App.MainPage = new TabsPage(_appOptions, previousPage);
         }
     }

src/Core/Pages/Accounts/LockPageViewModel.cs

@@ -515,7 +515,7 @@ namespace Bit.App.Pages
                 var success = await _platformUtilsService.AuthenticateBiometricAsync(null,
                     PinEnabled ? AppResources.PIN : AppResources.MasterPassword,
                     () => _secretEntryFocusWeakEventManager.RaiseEvent((int?)null, nameof(FocusSecretEntry)),
-                    !PinEnabled && !HasMasterPassword);
+                    !PinEnabled && !HasMasterPassword) ?? false;
 
                 await _stateService.SetBiometricLockedAsync(!success);
                 if (success)

src/Core/Pages/Accounts/LoginApproveDevicePage.xaml.cs

@@ -35,8 +35,6 @@ namespace Bit.App.Pages
             {
                 return;
             }
-            
-            _appOptions.HasJustLoggedInOrUnlocked = true;
             var previousPage = await AppHelpers.ClearPreviousPage();
             App.MainPage = new TabsPage(_appOptions, previousPage);
         }

src/Core/Pages/Accounts/LoginPage.xaml.cs

@@ -195,8 +195,6 @@ namespace Bit.App.Pages
                 {
                     return;
                 }
-                
-                _appOptions.HasJustLoggedInOrUnlocked = true;
                 var previousPage = await AppHelpers.ClearPreviousPage();
                 App.MainPage = new TabsPage(_appOptions, previousPage);
             }

src/Core/Pages/Accounts/LoginPasswordlessRequestPage.xaml.cs

@@ -55,8 +55,6 @@ namespace Bit.App.Pages
                 {
                     return;
                 }
-                
-                _appOptions.HasJustLoggedInOrUnlocked = true;
                 var previousPage = await AppHelpers.ClearPreviousPage();
                 App.MainPage = new TabsPage(_appOptions, previousPage);
             }

src/Core/Pages/Accounts/SetPasswordPage.xaml.cs

@@ -71,8 +71,6 @@ namespace Bit.App.Pages
                 {
                     return;
                 }
-                
-                _appOptions.HasJustLoggedInOrUnlocked = true;
                 var previousPage = await AppHelpers.ClearPreviousPage();
                 App.MainPage = new TabsPage(_appOptions, previousPage);
             }

src/Core/Pages/Accounts/TwoFactorPage.xaml.cs

@@ -206,8 +206,6 @@ namespace Bit.App.Pages
             {
                 return;
             }
-
-            _appOptions.HasJustLoggedInOrUnlocked = true;
             var previousPage = await AppHelpers.ClearPreviousPage();
             App.MainPage = new TabsPage(_appOptions, previousPage);
         }

src/Core/Pages/Settings/AboutSettingsPageViewModel.cs

@@ -68,7 +68,8 @@ namespace Bit.App.Pages
         {
             get
             {
-                var appInfo = string.Format("{0}: {1} ({2})",
+                // TODO: REMOVE WHEN MERGED INTO MAIN BRANCH
+                var appInfo = string.Format("MAUI {0}: {1} ({2})",
                     AppResources.Version,
                     _platformUtilsService.GetApplicationVersion(),
                     _deviceActionService.GetBuildNumber());

src/Core/Pages/Settings/AutofillPage.xaml

@@ -5,7 +5,7 @@
     x:Class="Bit.App.Pages.AutofillPage"
     xmlns:pages="clr-namespace:Bit.App.Pages"
     xmlns:u="clr-namespace:Bit.App.Utilities"
-    Title="{u:I18n PasswordAutofill}">
+    Title="{u:I18n SetUpAutofill}">
 
     <ContentPage.ToolbarItems>
         <ToolbarItem Text="{u:I18n Close}" Clicked="Close_Clicked" Order="Primary" Priority="-1" />
@@ -15,26 +15,22 @@
         <StackLayout Spacing="5"
                  Padding="20, 20, 20, 30"
                  VerticalOptions="FillAndExpand">
-            <Label Text="{u:I18n ExtensionInstantAccess}"
+            <Label Text="{u:I18n GetInstantAccessToYourPasswordsAndPasskeys}"
                    HorizontalOptions="Center"
                    HorizontalTextAlignment="Center"
                    LineBreakMode="WordWrap"
                    StyleClass="text-lg"
                    Margin="0, 0, 0, 15" />
-            <Label Text="{u:I18n AutofillTurnOn}"
+            <Label Text="{u:I18n SetUpAutoFillDescriptionLong}"
                    HorizontalOptions="Center"
                    HorizontalTextAlignment="Center"
                    LineBreakMode="WordWrap"
                    Margin="0, 0, 0, 15" />
-            <Label Text="{u:I18n AutofillTurnOn1}"
+            <Label Text="{u:I18n FirstDotGoToYourDeviceSettingsPasswordsPasswordOptions}"
                    LineBreakMode="WordWrap" />
-            <Label Text="{u:I18n AutofillTurnOn2}"
+            <Label Text="{u:I18n SecondDotTurnOnAutoFill}"
                    LineBreakMode="WordWrap" />
-            <Label Text="{u:I18n AutofillTurnOn3}"
-                   LineBreakMode="WordWrap" />
-            <Label Text="{u:I18n AutofillTurnOn4}"
-                   LineBreakMode="WordWrap" />
-            <Label Text="{u:I18n AutofillTurnOn5}"
+            <Label Text="{u:I18n ThirdDotSelectBitwardenToUseForPasswordsAndPasskeys}"
                    LineBreakMode="WordWrap" />
             <Image Source="autofill-kb.png"
                    VerticalOptions="CenterAndExpand"

src/Core/Pages/Settings/AutofillSettingsPage.xaml

@@ -19,6 +19,15 @@
                 Text="{u:I18n Autofill}"
                 StyleClass="settings-header" />
 
+            <controls:SwitchItemView
+                Title="{u:I18n CredentialProviderService}"
+                Subtitle="{u:I18n CredentialProviderServiceExplanationLong}"
+                IsVisible="{Binding SupportsCredentialProviderService}"
+                IsToggled="{Binding UseCredentialProviderService}"
+                AutomationId="CredentialProviderServiceSwitch"
+                StyleClass="settings-item-view"
+                HorizontalOptions="FillAndExpand" />
+
             <controls:SwitchItemView
                 Title="{u:I18n AutofillServices}"
                 Subtitle="{u:I18n AutofillServicesExplanationLong}"

src/Core/Pages/Settings/AutofillSettingsPageViewModel.android.cs

@@ -6,12 +6,27 @@ namespace Bit.App.Pages
 {
     public partial class AutofillSettingsPageViewModel
     {
+        private bool _useCredentialProviderService;
         private bool _useAutofillServices;
         private bool _useInlineAutofill;
         private bool _useAccessibility;
         private bool _useDrawOver;
         private bool _askToAddLogin;
 
+        public bool SupportsCredentialProviderService => DeviceInfo.Platform == DevicePlatform.Android && _deviceActionService.SupportsCredentialProviderService();
+
+        public bool UseCredentialProviderService
+        {
+            get => _useCredentialProviderService;
+            set
+            {
+                if (SetProperty(ref _useCredentialProviderService, value))
+                {
+                    ((ICommand)ToggleUseCredentialProviderServiceCommand).Execute(null);
+                }
+            }
+        }
+
         public bool SupportsAndroidAutofillServices => DeviceInfo.Platform == DevicePlatform.Android && _deviceActionService.SupportsAutofillServices();
 
         public bool UseAutofillServices
@@ -84,6 +99,7 @@ namespace Bit.App.Pages
             }
         }
 
+        public AsyncRelayCommand ToggleUseCredentialProviderServiceCommand { get; private set; }
         public AsyncRelayCommand ToggleUseAutofillServicesCommand { get; private set; }
         public AsyncRelayCommand ToggleUseInlineAutofillCommand { get; private set; }
         public AsyncRelayCommand ToggleUseAccessibilityCommand { get; private set; }
@@ -93,6 +109,7 @@ namespace Bit.App.Pages
 
         private void InitAndroidCommands()
         {
+            ToggleUseCredentialProviderServiceCommand = CreateDefaultAsyncRelayCommand(() => MainThread.InvokeOnMainThreadAsync(() => ToggleUseCredentialProviderService()), () => _inited, allowsMultipleExecutions: false);
             ToggleUseAutofillServicesCommand = CreateDefaultAsyncRelayCommand(() => MainThread.InvokeOnMainThreadAsync(() => ToggleUseAutofillServices()), () => _inited, allowsMultipleExecutions: false);
             ToggleUseInlineAutofillCommand = CreateDefaultAsyncRelayCommand(() => MainThread.InvokeOnMainThreadAsync(() => ToggleUseInlineAutofillEnabledAsync()), () => _inited, allowsMultipleExecutions: false);
             ToggleUseAccessibilityCommand = CreateDefaultAsyncRelayCommand(ToggleUseAccessibilityAsync, () => _inited, allowsMultipleExecutions: false);
@@ -115,6 +132,9 @@ namespace Bit.App.Pages
 
         private async Task UpdateAndroidAutofillSettingsAsync()
         {
+            // TODO - uncomment once _autofillHandler.CredentialProviderServiceEnabled() returns a real value
+            // _useCredentialProviderService = 
+            //     SupportsCredentialProviderService && _autofillHandler.CredentialProviderServiceEnabled();
             _useAutofillServices =
                 _autofillHandler.SupportsAutofillService() && _autofillHandler.AutofillServiceEnabled();
             _useAccessibility = _autofillHandler.AutofillAccessibilityServiceRunning();
@@ -123,6 +143,7 @@ namespace Bit.App.Pages
 
             await MainThread.InvokeOnMainThreadAsync(() =>
             {
+                TriggerPropertyChanged(nameof(UseCredentialProviderService));
                 TriggerPropertyChanged(nameof(UseAutofillServices));
                 TriggerPropertyChanged(nameof(UseAccessibility));
                 TriggerPropertyChanged(nameof(UseDrawOver));
@@ -130,6 +151,18 @@ namespace Bit.App.Pages
             });
         }
 
+        private void ToggleUseCredentialProviderService()
+        {
+            if (UseCredentialProviderService)
+            {
+                _deviceActionService.OpenCredentialProviderSettings();
+            }
+            else
+            {
+                _autofillHandler.DisableCredentialProviderService();
+            }
+        }
+
         private void ToggleUseAutofillServices()
         {
             if (UseAutofillServices)

src/Core/Pages/Settings/SecuritySettingsPageViewModel.cs

@@ -370,7 +370,7 @@ namespace Bit.App.Pages
 
             if (!_supportsBiometric
                 ||
-                !await _platformUtilsService.AuthenticateBiometricAsync(null, DeviceInfo.Platform == DevicePlatform.Android ? "." : null))
+                await _platformUtilsService.AuthenticateBiometricAsync(null, DeviceInfo.Platform == DevicePlatform.Android ? "." : null) != true)
             {
                 _canUnlockWithBiometrics = false;
                 MainThread.BeginInvokeOnMainThread(() => TriggerPropertyChanged(nameof(CanUnlockWithBiometrics)));

src/Core/Pages/TabsPage.cs

@@ -33,7 +33,7 @@ namespace Bit.App.Pages
             _keyConnectorService = ServiceContainer.Resolve<IKeyConnectorService>("keyConnectorService");
             _stateService = ServiceContainer.Resolve<IStateService>();
 
-            _groupingsPage = new NavigationPage(new GroupingsPage(true, previousPage: previousPage, appOptions: appOptions))
+            _groupingsPage = new NavigationPage(new GroupingsPage(true, previousPage: previousPage))
             {
                 Title = AppResources.MyVault,
                 IconImageSource = "lock.png"

src/Core/Pages/Vault/GroupingsPage/GroupingsPage.xaml.cs

@@ -1,6 +1,5 @@
 using Bit.App.Abstractions;
 using Bit.App.Controls;
-using Bit.App.Models;
 using Bit.Core.Abstractions;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
@@ -28,7 +27,7 @@ namespace Bit.App.Pages
 
         public GroupingsPage(bool mainPage, CipherType? type = null, string folderId = null,
             string collectionId = null, string pageTitle = null, string vaultFilterSelection = null,
-            PreviousPageInfo previousPage = null, bool deleted = false, bool showTotp = false, AppOptions appOptions = null)
+            PreviousPageInfo previousPage = null, bool deleted = false, bool showTotp = false)
         {
             _pageName = string.Concat(nameof(GroupingsPage), "_", DateTime.UtcNow.Ticks);
             InitializeComponent();
@@ -51,7 +50,6 @@ namespace Bit.App.Pages
             _vm.CollectionId = collectionId;
             _vm.Deleted = deleted;
             _vm.ShowTotp = showTotp;
-            _vm.AppOptions = appOptions;
             _previousPage = previousPage;
             if (pageTitle != null)
             {
@@ -162,8 +160,6 @@ namespace Bit.App.Pages
                     return;
                 }
 
