Add example of delegated UI class

Fix incompatible GUID conversions
PM-5154 [Passkeys iOS] Fix Credential ID handling on bytes and string formats. Fix Discoverable to be lowercase on set so it doesn't break parsing on clients. Added UserDisplayName on Fido2 entities. Extracted the Guid Standard/Raw format helpers to a extensions class.
2025-12-05 23:53:33 +00:00 · 2024-02-19 16:44:15 +01:00 · 2024-02-19 15:35:17 +01:00 · 2024-02-16 19:30:33 -03:00 · 2024-02-16 10:57:44 +01:00 · 2024-02-15 21:16:54 -03:00
92 changed files with 4796 additions and 172 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -148,6 +148,7 @@ publish/

 # NuGet Packages
 *.nupkg
+!**/Xamarin.AndroidX.Credentials.1.0.0.nupkg
 # The packages folder can be ignored because of Package Restore
 **/packages/*
 # except build/, which is used as an MSBuild target.
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -1,6 +1,6 @@
 <Project>
 <PropertyGroup>
-   <MauiVersion>8.0.4-nightly.*</MauiVersion>
+   <MauiVersion>8.0.7-nightly.*</MauiVersion>
   <ReleaseCodesignProvision>Automatic:AppStore</ReleaseCodesignProvision>
   <ReleaseCodesignKey>iPhone Distribution</ReleaseCodesignKey>
   <IncludeBitwardeniOSExtensions>True</IncludeBitwardeniOSExtensions>
--- a/lib/android/Xamarin.AndroidX.Credentials/Xamarin.AndroidX.Credentials.1.0.0.nupkg
+++ b/lib/android/Xamarin.AndroidX.Credentials/Xamarin.AndroidX.Credentials.1.0.0.nupkg
--- a/lib/android/Xamarin.AndroidX.Credentials/net8.0-android/Xamarin.AndroidX.Credentials.dll
+++ b/lib/android/Xamarin.AndroidX.Credentials/net8.0-android/Xamarin.AndroidX.Credentials.dll
--- a/lib/android/Xamarin.AndroidX.Credentials/net8.0-android/Xamarin.AndroidX.Credentials.xml
+++ b/lib/android/Xamarin.AndroidX.Credentials/net8.0-android/Xamarin.AndroidX.Credentials.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<doc>
+    <assembly>
+        <name>Xamarin.AndroidX.Credentials</name>
+    </assembly>
+    <members>
+    </members>
+</doc>
--- a/lib/android/Xamarin.AndroidX.Credentials/net8.0-android/credentials-1.2.0.aar
+++ b/lib/android/Xamarin.AndroidX.Credentials/net8.0-android/credentials-1.2.0.aar
--- a/nuget.config
+++ b/nuget.config
@@ -2,5 +2,6 @@
 <configuration>
    <packageSources>
        <add key="MAUI Nightly builds" value="https://pkgs.dev.azure.com/xamarin/public/_packaging/maui-nightly/nuget/v3/index.json" />
+        <add key="Local AndroidX Credentials" value="lib/android/Xamarin.AndroidX.Credentials" />
    </packageSources>
 </configuration>
--- a/src/App/App.csproj
+++ b/src/App/App.csproj
@@ -121,6 +121,7 @@
 	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">
 	  <PackageReference Include="Xamarin.AndroidX.AutoFill" Version="1.1.0.18" />
 	  <PackageReference Include="Xamarin.AndroidX.Activity.Ktx" Version="1.7.2.1" />
+      <PackageReference Include="Xamarin.AndroidX.Credentials" Version="1.0.0" />
 	</ItemGroup>
 	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android' AND !$(DefineConstants.Contains(FDROID))">
 	  <PackageReference Include="Xamarin.GooglePlayServices.SafetyNet" Version="118.0.1.5" />
--- a/src/App/Platforms/Android/Autofill/CredentialProviderConstants.cs
+++ b/src/App/Platforms/Android/Autofill/CredentialProviderConstants.cs
@@ -0,0 +1,9 @@
+namespace Bit.Droid.Autofill
+{
+    public class CredentialProviderConstants
+    {
+        public const string CredentialProviderCipherId = "credentialProviderCipherId";
+        public const string CredentialDataIntentExtra = "CREDENTIAL_DATA";
+        public const string CredentialIdIntentExtra = "credId";
+    }
+}
--- a/src/App/Platforms/Android/Autofill/CredentialProviderSelectionActivity.cs
+++ b/src/App/Platforms/Android/Autofill/CredentialProviderSelectionActivity.cs
@@ -0,0 +1,65 @@
+using System.Threading.Tasks;
+using Android.App;
+using Android.Content.PM;
+using Android.OS;
+using AndroidX.Credentials.Provider;
+using AndroidX.Credentials.WebAuthn;
+using Bit.Core.Abstractions;
+using Bit.Core.Utilities;
+using Bit.App.Droid.Utilities;
+
+namespace Bit.Droid.Autofill
+{
+    [Activity(
+        NoHistory = true,
+        LaunchMode = LaunchMode.SingleTop)]
+    public class CredentialProviderSelectionActivity : MauiAppCompatActivity
+    {
+        protected override void OnCreate(Bundle bundle)
+        {
+            Intent?.Validate();
+            base.OnCreate(bundle);
+
+            var cipherId = Intent?.GetStringExtra(CredentialProviderConstants.CredentialProviderCipherId);
+            if (string.IsNullOrEmpty(cipherId))
+            {
+                SetResult(Result.Canceled);
+                Finish();
+                return;
+            }
+
+            GetCipherAndPerformPasskeyAuthAsync(cipherId).FireAndForget();
+        }
+
+        private async Task GetCipherAndPerformPasskeyAuthAsync(string cipherId)
+        {
+            // TODO this is a work in progress
+            // https://developer.android.com/training/sign-in/credential-provider#passkeys-implement
+
+            var getRequest = PendingIntentHandler.RetrieveProviderGetCredentialRequest(Intent);
+            // var publicKeyRequest = getRequest?.CredentialOptions as PublicKeyCredentialRequestOptions;
+
+            var requestInfo = Intent.GetBundleExtra(CredentialProviderConstants.CredentialDataIntentExtra);
+            var credIdEnc = requestInfo?.GetString(CredentialProviderConstants.CredentialIdIntentExtra);
+
+            var cipherService = ServiceContainer.Resolve<ICipherService>();
+            var cipher = await cipherService.GetAsync(cipherId);
+            var decCipher = await cipher.DecryptAsync();
+
+            var passkey = decCipher.Login.Fido2Credentials.Find(f => f.CredentialId == credIdEnc);
+
+            var credId = Convert.FromBase64String(credIdEnc);
+            // var privateKey = Convert.FromBase64String(passkey.PrivateKey);
+            // var uid = Convert.FromBase64String(passkey.uid);
+
+            var origin = getRequest?.CallingAppInfo.Origin;
+            var packageName = getRequest?.CallingAppInfo.PackageName;
+
+            // --- continue WIP here (save TOTP copy as last step) ---
+
+            // Copy TOTP if needed
+            var autofillHandler = ServiceContainer.Resolve<IAutofillHandler>();
+            autofillHandler.Autofill(decCipher);
+        }
+    }
+}
--- a/src/App/Platforms/Android/Autofill/CredentialProviderService.cs
+++ b/src/App/Platforms/Android/Autofill/CredentialProviderService.cs
@@ -0,0 +1,147 @@
+using Android;
+using Android.App;
+using Android.Content;
+using Android.Graphics.Drawables;
+using Android.OS;
+using Android.Runtime;
+using AndroidX.Credentials.Provider;
+using Bit.Core.Abstractions;
+using Bit.Core.Utilities;
+using AndroidX.Credentials.Exceptions;
+using AndroidX.Credentials.WebAuthn;
+using Bit.Core.Models.View;
+using Resource = Microsoft.Maui.Resource;
+
+namespace Bit.Droid.Autofill
+{
+    [Service(Permission = Manifest.Permission.BindCredentialProviderService, Label = "Bitwarden", Exported = true)]
+    [IntentFilter(new string[] { "android.service.credentials.CredentialProviderService" })]
+    [MetaData("android.credentials.provider", Resource = "@xml/provider")]
+    [Register("com.x8bit.bitwarden.Autofill.CredentialProviderService")]
+    public class CredentialProviderService : AndroidX.Credentials.Provider.CredentialProviderService
+    {
+        private const string GetPasskeyIntentAction = "PACKAGE_NAME.GET_PASSKEY";
+        private const int UniqueRequestCode = 94556023;
+
+        private ICipherService _cipherService;
+        private IUserVerificationService _userVerificationService;
+        private IVaultTimeoutService _vaultTimeoutService;
+        private LazyResolve<ILogger> _logger = new LazyResolve<ILogger>("logger");
+
+        public override async void OnBeginCreateCredentialRequest(BeginCreateCredentialRequest request,
+            CancellationSignal cancellationSignal, IOutcomeReceiver callback) => throw new NotImplementedException();
+
+        public override async void OnBeginGetCredentialRequest(BeginGetCredentialRequest request,
+            CancellationSignal cancellationSignal, IOutcomeReceiver callback)
+        {
+            try
+            {
+                _vaultTimeoutService ??= ServiceContainer.Resolve<IVaultTimeoutService>();
+
+                await _vaultTimeoutService.CheckVaultTimeoutAsync();
+                var locked = await _vaultTimeoutService.IsLockedAsync();
+                if (!locked)
+                {
+                    var response = await ProcessGetCredentialsRequestAsync(request);
+                    callback.OnResult(response);
+                }
+                // TODO handle auth/unlock account flow
+            }
+            catch (GetCredentialException e)
+            {
+                _logger.Value.Exception(e);
+                callback.OnError(e.ErrorMessage ?? "Error getting credentials");
+            }
+            catch (Exception e)
+            {
+                _logger.Value.Exception(e);
+                throw;
+            }
+        }
+
+        private async Task<BeginGetCredentialResponse> ProcessGetCredentialsRequestAsync(
+            BeginGetCredentialRequest request)
+        {
+            IList<CredentialEntry> credentialEntries = null;
+
+            foreach (var option in request.BeginGetCredentialOptions)
+            {
+                var credentialOption = option as BeginGetPublicKeyCredentialOption;
+                if (credentialOption != null)
+                {
+                    credentialEntries ??= new List<CredentialEntry>();
+                    ((List<CredentialEntry>)credentialEntries).AddRange(
+                        await PopulatePasskeyDataAsync(request.CallingAppInfo, credentialOption));
+                }
+            }
+
+            if (credentialEntries == null)
+            {
+                return new BeginGetCredentialResponse();
+            }
+
+            return new BeginGetCredentialResponse.Builder()
+                .SetCredentialEntries(credentialEntries)
+                .Build();
+        }
+
+        private async Task<List<CredentialEntry>> PopulatePasskeyDataAsync(CallingAppInfo callingAppInfo,
+            BeginGetPublicKeyCredentialOption option)
+        {
+            var packageName = callingAppInfo.PackageName;
+            var origin = callingAppInfo.Origin;
+            var signingInfo = callingAppInfo.SigningInfo;
+
+            var request = new PublicKeyCredentialRequestOptions(option.RequestJson);
+
+            var passkeyEntries = new List<CredentialEntry>();
+
+            _cipherService ??= ServiceContainer.Resolve<ICipherService>();
+            var ciphers = await _cipherService.GetAllDecryptedForUrlAsync(origin);
+            if (ciphers == null)
+            {
+                return passkeyEntries;
+            }
+
+            var passkeyCiphers = ciphers.Where(cipher => cipher.HasFido2Credential).ToList();
+            if (!passkeyCiphers.Any())
+            {
+                return passkeyEntries;
+            }
+
+            foreach (var cipher in passkeyCiphers)
+            {
+                var passkeyEntry = GetPasskey(cipher, option);
+                passkeyEntries.Add(passkeyEntry);
+            }
+
+            return passkeyEntries;
+        }
+
+        private PublicKeyCredentialEntry GetPasskey(CipherView cipher, BeginGetPublicKeyCredentialOption option)
+        {
+            var credDataBundle = new Bundle();
+            credDataBundle.PutString(CredentialProviderConstants.CredentialIdIntentExtra,
+                cipher.Login.MainFido2Credential.CredentialId);
+
+            var intent = new Intent(ApplicationContext, typeof(CredentialProviderSelectionActivity))
+                .SetAction(GetPasskeyIntentAction).SetPackage(Constants.PACKAGE_NAME);
+            intent.PutExtra(CredentialProviderConstants.CredentialDataIntentExtra, credDataBundle);
+            intent.PutExtra(CredentialProviderConstants.CredentialProviderCipherId, cipher.Id);
+            var pendingIntent = PendingIntent.GetActivity(ApplicationContext, UniqueRequestCode, intent,
+                PendingIntentFlags.Mutable | PendingIntentFlags.UpdateCurrent);
+
+            return new PublicKeyCredentialEntry.Builder(
+                    ApplicationContext,
+                    cipher.Login.Username ?? "No username",
+                    pendingIntent,
+                    option)
+                .SetDisplayName(cipher.Name)
+                .SetIcon(Icon.CreateWithResource(ApplicationContext, Resource.Drawable.icon))
+                .Build();
+        }
+
+        public override void OnClearCredentialStateRequest(ProviderClearCredentialStateRequest request,
+            CancellationSignal cancellationSignal, IOutcomeReceiver callback) => throw new NotImplementedException();
+    }
+}
--- a/src/App/Platforms/Android/Resources/xml/provider.xml
+++ b/src/App/Platforms/Android/Resources/xml/provider.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<credential-provider xmlns:android="http://schemas.android.com/apk/res/android">
+    <capabilities>
+        <capability name="androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" />
+    </capabilities>
+</credential-provider>
--- a/src/App/Platforms/Android/Services/AutofillHandler.cs
+++ b/src/App/Platforms/Android/Services/AutofillHandler.cs
@@ -37,6 +37,23 @@ namespace Bit.Droid.Services
            _eventService = eventService;
        }

+        public bool CredentialProviderServiceEnabled()
+        {
+            if (Build.VERSION.SdkInt < BuildVersionCodes.UpsideDownCake)
+            {
+                return false;
+            }
+            try
+            {
+                // TODO - find a way to programmatically check if the credential provider service is enabled
+                return false;
+            }
+            catch
+            {
+                return false;
+            }
+        }
+
        public bool AutofillServiceEnabled()
        {
            if (Build.VERSION.SdkInt < BuildVersionCodes.O)
@@ -163,7 +180,14 @@ namespace Bit.Droid.Services
            return Accessibility.AccessibilityHelpers.OverlayPermitted();
        }

-        
+        public void DisableCredentialProviderService()
+        {
+            try
+            {
+                // TODO - find a way to programmatically disable the provider service, or take the user to the settings page where they can do it
+            }
+            catch { }
+        }

        public void DisableAutofillService()
        {
--- a/src/App/Platforms/Android/Services/DeviceActionService.cs
+++ b/src/App/Platforms/Android/Services/DeviceActionService.cs
@@ -11,6 +11,7 @@ using Android.Text.Method;
 using Android.Views;
 using Android.Views.InputMethods;
 using Android.Widget;
+using AndroidX.Credentials;
 using Bit.App.Abstractions;
 using Bit.Core.Resources.Localization;
 using Bit.App.Utilities;
@@ -490,6 +491,27 @@ namespace Bit.Droid.Services
            }
        }

+        public void OpenCredentialProviderSettings()
+        {
+            var activity = (MainActivity)Microsoft.Maui.ApplicationModel.Platform.CurrentActivity;
+            try
+            {
+                var pendingIntent = CredentialManager.Create(activity).CreateSettingsPendingIntent();
+                pendingIntent.Send();
+            }
+            catch (ActivityNotFoundException)
+            {
+                var alertBuilder = new AlertDialog.Builder(activity);
+                alertBuilder.SetMessage(AppResources.BitwardenCredentialProviderGoToSettings);
+                alertBuilder.SetCancelable(true);
+                alertBuilder.SetPositiveButton(AppResources.Ok, (sender, args) =>
+                {
+                    (sender as AlertDialog)?.Cancel();
+                });
+                alertBuilder.Create().Show();
+            }
+        }
+
        public void OpenAccessibilitySettings()
        {
            try
@@ -548,6 +570,8 @@ namespace Bit.Droid.Services
            return true;
        }

+        public bool SupportsCredentialProviderService() => Build.VERSION.SdkInt >= BuildVersionCodes.UpsideDownCake;
+
        public bool SupportsAutofillServices() => Build.VERSION.SdkInt >= BuildVersionCodes.O;

        public bool SupportsInlineAutofill() => Build.VERSION.SdkInt >= BuildVersionCodes.R;
--- a/src/App/Platforms/iOS/AppDelegate.cs
+++ b/src/App/Platforms/iOS/AppDelegate.cs
@@ -88,7 +88,7 @@ namespace Bit.iOS
                                Core.Constants.AutofillNeedsIdentityReplacementKey);
                            if (needsAutofillReplacement.GetValueOrDefault())
                            {
-                                await ASHelpers.ReplaceAllIdentities();
+                                await ASHelpers.ReplaceAllIdentitiesAsync();
                            }
                        }
                        else if (message.Command == "showAppExtension")
@@ -102,7 +102,7 @@ namespace Bit.iOS
                                var success = value as bool?;
                                if (success.GetValueOrDefault() && _deviceActionService.SystemMajorVersion() >= 12)
                                {
-                                    await ASHelpers.ReplaceAllIdentities();
+                                    await ASHelpers.ReplaceAllIdentitiesAsync();
                                }
                            }
                        }
@@ -114,22 +114,21 @@ namespace Bit.iOS
                                return;
                            }

-                            if (await ASHelpers.IdentitiesCanIncremental())
+                            if (await ASHelpers.IdentitiesSupportIncrementalAsync())
                            {
                                var cipherId = message.Data as string;
                                if (message.Command == "addedCipher" && !string.IsNullOrWhiteSpace(cipherId))
                                {
-                                    var identity = await ASHelpers.GetCipherIdentityAsync(cipherId);
+                                    var identity = await ASHelpers.GetCipherPasswordIdentityAsync(cipherId);
                                    if (identity == null)
                                    {
                                        return;
                                    }
-                                    await ASCredentialIdentityStore.SharedStore?.SaveCredentialIdentitiesAsync(
-                                        new ASPasswordCredentialIdentity[] { identity });
+                                    await ASCredentialIdentityStoreExtensions.SaveCredentialIdentitiesAsync(identity);
                                    return;
                                }
                            }
-                            await ASHelpers.ReplaceAllIdentities();
+                            await ASHelpers.ReplaceAllIdentitiesAsync();
                        }
                        else if (message.Command == "deletedCipher" || message.Command == "softDeletedCipher")
                        {
@@ -138,28 +137,27 @@ namespace Bit.iOS
                                return;
                            }

-                            if (await ASHelpers.IdentitiesCanIncremental())
+                            if (await ASHelpers.IdentitiesSupportIncrementalAsync())
                            {
-                                var identity = ASHelpers.ToCredentialIdentity(
+                                var identity = ASHelpers.ToPasswordCredentialIdentity(
                                    message.Data as Bit.Core.Models.View.CipherView);
                                if (identity == null)
                                {
                                    return;
                                }
-                                await ASCredentialIdentityStore.SharedStore?.RemoveCredentialIdentitiesAsync(
-                                    new ASPasswordCredentialIdentity[] { identity });
+                                await ASCredentialIdentityStoreExtensions.RemoveCredentialIdentitiesAsync(identity);
                                return;
                            }
-                            await ASHelpers.ReplaceAllIdentities();
+                            await ASHelpers.ReplaceAllIdentitiesAsync();
                        }
                        else if (message.Command == "logout" && UIDevice.CurrentDevice.CheckSystemVersion(12, 0))
                        {
-                            await ASCredentialIdentityStore.SharedStore?.RemoveAllCredentialIdentitiesAsync();
+                            await ASCredentialIdentityStore.SharedStore.RemoveAllCredentialIdentitiesAsync();
                        }
                        else if ((message.Command == "softDeletedCipher" || message.Command == "restoredCipher")
                            && UIDevice.CurrentDevice.CheckSystemVersion(12, 0))
                        {
-                            await ASHelpers.ReplaceAllIdentities();
+                            await ASHelpers.ReplaceAllIdentitiesAsync();
                        }
                        else if (message.Command == AppHelpers.VAULT_TIMEOUT_ACTION_CHANGED_MESSAGE_COMMAND)
                        {
@@ -168,12 +166,12 @@ namespace Bit.iOS
                            {
                                if (UIDevice.CurrentDevice.CheckSystemVersion(12, 0))
                                {
-                                    await ASCredentialIdentityStore.SharedStore?.RemoveAllCredentialIdentitiesAsync();
+                                    await ASCredentialIdentityStore.SharedStore.RemoveAllCredentialIdentitiesAsync();
                                }
                            }
                            else
                            {
-                                await ASHelpers.ReplaceAllIdentities();
+                                await ASHelpers.ReplaceAllIdentitiesAsync();
                            }
                        }
                    }
--- a/src/Core/Abstractions/IAutofillHandler.cs
+++ b/src/Core/Abstractions/IAutofillHandler.cs
@@ -4,6 +4,7 @@ namespace Bit.Core.Abstractions
 {
    public interface IAutofillHandler
    {
+        bool CredentialProviderServiceEnabled();
        bool AutofillServicesEnabled();
        bool SupportsAutofillService();
        void Autofill(CipherView cipher);
@@ -11,6 +12,7 @@ namespace Bit.Core.Abstractions
        bool AutofillAccessibilityServiceRunning();
        bool AutofillAccessibilityOverlayPermitted();
        bool AutofillServiceEnabled();
+        void DisableCredentialProviderService();
        void DisableAutofillService();
    }
 }
--- a/src/Core/Abstractions/ICryptoFunctionService.cs
+++ b/src/Core/Abstractions/ICryptoFunctionService.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Threading.Tasks;
 using Bit.Core.Enums;
+using Bit.Core.Models.Domain;

 namespace Bit.Core.Abstractions
 {
--- a/src/Core/Abstractions/IDeviceActionService.cs
+++ b/src/Core/Abstractions/IDeviceActionService.cs
@@ -28,6 +28,7 @@ namespace Bit.App.Abstractions
        bool SupportsNfc();
        bool SupportsCamera();
        bool SupportsFido2();
+        bool SupportsCredentialProviderService();
        bool SupportsAutofillServices();
        bool SupportsInlineAutofill();
        bool SupportsDrawOver();
@@ -36,6 +37,7 @@ namespace Bit.App.Abstractions
        void RateApp();
        void OpenAccessibilitySettings();
        void OpenAccessibilityOverlayPermissionSettings();
+        void OpenCredentialProviderSettings();
        void OpenAutofillSettings();
        long GetActiveTime();
        void CloseMainApp();
--- a/src/Core/Abstractions/IFido2AuthenticationService.cs
+++ b/src/Core/Abstractions/IFido2AuthenticationService.cs
@@ -0,0 +1,9 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    public interface IFido2AuthenticationService
+    {
+        Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams);
+    }
+}
--- a/src/Core/Abstractions/IFido2AuthenticatorService.cs
+++ b/src/Core/Abstractions/IFido2AuthenticatorService.cs
@@ -0,0 +1,13 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    public interface IFido2AuthenticatorService
+    {
+        void Init(IFido2UserInterface userInterface);
+        Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams);
+        Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams);
+        // TODO: Should this return a List? Or maybe IEnumerable?
+        Task<Fido2AuthenticatorDiscoverableCredentialMetadata[]> SilentCredentialDiscoveryAsync(string rpId);
+    }
+}
--- a/src/Core/Abstractions/IFido2ClientService.cs
+++ b/src/Core/Abstractions/IFido2ClientService.cs
@@ -0,0 +1,35 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    /// <summary>
+    /// This class represents an abstraction of the WebAuthn Client as described by W3C:
+    /// https://www.w3.org/TR/webauthn-3/#webauthn-client
+    ///
+    /// The WebAuthn Client is an intermediary entity typically implemented in the user agent
+    /// (in whole, or in part). Conceptually, it underlies the Web Authentication API and embodies
+    /// the implementation of the Web Authentication API's operations.
+    ///
+    /// It is responsible for both marshalling the inputs for the underlying authenticator operations,
+    /// and for returning the results of the latter operations to the Web Authentication API's callers.
+    /// </summary>
+    public interface IFido2ClientService
+    {
+        /// <summary>
+        /// Allows WebAuthn Relying Party scripts to request the creation of a new public key credential source.
+        /// For more information please see: https://www.w3.org/TR/webauthn-3/#sctn-createCredential
+        /// </summary>
+        /// <param name="createCredentialParams">The parameters for the credential creation operation</param>
+        /// <returns>The new credential</returns>
+        Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams);
+
+        /// <summary>
+        /// Allows WebAuthn Relying Party scripts to discover and use an existing public key credential, with the user’s consent.
+        /// Relying Party script can optionally specify some criteria to indicate what credential sources are acceptable to it.
+        /// For more information please see: https://www.w3.org/TR/webauthn-3/#sctn-getAssertion
+        /// </summary>
+        /// <param name="assertCredentialParams">The parameters for the credential assertion operation</param>
+        /// <returns>The asserted credential</returns>
+        Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams);
+    }
+}
--- a/src/Core/Abstractions/IFido2UserInterface.cs
+++ b/src/Core/Abstractions/IFido2UserInterface.cs
@@ -0,0 +1,100 @@
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Abstractions
+{
+    /// <summary>
+    /// Parameters used to ask the user to pick a credential from a list of existing credentials.
+    /// </summary>
+    public struct Fido2PickCredentialParams
+    {
+        /// <summary>
+        /// The IDs of the credentials that the user can pick from.
+        /// </summary>
+        public string[] CipherIds { get; set; }
+
+        /// <summary>
+        /// Whether or not the user must be verified before completing the operation.
+        /// </summary>
+        public bool UserVerification { get; set; }
+    }
+
+    /// <summary>
+    /// The result of asking the user to pick a credential from a list of existing credentials.
+    /// </summary>
+    public struct Fido2PickCredentialResult
+    {
+        /// <summary>
+        /// The ID of the cipher that contains the credentials the user picked.
+        /// </summary>
+        public string CipherId { get; set; }
+
+        /// <summary>
+        /// Whether or not the user was verified before completing the operation.
+        /// </summary>
+        public bool UserVerified { get; set; }
+    }
+
+    public struct Fido2ConfirmNewCredentialParams
+    {
+        ///<summary>
+        /// The name of the credential.
+        ///</summary>
+        public string CredentialName { get; set; }
+
+        ///<summary>
+        /// The name of the user.
+        ///</summary>
+        public string UserName { get; set; }
+
+        /// <summary>
+        /// Whether or not the user must be verified before completing the operation.
+        /// </summary>
+        public bool UserVerification { get; set; }
+
+        public string RpId { get; set; }
+    }
+
+    public struct Fido2ConfirmNewCredentialResult
+    {
+        /// <summary>
+        /// The name of the user.
+        /// </summary>
+        public string CipherId { get; set; }
+
+        /// <summary>
+        /// Whether or not the user was verified.
+        /// </summary>
+        public bool UserVerified { get; set; }
+    }
+
+    public interface IFido2UserInterface
+    {
+        /// <summary>
+        /// Ask the user to pick a credential from a list of existing credentials.
+        /// </summary>
+        /// <param name="pickCredentialParams">The parameters to use when asking the user to pick a credential.</param>
+        /// <returns>The ID of the cipher that contains the credentials the user picked.</returns>
+        Task<Fido2PickCredentialResult> PickCredentialAsync(Fido2PickCredentialParams pickCredentialParams);
+
+        /// <summary>
+        /// Inform the user that the operation was cancelled because their vault contains excluded credentials.
+        /// </summary>
+        /// <param name="existingCipherIds">The IDs of the excluded credentials.</param>
+        /// <returns>When user has confirmed the message</returns>
+        Task InformExcludedCredential(string[] existingCipherIds);
+
+        /// <summary>
+        /// Ask the user to confirm the creation of a new credential.
+        /// </summary>
+        /// <param name="confirmNewCredentialParams">The parameters to use when asking the user to confirm the creation of a new credential.</param>
+        /// <returns>The ID of the cipher where the new credential should be saved.</returns>
+        Task<Fido2ConfirmNewCredentialResult> ConfirmNewCredentialAsync(Fido2ConfirmNewCredentialParams confirmNewCredentialParams);
+
+        /// <summary>
+        /// Make sure that the vault is unlocked.
+        /// This should open a window and ask the user to login or unlock the vault if necessary.
+        /// </summary>
+        /// <returns>When vault has been unlocked.</returns>
+        Task EnsureUnlockedVaultAsync();
+    }
+}
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -34,6 +34,7 @@
 	  <PackageReference Include="CsvHelper" Version="30.0.1" />
 	  <PackageReference Include="LiteDB" Version="5.0.17" />
 	  <PackageReference Include="PCLCrypto" Version="2.1.40-alpha" />
+	  <PackageReference Include="System.Formats.Cbor" Version="8.0.0" />
 	  <PackageReference Include="zxcvbn-core" Version="7.0.92" />
 	  <PackageReference Include="MessagePack.MSBuild.Tasks" Version="2.5.124">
 	    <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
@@ -52,6 +53,7 @@
 	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">
 	  <PackageReference Include="Xamarin.AndroidX.AutoFill" Version="1.1.0.18" />
 	  <PackageReference Include="Xamarin.AndroidX.Activity.Ktx" Version="1.7.2.1" />
+      <PackageReference Include="Xamarin.AndroidX.Credentials" Version="1.0.0" />
 	</ItemGroup>
 	<ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android' AND !$(DefineConstants.Contains(FDROID))">
 	  <PackageReference Include="Xamarin.GooglePlayServices.SafetyNet" Version="118.0.1.5" />
@@ -75,6 +77,7 @@
    <Folder Include="Utilities\Automation\" />
    <Folder Include="Utilities\Prompts\" />
    <Folder Include="Resources\Localization\" />
+    <Folder Include="Utilities\Fido2\" />
    <Folder Include="Controls\Picker\" />
    <Folder Include="Controls\Avatar\" />
  </ItemGroup>
@@ -105,6 +108,7 @@
 	  </MauiXaml>
 	</ItemGroup>
 	<ItemGroup>
+	  <None Remove="Utilities\Fido2\" />
 	  <None Remove="Controls\Picker\" />
 	  <None Remove="Controls\Avatar\" />
 	</ItemGroup>
--- a/src/Core/Models/Api/Fido2CredentialApi.cs
+++ b/src/Core/Models/Api/Fido2CredentialApi.cs
@@ -1,5 +1,4 @@
-using System;
-using Bit.Core.Models.Domain;
+using Bit.Core.Models.Domain;