-                await _vm.CheckOrganizationUnassignedItemsAsync();
-
                 // Push registration
                 var lastPushRegistration = await _stateService.GetPushLastRegistrationDateAsync();
                 lastPushRegistration = lastPushRegistration.GetValueOrDefault(DateTime.MinValue);

src/Core/Pages/Vault/GroupingsPage/GroupingsPageViewModel.cs

@@ -1,7 +1,6 @@
 using System.Windows.Input;
 using Bit.App.Abstractions;
 using Bit.App.Controls;
-using Bit.App.Models;
 using Bit.App.Utilities;
 using Bit.Core.Abstractions;
 using Bit.Core.Enums;
@@ -46,8 +45,6 @@ namespace Bit.App.Pages
         private readonly IPasswordRepromptService _passwordRepromptService;
         private readonly IOrganizationService _organizationService;
         private readonly IPolicyService _policyService;
-        private readonly IConfigService _configService;
-        private readonly IEnvironmentService _environmentService;
         private readonly ILogger _logger;
 
         public GroupingsPageViewModel()
@@ -64,8 +61,6 @@ namespace Bit.App.Pages
             _passwordRepromptService = ServiceContainer.Resolve<IPasswordRepromptService>("passwordRepromptService");
             _organizationService = ServiceContainer.Resolve<IOrganizationService>("organizationService");
             _policyService = ServiceContainer.Resolve<IPolicyService>("policyService");
-            _configService = ServiceContainer.Resolve<IConfigService>();
-            _environmentService = ServiceContainer.Resolve<IEnvironmentService>();
             _logger = ServiceContainer.Resolve<ILogger>("logger");
 
             Loading = true;
@@ -109,7 +104,6 @@ namespace Bit.App.Pages
         public List<Core.Models.View.CollectionView> Collections { get; set; }
         public List<TreeNode<Core.Models.View.CollectionView>> NestedCollections { get; set; }
 
-        public AppOptions AppOptions { get; internal set; }
         protected override ICipherService cipherService => _cipherService;
         protected override IPolicyService policyService => _policyService;
         protected override IOrganizationService organizationService => _organizationService;
@@ -705,59 +699,5 @@ namespace Bit.App.Pages
             var folders = decFolders.Where(f => _allCiphers.Any(c => c.FolderId == f.Id)).ToList();
             return folders.Any() ? folders : null;
         }
-
-        internal async Task CheckOrganizationUnassignedItemsAsync()
-        {
-            try
-            {
-                if (AppOptions?.HasJustLoggedInOrUnlocked != true)
-                {
-                    return;
-                }
-
-                AppOptions.HasJustLoggedInOrUnlocked = false;
-
-                if (!await _configService.GetFeatureFlagBoolAsync(Core.Constants.UnassignedItemsBannerFlag)
-                    ||
-                    !await _stateService.GetShouldCheckOrganizationUnassignedItemsAsync())
-                {
-                    return;
-                }
-
-                var waitSyncTask = Task.Run(async () =>
-                {
-                    while (_syncService.SyncInProgress)
-                    {
-                        await Task.Delay(100);
-                    }
-                });
-                await waitSyncTask.WaitAsync(TimeSpan.FromMinutes(5));
-
-                if (!await _cipherService.VerifyOrganizationHasUnassignedItemsAsync())
-                {
-                    return;
-                }
-
-                var message = _environmentService.SelectedRegion == Core.Enums.Region.SelfHosted
-                    ? AppResources.OrganizationUnassignedItemsMessageSelfHost041624DescriptionLong
-                    : AppResources.OrganizationUnassignedItemsMessageUSEUDescriptionLong;
-
-                var response = await _deviceActionService.DisplayAlertAsync(AppResources.Notice,
-                    message,
-                    null,
-                    AppResources.RemindMeLater,
-                    AppResources.Ok);
-
-                if (response == AppResources.Ok)
-                {
-                    await _stateService.SetShouldCheckOrganizationUnassignedItemsAsync(false);
-                }
-            }
-            catch (TimeoutException) { }
-            catch (Exception ex)
-            {
-                _logger.Exception(ex);
-            }
-        }
     }
 }

src/Core/Resources/Localization/AppResources.Designer.cs

@@ -1318,6 +1318,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to We were unable to automatically open the Android credential provider settings menu for you. You can navigate to the credential provider settings menu manually from Android Settings &gt; System &gt; Passwords &amp; accounts &gt; Passwords, passkeys and data services..
+        /// </summary>
+        public static string BitwardenCredentialProviderGoToSettings {
+            get {
+                return ResourceManager.GetString("BitwardenCredentialProviderGoToSettings", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Bitwarden Help Center.
         /// </summary>
@@ -1534,6 +1543,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Choose a login to save this passkey to.
+        /// </summary>
+        public static string ChooseALoginToSaveThisPasskeyTo {
+            get {
+                return ResourceManager.GetString("ChooseALoginToSaveThisPasskeyTo", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Choose file.
         /// </summary>
@@ -1894,6 +1912,24 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Credential Provider service.
+        /// </summary>
+        public static string CredentialProviderService {
+            get {
+                return ResourceManager.GetString("CredentialProviderService", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to The Android Credential Provider is used for managing passkeys for use with websites and other apps on your device..
+        /// </summary>
+        public static string CredentialProviderServiceExplanationLong {
+            get {
+                return ResourceManager.GetString("CredentialProviderServiceExplanationLong", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Credits.
         /// </summary>
@@ -2596,6 +2632,24 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Error creating passkey.
+        /// </summary>
+        public static string ErrorCreatingPasskey {
+            get {
+                return ResourceManager.GetString("ErrorCreatingPasskey", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Error reading passkey.
+        /// </summary>
+        public static string ErrorReadingPasskey {
+            get {
+                return ResourceManager.GetString("ErrorReadingPasskey", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to EU.
         /// </summary>
@@ -3136,6 +3190,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to 1. Go to your device&apos;s Settings &gt; Passwords &gt; Password Options.
+        /// </summary>
+        public static string FirstDotGoToYourDeviceSettingsPasswordsPasswordOptions {
+            get {
+                return ResourceManager.GetString("FirstDotGoToYourDeviceSettingsPasswordsPasswordOptions", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to First name.
         /// </summary>
@@ -3325,6 +3388,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Get instant access to your passwords and passkeys!.
+        /// </summary>
+        public static string GetInstantAccessToYourPasswordsAndPasskeys {
+            get {
+                return ResourceManager.GetString("GetInstantAccessToYourPasswordsAndPasskeys", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Get master password hint.
         /// </summary>
@@ -4866,15 +4938,6 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
-        /// <summary>
-        ///   Looks up a localized string similar to Notice.
-        /// </summary>
-        public static string Notice {
-            get {
-                return ResourceManager.GetString("Notice", resourceCulture);
-            }
-        }
-        
         /// <summary>
         ///   Looks up a localized string similar to This account has two-step login set up, however, none of the configured two-step providers are supported on this device. Please use a supported device and/or add additional providers that are better supported across devices (such as an authenticator app)..
         /// </summary>
@@ -5110,24 +5173,6 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
-        /// <summary>
-        ///   Looks up a localized string similar to On May 16, 2024, unassigned organization items will no longer be visible in the All Vaults view and only accessible via the Admin Console. Assign these items to a collection from the Admin Console to make them visible..
-        /// </summary>
-        public static string OrganizationUnassignedItemsMessageSelfHost041624DescriptionLong {
-            get {
-                return ResourceManager.GetString("OrganizationUnassignedItemsMessageSelfHost041624DescriptionLong", resourceCulture);
-            }
-        }
-        
-        /// <summary>
-        ///   Looks up a localized string similar to Unassigned organization items are no longer visible in the All Vaults view and only accessible via the Admin Console. Assign these items to a collection from the Admin Console to make them visible..
-        /// </summary>
-        public static string OrganizationUnassignedItemsMessageUSEUDescriptionLong {
-            get {
-                return ResourceManager.GetString("OrganizationUnassignedItemsMessageUSEUDescriptionLong", resourceCulture);
-            }
-        }
-        
         /// <summary>
         ///   Looks up a localized string similar to Organization identifier.
         /// </summary>
@@ -5155,6 +5200,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Overwrite passkey?.
+        /// </summary>
+        public static string OverwritePasskey {
+            get {
+                return ResourceManager.GetString("OverwritePasskey", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Ownership.
         /// </summary>
@@ -5182,6 +5236,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Passkeys for {0}.
+        /// </summary>
+        public static string PasskeysForX {
+            get {
+                return ResourceManager.GetString("PasskeysForX", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Passkey will not be copied.
         /// </summary>
@@ -5362,6 +5425,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Passwords.
+        /// </summary>
+        public static string Passwords {
+            get {
+                return ResourceManager.GetString("Passwords", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to This password was not found in any known data breaches. It should be safe to use..
         /// </summary>
@@ -5371,6 +5443,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Passwords for {0}.
+        /// </summary>
+        public static string PasswordsForX {
+            get {
+                return ResourceManager.GetString("PasswordsForX", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Password type.
         /// </summary>
@@ -5705,15 +5786,6 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
-        /// <summary>
-        ///   Looks up a localized string similar to Remind me later.
-        /// </summary>
-        public static string RemindMeLater {
-            get {
-                return ResourceManager.GetString("RemindMeLater", resourceCulture);
-            }
-        }
-        
         /// <summary>
         ///   Looks up a localized string similar to Remove.
         /// </summary>
@@ -5885,6 +5957,24 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Save passkey.
+        /// </summary>
+        public static string SavePasskey {
+            get {
+                return ResourceManager.GetString("SavePasskey", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Save passkey as new login.
+        /// </summary>
+        public static string SavePasskeyAsNewLogin {
+            get {
+                return ResourceManager.GetString("SavePasskeyAsNewLogin", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Saving....
         /// </summary>
@@ -5993,6 +6083,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to 2. Turn on AutoFill.
+        /// </summary>
+        public static string SecondDotTurnOnAutoFill {
+            get {
+                return ResourceManager.GetString("SecondDotTurnOnAutoFill", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Secure notes.
         /// </summary>
@@ -6317,6 +6416,24 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Set up auto-fill.
+        /// </summary>
+        public static string SetUpAutofill {
+            get {
+                return ResourceManager.GetString("SetUpAutofill", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to To set up password auto-fill and passkey management, set Bitwarden as your preferred provider in the iOS Settings..
+        /// </summary>
+        public static string SetUpAutoFillDescriptionLong {
+            get {
+                return ResourceManager.GetString("SetUpAutoFillDescriptionLong", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Set up TOTP.
         /// </summary>
@@ -6722,6 +6839,24 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to There was a problem creating a passkey for {0}. Try again later..
+        /// </summary>
+        public static string ThereWasAProblemCreatingAPasskeyForXTryAgainLater {
+            get {
+                return ResourceManager.GetString("ThereWasAProblemCreatingAPasskeyForXTryAgainLater", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to There was a problem reading your passkey for {0}. Try again later..
+        /// </summary>
+        public static string ThereWasAProblemReadingAPasskeyForXTryAgainLater {
+            get {
+                return ResourceManager.GetString("ThereWasAProblemReadingAPasskeyForXTryAgainLater", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to The URI {0} is already blocked.
         /// </summary>
@@ -6731,6 +6866,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to 3. Select &quot;Bitwarden&quot; to use for passwords and passkeys.
+        /// </summary>
+        public static string ThirdDotSelectBitwardenToUseForPasswordsAndPasskeys {
+            get {
+                return ResourceManager.GetString("ThirdDotSelectBitwardenToUseForPasswordsAndPasskeys", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to 30 days.
         /// </summary>
@@ -6758,6 +6902,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to This item already contains a passkey. Are you sure you want to overwrite the current passkey?.
+        /// </summary>
+        public static string ThisItemAlreadyContainsAPasskeyAreYouSureYouWantToOverwriteTheCurrentPasskey {
+            get {
+                return ResourceManager.GetString("ThisItemAlreadyContainsAPasskeyAreYouSureYouWantToOverwriteTheCurrentPasskey", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to This request is no longer valid.
         /// </summary>
@@ -7055,6 +7208,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Unknown account.
+        /// </summary>
+        public static string UnknownAccount {
+            get {
+                return ResourceManager.GetString("UnknownAccount", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Unknown {0} error occurred..
         /// </summary>
@@ -7541,6 +7703,24 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Verification required by {0}.
+        /// </summary>
+        public static string VerificationRequiredByX {
+            get {
+                return ResourceManager.GetString("VerificationRequiredByX", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Verification required for this action. Set up an unlock method in Bitwarden to continue..
+        /// </summary>
+        public static string VerificationRequiredForThisActionSetUpAnUnlockMethodInBitwardenToContinue {
+            get {
+                return ResourceManager.GetString("VerificationRequiredForThisActionSetUpAnUnlockMethodInBitwardenToContinue", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Verify Face ID.
         /// </summary>
@@ -7568,6 +7748,15 @@ namespace Bit.Core.Resources.Localization {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Verifying identity....
+        /// </summary>
+        public static string VerifyingIdentityEllipsis {
+            get {
+                return ResourceManager.GetString("VerifyingIdentityEllipsis", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Verify master password.
         /// </summary>

src/Core/Resources/Localization/AppResources.fi.resx

@@ -560,7 +560,7 @@
     <comment>Message shown when interacting with the server</comment>
   </data>
   <data name="LoginOrCreateNewAccount" xml:space="preserve">
-    <value>Käytä salattua holviasi kirjautumalla sisään tai luo uusi tili.</value>
+    <value>Käytä salattua holviasi kirjautumalla sisään tai tai luo uusi tili.</value>
   </data>
   <data name="Manage" xml:space="preserve">
     <value>Hallinta</value>