 namespace Bit.Core.Models.Api
 {
@@ -21,6 +20,7 @@ namespace Bit.Core.Models.Api
            RpName = fido2Key.RpName?.EncryptedString;
            UserHandle = fido2Key.UserHandle?.EncryptedString;
            UserName = fido2Key.UserName?.EncryptedString;
+            UserDisplayName = fido2Key.UserDisplayName?.EncryptedString;
            Counter = fido2Key.Counter?.EncryptedString;
            CreationDate = fido2Key.CreationDate;
        }
@@ -35,6 +35,7 @@ namespace Bit.Core.Models.Api
        public string RpName { get; set; }
        public string UserHandle { get; set; }
        public string UserName { get; set; }
+        public string UserDisplayName { get; set; }
        public string Counter { get; set; }
        public DateTime CreationDate { get; set; }
    }
--- a/src/Core/Models/Data/Fido2CredentialData.cs
+++ b/src/Core/Models/Data/Fido2CredentialData.cs
@@ -19,6 +19,7 @@ namespace Bit.Core.Models.Data
            RpName = apiData.RpName;
            UserHandle = apiData.UserHandle;
            UserName = apiData.UserName;
+            UserDisplayName = apiData.UserDisplayName;
            Counter = apiData.Counter;
            CreationDate = apiData.CreationDate;
        }
@@ -33,6 +34,7 @@ namespace Bit.Core.Models.Data
        public string RpName { get; set; }
        public string UserHandle { get; set; }
        public string UserName { get; set; }
+        public string UserDisplayName { get; set; }
        public string Counter { get; set; }
        public DateTime CreationDate { get; set; }
    }
--- a/src/Core/Models/Domain/Fido2Credential.cs
+++ b/src/Core/Models/Domain/Fido2Credential.cs
@@ -1,8 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
-using Bit.Core.Models.Data;
+using Bit.Core.Models.Data;
 using Bit.Core.Models.View;

 namespace Bit.Core.Models.Domain
@@ -21,6 +17,7 @@ namespace Bit.Core.Models.Domain
            nameof(RpName),
            nameof(UserHandle),
            nameof(UserName),
+            nameof(UserDisplayName),
            nameof(Counter)
        };

@@ -48,6 +45,7 @@ namespace Bit.Core.Models.Domain
        public EncString RpName { get; set; }
        public EncString UserHandle { get; set; }
        public EncString UserName { get; set; }
+        public EncString UserDisplayName { get; set; }
        public EncString Counter { get; set; }
        public DateTime CreationDate { get; set; }

--- a/src/Core/Models/View/CipherView.cs
+++ b/src/Core/Models/View/CipherView.cs
@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 using Bit.Core.Models.Domain;

 namespace Bit.Core.Models.View
--- a/src/Core/Models/View/Fido2CredentialView.cs
+++ b/src/Core/Models/View/Fido2CredentialView.cs
@@ -1,7 +1,7 @@
-using System;
-using System.Collections.Generic;
+using System.Text.Json.Serialization;
 using Bit.Core.Enums;
 using Bit.Core.Models.Domain;
+using Bit.Core.Utilities;

 namespace Bit.Core.Models.View
 {
@@ -26,13 +26,40 @@ namespace Bit.Core.Models.View
        public string RpName { get; set; }
        public string UserHandle { get; set; }
        public string UserName { get; set; }
+        public string UserDisplayName { get; set; }
        public string Counter { get; set; }
        public DateTime CreationDate { get; set; }

+        [JsonIgnore]
+        public int CounterValue {
+            get => int.TryParse(Counter, out var counter) ? counter : 0;
+            set => Counter = value.ToString();
+        }
+
+        [JsonIgnore]
+        public byte[] UserHandleValue {
+            get => UserHandle == null ? null : CoreHelpers.Base64UrlDecode(UserHandle);
+            set => UserHandle = value == null ? null : CoreHelpers.Base64UrlEncode(value);
+        }
+
+        [JsonIgnore]
+        public byte[] KeyBytes {
+            get => KeyValue == null ? null : CoreHelpers.Base64UrlDecode(KeyValue);
+            set => KeyValue = value == null ? null : CoreHelpers.Base64UrlEncode(value);
+        }
+
+        [JsonIgnore]
+        public bool DiscoverableValue {
+            get => bool.TryParse(Discoverable, out var discoverable) && discoverable;
+            set => Discoverable = value.ToString().ToLower(); // must be lowercase so it can be parsed in the current version of clients
+        }
+
+        [JsonIgnore]
        public override string SubTitle => UserName;
        public override List<KeyValuePair<string, LinkedIdType>> LinkedFieldOptions => new List<KeyValuePair<string, LinkedIdType>>();
-        public bool IsDiscoverable => !string.IsNullOrWhiteSpace(Discoverable);
+        [JsonIgnore]
        public bool CanLaunch => !string.IsNullOrEmpty(RpId);
+        [JsonIgnore]
        public string LaunchUri => $"https://{RpId}";

        public bool IsUniqueAgainst(Fido2CredentialView fido2View) => fido2View?.RpId != RpId || fido2View?.UserName != UserName;
--- a/src/Core/Pages/Accounts/EnvironmentPage.xaml
+++ b/src/Core/Pages/Accounts/EnvironmentPage.xaml
@@ -21,6 +21,10 @@
    <ScrollView>
        <StackLayout Spacing="20">
            <StackLayout StyleClass="box">
+                <StackLayout StyleClass="box-row-header">
+                    <Label Text="MAUI APP"
+                           StyleClass="box-header, box-header-platform" />
+                </StackLayout>
                <StackLayout StyleClass="box-row-header">
                    <Label Text="{u:I18n SelfHostedEnvironment, Header=True}"
                           StyleClass="box-header, box-header-platform" />
--- a/src/Core/Pages/Settings/AboutSettingsPageViewModel.cs
+++ b/src/Core/Pages/Settings/AboutSettingsPageViewModel.cs
@@ -68,7 +68,8 @@ namespace Bit.App.Pages
        {
            get
            {
-                var appInfo = string.Format("{0}: {1} ({2})",
+                // TODO: REMOVE WHEN MERGED INTO MAIN BRANCH
+                var appInfo = string.Format("MAUI {0}: {1} ({2})",
                    AppResources.Version,
                    _platformUtilsService.GetApplicationVersion(),
                    _deviceActionService.GetBuildNumber());
--- a/src/Core/Pages/Settings/AutofillSettingsPage.xaml
+++ b/src/Core/Pages/Settings/AutofillSettingsPage.xaml
@@ -19,6 +19,15 @@
                Text="{u:I18n Autofill}"
                StyleClass="settings-header" />

+            <controls:SwitchItemView
+                Title="{u:I18n CredentialProviderService}"
+                Subtitle="{u:I18n CredentialProviderServiceExplanationLong}"
+                IsVisible="{Binding SupportsCredentialProviderService}"
+                IsToggled="{Binding UseCredentialProviderService}"
+                AutomationId="CredentialProviderServiceSwitch"
+                StyleClass="settings-item-view"
+                HorizontalOptions="FillAndExpand" />
+
            <controls:SwitchItemView
                Title="{u:I18n AutofillServices}"
                Subtitle="{u:I18n AutofillServicesExplanationLong}"
--- a/src/Core/Pages/Settings/AutofillSettingsPageViewModel.android.cs
+++ b/src/Core/Pages/Settings/AutofillSettingsPageViewModel.android.cs
@@ -6,12 +6,27 @@ namespace Bit.App.Pages
 {
    public partial class AutofillSettingsPageViewModel
    {
+        private bool _useCredentialProviderService;
        private bool _useAutofillServices;
        private bool _useInlineAutofill;
        private bool _useAccessibility;
        private bool _useDrawOver;
        private bool _askToAddLogin;

+        public bool SupportsCredentialProviderService => DeviceInfo.Platform == DevicePlatform.Android && _deviceActionService.SupportsCredentialProviderService();
+
+        public bool UseCredentialProviderService
+        {
+            get => _useCredentialProviderService;
+            set
+            {
+                if (SetProperty(ref _useCredentialProviderService, value))
+                {
+                    ((ICommand)ToggleUseCredentialProviderServiceCommand).Execute(null);
+                }
+            }
+        }
+
        public bool SupportsAndroidAutofillServices => DeviceInfo.Platform == DevicePlatform.Android && _deviceActionService.SupportsAutofillServices();

        public bool UseAutofillServices
@@ -84,6 +99,7 @@ namespace Bit.App.Pages
            }
        }

+        public AsyncRelayCommand ToggleUseCredentialProviderServiceCommand { get; private set; }
        public AsyncRelayCommand ToggleUseAutofillServicesCommand { get; private set; }
        public AsyncRelayCommand ToggleUseInlineAutofillCommand { get; private set; }
        public AsyncRelayCommand ToggleUseAccessibilityCommand { get; private set; }
@@ -93,6 +109,7 @@ namespace Bit.App.Pages

        private void InitAndroidCommands()
        {
+            ToggleUseCredentialProviderServiceCommand = CreateDefaultAsyncRelayCommand(() => MainThread.InvokeOnMainThreadAsync(() => ToggleUseCredentialProviderService()), () => _inited, allowsMultipleExecutions: false);
            ToggleUseAutofillServicesCommand = CreateDefaultAsyncRelayCommand(() => MainThread.InvokeOnMainThreadAsync(() => ToggleUseAutofillServices()), () => _inited, allowsMultipleExecutions: false);
            ToggleUseInlineAutofillCommand = CreateDefaultAsyncRelayCommand(() => MainThread.InvokeOnMainThreadAsync(() => ToggleUseInlineAutofillEnabledAsync()), () => _inited, allowsMultipleExecutions: false);
            ToggleUseAccessibilityCommand = CreateDefaultAsyncRelayCommand(ToggleUseAccessibilityAsync, () => _inited, allowsMultipleExecutions: false);
@@ -115,6 +132,9 @@ namespace Bit.App.Pages

        private async Task UpdateAndroidAutofillSettingsAsync()
        {
+            // TODO - uncomment once _autofillHandler.CredentialProviderServiceEnabled() returns a real value
+            // _useCredentialProviderService = 
+            //     SupportsCredentialProviderService && _autofillHandler.CredentialProviderServiceEnabled();
            _useAutofillServices =
                _autofillHandler.SupportsAutofillService() && _autofillHandler.AutofillServiceEnabled();
            _useAccessibility = _autofillHandler.AutofillAccessibilityServiceRunning();
@@ -123,6 +143,7 @@ namespace Bit.App.Pages

            await MainThread.InvokeOnMainThreadAsync(() =>
            {
+                TriggerPropertyChanged(nameof(UseCredentialProviderService));
                TriggerPropertyChanged(nameof(UseAutofillServices));
                TriggerPropertyChanged(nameof(UseAccessibility));
                TriggerPropertyChanged(nameof(UseDrawOver));
@@ -130,6 +151,18 @@ namespace Bit.App.Pages
            });
        }

+        private void ToggleUseCredentialProviderService()
+        {
+            if (UseCredentialProviderService)
+            {
+                _deviceActionService.OpenCredentialProviderSettings();
+            }
+            else
+            {
+                _autofillHandler.DisableCredentialProviderService();
+            }
+        }
+
        private void ToggleUseAutofillServices()
        {
            if (UseAutofillServices)
--- a/src/Core/Resources/Localization/AppResources.Designer.cs
+++ b/src/Core/Resources/Localization/AppResources.Designer.cs
@@ -166,6 +166,15 @@ namespace Bit.Core.Resources.Localization {
            }
        }
        
+        /// <summary>
+        ///   Looks up a localized string similar to Credential Provider service
+        /// </summary>
+        public static string CredentialProviderService {
+            get {
+                return ResourceManager.GetString("CredentialProviderService", resourceCulture);
+            }
+        }
+        
        /// <summary>
        ///   Looks up a localized string similar to Bitwarden needs attention - See &quot;Auto-fill Accessibility Service&quot; from Bitwarden settings.
        /// </summary>
@@ -7685,6 +7694,15 @@ namespace Bit.Core.Resources.Localization {
            }
        }
        
+        /// <summary>
+        ///   Looks up a localized string similar to We were unable to automatically open the Android credential provider settings menu for you. You can navigate to the credential provider settings menu manually from Android Settings &gt; System &gt; Passwords &amp; accounts &gt; Passwords, passkeys and data services.
+        /// </summary>
+        public static string BitwardenCredentialProviderGoToSettings {
+            get {
+                return ResourceManager.GetString("BitwardenCredentialProviderGoToSettings", resourceCulture);
+            }
+        }
+        
        /// <summary>
        ///   Looks up a localized string similar to Word separator.
        /// </summary>
@@ -7703,6 +7721,15 @@ namespace Bit.Core.Resources.Localization {
            }
        }
        