src/Core/Resources/Localization/AppResources.it.resx

@@ -2877,12 +2877,12 @@ Vuoi passare a questo account?</value>
     <value>Imposta un metodo di sblocco per modificare l'azione timeout cassaforte.</value>
   </data>
   <data name="DuoTwoStepLoginIsRequiredForYourAccount" xml:space="preserve">
-    <value>Per il tuo account è richiesta la verifica in due passaggi di Duo.</value>
+    <value>Duo two-step login is required for your account. </value>
   </data>
   <data name="FollowTheStepsFromDuoToFinishLoggingIn" xml:space="preserve">
-    <value>Segui i passaggi da Duo per completare l'accesso.</value>
+    <value>Follow the steps from Duo to finish logging in.</value>
   </data>
   <data name="LaunchDuo" xml:space="preserve">
-    <value>Avvia Duo</value>
+    <value>Launch Duo</value>
   </data>
 </root>

src/Core/Resources/Localization/AppResources.pt-BR.resx

@@ -2878,12 +2878,12 @@ Você deseja mudar para esta conta?</value>
     <value>Configure um método de desbloqueio para alterar o tempo limite do cofre.</value>
   </data>
   <data name="DuoTwoStepLoginIsRequiredForYourAccount" xml:space="preserve">
-    <value>A autenticação em duas etapas do Duo é necessária para sua conta. </value>
+    <value>Duo two-step login is required for your account. </value>
   </data>
   <data name="FollowTheStepsFromDuoToFinishLoggingIn" xml:space="preserve">
-    <value>Siga os passos no Duo para finalizar o login.</value>
+    <value>Follow the steps from Duo to finish logging in.</value>
   </data>
   <data name="LaunchDuo" xml:space="preserve">
-    <value>Abrir o Duo</value>
+    <value>Launch Duo</value>
   </data>
 </root>

src/Core/Resources/Localization/AppResources.resx

@@ -1191,6 +1191,9 @@ Scanning will happen automatically.</value>
   <data name="WindowsHello" xml:space="preserve">
     <value>Windows Hello</value>
   </data>
+  <data name="BitwardenCredentialProviderGoToSettings" xml:space="preserve">
+    <value>We were unable to automatically open the Android credential provider settings menu for you. You can navigate to the credential provider settings menu manually from Android Settings &gt; System &gt; Passwords &amp; accounts &gt; Passwords, passkeys and data services.</value>
+  </data>
   <data name="BitwardenAutofillGoToSettings" xml:space="preserve">
     <value>We were unable to automatically open the Android autofill settings menu for you. You can navigate to the autofill settings menu manually from Android Settings &gt; System &gt; Languages and input &gt; Advanced &gt; Autofill service.</value>
   </data>
@@ -1816,6 +1819,9 @@ Scanning will happen automatically.</value>
   <data name="AccessibilityDrawOverPermissionAlert" xml:space="preserve">
     <value>Bitwarden needs attention - Turn on "Draw-Over" in "Auto-fill Services" from Bitwarden Settings</value>
   </data>
+  <data name="CredentialProviderService" xml:space="preserve">
+    <value>Credential Provider service</value>
+  </data>
   <data name="AutofillServices" xml:space="preserve">
     <value>Auto-fill services</value>
   </data>
@@ -2799,6 +2805,9 @@ Do you want to switch to this account?</value>
   <data name="XHours" xml:space="preserve">
     <value>{0} hours</value>
   </data>
+  <data name="CredentialProviderServiceExplanationLong" xml:space="preserve">
+    <value>The Android Credential Provider is used for managing passkeys for use with websites and other apps on your device.</value>
+  </data>
   <data name="AutofillServicesExplanationLong" xml:space="preserve">
     <value>The Android Autofill Framework is used to assist in filling login information into other apps on your device.</value>
   </data>
@@ -2877,6 +2886,27 @@ Do you want to switch to this account?</value>
   <data name="SetUpAnUnlockOptionToChangeYourVaultTimeoutAction" xml:space="preserve">
     <value>Set up an unlock option to change your vault timeout action.</value>
   </data>
+  <data name="ChooseALoginToSaveThisPasskeyTo" xml:space="preserve">
+    <value>Choose a login to save this passkey to</value>
+  </data>
+  <data name="SavePasskeyAsNewLogin" xml:space="preserve">
+    <value>Save passkey as new login</value>
+  </data>
+  <data name="SavePasskey" xml:space="preserve">
+    <value>Save passkey</value>
+  </data>
+  <data name="PasskeysForX" xml:space="preserve">
+    <value>Passkeys for {0}</value>
+  </data>
+  <data name="PasswordsForX" xml:space="preserve">
+    <value>Passwords for {0}</value>
+  </data>
+  <data name="OverwritePasskey" xml:space="preserve">
+    <value>Overwrite passkey?</value>
+  </data>
+  <data name="ThisItemAlreadyContainsAPasskeyAreYouSureYouWantToOverwriteTheCurrentPasskey" xml:space="preserve">
+    <value>This item already contains a passkey. Are you sure you want to overwrite the current passkey?</value>
+  </data>
   <data name="DuoTwoStepLoginIsRequiredForYourAccount" xml:space="preserve">
     <value>Duo two-step login is required for your account. </value>
   </data>
@@ -2886,16 +2916,51 @@ Do you want to switch to this account?</value>
   <data name="LaunchDuo" xml:space="preserve">
     <value>Launch Duo</value>
   </data>
-  <data name="OrganizationUnassignedItemsMessageUSEUDescriptionLong" xml:space="preserve">
-    <value>Unassigned organization items are no longer visible in the All Vaults view and only accessible via the Admin Console. Assign these items to a collection from the Admin Console to make them visible.</value>
+  <data name="VerificationRequiredByX" xml:space="preserve">
+    <value>Verification required by {0}</value>
   </data>
-  <data name="OrganizationUnassignedItemsMessageSelfHost041624DescriptionLong" xml:space="preserve">
-    <value>On May 16, 2024, unassigned organization items will no longer be visible in the All Vaults view and only accessible via the Admin Console. Assign these items to a collection from the Admin Console to make them visible.</value>
+  <data name="VerificationRequiredForThisActionSetUpAnUnlockMethodInBitwardenToContinue" xml:space="preserve">
+    <value>Verification required for this action. Set up an unlock method in Bitwarden to continue.</value>
   </data>
-  <data name="RemindMeLater" xml:space="preserve">
-    <value>Remind me later</value>
+  <data name="ErrorCreatingPasskey" xml:space="preserve">
+    <value>Error creating passkey</value>
   </data>
-  <data name="Notice" xml:space="preserve">
-    <value>Notice</value>
+  <data name="ErrorReadingPasskey" xml:space="preserve">
+    <value>Error reading passkey</value>
+  </data>
+  <data name="ThereWasAProblemCreatingAPasskeyForXTryAgainLater" xml:space="preserve">
+    <value>There was a problem creating a passkey for {0}. Try again later.</value>
+    <comment>The parameter is the RpId</comment>
+  </data>
+  <data name="ThereWasAProblemReadingAPasskeyForXTryAgainLater" xml:space="preserve">
+    <value>There was a problem reading your passkey for {0}. Try again later.</value>
+    <comment>The parameter is the RpId</comment>
+  </data>
+  <data name="VerifyingIdentityEllipsis" xml:space="preserve">
+    <value>Verifying identity...</value>
+  </data>
+  <data name="Passwords" xml:space="preserve">
+    <value>Passwords</value>
+  </data>
+  <data name="UnknownAccount" xml:space="preserve">
+    <value>Unknown account</value>
+  </data>
+  <data name="SetUpAutofill" xml:space="preserve">
+    <value>Set up auto-fill</value>
+  </data>
+  <data name="GetInstantAccessToYourPasswordsAndPasskeys" xml:space="preserve">
+    <value>Get instant access to your passwords and passkeys!</value>
+  </data>
+  <data name="SetUpAutoFillDescriptionLong" xml:space="preserve">
+    <value>To set up password auto-fill and passkey management, set Bitwarden as your preferred provider in the iOS Settings.</value>
+  </data>
+  <data name="FirstDotGoToYourDeviceSettingsPasswordsPasswordOptions" xml:space="preserve">
+    <value>1. Go to your device's Settings &gt; Passwords &gt; Password Options</value>
+  </data>
+  <data name="SecondDotTurnOnAutoFill" xml:space="preserve">
+    <value>2. Turn on AutoFill</value>
+  </data>
+  <data name="ThirdDotSelectBitwardenToUseForPasswordsAndPasskeys" xml:space="preserve">
+    <value>3. Select "Bitwarden" to use for passwords and passkeys</value>
   </data>
 </root>

src/Core/Resources/Localization/AppResources.ru.resx

@@ -2641,22 +2641,22 @@
     <value>Запомнить это устройство</value>
   </data>
   <data name="Passkey" xml:space="preserve">
-    <value>Passkey</value>
+    <value>Ключ доступа</value>
   </data>
   <data name="Passkeys" xml:space="preserve">
-    <value>Passkeys</value>
+    <value>Ключи доступа</value>
   </data>
   <data name="Application" xml:space="preserve">
     <value>Приложение</value>
   </data>
   <data name="YouCannotEditPasskeyApplicationBecauseItWouldInvalidateThePasskey" xml:space="preserve">
-    <value>Редактирование passkey невозможно, поскольку это приведет к его аннулированию</value>
+    <value>Редактирование ключа доступа невозможно, поскольку это приведет к его аннулированию</value>
   </data>
   <data name="PasskeyWillNotBeCopied" xml:space="preserve">
-    <value>Passkey не будет скопирован</value>
+    <value>Ключ доступа не будет скопирован</value>
   </data>
   <data name="ThePasskeyWillNotBeCopiedToTheClonedItemDoYouWantToContinueCloningThisItem" xml:space="preserve">
-    <value>Passkey не будет скопирован в клонированный элемент. Продолжить клонирование этого элемента?</value>
+    <value>Ключ доступа не будет скопирован в клонированный элемент. Продолжить клонирование этого элемента?</value>
   </data>
   <data name="CopyApplication" xml:space="preserve">
     <value>Скопировать приложение</value>

src/Core/Resources/Localization/AppResources.ta.resx

@@ -641,7 +641,7 @@
     <value>தற்போதைய கடவுச்சொல்லை மேலெழுத உறுதியா?</value>
   </data>
   <data name="PushNotificationAlert" xml:space="preserve">
-    <value>Push அறிவிப்புகள் பயன்படுத்தி Bitwarden உம் பெட்டகத்தை தானாக ஒத்திசைகிறது. சிறந்த சாத்தியமான அனுபவத்திற்கு, பின்வரும் தூண்டியில் push அறிவிப்புகளை இயக்கச்சொல்லி கேட்டால் "அனுமதி"ஐ தேர்ந்தெடுக்கவும்.</value>
+    <value>push அறிவிப்புகள் பயன்படுத்தி Bitwarden உம் பெட்டகத்தை தானாக ஒத்திசைகிறது. சிறந்த சாத்தியமான அனுபவத்திற்கு, பின்வரும் தூண்டியில் push அறிவிப்புகளை இயக்கச்சொல்லி கேட்டால் "அனுமதி"ஐ தேர்ந்தெடுக்கவும்.</value>
     <comment>Push notifications for apple products</comment>
   </data>
   <data name="RateTheApp" xml:space="preserve">
@@ -923,7 +923,7 @@
     <value>இணைப்பு அழிக்கப்பட்டது</value>
   </data>
   <data name="ChooseFile" xml:space="preserve">
-    <value>கோப்பைத் தேர்ந்தெடு</value>
+    <value>கோப்பை தேர்ந்தெடு</value>
   </data>
   <data name="File" xml:space="preserve">
     <value>கோப்பு</value>

src/Core/Resources/Localization/AppResources.vi.resx

@@ -1143,7 +1143,7 @@ Quá trình quét sẽ diễn ra tự động.</value>
     <value>Địa chỉ biểu tượng máy chủ</value>
   </data>
   <data name="AutofillWithBitwarden" xml:space="preserve">
-    <value>Tự động điền bằng Bitwarden</value>
+    <value>Tự động điền với Bitwarden</value>
   </data>
   <data name="VaultIsLocked" xml:space="preserve">
     <value>Kho đã khóa</value>

src/Core/Resources/Localization/AppResources.zh-Hans.resx

@@ -2808,23 +2808,23 @@
     <value>附加选项</value>
   </data>
   <data name="ContinueToWebApp" xml:space="preserve">
-    <value>前往网页 App 吗？</value>
+    <value>接下来前往网页应用吗？</value>
   </data>
   <data name="ContinueToX" xml:space="preserve">
-    <value>前往 {0} 吗？</value>
+    <value>接下来前往 {0} 吗？</value>
     <comment>The parameter is an URL, like bitwarden.com.</comment>
   </data>
   <data name="ContinueToHelpCenter" xml:space="preserve">
-    <value>前往帮助中心吗？</value>
+    <value>接下来前往帮助中心吗？</value>
   </data>
   <data name="ContinueToContactSupport" xml:space="preserve">
-    <value>要联系支持吗？</value>
+    <value>接下来要联系支持吗？</value>
   </data>
   <data name="ContinueToPrivacyPolicy" xml:space="preserve">
-    <value>查看隐私政策吗？</value>
+    <value>接下来查看隐私政策吗？</value>
   </data>
   <data name="ContinueToAppStore" xml:space="preserve">
-    <value>前往 App Store 吗？</value>
+    <value>接下来前往 App Store 吗？</value>
   </data>
   <data name="TwoStepLoginDescriptionLong" xml:space="preserve">
     <value>通过在 Bitwarden 网页应用中设置两步登录，可以使您的账户更加安全。</value>
@@ -2874,7 +2874,7 @@
     <value>您的组织要求您设置主密码。</value> 
   </data>
   <data name="SetUpAnUnlockOptionToChangeYourVaultTimeoutAction" xml:space="preserve">
-    <value>设置解锁选项以更改您的密码库超时动作。</value>
+    <value>设置解锁选项以更改您的密码库超时操作。</value>
   </data>
   <data name="DuoTwoStepLoginIsRequiredForYourAccount" xml:space="preserve">
     <value>您的账户要求使用 Duo 两步登录。 </value>

src/Core/Services/ApiService.cs

@@ -334,11 +334,6 @@ namespace Bit.Core.Services
             return SendAsync<object, CipherResponse>(HttpMethod.Put, string.Concat("/ciphers/", id, "/restore"), null, true, true);
         }
 
-        public Task<bool> HasUnassignedCiphersAsync()
-        {
-            return SendAsync<object, bool>(HttpMethod.Get, "/ciphers/has-unassigned-ciphers", null, true, true);
-        }
-
         #endregion
 
         #region Attachments APIs

src/Core/Services/CipherService.cs

@@ -34,6 +34,8 @@ namespace Bit.Core.Services
         private readonly II18nService _i18nService;
         private readonly Func<ISearchService> _searchService;
         private readonly IConfigService _configService;
+        private readonly ITotpService _totpService;
+        private readonly IClipboardService _clipboardService;
         private readonly string _clearCipherCacheKey;
         private readonly string[] _allClearCipherCacheKeys;
         private Dictionary<string, HashSet<string>> _domainMatchBlacklist = new Dictionary<string, HashSet<string>>
@@ -53,6 +55,8 @@ namespace Bit.Core.Services
             II18nService i18nService,
             Func<ISearchService> searchService,
             IConfigService configService,
+            ITotpService totpService,
+            IClipboardService clipboardService,
             string clearCipherCacheKey,
             string[] allClearCipherCacheKeys)
         {
@@ -65,6 +69,8 @@ namespace Bit.Core.Services
             _i18nService = i18nService;
             _searchService = searchService;
             _configService = configService;
+            _totpService = totpService;
+            _clipboardService = clipboardService;
             _clearCipherCacheKey = clearCipherCacheKey;
             _allClearCipherCacheKeys = allClearCipherCacheKeys;
         }
@@ -829,24 +835,6 @@ namespace Bit.Core.Services
             await ClearCacheAsync();
         }
 
-        public async Task<bool> VerifyOrganizationHasUnassignedItemsAsync()
-        {
-            var organizations = await _stateService.GetOrganizationsAsync();
-            if (organizations?.Any() != true)
-            {
-                return false;
-            }
-
-            try
-            {
-                return await _apiService.HasUnassignedCiphersAsync();
-            }
-            catch (ApiException ex) when (ex.Error?.StatusCode == System.Net.HttpStatusCode.BadRequest)
-            {
-                return false;
-            }
-        }
-
         // Helpers
 
         private async Task<Tuple<SymmetricCryptoKey, EncString, SymmetricCryptoKey>> MakeAttachmentKeyAsync(string organizationId, Cipher cipher = null, CipherView cipherView = null)
@@ -1304,6 +1292,51 @@ namespace Bit.Core.Services
             cipher.PasswordHistory = encPhs;
         }
 
+        public async Task<string> CreateNewLoginForPasskeyAsync(Fido2ConfirmNewCredentialParams newPasskeyParams)
+        {
+            var newCipher = new CipherView
+            {
+                Name = newPasskeyParams.CredentialName,
+                Type = CipherType.Login,
+                Login = new LoginView
+                {
+                    Username = newPasskeyParams.UserName,
+                    Uris = new List<LoginUriView>
+                    {
+                        new LoginUriView { Uri = newPasskeyParams.RpId }
+                    }
+                },
+                Card = new CardView(),
+                Identity = new IdentityView(),
+                SecureNote = new SecureNoteView
+                {
+                    Type = SecureNoteType.Generic
+                },
+                Reprompt = CipherRepromptType.None
+            };
+
+            var encryptedCipher = await EncryptAsync(newCipher);
+            await SaveWithServerAsync(encryptedCipher);
+
+            return encryptedCipher.Id;
+        }
+
+        public async Task CopyTotpCodeIfNeededAsync(CipherView cipher)
+        {
+            if (string.IsNullOrWhiteSpace(cipher?.Login?.Totp)
+                ||
+                await _stateService.GetDisableAutoTotpCopyAsync() == true)
+            {
+                return;
+            }
+
+            if (cipher.OrganizationUseTotp || await _stateService.CanAccessPremiumAsync())
+            {
+                var totpCode = await _totpService.GetCodeAsync(cipher.Login.Totp);
+                await _clipboardService.CopyTextAsync(totpCode);
+            }
+        }
+
         private class CipherLocaleComparer : IComparer<CipherView>
         {
             private readonly II18nService _i18nService;

src/Core/Services/ConditionedAwaiterManager.cs

@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Concurrent;
-using System.Collections.Generic;
-using System.Threading.Tasks;
+using System.Collections.Concurrent;
 using Bit.Core.Abstractions;
 
 namespace Bit.Core.Services
@@ -11,7 +8,8 @@ namespace Bit.Core.Services
         private readonly ConcurrentDictionary<AwaiterPrecondition, TaskCompletionSource<bool>> _preconditionsTasks = new ConcurrentDictionary<AwaiterPrecondition, TaskCompletionSource<bool>>
         {
             [AwaiterPrecondition.EnvironmentUrlsInited] = new TaskCompletionSource<bool>(),
-            [AwaiterPrecondition.AndroidWindowCreated] = new TaskCompletionSource<bool>()
+            [AwaiterPrecondition.AndroidWindowCreated] = new TaskCompletionSource<bool>(),
+            [AwaiterPrecondition.AutofillIOSExtensionViewDidAppear] = new TaskCompletionSource<bool>()
         };
 
         public Task GetAwaiterForPrecondition(AwaiterPrecondition awaiterPrecondition)
@@ -39,5 +37,15 @@ namespace Bit.Core.Services
                 tcs.TrySetException(ex);
             }
         }
+
+        public void Recreate(AwaiterPrecondition awaiterPrecondition)
+        {
+            if (_preconditionsTasks.TryRemove(awaiterPrecondition, out var oldTcs))
+            {
+                oldTcs.TrySetCanceled();
+
+                _preconditionsTasks.TryAdd(awaiterPrecondition, new TaskCompletionSource<bool>());
+            }
+        }
     }
 }