+        /// <summary>
+        ///   Looks up a localized string similar to The Android Credential Provider is used for managing passkeys for use with websites and other apps on your device.
+        /// </summary>
+        public static string CredentialProviderServiceExplanationLong {
+            get {
+                return ResourceManager.GetString("CredentialProviderServiceExplanationLong", resourceCulture);
+            }
+        }
+        
        /// <summary>
        ///   Looks up a localized string similar to {0} hours and one minute.
        /// </summary>
--- a/src/Core/Resources/Localization/AppResources.resx
+++ b/src/Core/Resources/Localization/AppResources.resx
@@ -1191,6 +1191,9 @@ Scanning will happen automatically.</value>
  <data name="WindowsHello" xml:space="preserve">
    <value>Windows Hello</value>
  </data>
+  <data name="BitwardenCredentialProviderGoToSettings" xml:space="preserve">
+    <value>We were unable to automatically open the Android credential provider settings menu for you. You can navigate to the credential provider settings menu manually from Android Settings &gt; System &gt; Passwords &amp; accounts &gt; Passwords, passkeys and data services.</value>
+  </data>
  <data name="BitwardenAutofillGoToSettings" xml:space="preserve">
    <value>We were unable to automatically open the Android autofill settings menu for you. You can navigate to the autofill settings menu manually from Android Settings &gt; System &gt; Languages and input &gt; Advanced &gt; Autofill service.</value>
  </data>
@@ -1816,6 +1819,9 @@ Scanning will happen automatically.</value>
  <data name="AccessibilityDrawOverPermissionAlert" xml:space="preserve">
    <value>Bitwarden needs attention - Turn on "Draw-Over" in "Auto-fill Services" from Bitwarden Settings</value>
  </data>
+  <data name="CredentialProviderService" xml:space="preserve">
+    <value>Credential Provider service</value>
+  </data>
  <data name="AutofillServices" xml:space="preserve">
    <value>Auto-fill services</value>
  </data>
@@ -2799,6 +2805,9 @@ Do you want to switch to this account?</value>
  <data name="XHours" xml:space="preserve">
    <value>{0} hours</value>
  </data>
+  <data name="CredentialProviderServiceExplanationLong" xml:space="preserve">
+    <value>The Android Credential Provider is used for managing passkeys for use with websites and other apps on your device.</value>
+  </data>
  <data name="AutofillServicesExplanationLong" xml:space="preserve">
    <value>The Android Autofill Framework is used to assist in filling login information into other apps on your device.</value>
  </data>
--- a/src/Core/Services/Fido2AuthenticationService.cs
+++ b/src/Core/Services/Fido2AuthenticationService.cs
@@ -0,0 +1,18 @@
+using Bit.Core.Abstractions;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Services
+{
+    public class Fido2AuthenticationService : IFido2AuthenticationService
+    {
+        public Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams)
+        {
+            // TODO: IMPLEMENT this
+            return Task.FromResult(new Fido2AuthenticatorGetAssertionResult
+            {
+                AuthenticatorData = new byte[32],
+                Signature = new byte[8]
+            });
+        }
+    }
+}
--- a/src/Core/Services/Fido2AuthenticatorService.cs
+++ b/src/Core/Services/Fido2AuthenticatorService.cs
@@ -0,0 +1,574 @@
+using Bit.Core.Abstractions;
+using Bit.Core.Models.View;
+using Bit.Core.Enums;
+using Bit.Core.Utilities.Fido2;
+using Bit.Core.Utilities;
+using System.Formats.Cbor;
+using System.Security.Cryptography;
+
+namespace Bit.Core.Services
+{
+    public class Fido2AuthenticatorService: IFido2AuthenticatorService
+    {
+        // AAGUID: d548826e-79b4-db40-a3d8-11116f7e8349
+        public static readonly byte[] AAGUID = new byte[] { 0xd5, 0x48, 0x82, 0x6e, 0x79, 0xb4, 0xdb, 0x40, 0xa3, 0xd8, 0x11, 0x11, 0x6f, 0x7e, 0x83, 0x49 };
+
+        private readonly ICipherService _cipherService;
+        private readonly ISyncService _syncService;
+        private readonly ICryptoFunctionService _cryptoFunctionService;
+        private IFido2UserInterface _userInterface;
+
+        public Fido2AuthenticatorService(ICipherService cipherService, ISyncService syncService, ICryptoFunctionService cryptoFunctionService)
+        {
+            _cipherService = cipherService;
+            _syncService = syncService;
+            _cryptoFunctionService = cryptoFunctionService;
+        }
+
+        public void Init(IFido2UserInterface userInterface)
+        {
+            _userInterface = userInterface;
+        }
+
+        public async Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams) 
+        {
+            if (makeCredentialParams.CredTypesAndPubKeyAlgs.All((p) => p.Alg != (int) Fido2AlgorithmIdentifier.ES256))
+            {
+                // var requestedAlgorithms = string.Join(", ", makeCredentialParams.CredTypesAndPubKeyAlgs.Select((p) => p.Algorithm).ToArray());
+                // _logService.Warning(
+                //     $"[Fido2Authenticator] No compatible algorithms found, RP requested: {requestedAlgorithms}"
+                // );
+                ClipLogger.Log("[Fido2Authenticator] No compatible algorithms found, RP requested: {requestedAlgorithms}");
+                throw new NotSupportedError();
+            }
+
+            await _userInterface.EnsureUnlockedVaultAsync();
+            await _syncService.FullSyncAsync(false);
+
+            var existingCipherIds = await FindExcludedCredentialsAsync(
+                makeCredentialParams.ExcludeCredentialDescriptorList
+            );
+            if (existingCipherIds.Length > 0) {
+                // _logService.Info(
+                //     "[Fido2Authenticator] Aborting due to excluded credential found in vault."
+                // );
+                ClipLogger.Log("[Fido2Authenticator] Aborting due to excluded credential found in vault");
+                await _userInterface.InformExcludedCredential(existingCipherIds);
+                throw new NotAllowedError();
+            }
+
+            var response = await _userInterface.ConfirmNewCredentialAsync(new Fido2ConfirmNewCredentialParams {
+                CredentialName = makeCredentialParams.RpEntity.Name,
+                UserName = makeCredentialParams.UserEntity.Name,
+                UserVerification = makeCredentialParams.RequireUserVerification,
+                RpId = makeCredentialParams.RpEntity.Id
+            });
+
+            var cipherId = response.CipherId;
+            var userVerified = response.UserVerified;
+            string credentialId;
+            if (cipherId == null) {
+                // _logService.Info(
+                //     "[Fido2Authenticator] Aborting because user confirmation was not recieved."
+                // );
+                ClipLogger.Log("[Fido2Authenticator] Aborting because user confirmation was not recieved");
+                throw new NotAllowedError();
+            }
+            
+            try {
+                var keyPair = GenerateKeyPair();
+                var fido2Credential = CreateCredentialView(makeCredentialParams, keyPair.privateKey);
+
+                ClipLogger.Log($"[Fido2Authenticator] IsDiscoverable {fido2Credential.Discoverable} - {fido2Credential.DiscoverableValue}");
+
+                var encrypted = await _cipherService.GetAsync(cipherId);
+                var cipher = await encrypted.DecryptAsync();
+
+                if (!userVerified && (makeCredentialParams.RequireUserVerification || cipher.Reprompt != CipherRepromptType.None)) {
+                    // _logService.Info(
+                    //     "[Fido2Authenticator] Aborting because user verification was unsuccessful."
+                    // );
+                    ClipLogger.Log("[Fido2Authenticator] Aborting because user verification was unsuccessful");
+                    throw new NotAllowedError();
+                }
+
+                cipher.Login.Fido2Credentials = new List<Fido2CredentialView> { fido2Credential };
+                var reencrypted = await _cipherService.EncryptAsync(cipher);
+                await _cipherService.SaveWithServerAsync(reencrypted);
+                credentialId = fido2Credential.CredentialId;
+
+                ClipLogger.Log($"[Fido2Authenticator] IsDiscoverable {cipher.Login.MainFido2Credential.Discoverable} - {cipher.Login.MainFido2Credential.DiscoverableValue}");
+
+                var authData = await GenerateAuthDataAsync(
+                    rpId: makeCredentialParams.RpEntity.Id,
+                    counter: fido2Credential.CounterValue,
+                    userPresence: true,
+                    userVerification: userVerified,
+                    credentialId: credentialId.GuidToRawFormat(),
+                    publicKey: keyPair.publicKey
+                );
+
+                return new Fido2AuthenticatorMakeCredentialResult
+                {
+                    CredentialId = credentialId.GuidToRawFormat(),
+                    AttestationObject = EncodeAttestationObject(authData),
+                    AuthData = authData,
+                    PublicKey = keyPair.publicKey.ExportDer(),
+                    PublicKeyAlgorithm = (int) Fido2AlgorithmIdentifier.ES256,
+                };
+            } catch (NotAllowedError) {
+                throw;
+            } catch (Exception e) {
+                // _logService.Error(
+                //     $"[Fido2Authenticator] Unknown error occured during attestation: {e.Message}"
+                // );
+                ClipLogger.Log("[Fido2Authenticator] Unknown error occured during attestation: {e.Message}");
+
+                throw new UnknownError();
+            }
+        }
+        
+        public async Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams)
+        {
+            List<CipherView> cipherOptions;
+
+            await _userInterface.EnsureUnlockedVaultAsync();
+            await _syncService.FullSyncAsync(false);
+
+            if (assertionParams.AllowCredentialDescriptorList?.Length > 0) {
+
+                ClipLogger.Log("[Fido2Authenticator] Finding credentials with credential descriptor list");
+
+                cipherOptions = await FindCredentialsByIdAsync(
+                    assertionParams.AllowCredentialDescriptorList,
+                    assertionParams.RpId
+                );
+            } else
+            {
+                ClipLogger.Log("[Fido2Authenticator] Finding credentials with RP");
+                cipherOptions = await FindCredentialsByRpAsync(assertionParams.RpId);
+            }
+
+            if (cipherOptions.Count == 0) {
+                // _logService.Info(
+                //     "[Fido2Authenticator] Aborting because no matching credentials were found in the vault."
+                // );
+                ClipLogger.Log("[Fido2Authenticator] Aborting because no matching credentials were found in the vault");
+
+                throw new NotAllowedError();
+            }
+
+            string selectedCipherId;
+            bool userVerified;
+            bool userPresence;
+            // TODO: We might want reconsider allowing user presence to be optional
+            if (assertionParams.AllowCredentialDescriptorList?.Length == 1 && assertionParams.RequireUserPresence == false)
+            {
+                ClipLogger.Log("[Fido2Authenticator] AllowCredentialDescriptorList + RequireUserPresence false");
+                selectedCipherId = cipherOptions[0].Id;
+                userVerified = false;
+                userPresence = false;
+            }
+            else
+            {
+                ClipLogger.Log("[Fido2Authenticator] PickCredentialAsync");
+
+                var response = await _userInterface.PickCredentialAsync(new Fido2PickCredentialParams {
+                    CipherIds = cipherOptions.Select((cipher) => cipher.Id).ToArray(),
+                    UserVerification = assertionParams.RequireUserVerification
+                });
+                selectedCipherId = response.CipherId;
+                userVerified = response.UserVerified;
+                userPresence = true;
+            }
+
+            var selectedCipher = cipherOptions.FirstOrDefault((c) => c.Id == selectedCipherId);
+            if (selectedCipher == null) {
+                // _logService.Info(
+                //     "[Fido2Authenticator] Aborting because the selected credential could not be found."
+                // );
+                ClipLogger.Log("[Fido2Authenticator] Aborting because the selected credential could not be found");
+
+                throw new NotAllowedError();
+            }
+
+            if (!userPresence && assertionParams.RequireUserPresence) {
+                // _logService.Info(
+                //     "[Fido2Authenticator] Aborting because user presence was required but not detected."
+                // );
+
+                ClipLogger.Log("[Fido2Authenticator] Aborting because user presence was required but not detected");
+                throw new NotAllowedError();
+            }
+
+            // TODO: Remove this hardcoding
+            userVerified = true;
+
+            if (!userVerified && (assertionParams.RequireUserVerification || selectedCipher.Reprompt != CipherRepromptType.None)) {
+                // _logService.Info(
+                //     "[Fido2Authenticator] Aborting because user verification was unsuccessful."
+                // );
+                ClipLogger.Log("[Fido2Authenticator] Aborting because user verification was unsuccessful");
+
+                throw new NotAllowedError();
+            }
+            
+            try
+            {
+                var selectedFido2Credential = selectedCipher.Login.MainFido2Credential;
+                var selectedCredentialId = selectedFido2Credential.CredentialId;
+
+                ClipLogger.Log($"[Fido2Authenticator] Selected fido2 cred {selectedFido2Credential.CredentialId}");
+
+                if (selectedFido2Credential.CounterValue != 0) {
+                    ++selectedFido2Credential.CounterValue;
+                }
+
+                await _cipherService.UpdateLastUsedDateAsync(selectedCipher.Id);
+                var encrypted = await _cipherService.EncryptAsync(selectedCipher);
+                await _cipherService.SaveWithServerAsync(encrypted);
+
+                ClipLogger.Log($"[Fido2Authenticator] Selected fido2 cred RPID {selectedFido2Credential.RpId}");
+                ClipLogger.Log($"[Fido2Authenticator] param RpId {assertionParams.RpId}");
+
+                var authenticatorData = await GenerateAuthDataAsync(
+                    rpId: selectedFido2Credential.RpId,
+                    userPresence: true,
+                    userVerification: true,
+                    counter: selectedFido2Credential.CounterValue
+                );
+
+
+                ClipLogger.Log($"authenticatorData base64 from bytes: {Convert.ToBase64String(authenticatorData, Base64FormattingOptions.None)}");
+                ClipLogger.Log($"ClientDataHash base64 from bytes: {Convert.ToBase64String(assertionParams.Hash, Base64FormattingOptions.None)}");
+                ClipLogger.Log($"selectedFido2Credential.KeyBytes base64 from bytes: {Convert.ToBase64String(selectedFido2Credential.KeyBytes, Base64FormattingOptions.None)}");
+
+                var signature = GenerateSignature(
+                    authData: authenticatorData,
+                    clientDataHash: assertionParams.Hash,
+                    privateKey: selectedFido2Credential.KeyBytes
+                );
+
+                ClipLogger.Log($"signature base64 from bytes: {Convert.ToBase64String(signature, Base64FormattingOptions.None)}");
+
+                return new Fido2AuthenticatorGetAssertionResult
+                {
+                    SelectedCredential = new Fido2AuthenticatorGetAssertionSelectedCredential
+                    {
+                        Id = selectedCredentialId.GuidToRawFormat(),
+                        UserHandle = selectedFido2Credential.UserHandleValue
+                    },
+                    AuthenticatorData = authenticatorData,
+                    Signature = signature
+                };
+            } catch (Exception e) {
+                // _logService.Error(
+                //     $"[Fido2Authenticator] Unknown error occured during assertion: {e.Message}"
+                // );
+                ClipLogger.Log($"[Fido2Authenticator] Unknown error occured during assertion: {e.Message}");
+
+                throw new UnknownError();
+            }
+        }
+
+        public async Task<Fido2AuthenticatorDiscoverableCredentialMetadata[]> SilentCredentialDiscoveryAsync(string rpId)
+        {
+            var credentials = (await FindCredentialsByRpAsync(rpId)).Select(cipher => new Fido2AuthenticatorDiscoverableCredentialMetadata {
+                Type = "public-key",
+                Id = cipher.Login.MainFido2Credential.CredentialId.GuidToRawFormat(),
+                RpId = cipher.Login.MainFido2Credential.RpId,
+                UserHandle = cipher.Login.MainFido2Credential.UserHandleValue,
+                UserName = cipher.Login.MainFido2Credential.UserName
+            }).ToArray();
+
+            return credentials;
+        }
+
+        /// <summary>
+        /// Finds existing crendetials and returns the `CipherId` for each one
+        /// </summary>
+        private async Task<string[]> FindExcludedCredentialsAsync(
+            PublicKeyCredentialDescriptor[] credentials
+        ) {
+            if (credentials == null || credentials.Length == 0) {
+                return Array.Empty<string>();
+            }
+
+            var ids = new List<string>();
+
+            foreach (var credential in credentials) 
+            {
+                try
+                {
+                    ids.Add(credential.Id.GuidToStandardFormat());
+                } catch {}
+            }
+
+            if (ids.Count == 0) {
+                return Array.Empty<string>();
+            }
+
+            var ciphers = await _cipherService.GetAllDecryptedAsync();
+            return ciphers
+                .FindAll(
+                    (cipher) =>
+                    !cipher.IsDeleted &&
+                    cipher.OrganizationId == null &&
+                    cipher.Type == CipherType.Login &&
+                    cipher.Login.HasFido2Credentials &&
+                    ids.Contains(cipher.Login.MainFido2Credential.CredentialId)
+                )
+                .Select((cipher) => cipher.Id)
+                .ToArray();
+        }
+
+        private async Task<List<CipherView>> FindCredentialsByIdAsync(PublicKeyCredentialDescriptor[] credentials, string rpId)
+        {
+            var ids = new List<string>();
+
+            foreach (var credential in credentials)
+            {
+                try
+                {
+                    ClipLogger.Log($"[Fido2Authenticator] FindCredentialsByIdAsync -> Converting Guid byte length: {credential.Id.Length}");
+                    ids.Add(credential.Id.GuidToStandardFormat());
+                }
+                catch(Exception ex)
+                {
+                    ClipLogger.Log($"[Fido2Authenticator] FindCredentialsByIdAsync -> Converting Guid ex {ex}");
+                }
+            }
+
+            ClipLogger.Log($"[Fido2Authenticator] FindCredentialsByIdAsync -> {credentials.Length} vs {ids.Count}");
+
+            if (ids.Count == 0)
+            {
+                return new List<CipherView>();
+            }
+
+            ClipLogger.Log($"[Fido2Authenticator] FindCredentialsByIdAsync -> {ids[0]}");
+
+            var ciphers = await _cipherService.GetAllDecryptedAsync();
+
+            ClipLogger.Log($"[Fido2Authenticator] FindCredentialsByIdAsync -> ciphers count: {ciphers?.Count}");
+
+            return ciphers.FindAll((cipher) =>
+                !cipher.IsDeleted &&
+                cipher.Type == CipherType.Login &&
+                cipher.Login.HasFido2Credentials &&
+                cipher.Login.MainFido2Credential.RpId == rpId &&
+                ids.Contains(cipher.Login.MainFido2Credential.CredentialId)
+            );
+        }
+
+        private async Task<List<CipherView>> FindCredentialsByRpAsync(string rpId)
+        {
+            var ciphers = await _cipherService.GetAllDecryptedAsync();
+            return ciphers.FindAll((cipher) =>
+                !cipher.IsDeleted &&
+                cipher.Type == CipherType.Login &&
+                cipher.Login.HasFido2Credentials &&
+                cipher.Login.MainFido2Credential.RpId == rpId &&
+                cipher.Login.MainFido2Credential.DiscoverableValue
+            );
+        }
+
+        // TODO: Move this to a separate service
+        private (PublicKey publicKey, byte[] privateKey) GenerateKeyPair()
+        {
+            var dsa = ECDsa.Create();