src/Core/Services/Fido2AuthenticatorService.cs

@@ -0,0 +1,509 @@
+using Bit.Core.Abstractions;
+using Bit.Core.Models.View;
+using Bit.Core.Enums;
+using Bit.Core.Utilities.Fido2;
+using Bit.Core.Utilities;
+using System.Formats.Cbor;
+using System.Security.Cryptography;
+
+namespace Bit.Core.Services
+{
+    public class Fido2AuthenticatorService : IFido2AuthenticatorService
+    {
+        // AAGUID: d548826e-79b4-db40-a3d8-11116f7e8349
+        public static readonly byte[] AAGUID = new byte[] { 0xd5, 0x48, 0x82, 0x6e, 0x79, 0xb4, 0xdb, 0x40, 0xa3, 0xd8, 0x11, 0x11, 0x6f, 0x7e, 0x83, 0x49 };
+
+        private readonly ICipherService _cipherService;
+        private readonly ISyncService _syncService;
+        private readonly ICryptoFunctionService _cryptoFunctionService;
+        private readonly IUserVerificationMediatorService _userVerificationMediatorService;
+
+        public Fido2AuthenticatorService(ICipherService cipherService,
+            ISyncService syncService,
+            ICryptoFunctionService cryptoFunctionService,
+            IUserVerificationMediatorService userVerificationMediatorService)
+        {
+            _cipherService = cipherService;
+            _syncService = syncService;
+            _cryptoFunctionService = cryptoFunctionService;
+            _userVerificationMediatorService = userVerificationMediatorService;
+        }
+
+        public async Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams, IFido2MakeCredentialUserInterface userInterface)
+        {
+            if (makeCredentialParams.CredTypesAndPubKeyAlgs.All((p) => p.Alg != (int)Fido2AlgorithmIdentifier.ES256))
+            {
+                throw new NotSupportedError();
+            }
+
+            await userInterface.EnsureUnlockedVaultAsync();
+            await _syncService.FullSyncAsync(false);
+
+            var existingCipherIds = await FindExcludedCredentialsAsync(
+                makeCredentialParams.ExcludeCredentialDescriptorList
+            );
+            if (existingCipherIds.Length > 0)
+            {
+                await userInterface.InformExcludedCredentialAsync(existingCipherIds);
+                throw new NotAllowedError();
+            }
+
+            var response = await userInterface.ConfirmNewCredentialAsync(new Fido2ConfirmNewCredentialParams
+            {
+                CredentialName = makeCredentialParams.RpEntity.Name,
+                UserName = makeCredentialParams.UserEntity.Name,
+                UserVerificationPreference = makeCredentialParams.UserVerificationPreference,
+                RpId = makeCredentialParams.RpEntity.Id
+            });
+
+            var cipherId = response.CipherId;
+            var userVerified = response.UserVerified;
+            string credentialId;
+            if (cipherId == null)
+            {
+                throw new NotAllowedError();
+            }
+
+            try
+            {
+                var keyPair = GenerateKeyPair();
+                var fido2Credential = CreateCredentialView(makeCredentialParams, keyPair.privateKey);
+
+                var encrypted = await _cipherService.GetAsync(cipherId);
+                var cipher = await encrypted.DecryptAsync();
+
+                if (!userVerified
+                &&
+                await _userVerificationMediatorService.ShouldEnforceFido2RequiredUserVerificationAsync(new Fido2UserVerificationOptions(
+                    cipher.Reprompt != CipherRepromptType.None,
+                    makeCredentialParams.UserVerificationPreference,
+                    userInterface.HasVaultBeenUnlockedInThisTransaction)))
+                {
+                    throw new NotAllowedError();
+                }
+
+                cipher.Login.Fido2Credentials = new List<Fido2CredentialView> { fido2Credential };
+                var reencrypted = await _cipherService.EncryptAsync(cipher);
+                await _cipherService.SaveWithServerAsync(reencrypted);
+                credentialId = fido2Credential.CredentialId;
+
+                var authData = await GenerateAuthDataAsync(
+                    rpId: makeCredentialParams.RpEntity.Id,
+                    counter: fido2Credential.CounterValue,
+                    userPresence: true,
+                    userVerification: userVerified,
+                    credentialId: credentialId.GuidToRawFormat(),
+                    publicKey: keyPair.publicKey
+                );
+
+                return new Fido2AuthenticatorMakeCredentialResult
+                {
+                    CredentialId = credentialId.GuidToRawFormat(),
+                    AttestationObject = EncodeAttestationObject(authData),
+                    AuthData = authData,
+                    PublicKey = keyPair.publicKey.ExportDer(),
+                    PublicKeyAlgorithm = (int)Fido2AlgorithmIdentifier.ES256,
+                };
+            }
+            catch (NotAllowedError)
+            {
+                throw;
+            }
+            catch (Exception ex)
+            {
+                LoggerHelper.LogEvenIfCantBeResolved(ex);
+                throw new UnknownError();
+            }
+        }
+
+        public async Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams, IFido2GetAssertionUserInterface userInterface)
+        {
+            List<CipherView> cipherOptions;
+
+            await userInterface.EnsureUnlockedVaultAsync();
+            await _syncService.FullSyncAsync(false);
+
+            if (assertionParams.AllowCredentialDescriptorList?.Length > 0)
+            {
+                cipherOptions = await FindCredentialsByIdAsync(
+                    assertionParams.AllowCredentialDescriptorList,
+                    assertionParams.RpId
+                );
+            }
+            else
+            {
+                cipherOptions = await FindCredentialsByRpAsync(assertionParams.RpId);
+            }
+
+            if (cipherOptions.Count == 0)
+            {
+                throw new NotAllowedError();
+            }
+
+            var response = await userInterface.PickCredentialAsync(
+                cipherOptions.Select((cipher) => new Fido2GetAssertionUserInterfaceCredential
+                {
+                    CipherId = cipher.Id,
+                    UserVerificationPreference = Fido2UserVerificationPreferenceExtensions.GetUserVerificationPreferenceFrom(assertionParams.UserVerificationPreference, cipher.Reprompt)
+                }).ToArray()
+            );
+            var selectedCipherId = response.CipherId;
+            var userVerified = response.UserVerified;
+
+            var selectedCipher = cipherOptions.FirstOrDefault((c) => c.Id == selectedCipherId);
+            if (selectedCipher == null)
+            {
+                throw new NotAllowedError();
+            }
+
+            if (!userVerified
+                &&
+                await _userVerificationMediatorService.ShouldEnforceFido2RequiredUserVerificationAsync(new Fido2UserVerificationOptions(
+                    selectedCipher.Reprompt != CipherRepromptType.None,
+                    assertionParams.UserVerificationPreference,
+                    userInterface.HasVaultBeenUnlockedInThisTransaction)))
+            {
+                throw new NotAllowedError();
+            }
+
+            try
+            {
+                var selectedFido2Credential = selectedCipher.Login.MainFido2Credential;
+                var selectedCredentialId = selectedFido2Credential.CredentialId;
+
+                await _cipherService.UpdateLastUsedDateAsync(selectedCipher.Id);
+
+                if (selectedFido2Credential.CounterValue != 0)
+                {
+                    ++selectedFido2Credential.CounterValue;
+                    var encrypted = await _cipherService.EncryptAsync(selectedCipher);
+                    await _cipherService.SaveWithServerAsync(encrypted);
+                }
+
+                var authenticatorData = await GenerateAuthDataAsync(
+                    rpId: selectedFido2Credential.RpId,
+                    userPresence: true,
+                    userVerification: userVerified,
+                    counter: selectedFido2Credential.CounterValue
+                );
+
+                var signature = GenerateSignature(
+                    authData: authenticatorData,
+                    clientDataHash: assertionParams.Hash,
+                    privateKey: selectedFido2Credential.KeyBytes
+                );
+
+                return new Fido2AuthenticatorGetAssertionResult
+                {
+                    SelectedCredential = new Fido2AuthenticatorGetAssertionSelectedCredential
+                    {
+                        Id = selectedCredentialId.GuidToRawFormat(),
+                        UserHandle = selectedFido2Credential.UserHandleValue,
+                        Cipher = selectedCipher
+                    },
+                    AuthenticatorData = authenticatorData,
+                    Signature = signature
+                };
+            }
+            catch (Exception ex)
+            {
+                LoggerHelper.LogEvenIfCantBeResolved(ex);
+                throw new UnknownError();
+            }
+        }
+
+        public async Task<Fido2AuthenticatorDiscoverableCredentialMetadata[]> SilentCredentialDiscoveryAsync(string rpId)
+        {
+            var credentials = (await FindCredentialsByRpAsync(rpId)).Select(cipher => new Fido2AuthenticatorDiscoverableCredentialMetadata
+            {
+                Type = Constants.DefaultFido2CredentialType,
+                Id = cipher.Login.MainFido2Credential.CredentialId.GuidToRawFormat(),
+                RpId = cipher.Login.MainFido2Credential.RpId,
+                UserHandle = cipher.Login.MainFido2Credential.UserHandleValue,
+                UserName = cipher.Login.MainFido2Credential.UserName
+            }).ToArray();
+
+            return credentials;
+        }
+
+        /// <summary>
+        /// Finds existing crendetials and returns the `CipherId` for each one
+        /// </summary>
+        private async Task<string[]> FindExcludedCredentialsAsync(
+            PublicKeyCredentialDescriptor[] credentials
+        )
+        {
+            if (credentials == null || credentials.Length == 0)
+            {
+                return Array.Empty<string>();
+            }
+
+            var ids = new List<string>();
+
+            foreach (var credential in credentials)
+            {
+                try
+                {
+                    ids.Add(credential.Id.GuidToStandardFormat());
+                }
+                catch { }
+            }
+
+            if (ids.Count == 0)
+            {
+                return Array.Empty<string>();
+            }
+
+            var ciphers = await _cipherService.GetAllDecryptedAsync();
+            return ciphers
+                .FindAll(
+                    (cipher) =>
+                    !cipher.IsDeleted &&
+                    cipher.OrganizationId == null &&
+                    cipher.Type == CipherType.Login &&
+                    cipher.Login.HasFido2Credentials &&
+                    ids.Contains(cipher.Login.MainFido2Credential.CredentialId)
+                )
+                .Select((cipher) => cipher.Id)
+                .ToArray();
+        }
+
+        private async Task<List<CipherView>> FindCredentialsByIdAsync(PublicKeyCredentialDescriptor[] credentials, string rpId)
+        {
+            var ids = new List<string>();
+
+            foreach (var credential in credentials)
+            {
+                try
+                {
+                    ids.Add(credential.Id.GuidToStandardFormat());
+                }
+                catch { }
+            }
+
+            if (ids.Count == 0)
+            {
+                return new List<CipherView>();
+            }
+
+            var ciphers = await _cipherService.GetAllDecryptedAsync();
+            return ciphers.FindAll((cipher) =>
+                !cipher.IsDeleted &&
+                cipher.Type == CipherType.Login &&
+                cipher.Login.HasFido2Credentials &&
+                cipher.Login.MainFido2Credential.RpId == rpId &&
+                ids.Contains(cipher.Login.MainFido2Credential.CredentialId)
+            );
+        }
+
+        private async Task<List<CipherView>> FindCredentialsByRpAsync(string rpId)
+        {
+            var ciphers = await _cipherService.GetAllDecryptedAsync();
+            return ciphers.FindAll((cipher) =>
+                !cipher.IsDeleted &&
+                cipher.Type == CipherType.Login &&
+                cipher.Login.HasFido2Credentials &&
+                cipher.Login.MainFido2Credential.RpId == rpId &&
+                cipher.Login.MainFido2Credential.DiscoverableValue
+            );
+        }
+
+        // TODO: Move this to a separate service
+        private (PublicKey publicKey, byte[] privateKey) GenerateKeyPair()
+        {
+            var dsa = ECDsa.Create();
+            dsa.GenerateKey(ECCurve.NamedCurves.nistP256);
+            var privateKey = dsa.ExportPkcs8PrivateKey();
+
+            return (new PublicKey(dsa), privateKey);
+        }
+
+        private Fido2CredentialView CreateCredentialView(Fido2AuthenticatorMakeCredentialParams makeCredentialsParams, byte[] privateKey)
+        {
+            return new Fido2CredentialView
+            {
+                CredentialId = Guid.NewGuid().ToString(),
+                KeyType = Constants.DefaultFido2CredentialType,
+                KeyAlgorithm = Constants.DefaultFido2CredentialAlgorithm,
+                KeyCurve = Constants.DefaultFido2CredentialCurve,
+                KeyValue = CoreHelpers.Base64UrlEncode(privateKey),
+                RpId = makeCredentialsParams.RpEntity.Id,
+                UserHandle = CoreHelpers.Base64UrlEncode(makeCredentialsParams.UserEntity.Id),
+                UserName = makeCredentialsParams.UserEntity.Name,
+                CounterValue = 0,
+                RpName = makeCredentialsParams.RpEntity.Name,
+                UserDisplayName = makeCredentialsParams.UserEntity.DisplayName,
+                DiscoverableValue = makeCredentialsParams.RequireResidentKey,
+                CreationDate = DateTime.UtcNow
+            };
+        }
+
+        private async Task<byte[]> GenerateAuthDataAsync(
+            string rpId,
+            bool userVerification,
+            bool userPresence,
+            int counter,
+            byte[] credentialId = null,
+            PublicKey publicKey = null
+        )
+        {
+            var isAttestation = credentialId != null && publicKey != null;
+
+            List<byte> authData = new List<byte>();
+
+            var rpIdHash = await _cryptoFunctionService.HashAsync(rpId, CryptoHashAlgorithm.Sha256);
+            authData.AddRange(rpIdHash);
+
+            var flags = AuthDataFlags(
+                extensionData: false,
+                attestationData: isAttestation,
+                userVerification: userVerification,
+                userPresence: userPresence
+            );
+            authData.Add(flags);
+
+            authData.AddRange(new List<byte> {
+                (byte)(counter >> 24),
+                (byte)(counter >> 16),
+                (byte)(counter >> 8),
+                (byte)counter
+            });
+
+            if (isAttestation)
+            {
+                var attestedCredentialData = new List<byte>();
+
+                attestedCredentialData.AddRange(AAGUID);
+
+                // credentialIdLength (2 bytes) and credential Id
+                var credentialIdLength = new byte[] {
+                    (byte)((credentialId.Length - (credentialId.Length & 0xff)) / 256),
+                    (byte)(credentialId.Length & 0xff)
+                };
+                attestedCredentialData.AddRange(credentialIdLength);
+                attestedCredentialData.AddRange(credentialId);
+                attestedCredentialData.AddRange(publicKey.ExportCose());
+
+                authData.AddRange(attestedCredentialData);
+            }
+
+            return authData.ToArray();
+        }
+
+        private byte AuthDataFlags(bool extensionData, bool attestationData, bool userVerification, bool userPresence, bool backupEligibility = true, bool backupState = true)
+        {
+            byte flags = 0;
+
+            if (extensionData)
+            {
+                flags |= 0b1000000;
+            }
+
+            if (attestationData)
+            {
+                flags |= 0b01000000;
+            }
+
+            if (backupState)
+            {
+                flags |= 0b00010000;
+            }
+
+            if (backupEligibility)
+            {
+                flags |= 0b00001000;
+            }
+
+            if (userVerification)
+            {
+                flags |= 0b00000100;
+            }
+
+            if (userPresence)
+            {
+                flags |= 0b00000001;
+            }
+
+            return flags;
+        }
+
+        private byte[] EncodeAttestationObject(byte[] authData)
+        {
+            var attestationObject = new CborWriter(CborConformanceMode.Ctap2Canonical);
+            attestationObject.WriteStartMap(3);
+            attestationObject.WriteTextString("fmt");
+            attestationObject.WriteTextString("none");
+            attestationObject.WriteTextString("attStmt");
+            attestationObject.WriteStartMap(0);
+            attestationObject.WriteEndMap();
+            attestationObject.WriteTextString("authData");
+            attestationObject.WriteByteString(authData);
+            attestationObject.WriteEndMap();
+
+            return attestationObject.Encode();
+        }
+
+        // TODO: Move this to a separate service
+        private byte[] GenerateSignature(byte[] authData, byte[] clientDataHash, byte[] privateKey)
+        {
+            var sigBase = authData.Concat(clientDataHash).ToArray();
+            var dsa = ECDsa.Create();
+            dsa.ImportPkcs8PrivateKey(privateKey, out var bytesRead);
+
+            if (bytesRead == 0)
+            {
+                throw new Exception("Failed to import private key");
+            }
+
+            return dsa.SignData(sigBase, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence);
+        }
+
+        private class PublicKey
+        {
+            private readonly ECDsa _dsa;
+
+            public PublicKey(ECDsa dsa)
+            {
+                _dsa = dsa;
+            }
+
+            public byte[] X => _dsa.ExportParameters(false).Q.X;
+            public byte[] Y => _dsa.ExportParameters(false).Q.Y;
+
+            public byte[] ExportDer()
+            {
+                return _dsa.ExportSubjectPublicKeyInfo();
+            }
+
+            public byte[] ExportCose()
+            {
+                var result = new CborWriter(CborConformanceMode.Ctap2Canonical);
+                result.WriteStartMap(5);
+
+                // kty = EC2
+                result.WriteInt32(1);
+                result.WriteInt32(2);
+
+                // alg = ES256
+                result.WriteInt32(3);
+                result.WriteInt32((int)Fido2AlgorithmIdentifier.ES256);
+
+                // crv = P-256
+                result.WriteInt32(-1);
+                result.WriteInt32(1);
+
+                // x
+                result.WriteInt32(-2);
+                result.WriteByteString(X);
+
+                // y
+                result.WriteInt32(-3);
+                result.WriteByteString(Y);
+
+                result.WriteEndMap();
+
+                return result.Encode();
+            }
+        }
+    }
+}