+            dsa.GenerateKey(ECCurve.NamedCurves.nistP256);
+            var privateKey = dsa.ExportPkcs8PrivateKey();
+
+            return (new PublicKey(dsa), privateKey);
+        }
+
+        private Fido2CredentialView CreateCredentialView(Fido2AuthenticatorMakeCredentialParams makeCredentialsParams, byte[] privateKey)
+        {
+            return new Fido2CredentialView {
+                CredentialId = Guid.NewGuid().ToString(),
+                KeyType = Constants.DefaultFido2CredentialType,
+                KeyAlgorithm = Constants.DefaultFido2CredentialAlgorithm,
+                KeyCurve = Constants.DefaultFido2CredentialCurve,
+                KeyValue = CoreHelpers.Base64UrlEncode(privateKey),
+                RpId = makeCredentialsParams.RpEntity.Id,
+                UserHandle = CoreHelpers.Base64UrlEncode(makeCredentialsParams.UserEntity.Id),
+                UserName = makeCredentialsParams.UserEntity.Name,
+                CounterValue = 0,
+                RpName = makeCredentialsParams.RpEntity.Name,
+                UserDisplayName = makeCredentialsParams.UserEntity.DisplayName,
+                DiscoverableValue = makeCredentialsParams.RequireResidentKey,
+                CreationDate = DateTime.Now
+            };
+        }
+
+        private async Task<byte[]> GenerateAuthDataAsync(
+            string rpId,
+            bool userVerification,
+            bool userPresence,
+            int counter,
+            byte[] credentialId = null,
+            PublicKey publicKey = null
+        ) {
+            var isAttestation = credentialId != null && publicKey != null;
+
+            List<byte> authData = new List<byte>();
+
+            var rpIdHash = await _cryptoFunctionService.HashAsync(rpId, CryptoHashAlgorithm.Sha256);
+            authData.AddRange(rpIdHash);
+
+            ClipLogger.Log($"[Fido2Authenticator] GenerateAuthDataAsync -> rpIdHash: {rpIdHash}");
+
+            ClipLogger.Log($"[Fido2Authenticator] GenerateAuthDataAsync -> ad: {isAttestation} - uv: {userVerification} - up: {userPresence}");
+
+            var flags = AuthDataFlags(
+                extensionData: false,
+                attestationData: isAttestation,
+                userVerification: userVerification,
+                userPresence: userPresence
+            );
+            authData.Add(flags);
+
+            ClipLogger.Log($"[Fido2Authenticator] GenerateAuthDataAsync -> flags: {flags}");
+
+            ClipLogger.Log($"[Fido2Authenticator] GenerateAuthDataAsync -> counter: {counter}");
+
+            authData.AddRange(new List<byte> {
+                (byte)(counter >> 24),
+                (byte)(counter >> 16),
+                (byte)(counter >> 8),
+                (byte)counter
+            });
+
+            if (isAttestation)
+            {
+                var attestedCredentialData = new List<byte>();
+
+                attestedCredentialData.AddRange(AAGUID);
+                
+                // credentialIdLength (2 bytes) and credential Id
+                var credentialIdLength = new byte[] {
+                    (byte)((credentialId.Length - (credentialId.Length & 0xff)) / 256),
+                    (byte)(credentialId.Length & 0xff)
+                };
+                attestedCredentialData.AddRange(credentialIdLength);
+                attestedCredentialData.AddRange(credentialId);
+                attestedCredentialData.AddRange(publicKey.ExportCose());
+
+                ClipLogger.Log($"[Fido2Authenticator] GenerateAuthDataAsync -> adding attestedCD: {attestedCredentialData}");
+                authData.AddRange(attestedCredentialData);
+            }
+
+            return authData.ToArray();
+        }
+
+        private byte AuthDataFlags(bool extensionData, bool attestationData, bool userVerification, bool userPresence, bool backupEligibility = true, bool backupState = true) {
+            byte flags = 0;
+
+            if (extensionData) {
+                flags |= 0b1000000;
+            }
+
+            if (attestationData) {
+                flags |= 0b01000000;
+            }
+
+            if (backupEligibility)
+            {
+                flags |= 0b00001000;
+            }
+
+            if (backupState)
+            {
+                flags |= 0b00010000;
+            }
+
+            if (userVerification) {
+                flags |= 0b00000100;
+            }
+
+            if (userPresence) {
+                flags |= 0b00000001;
+            }
+
+            return flags;
+        }
+
+        private byte[] EncodeAttestationObject(byte[] authData) {
+            var attestationObject = new CborWriter(CborConformanceMode.Ctap2Canonical);
+            attestationObject.WriteStartMap(3);
+            attestationObject.WriteTextString("fmt");
+            attestationObject.WriteTextString("none");
+            attestationObject.WriteTextString("attStmt");
+            attestationObject.WriteStartMap(0);
+            attestationObject.WriteEndMap();
+            attestationObject.WriteTextString("authData");
+            attestationObject.WriteByteString(authData);
+            attestationObject.WriteEndMap();
+
+            return attestationObject.Encode();
+        }
+
+        // TODO: Move this to a separate service
+        private byte[] GenerateSignature(byte[] authData, byte[] clientDataHash, byte[] privateKey)
+        {
+            var sigBase = authData.Concat(clientDataHash).ToArray();
+            var dsa = ECDsa.Create();
+            dsa.ImportPkcs8PrivateKey(privateKey, out var bytesRead);
+
+            if (bytesRead == 0) 
+            {
+                throw new Exception("Failed to import private key");
+            }
+
+            return dsa.SignData(sigBase, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence);
+        }
+
+        private class PublicKey
+        {
+            private readonly ECDsa _dsa;
+
+            public PublicKey(ECDsa dsa) {
+                _dsa = dsa;
+            }
+
+            public byte[] X => _dsa.ExportParameters(false).Q.X;
+            public byte[] Y => _dsa.ExportParameters(false).Q.Y;
+
+            public byte[] ExportDer()
+            {
+                return _dsa.ExportSubjectPublicKeyInfo();
+            }
+
+            public byte[] ExportCose()
+            {
+                var result = new CborWriter(CborConformanceMode.Ctap2Canonical);
+                result.WriteStartMap(5);
+                
+                // kty = EC2
+                result.WriteInt32(1);
+                result.WriteInt32(2);
+
+                // alg = ES256
+                result.WriteInt32(3);
+                result.WriteInt32(-7);
+
+                // crv = P-256
+                result.WriteInt32(-1);
+                result.WriteInt32(1);
+
+                // x
+                result.WriteInt32(-2);
+                result.WriteByteString(X);
+
+                // y
+                result.WriteInt32(-3);
+                result.WriteByteString(Y);
+
+                result.WriteEndMap();
+
+                return result.Encode();
+            }
+        }
+    }
+}
--- a/src/Core/Services/Fido2ClientService.cs
+++ b/src/Core/Services/Fido2ClientService.cs
@@ -0,0 +1,248 @@
+using System.Text;
+using System.Text.Json;
+using Bit.Core.Abstractions;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+
+namespace Bit.Core.Services
+{
+    public class Fido2ClientService : IFido2ClientService
+    {
+        private readonly IStateService _stateService;
+        private readonly IEnvironmentService _environmentService;
+        private readonly ICryptoFunctionService _cryptoFunctionService;
+        private readonly IFido2AuthenticatorService _fido2AuthenticatorService;
+
+        public Fido2ClientService(
+            IStateService stateService,
+            IEnvironmentService environmentService,
+            ICryptoFunctionService cryptoFunctionService,
+            IFido2AuthenticatorService fido2AuthenticatorService)
+        {
+            _stateService = stateService;
+            _environmentService = environmentService;
+            _cryptoFunctionService = cryptoFunctionService;
+            _fido2AuthenticatorService = fido2AuthenticatorService;
+        }
+
+        public async Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams) 
+        {
+            var blockedUris = await _stateService.GetAutofillBlacklistedUrisAsync();
+            var domain = CoreHelpers.GetHostname(createCredentialParams.Origin);
+            if (blockedUris.Contains(domain))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.UriBlockedError,
+                    "Origin is blocked by the user");
+            }
+
+            if (!await _stateService.IsAuthenticatedAsync())
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.InvalidStateError,
+                    "No user is logged in");
+            }
+
+            if (createCredentialParams.Origin == _environmentService.GetWebVaultUrl())
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.NotAllowedError,
+                    "Saving Bitwarden credentials in a Bitwarden vault is not allowed");
+            }
+
+            if (!createCredentialParams.SameOriginWithAncestors)
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.NotAllowedError,
+                    "Credential creation is now allowed from embedded contexts with different origins");
+            }
+
+            if (createCredentialParams.User.Id.Length < 1 || createCredentialParams.User.Id.Length > 64)
+            {
+                // TODO: Should we use ArgumentException here instead?
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.TypeError,
+                    "The length of user.id is not between 1 and 64 bytes (inclusive)");
+            }
+
+            if (!createCredentialParams.Origin.StartsWith("https://"))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.SecurityError,
+                    "Origin is not a valid https origin");
+            }
+
+            if (!Fido2DomainUtils.IsValidRpId(createCredentialParams.Rp.Id, createCredentialParams.Origin))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.SecurityError,
+                    "RP ID cannot be used with this origin");
+            }
+
+            PublicKeyCredentialParameters[] credTypesAndPubKeyAlgs;
+            if (createCredentialParams.PubKeyCredParams?.Length > 0)
+            {
+                // Filter out all unsupported algorithms
+                credTypesAndPubKeyAlgs = createCredentialParams.PubKeyCredParams
+                    .Where(kp => kp.Alg == -7 && kp.Type == "public-key")
+                    .ToArray();
+            }
+            else
+            {
+                // Assign default algorithms
+                credTypesAndPubKeyAlgs = [
+                    new PublicKeyCredentialParameters { Alg = -7, Type = "public-key" },
+                    new PublicKeyCredentialParameters { Alg = -257, Type = "public-key" }
+                ];
+            }
+
+            if (credTypesAndPubKeyAlgs.Length == 0)
+            {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.NotSupportedError, "No supported algorithms found");
+            }
+
+            var clientDataJSON = JsonSerializer.Serialize(new {
+                type = "webauthn.create",
+                challenge = CoreHelpers.Base64UrlEncode(createCredentialParams.Challenge),
+                origin = createCredentialParams.Origin,
+                crossOrigin = !createCredentialParams.SameOriginWithAncestors,
+                // tokenBinding: {} // Not supported
+            });
+            var clientDataJSONBytes = Encoding.UTF8.GetBytes(clientDataJSON);
+            var clientDataHash = await _cryptoFunctionService.HashAsync(clientDataJSONBytes, CryptoHashAlgorithm.Sha256);
+            var makeCredentialParams = MapToMakeCredentialParams(createCredentialParams, credTypesAndPubKeyAlgs, clientDataHash);
+
+            try {
+                var makeCredentialResult = await _fido2AuthenticatorService.MakeCredentialAsync(makeCredentialParams);
+
+                return new Fido2ClientCreateCredentialResult {
+                    CredentialId = makeCredentialResult.CredentialId,
+                    AttestationObject = makeCredentialResult.AttestationObject,
+                    AuthData = makeCredentialResult.AuthData,
+                    ClientDataJSON = clientDataJSONBytes,
+                    PublicKey = makeCredentialResult.PublicKey,
+                    PublicKeyAlgorithm = makeCredentialResult.PublicKeyAlgorithm,
+                    Transports = createCredentialParams.Rp.Id == "google.com" ? ["internal", "usb"] : ["internal"] // workaround for a bug on Google's side
+                };
+            } catch (InvalidStateError) {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.InvalidStateError, "Unknown invalid state encountered");
+            } catch (Exception) {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.UnknownError, $"An unknown error occurred");
+            }
+        }
+
+        public async Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams)
+        {
+            var blockedUris = await _stateService.GetAutofillBlacklistedUrisAsync();
+            var domain = CoreHelpers.GetHostname(assertCredentialParams.Origin);
+            if (blockedUris.Contains(domain))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.UriBlockedError,
+                    "Origin is blocked by the user");
+            }
+
+            if (!await _stateService.IsAuthenticatedAsync())
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.InvalidStateError,
+                    "No user is logged in");
+            }
+
+            if (assertCredentialParams.Origin == _environmentService.GetWebVaultUrl())
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.NotAllowedError,
+                    "Saving Bitwarden credentials in a Bitwarden vault is not allowed");
+            }
+
+            if (!assertCredentialParams.Origin.StartsWith("https://"))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.SecurityError,
+                    "Origin is not a valid https origin");
+            }
+
+            if (!Fido2DomainUtils.IsValidRpId(assertCredentialParams.RpId, assertCredentialParams.Origin))
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.SecurityError,
+                    "RP ID cannot be used with this origin");
+            }
+
+            var clientDataJSON = JsonSerializer.Serialize(new {
+                type = "webauthn.get",
+                challenge = CoreHelpers.Base64UrlEncode(assertCredentialParams.Challenge),
+                origin = assertCredentialParams.Origin,
+                crossOrigin = !assertCredentialParams.SameOriginWithAncestors,
+            });
+            var clientDataJSONBytes = Encoding.UTF8.GetBytes(clientDataJSON);
+            var clientDataHash = await _cryptoFunctionService.HashAsync(clientDataJSONBytes, CryptoHashAlgorithm.Sha256);
+            var getAssertionParams = MapToGetAssertionParams(assertCredentialParams, clientDataHash);
+
+            try {
+                var getAssertionResult = await _fido2AuthenticatorService.GetAssertionAsync(getAssertionParams);
+
+                return new Fido2ClientAssertCredentialResult {
+                    AuthenticatorData = getAssertionResult.AuthenticatorData,
+                    ClientDataJSON = clientDataJSONBytes,
+                    Id = CoreHelpers.Base64UrlEncode(getAssertionResult.SelectedCredential.Id),
+                    RawId = getAssertionResult.SelectedCredential.Id,
+                    Signature = getAssertionResult.Signature,
+                    UserHandle = getAssertionResult.SelectedCredential.UserHandle
+                };
+            } catch (InvalidStateError) {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.InvalidStateError, "Unknown invalid state encountered");
+            } catch (Exception) {
+                throw new Fido2ClientException(Fido2ClientException.ErrorCode.UnknownError, $"An unknown error occurred");
+            }
+
+            throw new NotImplementedException();
+        }
+
+        private Fido2AuthenticatorMakeCredentialParams MapToMakeCredentialParams(
+            Fido2ClientCreateCredentialParams createCredentialParams,
+            PublicKeyCredentialParameters[] credTypesAndPubKeyAlgs,
+            byte[] clientDataHash)
+        {
+            var requireResidentKey = createCredentialParams.AuthenticatorSelection?.ResidentKey == "required" ||
+                createCredentialParams.AuthenticatorSelection?.ResidentKey == "preferred" ||
+                (createCredentialParams.AuthenticatorSelection?.ResidentKey == null &&
+                createCredentialParams.AuthenticatorSelection?.RequireResidentKey == true);
+            
+            var requireUserVerification = createCredentialParams.AuthenticatorSelection?.UserVerification == "required" ||
+                createCredentialParams.AuthenticatorSelection?.UserVerification == "preferred" ||
+                createCredentialParams.AuthenticatorSelection?.UserVerification == null;
+
+            return new Fido2AuthenticatorMakeCredentialParams {
+                RequireResidentKey = requireResidentKey,
+                RequireUserVerification = requireUserVerification,
+                ExcludeCredentialDescriptorList = createCredentialParams.ExcludeCredentials,
+                CredTypesAndPubKeyAlgs = credTypesAndPubKeyAlgs,
+                Hash = clientDataHash,
+                RpEntity = createCredentialParams.Rp,
+                UserEntity = createCredentialParams.User,
+                Extensions = createCredentialParams.Extensions
+            };
+        }
+
+        private Fido2AuthenticatorGetAssertionParams MapToGetAssertionParams(
+            Fido2ClientAssertCredentialParams assertCredentialParams,
+            byte[] cliendDataHash)
+        {
+            var requireUserVerification = assertCredentialParams.UserVerification == "required" ||
+                assertCredentialParams.UserVerification == "preferred" ||
+                assertCredentialParams.UserVerification == null;
+
+            return new Fido2AuthenticatorGetAssertionParams {
+                RpId = assertCredentialParams.RpId,
+                Challenge = assertCredentialParams.Challenge,
+                AllowCredentialDescriptorList = assertCredentialParams.AllowCredentials,
+                RequireUserPresence = true,
+                RequireUserVerification = requireUserVerification,
+                Hash = cliendDataHash
+            };
+        }
+    }
+}
--- a/src/Core/Services/Logging/ClipLogger.cs
+++ b/src/Core/Services/Logging/ClipLogger.cs
@@ -0,0 +1,61 @@
+using System.Runtime.CompilerServices;
+using System.Text;
+using Bit.Core.Abstractions;
+
+#if IOS
+using UIKit;
+#endif
+
+namespace Bit.Core.Services
+{
+    public class ClipLogger : ILogger
+    {
+        private static readonly StringBuilder _currentBreadcrumbs = new StringBuilder();
+
+        static ILogger _instance;
+        public static ILogger Instance
+        {
+            get
+            {
+                if (_instance is null)
+                {
+                    _instance = new ClipLogger();
+                }
+                return _instance;
+            }
+        }
+
+        protected ClipLogger()
+        {
+        }
+
+        public static void Log(string breadcrumb)
+        {
+            _currentBreadcrumbs.AppendLine($"{DateTime.Now.ToShortTimeString()}: {breadcrumb}");
+#if IOS
+            UIPasteboard.General.String = _currentBreadcrumbs.ToString();
+#endif
+        }
+
+        public void Error(string message, IDictionary<string, string> extraData = null, [CallerMemberName] string memberName = "", [CallerFilePath] string sourceFilePath = "", [CallerLineNumber] int sourceLineNumber = 0)
+        {
+            var classAndMethod = $"{Path.GetFileNameWithoutExtension(sourceFilePath)}.{memberName}";
+            var filePathAndLineNumber = $"{Path.GetFileName(sourceFilePath)}:{sourceLineNumber}";
+            var properties = new Dictionary<string, string>
+            {
+                ["File"] = filePathAndLineNumber,
+                ["Method"] = memberName
+            };
+
+            Log(message ?? $"Error found in: {classAndMethod}, {filePathAndLineNumber}");
+        }
+
+        public void Exception(Exception ex) => Log(ex?.ToString());
+
+        public Task InitAsync() => Task.CompletedTask;
+
+        public Task<bool> IsEnabled() => Task.FromResult(true);
+
+        public Task SetEnabled(bool value) => Task.CompletedTask;
+    }
+}
--- a/src/Core/Services/Logging/LoggerHelper.cs
+++ b/src/Core/Services/Logging/LoggerHelper.cs
@@ -1,5 +1,5 @@
-using System;
-using Bit.Core.Abstractions;
+using Bit.Core.Abstractions;
+using Bit.Core.Services;
 using Bit.Core.Utilities;