src/Core/Services/Fido2ClientService.cs

@@ -0,0 +1,261 @@
+using System.Text;
+using System.Text.Json;
+using Bit.Core.Abstractions;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Services
+{
+    public class Fido2ClientService : IFido2ClientService
+    {
+        private readonly IStateService _stateService;
+        private readonly IEnvironmentService _environmentService;
+        private readonly ICryptoFunctionService _cryptoFunctionService;
+        private readonly IFido2AuthenticatorService _fido2AuthenticatorService;
+        private readonly IFido2GetAssertionUserInterface _getAssertionUserInterface;
+        private readonly IFido2MakeCredentialUserInterface _makeCredentialUserInterface;
+
+        public Fido2ClientService(
+            IStateService stateService,
+            IEnvironmentService environmentService,
+            ICryptoFunctionService cryptoFunctionService,
+            IFido2AuthenticatorService fido2AuthenticatorService,
+            IFido2GetAssertionUserInterface getAssertionUserInterface,
+            IFido2MakeCredentialUserInterface makeCredentialUserInterface)
+        {
+            _stateService = stateService;
+            _environmentService = environmentService;
+            _cryptoFunctionService = cryptoFunctionService;
+            _fido2AuthenticatorService = fido2AuthenticatorService;
+            _getAssertionUserInterface = getAssertionUserInterface;
+            _makeCredentialUserInterface = makeCredentialUserInterface;
+        }
+
+        public async Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams)
+        {
+            var blockedUris = await _stateService.GetAutofillBlacklistedUrisAsync();
+            var domain = CoreHelpers.GetHostname(createCredentialParams.Origin);
+            if (blockedUris != null && blockedUris.Contains(domain))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.UriBlockedError,
+                    "Origin is blocked by the user");
+            }
+
+            if (!await _stateService.IsAuthenticatedAsync())
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.InvalidStateError,
+                    "No user is logged in");
+            }
+
+            if (createCredentialParams.Origin == _environmentService.GetWebVaultUrl())
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.NotAllowedError,
+                    "Saving Bitwarden credentials in a Bitwarden vault is not allowed");
+            }
+
+            if (!createCredentialParams.SameOriginWithAncestors)
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.NotAllowedError,
+                    "Credential creation is now allowed from embedded contexts with different origins");
+            }
+
+            if (createCredentialParams.User.Id.Length < 1 || createCredentialParams.User.Id.Length > 64)
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.TypeError,
+                    "The length of user.id is not between 1 and 64 bytes (inclusive)");
+            }
+
+            if (!createCredentialParams.Origin.StartsWith("https://"))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.SecurityError,
+                    "Origin is not a valid https origin");
+            }
+
+            if (!Fido2DomainUtils.IsValidRpId(createCredentialParams.Rp.Id, createCredentialParams.Origin))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.SecurityError,
+                    "RP ID cannot be used with this origin");
+            }
+
+            PublicKeyCredentialParameters[] credTypesAndPubKeyAlgs;
+            if (createCredentialParams.PubKeyCredParams?.Length > 0)
+            {
+                // Filter out all unsupported algorithms
+                credTypesAndPubKeyAlgs = createCredentialParams.PubKeyCredParams
+                    .Where(kp => kp.Alg == (int)Fido2AlgorithmIdentifier.ES256 && kp.Type == Constants.DefaultFido2CredentialType)
+                    .ToArray();
+            }
+            else
+            {
+                // Assign default algorithms
+                credTypesAndPubKeyAlgs = new PublicKeyCredentialParameters[]
+                {
+                    new PublicKeyCredentialParameters { Alg = (int) Fido2AlgorithmIdentifier.ES256, Type = Constants.DefaultFido2CredentialType },
+                    new PublicKeyCredentialParameters { Alg = (int) Fido2AlgorithmIdentifier.RS256, Type = Constants.DefaultFido2CredentialType }
+                };
+            }
+
+            if (credTypesAndPubKeyAlgs.Length == 0)
+            {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.NotSupportedError, "No supported algorithms found");
+            }
+
+            var clientDataJSON = JsonSerializer.Serialize(new
+            {
+                type = "webauthn.create",
+                challenge = CoreHelpers.Base64UrlEncode(createCredentialParams.Challenge),
+                origin = createCredentialParams.Origin,
+                crossOrigin = !createCredentialParams.SameOriginWithAncestors,
+                // tokenBinding: {} // Not supported
+            });
+            var clientDataJSONBytes = Encoding.UTF8.GetBytes(clientDataJSON);
+            var clientDataHash = await _cryptoFunctionService.HashAsync(clientDataJSONBytes, CryptoHashAlgorithm.Sha256);
+            var makeCredentialParams = MapToMakeCredentialParams(createCredentialParams, credTypesAndPubKeyAlgs, clientDataHash);
+
+            try
+            {
+                var makeCredentialResult = await _fido2AuthenticatorService.MakeCredentialAsync(makeCredentialParams, _makeCredentialUserInterface);
+
+                return new Fido2ClientCreateCredentialResult
+                {
+                    CredentialId = makeCredentialResult.CredentialId,
+                    AttestationObject = makeCredentialResult.AttestationObject,
+                    AuthData = makeCredentialResult.AuthData,
+                    ClientDataJSON = clientDataJSONBytes,
+                    PublicKey = makeCredentialResult.PublicKey,
+                    PublicKeyAlgorithm = makeCredentialResult.PublicKeyAlgorithm,
+                    Transports = createCredentialParams.Rp.Id == "google.com" ? new string[] { "internal", "usb" } : new string[] { "internal" } // workaround for a bug on Google's side
+                };
+            }
+            catch (InvalidStateError)
+            {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.InvalidStateError, "Unknown invalid state encountered");
+            }
+            catch (Exception)
+            {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.UnknownError, $"An unknown error occurred");
+            }
+        }
+
+        public async Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams)
+        {
+            var blockedUris = await _stateService.GetAutofillBlacklistedUrisAsync();
+            var domain = CoreHelpers.GetHostname(assertCredentialParams.Origin);
+            if (blockedUris != null && blockedUris.Contains(domain))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.UriBlockedError,
+                    "Origin is blocked by the user");
+            }
+
+            if (!await _stateService.IsAuthenticatedAsync())
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.InvalidStateError,
+                    "No user is logged in");
+            }
+
+            if (assertCredentialParams.Origin == _environmentService.GetWebVaultUrl())
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.NotAllowedError,
+                    "Saving Bitwarden credentials in a Bitwarden vault is not allowed");
+            }
+
+            if (!assertCredentialParams.Origin.StartsWith("https://"))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.SecurityError,
+                    "Origin is not a valid https origin");
+            }
+
+            if (!Fido2DomainUtils.IsValidRpId(assertCredentialParams.RpId, assertCredentialParams.Origin))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.SecurityError,
+                    "RP ID cannot be used with this origin");
+            }
+
+            var clientDataJSON = JsonSerializer.Serialize(new
+            {
+                type = "webauthn.get",
+                challenge = CoreHelpers.Base64UrlEncode(assertCredentialParams.Challenge),
+                origin = assertCredentialParams.Origin,
+                crossOrigin = !assertCredentialParams.SameOriginWithAncestors,
+            });
+            var clientDataJSONBytes = Encoding.UTF8.GetBytes(clientDataJSON);
+            var clientDataHash = await _cryptoFunctionService.HashAsync(clientDataJSONBytes, CryptoHashAlgorithm.Sha256);
+            var getAssertionParams = MapToGetAssertionParams(assertCredentialParams, clientDataHash);
+
+            try
+            {
+                var getAssertionResult = await _fido2AuthenticatorService.GetAssertionAsync(getAssertionParams, _getAssertionUserInterface);
+
+                return new Fido2ClientAssertCredentialResult
+                {
+                    AuthenticatorData = getAssertionResult.AuthenticatorData,
+                    ClientDataJSON = clientDataJSONBytes,
+                    Id = CoreHelpers.Base64UrlEncode(getAssertionResult.SelectedCredential.Id),
+                    RawId = getAssertionResult.SelectedCredential.Id,
+                    Signature = getAssertionResult.Signature,
+                    UserHandle = getAssertionResult.SelectedCredential.UserHandle,
+                    Cipher = getAssertionResult.SelectedCredential.Cipher
+                };
+            }
+            catch (InvalidStateError)
+            {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.InvalidStateError, "Unknown invalid state encountered");
+            }
+            catch (Exception)
+            {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.UnknownError, $"An unknown error occurred");
+            }
+
+            throw new NotImplementedException();
+        }
+
+        private Fido2AuthenticatorMakeCredentialParams MapToMakeCredentialParams(
+            Fido2ClientCreateCredentialParams createCredentialParams,
+            PublicKeyCredentialParameters[] credTypesAndPubKeyAlgs,
+            byte[] clientDataHash)
+        {
+            var requireResidentKey = createCredentialParams.AuthenticatorSelection?.ResidentKey == "required" ||
+                createCredentialParams.AuthenticatorSelection?.ResidentKey == "preferred" ||
+                (createCredentialParams.AuthenticatorSelection?.ResidentKey == null &&
+                createCredentialParams.AuthenticatorSelection?.RequireResidentKey == true);
+
+            return new Fido2AuthenticatorMakeCredentialParams
+            {
+                RequireResidentKey = requireResidentKey,
+                UserVerificationPreference = Fido2UserVerificationPreferenceExtensions.ToFido2UserVerificationPreference(createCredentialParams.AuthenticatorSelection?.UserVerification),
+                ExcludeCredentialDescriptorList = createCredentialParams.ExcludeCredentials,
+                CredTypesAndPubKeyAlgs = credTypesAndPubKeyAlgs,
+                Hash = clientDataHash,
+                RpEntity = createCredentialParams.Rp,
+                UserEntity = createCredentialParams.User,
+                Extensions = createCredentialParams.Extensions
+            };
+        }
+
+        private Fido2AuthenticatorGetAssertionParams MapToGetAssertionParams(
+            Fido2ClientAssertCredentialParams assertCredentialParams,
+            byte[] cliendDataHash)
+        {
+            return new Fido2AuthenticatorGetAssertionParams {
+                RpId = assertCredentialParams.RpId,
+                Challenge = assertCredentialParams.Challenge,
+                AllowCredentialDescriptorList = assertCredentialParams.AllowCredentials,
+                UserVerificationPreference = Fido2UserVerificationPreferenceExtensions.ToFido2UserVerificationPreference(assertCredentialParams?.UserVerification),
+                Hash = cliendDataHash
+            };
+        }
+    }
+}

src/Core/Services/Fido2MediatorService.cs

@@ -0,0 +1,60 @@
+using Bit.Core.Abstractions;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Services
+{
+    public class Fido2MediatorService : IFido2MediatorService
+    {
+        private readonly IFido2AuthenticatorService _fido2AuthenticatorService;
+        private readonly IFido2ClientService _fido2ClientService;
+        private readonly ICipherService _cipherService;
+
+        public Fido2MediatorService(IFido2AuthenticatorService fido2AuthenticatorService,
+            IFido2ClientService fido2ClientService,
+            ICipherService cipherService)
+        {
+            _fido2AuthenticatorService = fido2AuthenticatorService;
+            _fido2ClientService = fido2ClientService;
+            _cipherService = cipherService;
+        }
+
+        public async Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams)
+        {
+            var result = await _fido2ClientService.AssertCredentialAsync(assertCredentialParams);
+
+            if (result?.Cipher != null)
+            {
+                await _cipherService.CopyTotpCodeIfNeededAsync(result.Cipher);
+            }
+
+            return result;
+        }
+
+        public Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams)
+        {
+            return _fido2ClientService.CreateCredentialAsync(createCredentialParams);
+        }
+
+        public async Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams, IFido2GetAssertionUserInterface userInterface)
+        {
+            var result = await _fido2AuthenticatorService.GetAssertionAsync(assertionParams, userInterface);
+
+            if (result?.SelectedCredential?.Cipher != null)
+            {
+                await _cipherService.CopyTotpCodeIfNeededAsync(result.SelectedCredential.Cipher);
+            }
+
+            return result;
+        }
+
+        public Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams, IFido2MakeCredentialUserInterface userInterface)
+        {
+            return _fido2AuthenticatorService.MakeCredentialAsync(makeCredentialParams, userInterface);
+        }
+
+        public Task<Fido2AuthenticatorDiscoverableCredentialMetadata[]> SilentCredentialDiscoveryAsync(string rpId)
+        {
+            return _fido2AuthenticatorService.SilentCredentialDiscoveryAsync(rpId);
+        }
+    }
+}

src/Core/Services/Logging/ClipLogger.cs

@@ -0,0 +1,66 @@
+using System.Runtime.CompilerServices;
+using System.Text;
+using Bit.Core.Abstractions;
+
+#if IOS
+using UIKit;
+#endif
+
+namespace Bit.Core.Services
+{
+    /// <summary>
+    /// This logger can be used to help debug iOS extensions where we cannot use the .NET debugger yet
+    /// so we can use this that copies the logs to the clipboard so one
+    /// can paste them and analyze its output.
+    /// </summary>
+    public class ClipLogger : ILogger
+    {
+        private static readonly StringBuilder _currentBreadcrumbs = new StringBuilder();
+
+        static ILogger _instance;
+        public static ILogger Instance
+        {
+            get
+            {
+                if (_instance is null)
+                {
+                    _instance = new ClipLogger();
+                }
+                return _instance;
+            }
+        }
+
+        protected ClipLogger()
+        {
+        }
+
+        public static void Log(string breadcrumb)
+        {
+            _currentBreadcrumbs.AppendLine($"{DateTime.Now.ToShortTimeString()}: {breadcrumb}");
+#if IOS
+            MainThread.BeginInvokeOnMainThread(() => UIPasteboard.General.String = _currentBreadcrumbs.ToString());
+#endif
+        }
+
+        public void Error(string message, IDictionary<string, string> extraData = null, [CallerMemberName] string memberName = "", [CallerFilePath] string sourceFilePath = "", [CallerLineNumber] int sourceLineNumber = 0)
+        {
+            var classAndMethod = $"{Path.GetFileNameWithoutExtension(sourceFilePath)}.{memberName}";
+            var filePathAndLineNumber = $"{Path.GetFileName(sourceFilePath)}:{sourceLineNumber}";
+            var properties = new Dictionary<string, string>
+            {
+                ["File"] = filePathAndLineNumber,
+                ["Method"] = memberName
+            };
+
+            Log(message ?? $"Error found in: {classAndMethod}, {filePathAndLineNumber}");
+        }
+
+        public void Exception(Exception ex) => Log(ex?.ToString());
+
+        public Task InitAsync() => Task.CompletedTask;
+
+        public Task<bool> IsEnabled() => Task.FromResult(true);
+
+        public Task SetEnabled(bool value) => Task.CompletedTask;
+    }
+}

src/Core/Services/Logging/LoggerHelper.cs

@@ -1,5 +1,4 @@
-using System;
-using Bit.Core.Abstractions;
+using Bit.Core.Abstractions;
 using Bit.Core.Utilities;
 
 namespace Bit.Core.Services
@@ -22,9 +21,9 @@ namespace Bit.Core.Services
 #if !FDROID
                 // just in case the caller throws the exception in a moment where the logger can't be resolved
                 // we need to track the error as well
-                Microsoft.AppCenter.Crashes.Crashes.TrackError(ex);
+                //Microsoft.AppCenter.Crashes.Crashes.TrackError(ex);
+                ClipLogger.Log(ex?.ToString());
 #endif
-
             }
         }
     }

src/Core/Services/MobilePasswordRepromptService.cs

@@ -57,7 +57,7 @@ namespace Bit.App.Services
             return passwordValid;
         }
 
-        private async Task<bool> ShouldByPassMasterPasswordRepromptAsync()
+        public async Task<bool> ShouldByPassMasterPasswordRepromptAsync()
         {
             return await _cryptoService.GetMasterKeyHashAsync() is null;
         }

src/Core/Services/MobilePlatformUtilsService.cs

@@ -1,19 +1,12 @@
-using System;
-using System.Collections.Generic;
-using System.Threading.Tasks;
-using Bit.App.Abstractions;
+using Bit.App.Abstractions;
 using Bit.App.Models;
-using Bit.Core.Resources.Localization;
 using Bit.Core.Abstractions;
 using Bit.Core.Enums;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Plugin.Fingerprint;
 using Plugin.Fingerprint.Abstractions;
-using Microsoft.Maui.ApplicationModel.DataTransfer;
-using Microsoft.Maui.ApplicationModel;
-using Microsoft.Maui.Devices;
-using Microsoft.Maui.Controls;
-using Microsoft.Maui;
 
 namespace Bit.App.Services
 {
@@ -245,31 +238,34 @@ namespace Bit.App.Services
             return await stateService.IsAccountBiometricIntegrityValidAsync(bioIntegritySrcKey);
         }
 
-        public async Task<bool> AuthenticateBiometricAsync(string text = null, string fallbackText = null,
-            Action fallback = null, bool logOutOnTooManyAttempts = false)
+        public async Task<bool?> AuthenticateBiometricAsync(string text = null, string fallbackText = null,
+            Action fallback = null, bool logOutOnTooManyAttempts = false, bool allowAlternativeAuthentication = false)
         {
             try
             {
                 if (text == null)
                 {
                     text = AppResources.BiometricsDirection;
-                    // TODO Xamarin.Forms.Device.RuntimePlatform is no longer supported. Use Microsoft.Maui.Devices.DeviceInfo.Platform instead. For more details see https://learn.microsoft.com/en-us/dotnet/maui/migration/forms-projects#device-changes
-                    if (Device.RuntimePlatform == Device.iOS)
-                    {
-                        var supportsFace = await _deviceActionService.SupportsFaceBiometricAsync();
-                        text = supportsFace ? AppResources.FaceIDDirection : AppResources.FingerprintDirection;
-                    }
+#if IOS
+                    var supportsFace = await _deviceActionService.SupportsFaceBiometricAsync();
+                    text = supportsFace ? AppResources.FaceIDDirection : AppResources.FingerprintDirection;
+#endif
                 }
                 var biometricRequest = new AuthenticationRequestConfiguration(AppResources.Bitwarden, text)
                 {
                     CancelTitle = AppResources.Cancel,
-                    FallbackTitle = fallbackText
+                    FallbackTitle = fallbackText,
+                    AllowAlternativeAuthentication = allowAlternativeAuthentication
                 };
                 var result = await CrossFingerprint.Current.AuthenticateAsync(biometricRequest);
                 if (result.Authenticated)
                 {
                     return true;
                 }
+                if (result.Status == FingerprintAuthenticationResultStatus.Canceled)
+                {
+                    return null;
+                }
                 if (result.Status == FingerprintAuthenticationResultStatus.FallbackRequested)
                 {
                     fallback?.Invoke();

src/Core/Services/PclCryptoFunctionService.cs

@@ -4,6 +4,7 @@ using System.Text;
 using System.Threading.Tasks;
 using Bit.Core.Abstractions;
 using Bit.Core.Enums;
+using Bit.Core.Models.Domain;
 using PCLCrypto;
 using static PCLCrypto.WinRTCrypto;
 

src/Core/Services/StateService.cs

@@ -1384,16 +1384,6 @@ namespace Bit.Core.Services
             await _storageMediatorService.SaveAsync(Constants.RegionEnvironment, value);
         }
 
-        public async Task<bool> GetShouldCheckOrganizationUnassignedItemsAsync(string userId = null)
-        {
-            return await _storageMediatorService.GetAsync<bool?>(await ComposeKeyAsync(Constants.ShouldCheckOrganizationUnassignedItemsKey, userId)) ?? true;
-        }
-
-        public async Task SetShouldCheckOrganizationUnassignedItemsAsync(bool shouldCheck, string userId = null)
-        {
-            await _storageMediatorService.SaveAsync<bool?>(await ComposeKeyAsync(Constants.ShouldCheckOrganizationUnassignedItemsKey, userId), shouldCheck);
-        }
-
         // Helpers
 
         [Obsolete("Use IStorageMediatorService instead")]
@@ -1698,6 +1688,11 @@ namespace Bit.Core.Services
             await _storageService.SaveAsync(Constants.iOSExtensionActiveUserIdKey, userId);
         }
 
+        public async Task ReloadStateAsync()
+        {
+            _state = await GetStateFromStorageAsync() ?? new State();
+        }
+
         private async Task CheckStateAsync()
         {
             if (!_migrationChecked)
@@ -1709,7 +1704,7 @@ namespace Bit.Core.Services
 
             if (_state == null)
             {
-                _state = await GetStateFromStorageAsync() ?? new State();
+                await ReloadStateAsync();
             }
         }
 

src/Core/Services/UserPinService.cs

@@ -1,5 +1,6 @@
-using System.Threading.Tasks;
-using Bit.Core.Abstractions;
+using Bit.Core.Abstractions;
+using Bit.Core.Models.Domain;
+using Bit.Core.Services;
 
 namespace Bit.App.Services
 {
@@ -7,11 +8,25 @@ namespace Bit.App.Services
     {
         private readonly IStateService _stateService;
         private readonly ICryptoService _cryptoService;
+        private readonly IVaultTimeoutService _vaultTimeoutService;
 
-        public UserPinService(IStateService stateService, ICryptoService cryptoService)
+        public UserPinService(IStateService stateService, ICryptoService cryptoService, IVaultTimeoutService vaultTimeoutService)
         {
             _stateService = stateService;
             _cryptoService = cryptoService;
+            _vaultTimeoutService = vaultTimeoutService;
+        }
+
+        public async Task<bool> IsPinLockEnabledAsync()
+        {
+            var pinLockType = await _vaultTimeoutService.GetPinLockTypeAsync();
+
+            var ephemeralPinSet = await _stateService.GetPinKeyEncryptedUserKeyEphemeralAsync()
+                ?? await _stateService.GetPinProtectedKeyAsync();
+
+            return (pinLockType == PinLockType.Transient && ephemeralPinSet != null)
+                ||
+                pinLockType == PinLockType.Persistent;
         }
 
         public async Task SetupPinAsync(string pin, bool requireMasterPasswordOnRestart)
@@ -34,5 +49,59 @@ namespace Bit.App.Services
                 await _stateService.SetPinKeyEncryptedUserKeyAsync(protectedPinKey);
             }
         }
+
+        public async Task<bool> VerifyPinAsync(string inputPin)
+        {
+            var (email, kdfConfig) = await _stateService.GetActiveUserCustomDataAsync(a => a?.Profile is null ? (null, default) : (a.Profile.Email, new KdfConfig(a.Profile)));
+            if (kdfConfig.Type is null)
+            {
+                return false;
+            }
+
+            return await VerifyPinAsync(inputPin, email, kdfConfig, await _vaultTimeoutService.GetPinLockTypeAsync());
+        }
+
+        public async Task<bool> VerifyPinAsync(string inputPin, string email, KdfConfig kdfConfig, PinLockType pinLockType)
+        {
+            EncString userKeyPin = null;
+            EncString oldPinProtected = null;
+            if (pinLockType == PinLockType.Persistent)
+            {
+                userKeyPin = await _stateService.GetPinKeyEncryptedUserKeyAsync();
+                var oldEncryptedKey = await _stateService.GetPinProtectedAsync();
+                oldPinProtected = oldEncryptedKey != null ? new EncString(oldEncryptedKey) : null;
+            }
+            else if (pinLockType == PinLockType.Transient)
+            {
+                userKeyPin = await _stateService.GetPinKeyEncryptedUserKeyEphemeralAsync();
+                oldPinProtected = await _stateService.GetPinProtectedKeyAsync();
+            }
+
+            UserKey userKey;
+            if (oldPinProtected != null)
+            {
+                userKey = await _cryptoService.DecryptAndMigrateOldPinKeyAsync(
+                    pinLockType == PinLockType.Transient,
+                    inputPin,
+                    email,
+                    kdfConfig,
+                    oldPinProtected
+                );
+            }
+            else
+            {
+                userKey = await _cryptoService.DecryptUserKeyWithPinAsync(
+                    inputPin,
+                    email,
+                    kdfConfig,
+                    userKeyPin
+                );
+            }
+
+            var protectedPin = await _stateService.GetProtectedPinAsync();
+            var decryptedPin = await _cryptoService.DecryptToUtf8Async(new EncString(protectedPin), userKey);
+
+            return decryptedPin == inputPin;
+        }
     }
 }

src/Core/Services/UserVerification/Fido2UserVerificationPreferredServiceStrategy.cs

@@ -0,0 +1,41 @@
+using Bit.Core.Abstractions;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Services.UserVerification
+{
+    public class Fido2UserVerificationPreferredServiceStrategy : IUserVerificationServiceStrategy
+    {
+        private readonly IUserVerificationMediatorService _userVerificationMediatorService;
+
+        public Fido2UserVerificationPreferredServiceStrategy(IUserVerificationMediatorService userVerificationMediatorService)
+        {
+            _userVerificationMediatorService = userVerificationMediatorService;
+        }
+
+        public async Task<CancellableResult<bool>> VerifyUserForFido2Async(Fido2UserVerificationOptions options)
+        {
+            if (options.HasVaultBeenUnlockedInTransaction)
+            {
+                return new CancellableResult<bool>(true);
+            }
+
+            if (options.OnNeedUITask != null)
+            {
+                await options.OnNeedUITask();
+            }
+
+            var osUnlockVerification = await _userVerificationMediatorService.PerformOSUnlockAsync();
+            if (osUnlockVerification.IsCancelled)
+            {
+                return new CancellableResult<bool>(false, true);
+            }
+            if (osUnlockVerification.Result.CanPerform)
+            {
+                return new CancellableResult<bool>(osUnlockVerification.Result.IsVerified);
+            }
+
+            return new CancellableResult<bool>(false);
+        }
+    }
+}

src/Core/Services/UserVerification/Fido2UserVerificationRequiredServiceStrategy.cs

@@ -0,0 +1,71 @@
+using Bit.Core.Abstractions;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Services.UserVerification
+{
+    public class Fido2UserVerificationRequiredServiceStrategy : IUserVerificationServiceStrategy
+    {
+        private readonly IUserVerificationMediatorService _userVerificationMediatorService;
+        private readonly IPlatformUtilsService _platformUtilsService;
+
+        public Fido2UserVerificationRequiredServiceStrategy(IUserVerificationMediatorService userVerificationMediatorService,
+            IPlatformUtilsService platformUtilsService)
+        {
+            _userVerificationMediatorService = userVerificationMediatorService;
+            _platformUtilsService = platformUtilsService;
+        }
+
+        public async Task<CancellableResult<bool>> VerifyUserForFido2Async(Fido2UserVerificationOptions options)
+        {
+            if (options.HasVaultBeenUnlockedInTransaction)
+            {
+                return new CancellableResult<bool>(true);
+            }
+
+            if (options.OnNeedUITask != null)
+            {
+                await options.OnNeedUITask();
+            }
+
+            var osUnlockVerification = await _userVerificationMediatorService.PerformOSUnlockAsync();
+            if (osUnlockVerification.IsCancelled)
+            {
+                return new CancellableResult<bool>(false, true);
+            }
+            if (osUnlockVerification.Result.CanPerform)
+            {
+                return new CancellableResult<bool>(osUnlockVerification.Result.IsVerified);
+            }
+
+            var pinVerification = await _userVerificationMediatorService.VerifyPinCodeAsync();
+            if (pinVerification.IsCancelled)
+            {
+                return new CancellableResult<bool>(false, true);
+            }
+            if (pinVerification.Result.CanPerform)
+            {
+                return new CancellableResult<bool>(pinVerification.Result.IsVerified);
+            }
+
+            var mpVerification = await _userVerificationMediatorService.VerifyMasterPasswordAsync(false);
+            if (mpVerification.IsCancelled)
+            {
+                return new CancellableResult<bool>(false, true);
+            }
+            if (mpVerification.Result.CanPerform)
+            {
+                return new CancellableResult<bool>(mpVerification.Result.IsVerified);
+            }
+
+            // TODO: Setup PIN code. For the sake of simplicity, we're not implementing this step now and just telling the user to do it in the main app.
+
+            await _platformUtilsService.ShowDialogAsync(AppResources.VerificationRequiredForThisActionSetUpAnUnlockMethodInBitwardenToContinue,
+                string.Format(AppResources.VerificationRequiredByX, options.RpId),
+                AppResources.Ok);
+
+            return new CancellableResult<bool>(false);
+        }
+    }
+}

src/Core/Services/UserVerification/IUserVerificationServiceStrategy.cs

@@ -0,0 +1,10 @@
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Services.UserVerification
+{
+    public interface IUserVerificationServiceStrategy
+    {
+        Task<CancellableResult<bool>> VerifyUserForFido2Async(Fido2UserVerificationOptions options);
+    }
+}