 namespace Bit.Core.Services
@@ -22,10 +22,23 @@ namespace Bit.Core.Services
 #if !FDROID
                // just in case the caller throws the exception in a moment where the logger can't be resolved
                // we need to track the error as well
-                Microsoft.AppCenter.Crashes.Crashes.TrackError(ex);
+                //Microsoft.AppCenter.Crashes.Crashes.TrackError(ex);
+                ClipLogger.Log(ex?.ToString());
 #endif

            }
        }
+
+        public static void LogBreadcrumb(string breadcrumb)
+        {
+            if (ServiceContainer.Resolve<ILogger>("logger", true) is ILogger logger)
+            {
+                logger.Error(breadcrumb);
+            }
+            else
+            {
+                ClipLogger.Log(breadcrumb);
+            }
+        }
    }
 }
--- a/src/Core/Services/PclCryptoFunctionService.cs
+++ b/src/Core/Services/PclCryptoFunctionService.cs
@@ -4,6 +4,7 @@ using System.Text;
 using System.Threading.Tasks;
 using Bit.Core.Abstractions;
 using Bit.Core.Enums;
+using Bit.Core.Models.Domain;
 using PCLCrypto;
 using static PCLCrypto.WinRTCrypto;

--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@@ -38,12 +38,38 @@ namespace Bit.Core.Utilities
 #endif
        }

+        /// <summary>
+        /// Returns the host (and not port) of the given uri.
+        /// Does not support plain hostnames without a protocol.
+        /// 
+        /// Input => Output examples:
+        /// <para>https://bitwarden.com => bitwarden.com</para>
+        /// <para>https://login.bitwarden.com:1337 => login.bitwarden.com</para>
+        /// <para>https://sub.login.bitwarden.com:1337 => sub.login.bitwarden.com</para>
+        /// <para>https://localhost:8080 => localhost</para>
+        /// <para>localhost => null</para>
+        /// <para>bitwarden => null</para>
+        /// <para>127.0.0.1 => 127.0.0.1</para>
+        /// </summary>
        public static string GetHostname(string uriString)
        {
            var uri = GetUri(uriString);
            return string.IsNullOrEmpty(uri?.Host) ? null : uri.Host;
        }

+        /// <summary>
+        /// Returns the host and port of the given uri.
+        /// Does not support plain hostnames without 
+        /// 
+        /// Input => Output examples:
+        /// <para>https://bitwarden.com => bitwarden.com</para>
+        /// <para>https://login.bitwarden.com:1337 => login.bitwarden.com:1337</para>
+        /// <para>https://sub.login.bitwarden.com:1337 => sub.login.bitwarden.com:1337</para>
+        /// <para>https://localhost:8080 => localhost:8080</para>
+        /// <para>localhost => null</para>
+        /// <para>bitwarden => null</para>
+        /// <para>127.0.0.1 => 127.0.0.1</para>
+        /// </summary>
        public static string GetHost(string uriString)
        {
            var uri = GetUri(uriString);
@@ -61,6 +87,19 @@ namespace Bit.Core.Utilities
            return null;
        }