src/Core/Services/UserVerification/UserVerificationMediatorService.cs

@@ -0,0 +1,211 @@
+using Bit.App.Abstractions;
+using Bit.Core.Abstractions;
+using Bit.Core.Models.Domain;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+using Plugin.Fingerprint;
+using static Bit.Core.Abstractions.IUserVerificationMediatorService;
+using FingerprintAvailability = Plugin.Fingerprint.Abstractions.FingerprintAvailability;
+
+namespace Bit.Core.Services.UserVerification
+{
+    public class UserVerificationMediatorService : IUserVerificationMediatorService
+    {
+        private const byte MAX_ATTEMPTS = 5;
+
+        private readonly IPlatformUtilsService _platformUtilsService;
+        private readonly IPasswordRepromptService _passwordRepromptService;
+        private readonly IUserPinService _userPinService;
+        private readonly IDeviceActionService _deviceActionService;
+        private readonly IUserVerificationService _userVerificationService;
+
+        private readonly Dictionary<Fido2UserVerificationPreference, IUserVerificationServiceStrategy> _fido2UserVerificationStrategies = new Dictionary<Fido2UserVerificationPreference, IUserVerificationServiceStrategy>();
+
+        public UserVerificationMediatorService(
+            IPlatformUtilsService platformUtilsService,
+            IPasswordRepromptService passwordRepromptService,
+            IUserPinService userPinService,
+            IDeviceActionService deviceActionService,
+            IUserVerificationService userVerificationService)
+        {
+            _platformUtilsService = platformUtilsService;
+            _passwordRepromptService = passwordRepromptService;
+            _userPinService = userPinService;
+            _deviceActionService = deviceActionService;
+            _userVerificationService = userVerificationService;
+
+            _fido2UserVerificationStrategies.Add(Fido2UserVerificationPreference.Required, new Fido2UserVerificationRequiredServiceStrategy(this, _platformUtilsService));
+            _fido2UserVerificationStrategies.Add(Fido2UserVerificationPreference.Preferred, new Fido2UserVerificationPreferredServiceStrategy(this));
+        }
+
+        public async Task<CancellableResult<bool>> VerifyUserForFido2Async(Fido2UserVerificationOptions options)
+        {
+            if (await ShouldPerformMasterPasswordRepromptAsync(options))
+            {
+                if (options.OnNeedUITask != null)
+                {
+                    await options.OnNeedUITask();
+                }
+
+                var mpVerification = await VerifyMasterPasswordAsync(true);
+                return new CancellableResult<bool>(
+                    !mpVerification.IsCancelled && mpVerification.Result.CanPerform && mpVerification.Result.IsVerified, 
+                    mpVerification.IsCancelled
+                );
+            }
+
+            if (!_fido2UserVerificationStrategies.TryGetValue(options.UserVerificationPreference, out var userVerificationServiceStrategy))
+            {
+                return new CancellableResult<bool>(false, false);
+            }
+
+            return await userVerificationServiceStrategy.VerifyUserForFido2Async(options);
+        }
+
+        public async Task<bool> CanPerformUserVerificationPreferredAsync(Fido2UserVerificationOptions options)
+        {
+            if (await ShouldPerformMasterPasswordRepromptAsync(options))
+            {
+                return true;
+            }
+
+            return options.HasVaultBeenUnlockedInTransaction
+                   ||
+                   await CrossFingerprint.Current.GetAvailabilityAsync() == FingerprintAvailability.Available
+                   ||
+                   await CrossFingerprint.Current.GetAvailabilityAsync(true) == FingerprintAvailability.Available;
+        }
+
+        public async Task<bool> ShouldPerformMasterPasswordRepromptAsync(Fido2UserVerificationOptions options)
+        {
+            return options.ShouldCheckMasterPasswordReprompt && !await _passwordRepromptService.ShouldByPassMasterPasswordRepromptAsync();
+        }
+
+        public async Task<bool> ShouldEnforceFido2RequiredUserVerificationAsync(Fido2UserVerificationOptions options)
+        {
+            switch (options.UserVerificationPreference)
+            {
+                case Fido2UserVerificationPreference.Required:
+                    return true;
+                case Fido2UserVerificationPreference.Discouraged:
+                    return await ShouldPerformMasterPasswordRepromptAsync(options);
+                default:
+                    return await CanPerformUserVerificationPreferredAsync(options);
+            }
+        }
+
+        public async Task<CancellableResult<UVResult>> PerformOSUnlockAsync()
+        {
+            var availability = await CrossFingerprint.Current.GetAvailabilityAsync();
+            if (availability == FingerprintAvailability.Available)
+            {
+                var isValid = await _platformUtilsService.AuthenticateBiometricAsync(null, DeviceInfo.Platform == DevicePlatform.Android ? "." : null);
+                if (!isValid.HasValue)
+                {
+                    return new UVResult(false, false).AsCancellable(true);
+                }
+                return new UVResult(true, isValid.Value).AsCancellable();
+            }
+
+            var alternativeAuthAvailability = await CrossFingerprint.Current.GetAvailabilityAsync(true);
+            if (alternativeAuthAvailability == FingerprintAvailability.Available)
+            {
+                var isNonBioValid = await _platformUtilsService.AuthenticateBiometricAsync(null, DeviceInfo.Platform == DevicePlatform.Android ? "." : null, allowAlternativeAuthentication: true);
+                if (!isNonBioValid.HasValue)
+                {
+                    return new UVResult(false, false).AsCancellable(true);
+                }
+                return new UVResult(true, isNonBioValid.Value).AsCancellable();
+            }
+
+            return new UVResult(false, false).AsCancellable();
+        }
+
+        public async Task<CancellableResult<UVResult>> VerifyPinCodeAsync()
+        {
+            return await VerifyWithAttemptsAsync(async () =>
+            {
+                if (!await _userPinService.IsPinLockEnabledAsync())
+                {
+                    return new UVResult(false, false).AsCancellable();
+                }
+
+                var pin = await _deviceActionService.DisplayPromptAync(AppResources.EnterPIN,
+                    AppResources.VerifyPIN, null, AppResources.Ok, AppResources.Cancel, password: true);
+                if (pin is null)
+                {
+                    // cancelled by the user
+                    return new UVResult(true, false).AsCancellable(true);
+                }
+
+                try
+                {
+                    var isVerified = await _userPinService.VerifyPinAsync(pin);
+                    return new UVResult(true, isVerified).AsCancellable();
+                }
+                catch (SymmetricCryptoKey.ArgumentKeyNullException)
+                {
+                    return new UVResult(true, false).AsCancellable();
+                }
+                catch (SymmetricCryptoKey.InvalidKeyOperationException)
+                {
+                    return new UVResult(true, false).AsCancellable();
+                }
+            });
+        }
+
+        public async Task<CancellableResult<UVResult>> VerifyMasterPasswordAsync(bool isMasterPasswordReprompt)
+        {
+            return await VerifyWithAttemptsAsync(async () =>
+            {
+                if (!await _userVerificationService.HasMasterPasswordAsync(true))
+                {
+                    return new UVResult(false, false).AsCancellable();
+                }
+
+                var title = isMasterPasswordReprompt ? AppResources.PasswordConfirmation : AppResources.MasterPassword;
+                var body = isMasterPasswordReprompt ? AppResources.PasswordConfirmationDesc : string.Empty;
+
+                var (password, isValid) = await _platformUtilsService.ShowPasswordDialogAndGetItAsync(title, body, _userVerificationService.VerifyMasterPasswordAsync);
+                if (password is null)
+                {
+                    return new UVResult(true, false).AsCancellable(true);
+                }
+
+                return new UVResult(true, isValid).AsCancellable();
+            });
+        }
+
+        private async Task<CancellableResult<UVResult>> VerifyWithAttemptsAsync(Func<Task<CancellableResult<UVResult>>> verifyAsync)
+        {
+            byte attempts = 0;
+            do
+            {
+                var verification = await verifyAsync();
+                if (verification.IsCancelled)
+                {
+                    return new UVResult(false, false).AsCancellable(true);
+                }
+                if (!verification.Result.CanPerform)
+                {
+                    return new UVResult(false, false).AsCancellable();
+                }
+                if (verification.Result.IsVerified)
+                {
+                    return new UVResult(true, true).AsCancellable();
+                }
+            } while (++attempts < MAX_ATTEMPTS);
+
+            return new UVResult(true, false).AsCancellable();
+        }
+    }
+
+    public static class UVResultExtensions
+    {
+        public static CancellableResult<UVResult> AsCancellable(this UVResult result, bool isCancelled = false)
+        {
+            return new CancellableResult<UVResult>(result, isCancelled);
+        }
+    }
+}

src/Core/Services/UserVerificationService.cs

@@ -25,7 +25,7 @@ namespace Bit.Core.Services
             _keyConnectorService = keyConnectorService;
         }
 
-        async public Task<bool> VerifyUser(string secret, VerificationType verificationType)
+        public async Task<bool> VerifyUser(string secret, VerificationType verificationType)
         {
             if (string.IsNullOrEmpty(secret))
             {
@@ -61,6 +61,12 @@ namespace Bit.Core.Services
             return true;
         }
 
+        public async Task<bool> VerifyMasterPasswordAsync(string masterPassword)
+        {
+            var masterKey = await _cryptoService.GetOrDeriveMasterKeyAsync(masterPassword);
+            return await _cryptoService.CompareAndUpdateKeyHashAsync(masterPassword, masterKey);
+        }
+
         async private Task InvalidSecretErrorAsync(VerificationType verificationType)
         {
             var errorMessage = verificationType == VerificationType.OTP

src/Core/Utilities/CancellableResult.cs

@@ -0,0 +1,15 @@
+namespace Bit.Core.Utilities
+{
+    public readonly struct CancellableResult<T>
+    {
+        public CancellableResult(T result, bool isCancelled = false)
+        {
+            Result = result;
+            IsCancelled = isCancelled;
+        }
+
+        public T Result { get; }
+
+        public bool IsCancelled { get; }
+    }
+}

src/Core/Utilities/CoreHelpers.cs

@@ -38,12 +38,38 @@ namespace Bit.Core.Utilities
 #endif
         }
 
+        /// <summary>
+        /// Returns the host (and not port) of the given uri.
+        /// Does not support plain hostnames without a protocol.
+        /// 
+        /// Input => Output examples:
+        /// <para>https://bitwarden.com => bitwarden.com</para>
+        /// <para>https://login.bitwarden.com:1337 => login.bitwarden.com</para>
+        /// <para>https://sub.login.bitwarden.com:1337 => sub.login.bitwarden.com</para>
+        /// <para>https://localhost:8080 => localhost</para>
+        /// <para>localhost => null</para>
+        /// <para>bitwarden => null</para>
+        /// <para>127.0.0.1 => 127.0.0.1</para>
+        /// </summary>
         public static string GetHostname(string uriString)
         {
             var uri = GetUri(uriString);
             return string.IsNullOrEmpty(uri?.Host) ? null : uri.Host;
         }
 
+        /// <summary>
+        /// Returns the host and port of the given uri.
+        /// Does not support plain hostnames without 
+        /// 
+        /// Input => Output examples:
+        /// <para>https://bitwarden.com => bitwarden.com</para>
+        /// <para>https://login.bitwarden.com:1337 => login.bitwarden.com:1337</para>
+        /// <para>https://sub.login.bitwarden.com:1337 => sub.login.bitwarden.com:1337</para>
+        /// <para>https://localhost:8080 => localhost:8080</para>
+        /// <para>localhost => null</para>
+        /// <para>bitwarden => null</para>
+        /// <para>127.0.0.1 => 127.0.0.1</para>
+        /// </summary>
         public static string GetHost(string uriString)
         {
             var uri = GetUri(uriString);
@@ -61,6 +87,19 @@ namespace Bit.Core.Utilities
             return null;
         }
 
+        /// <summary>
+        /// Returns the second and top level domain of the given uri.
+        /// Does not support plain hostnames without 
+        /// 
+        /// Input => Output examples:
+        /// <para>https://bitwarden.com => bitwarden.com</para>
+        /// <para>https://login.bitwarden.com:1337 => bitwarden.com</para>
+        /// <para>https://sub.login.bitwarden.com:1337 => bitwarden.com</para>
+        /// <para>https://localhost:8080 => localhost</para>
+        /// <para>localhost => null</para>
+        /// <para>bitwarden => null</para>
+        /// <para>127.0.0.1 => 127.0.0.1</para>
+        /// </summary>
         public static string GetDomain(string uriString)
         {
             var uri = GetUri(uriString);

src/Core/Utilities/Fido2/AuthenticatorSelectionCriteria.cs

@@ -0,0 +1,18 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    #nullable enable
+    /// <summary>
+    /// The Relying Party's requirements of the authenticator used in the creation of the credential.
+    /// </summary>
+    public class AuthenticatorSelectionCriteria
+    {
+        public bool? RequireResidentKey { get; set; }
+        public string? ResidentKey { get; set; }
+        public string UserVerification { get; set; } = "preferred";
+
+        /// <summary>
+        /// This member is intended for use by Relying Parties that wish to select the appropriate authenticators to participate in the create() operation.
+        /// </summary>
+        // public AuthenticatorAttachment? AuthenticatorAttachment { get; set; } // not used
+    }
+}

src/Core/Utilities/Fido2/Fido2AlgorithmIdentifier.cs

@@ -0,0 +1,8 @@
+namespace Bit.Core.Utilities.Fido2 
+{
+    public enum Fido2AlgorithmIdentifier : int
+    {
+        ES256 = -7,
+        RS256 = -257,
+    }
+}