+        /// <summary>
+        /// Returns the second and top level domain of the given uri.
+        /// Does not support plain hostnames without 
+        /// 
+        /// Input => Output examples:
+        /// <para>https://bitwarden.com => bitwarden.com</para>
+        /// <para>https://login.bitwarden.com:1337 => bitwarden.com</para>
+        /// <para>https://sub.login.bitwarden.com:1337 => bitwarden.com</para>
+        /// <para>https://localhost:8080 => localhost</para>
+        /// <para>localhost => null</para>
+        /// <para>bitwarden => null</para>
+        /// <para>127.0.0.1 => 127.0.0.1</para>
+        /// </summary>
        public static string GetDomain(string uriString)
        {
            var uri = GetUri(uriString);
--- a/src/Core/Utilities/Fido2/AuthenticatorSelectionCriteria.cs
+++ b/src/Core/Utilities/Fido2/AuthenticatorSelectionCriteria.cs
@@ -0,0 +1,18 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    #nullable enable
+    /// <summary>
+    /// The Relying Party's requirements of the authenticator used in the creation of the credential.
+    /// </summary>
+    public class AuthenticatorSelectionCriteria
+    {
+        public bool? RequireResidentKey { get; set; }
+        public string? ResidentKey { get; set; }
+        public string UserVerification { get; set; } = "preferred";
+
+        /// <summary>
+        /// This member is intended for use by Relying Parties that wish to select the appropriate authenticators to participate in the create() operation.
+        /// </summary>
+        // public AuthenticatorAttachment? AuthenticatorAttachment { get; set; } // not used
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2AlgorithmIdentifier.cs
+++ b/src/Core/Utilities/Fido2/Fido2AlgorithmIdentifier.cs
@@ -0,0 +1,6 @@
+namespace Bit.Core.Utilities.Fido2 {
+    public enum Fido2AlgorithmIdentifier : int {
+        ES256 = -7,
+        RS256 = -257,
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2AuthenticatorDiscoverableCredentialMetadata.cs
+++ b/src/Core/Utilities/Fido2/Fido2AuthenticatorDiscoverableCredentialMetadata.cs
@@ -0,0 +1,16 @@
+/// <summary>
+/// Represents the metadata of a discoverable credential for a FIDO2 authenticator.
+/// See: https://www.w3.org/TR/webauthn-3/#sctn-op-silent-discovery
+/// </summary>
+public class Fido2AuthenticatorDiscoverableCredentialMetadata
+{
+    public string Type { get; set; }
+
+    public byte[] Id { get; set; }
+
+    public string RpId { get; set; }
+
+    public byte[] UserHandle { get; set; }
+
+    public string UserName { get; set; }
+}
--- a/src/Core/Utilities/Fido2/Fido2AuthenticatorException.cs
+++ b/src/Core/Utilities/Fido2/Fido2AuthenticatorException.cs
@@ -0,0 +1,37 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    public class Fido2AuthenticatorException : Exception
+    {
+        public Fido2AuthenticatorException(string message) : base(message)
+        {
+        }
+    }
+
+    public class NotAllowedError : Fido2AuthenticatorException
+    {
+        public NotAllowedError() : base("NotAllowedError")
+        {
+        }
+    }
+
+    public class NotSupportedError : Fido2AuthenticatorException
+    {
+        public NotSupportedError() : base("NotSupportedError")
+        {
+        }
+    }
+
+    public class InvalidStateError : Fido2AuthenticatorException
+    {
+        public InvalidStateError() : base("InvalidStateError")
+        {
+        }
+    }
+
+    public class UnknownError : Fido2AuthenticatorException
+    {
+        public UnknownError() : base("UnknownError")
+        {
+        }
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2AuthenticatorGetAssertionParams.cs
+++ b/src/Core/Utilities/Fido2/Fido2AuthenticatorGetAssertionParams.cs
@@ -0,0 +1,31 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    public class Fido2AuthenticatorGetAssertionParams
+    {
+        /** The caller’s RP ID, as determined by the user agent and the client. */
+        public string RpId { get; set; }
+
+        /** The hash of the serialized client data, provided by the client. */
+        public byte[] Hash { get; set; }
+
+        public PublicKeyCredentialDescriptor[] AllowCredentialDescriptorList { get; set; }
+
+        /// <summary>
+        /// Instructs the authenticator to require a user-verifying gesture in order to complete the request. Examples of such gestures are fingerprint scan or a PIN.
+        /// </summary>
+        public bool RequireUserVerification { get; set; }
+        
+        /// <summary>
+        /// Instructs the authenticator to require user consent to complete the operation.
+        /// </summary>
+        public bool RequireUserPresence { get; set; }
+
+        /// <summary>
+        /// The challenge to be signed by the authenticator.
+        /// </summary>
+        public byte[] Challenge { get; set; }
+
+        public object Extensions { get; set; }
+    }
+}
+
--- a/src/Core/Utilities/Fido2/Fido2AuthenticatorGetAssertionResult.cs
+++ b/src/Core/Utilities/Fido2/Fido2AuthenticatorGetAssertionResult.cs
@@ -0,0 +1,24 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    public class Fido2AuthenticatorGetAssertionResult
+    {
+        public byte[] AuthenticatorData { get; set; }
+
+        public byte[] Signature { get; set; }
+
+        public Fido2AuthenticatorGetAssertionSelectedCredential SelectedCredential { get; set; }
+
+        public override string ToString()
+        {
+            return $"AD: {AuthenticatorData.Length}; Sig: {Signature.Length}; SC: {SelectedCredential?.Id?.Length}; {SelectedCredential?.UserHandle?.Length}";
+        }
+    }
+
+    public class Fido2AuthenticatorGetAssertionSelectedCredential {
+        public byte[] Id { get; set; }
+
+        #nullable enable
+        public byte[]? UserHandle { get; set; }
+    }
+}
+
--- a/src/Core/Utilities/Fido2/Fido2AuthenticatorMakeCredentialParams.cs
+++ b/src/Core/Utilities/Fido2/Fido2AuthenticatorMakeCredentialParams.cs
@@ -0,0 +1,53 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    public class Fido2AuthenticatorMakeCredentialParams
+    {
+        /// <summary>
+        /// The Relying Party's PublicKeyCredentialRpEntity.
+        /// </summary>
+        public PublicKeyCredentialRpEntity RpEntity { get; set; }
+
+        /// <summary>
+        /// The Relying Party's PublicKeyCredentialRpEntity.
+        /// </summary>
+        public PublicKeyCredentialUserEntity UserEntity { get; set; }
+
+        /// <summary>
+        /// The hash of the serialized client data, provided by the client.
+        /// </summary>
+        public byte[] Hash { get; set; }
+
+        /// <summary>
+        /// A sequence of pairs of PublicKeyCredentialType and public key algorithms (COSEAlgorithmIdentifier) requested by the Relying Party. This sequence is ordered from most preferred to least preferred. The authenticator makes a best-effort to create the most preferred credential that it can.
+        /// </summary>
+        public PublicKeyCredentialParameters[] CredTypesAndPubKeyAlgs { get; set; }
+
+        /// <summary>
+        ///An OPTIONAL list of PublicKeyCredentialDescriptor objects provided by the Relying Party with the intention that, if any of these are known to the authenticator, it SHOULD NOT create a new credential. excludeCredentialDescriptorList contains a list of known credentials.
+        /// </summary>
+        public PublicKeyCredentialDescriptor[] ExcludeCredentialDescriptorList { get; set; }
+
+        /// <summary>
+        /// The effective resident key requirement for credential creation, a Boolean value determined by the client. Resident is synonymous with discoverable. */
+        /// </summary>
+        public bool RequireResidentKey { get; set; }
+
+        /// <summary>
+        /// The effective user verification requirement for assertion, a Boolean value provided by the client.
+        /// </summary>
+        public bool RequireUserVerification { get; set; }
+        
+        /// <summary>
+        /// CTAP2 authenticators support setting this to false, but we only support the WebAuthn authenticator model which does not have that option.
+        /// </summary>
+        // public bool RequireUserPresence { get; set; } // Always required
+
+        /// <summary>
+        /// The authenticator's attestation preference, a string provided by the client. This is a hint that the client gives to the authenticator about what kind of attestation statement it would like. The authenticator makes a best-effort to satisfy the preference.
+        /// Note: Attestation statements are not supported at this time.
+        /// </summary>
+        // public string AttestationPreference { get; set; }
+
+        public object Extensions { get; set; }
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2AuthenticatorMakeCredentialResult.cs
+++ b/src/Core/Utilities/Fido2/Fido2AuthenticatorMakeCredentialResult.cs
@@ -0,0 +1,16 @@
+
+namespace Bit.Core.Utilities.Fido2
+{
+    public class Fido2AuthenticatorMakeCredentialResult
+    {
+        public byte[] CredentialId { get; set; }
+
+        public byte[] AttestationObject { get; set; }
+
+        public byte[] AuthData { get; set; }
+
+        public byte[] PublicKey { get; set; }
+
+        public int PublicKeyAlgorithm { get; set; }
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2ClientAssertCredentialParams.cs
+++ b/src/Core/Utilities/Fido2/Fido2ClientAssertCredentialParams.cs
@@ -0,0 +1,57 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    #nullable enable
+
+    /// <summary>
+    /// Parameters for asserting a credential.
+    /// 
+    /// This class is an extended version of the WebAuthn struct:
+    /// https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialrequestoptions
+    /// </summary>
+    public class Fido2ClientAssertCredentialParams
+    {
+        /// <summary>
+        /// A value which is true if and only if the caller’s environment settings object is same-origin with its ancestors.
+        /// It is false if caller is cross-origin.
+        /// </summary>
+        public bool SameOriginWithAncestors { get; set; }
+
+        /// <summary>
+        /// The challenge that the selected authenticator signs, along with other data, when producing an authentication
+        /// assertion. 
+        /// </summary>
+        public required byte[] Challenge { get; set; }
+
+        /// <summary>
+        /// The relying party identifier claimed by the caller. If omitted, its value will be the CredentialsContainer 
+        /// object's relevant settings object's origin's effective domain.
+        /// </summary>
+        public string RpId { get; set; }
+
+        /// <summary>
+        /// The Relying Party's origin (e.g., "https://example.com").
+        /// </summary>
+        public string Origin { get; set; }
+        
+        /// <summary>
+        /// A list of PublicKeyCredentialDescriptor objects representing public key credentials acceptable to the caller,
+        /// in descending order of the caller’s preference (the first item in the list is the most preferred credential,
+        /// and so on down the list).
+        /// </summary>
+        public PublicKeyCredentialDescriptor[] AllowCredentials { get; set; } = [];
+
+        /// <summary>
+        /// The Relying Party's requirements regarding user verification for the get() operation.
+        /// </summary>
+        public string UserVerification { get; set; } = "preferred";
+
+        /// <summary>
+        /// This time, in milliseconds, that the caller is willing to wait for the call to complete.
+        /// This is treated as a hint, and MAY be overridden by the client.
+        /// </summary>
+        /// <remarks>
+        /// This is not currently supported.
+        /// </remarks>
+        public int? Timeout { get; set; }
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2ClientAssertCredentialResult.cs
+++ b/src/Core/Utilities/Fido2/Fido2ClientAssertCredentialResult.cs
@@ -0,0 +1,42 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    /// <summary>
+    /// The result of asserting a credential.
+    /// 
+    /// See: https://www.w3.org/TR/webauthn-2/#publickeycredential
+    /// </summary>
+    public class Fido2ClientAssertCredentialResult
+    {
+        /// <summary>
+        /// Base64url encoding of the credential identifer.
+        /// </summary>
+        public required string Id { get; set; }
+
+        /// <summary>
+        /// The credential identifier.
+        /// </summary>
+        public required byte[] RawId { get; set; }
+
+        /// <summary>
+        /// The JSON-compatible serialization of client datapassed to the authenticator by the client in
+        /// order to generate this assertion.
+        /// </summary>
+        public required byte[] ClientDataJSON { get; set; }
+
+        /// <summary>
+        /// The authenticator data returned by the authenticator.
+        /// </summary>
+        public required byte[] AuthenticatorData { get; set; }
+
+        /// <summary>
+        /// The raw signature returned from the authenticator.
+        /// </summary>
+        public required byte[] Signature { get; set; }
+
+        /// <summary>
+        /// The user handle returned from the authenticator, or null if the authenticator did not
+        /// return a user handle.
+        /// </summary>
+        public byte[]? UserHandle { get; set; }
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2ClientAuthenticatorAssertionResponse.cs
+++ b/src/Core/Utilities/Fido2/Fido2ClientAuthenticatorAssertionResponse.cs
@@ -0,0 +1,35 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    /// <summary>
+    /// This class represents an authenticator's response to a client's request for generation of a 
+    /// new authentication assertion given the WebAuthn Relying Party's challenge.
+    /// This response contains a cryptographic signature proving possession of the credential private key,
+    /// and optionally evidence of user consent to a specific transaction.
+    /// 
+    /// See: https://www.w3.org/TR/webauthn-2/#iface-authenticatorassertionresponse
+    /// </summary>
+    public class Fido2ClientAuthenticatorAssertionResponse
+    {
+        /// <summary>
+        /// The JSON-compatible serialization of client data passed to the authenticator by the client
+        /// in order to generate this assertion. The exact JSON serialization MUST be preserved, as the
+        /// hash of the serialized client data has been computed over it.
+        /// </summary>
+        public required byte[] ClientDataJSON { get; set; }
+
+        /// <summary>
+        /// The authenticator data returned by the authenticator.
+        /// </summary>
+        public required byte[] AuthenticatorData { get; set; }
+
+        /// <summary>
+        /// Raw signature returned from the authenticator.
+        /// </summary>
+        public required byte[] Signature { get; set; }
+
+        /// <summary>
+        /// The user handle returned from the authenticator, or null if the authenticator did not return a user handle. 
+        /// </summary>
+        public byte[] UserHandle { get; set; } = null;
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialParams.cs
+++ b/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialParams.cs
@@ -0,0 +1,75 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    #nullable enable
+
+    /// <summary>
+    /// Parameters for creating a new credential.
+    /// </summary>
+    public class Fido2ClientCreateCredentialParams
+    {
+        /// <summary>
+        /// The Relaying Parties origin, see: https://html.spec.whatwg.org/multipage/browsers.html#concept-origin
+        /// </summary>
+        public required string Origin { get; set; }
+
+        /// <summary>
+        /// A value which is true if and only if the caller’s environment settings object is same-origin with its ancestors.
+        /// It is false if caller is cross-origin.
+        /// </summary>
+        public bool SameOriginWithAncestors { get; set; }
+
+        /// <summary>
+        /// The Relying Party's preference for attestation conveyance
+        /// </summary>
+        public string? Attestation { get; set; } = "none";
+
+        /// <summary>
+        /// The Relying Party's requirements of the authenticator used in the creation of the credential.
+        /// </summary>
+        public AuthenticatorSelectionCriteria? AuthenticatorSelection { get; set; }
+
+        /// <summary>
+        /// Challenge intended to be used for generating the newly created credential's attestation object.
+        /// </summary>
+        public required byte[] Challenge { get; set; } // base64url encoded
+
+        /// <summary>
+        /// This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for
+        /// the same account on a single authenticator. The client is requested to return an error if the new credential would
+        /// be created on an authenticator that also contains one of the credentials enumerated in this parameter.
+        /// </summary>
+        public PublicKeyCredentialDescriptor[]? ExcludeCredentials { get; set; }
+
+        /// <summary>
+        /// This member contains additional parameters requesting additional processing by the client and authenticator.
+        /// Not currently supported.
+        /// </summary>
+        public object? Extensions { get; set; }
+
+        /// <summary>
+        /// This member contains information about the desired properties of the credential to be created.
+        /// The sequence is ordered from most preferred to least preferred.
+        /// The client makes a best-effort to create the most preferred credential that it can.
+        /// </summary>
+        public required PublicKeyCredentialParameters[] PubKeyCredParams { get; set; }
+
+        /// <summary>
+        /// Data about the Relying Party responsible for the request.
+        /// </summary>
+        public required PublicKeyCredentialRpEntity Rp { get; set; }
+
+        /// <summary>
+        /// Data about the user account for which the Relying Party is requesting attestation.
+        /// </summary>
+        public required PublicKeyCredentialUserEntity User { get; set; }
+
+        /// <summary>
+        /// This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete.
+        /// This is treated as a hint, and MAY be overridden by the client.
+        /// </summary>
+        /// <remarks>
+        /// This is not currently supported.
+        /// </remarks>
+        public int? Timeout { get; set; }
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialResult.cs
+++ b/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialResult.cs
@@ -0,0 +1,19 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    /// <summary>
+    /// The result of creating a new credential.
+    /// 
+    /// This class is an extended version of the WebAuthn struct:
+    /// https://www.w3.org/TR/webauthn-3/#credentialcreationdata-attestationobjectresult
+    /// </summary>
+    public class Fido2ClientCreateCredentialResult
+    {
+        public byte[] CredentialId { get; set; }
+        public byte[] ClientDataJSON { get; set; }
+        public byte[] AttestationObject { get; set; }
+        public byte[] AuthData { get; set; }
+        public byte[] PublicKey { get; set; }
+        public int PublicKeyAlgorithm { get; set; }
+        public string[] Transports { get; set; }
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2ClientException.cs
+++ b/src/Core/Utilities/Fido2/Fido2ClientException.cs
@@ -0,0 +1,25 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    public class Fido2ClientException : Exception
+    {
+        public enum ErrorCode 
+        {
+            NotAllowedError,
+            TypeError,
+            SecurityError,
+            UriBlockedError,
+            NotSupportedError,
+            InvalidStateError,
+            UnknownError
+        }
+
+        public readonly ErrorCode Code;
+        public readonly string Reason;
+
+        public Fido2ClientException(ErrorCode code, string reason) : base($"{code} ({reason})")
+        {
+            Code = code;
+            Reason = reason;
+        }
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2DelegatedUserInterface.cs
+++ b/src/Core/Utilities/Fido2/Fido2DelegatedUserInterface.cs
@@ -0,0 +1,65 @@
+using Bit.Core.Abstractions;
+
+namespace Bit.Core.Utilities.Fido2
+{
+    /// <summary>
+    /// This implementation is used when all interactions are delegated to the operating system.
+    /// Most often these decisions have already been made by the time the Authenticator is called.
+    /// 
+    /// This is only supported for assertion operations. Attestation requires the user to interact 
+    /// with the app directly.
+    /// </summary>
+    public class Fido2DelegatedUserInterface : IFido2UserInterface
+    {
+        private string _cipherId = null;
+        private bool _userVerified = false;
+        private Func<Task> _ensureUnlockedVaultAsyncCallback;
+
+        /// <summary>
+        /// Indicates that the user has already picked a credential from a list of existing credentials.
+        /// Picking a credential also assumes user presence.
+        /// </summary>
+        public Fido2DelegatedUserInterface UserPickedCredential(string cipherId)
+        {
+            _cipherId = cipherId;
+            return this;
+        }
+
+        /// <summary>
+        /// Indicates that the user was verified by the OS, e.g. by a fingerprint or face scan.
+        /// </summary>
+        public Fido2DelegatedUserInterface UserIsVerified()
+        {
+            _userVerified = true;
+            return this;
+        }
+
+        public Fido2DelegatedUserInterface WithEnsureUnlockedVaultAsyncCallback(Func<Task> callback) 
+        {
+            _ensureUnlockedVaultAsyncCallback = callback;
+            return this;
+        }
+
+        public Task<Fido2PickCredentialResult> PickCredentialAsync(Fido2PickCredentialParams parameters)
+        {
+            return Task.FromResult(new Fido2PickCredentialResult
+            {
+                CipherId = _cipherId,
+                UserVerified = _userVerified
+            });
+        }
+
+        public Task EnsureUnlockedVaultAsync()
+        {
+            if (_ensureUnlockedVaultAsyncCallback != null)
+            {
+                return _ensureUnlockedVaultAsyncCallback();
+            }
+
+            throw new Exception("No callback provided to ensure the vault is unlocked");
+        }
+        
+        public Task InformExcludedCredential(string[] existingCipherIds) => throw new NotImplementedException();
+        public Task<Fido2ConfirmNewCredentialResult> ConfirmNewCredentialAsync(Fido2ConfirmNewCredentialParams parameters) => throw new NotImplementedException();
+    }
+}
--- a/src/Core/Utilities/Fido2/Fido2DomainUtils.cs
+++ b/src/Core/Utilities/Fido2/Fido2DomainUtils.cs
@@ -0,0 +1,37 @@
+using System.Text.RegularExpressions;
+
+namespace Bit.Core.Utilities.Fido2
+{
+    public class Fido2DomainUtils
+    {
+        // TODO: This is a basic implementation of the domain validation logic, and is probably not correct.
+        // It doesn't support IP-adresses, and it doesn't follow the algorithm in the spec:
+        // https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to
+        public static bool IsValidRpId(string rpId, string origin)
+        {
+            if (rpId == null || origin == null)
+            {
+                return false;
+            }
+
+            // TODO: DomainName doesn't like it when we give it a URL with a protocol or port
+            // So we remove the protocol and port here, while still supporting ipv6 shortform
+            // https is enforced in the client, so we don't need to worry about that here
+            var originWithoutProtocolOrPort = Regex.Replace(origin, @"(https?://)?([^:/]+)(:\d+)?(/.*)?", "$2$4");
+
+            if (rpId == originWithoutProtocolOrPort)
+            {
+                return true;
+            }
+
+            if (!DomainName.TryParse(rpId, out var parsedRpId) || !DomainName.TryParse(originWithoutProtocolOrPort, out var parsedOrgin))
+            {
+                return false;
+            }
+
+            return parsedOrgin.Tld == parsedRpId.Tld && 
+                parsedOrgin.Domain == parsedRpId.Domain && 
+                (parsedOrgin.SubDomain == parsedRpId.SubDomain || parsedOrgin.SubDomain.EndsWith(parsedRpId.SubDomain));
+        }
+    }
+}
--- a/src/Core/Utilities/Fido2/PublicKeyCredentialAlgorithmDescriptor.cs
+++ b/src/Core/Utilities/Fido2/PublicKeyCredentialAlgorithmDescriptor.cs
@@ -0,0 +1,9 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    public class PublicKeyCredentialAlgorithmDescriptor {
+        public byte[] Id {get; set;}
+        public string[] Transports;
+        public string Type;
+        public int Algorithm;
+    }
+}
--- a/src/Core/Utilities/Fido2/PublicKeyCredentialDescriptor.cs
+++ b/src/Core/Utilities/Fido2/PublicKeyCredentialDescriptor.cs
@@ -0,0 +1,9 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    public class PublicKeyCredentialDescriptor {
+        public byte[] Id { get; set; }
+        public string[] Transports { get; set; }
+        public string Type { get; set; }
+    }
+}
+
--- a/src/Core/Utilities/Fido2/PublicKeyCredentialParameters.cs
+++ b/src/Core/Utilities/Fido2/PublicKeyCredentialParameters.cs
@@ -0,0 +1,15 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    /// <summary>
+    /// A description of a key type and algorithm.
+    ///</example>
+    public class PublicKeyCredentialParameters 
+    {
+        public string Type { get; set; }
+
+        /// <summary>
+        /// Cose algorithm identifier, e.g. -7 for ES256.
+        /// </summary>
+        public int Alg { get; set; }
+    }
+}
--- a/src/Core/Utilities/Fido2/PublicKeyCredentialRpEntity.cs
+++ b/src/Core/Utilities/Fido2/PublicKeyCredentialRpEntity.cs
@@ -0,0 +1,9 @@
+namespace Bit.Core.Utilities.Fido2 
+{
+    public class PublicKeyCredentialRpEntity 
+    {
+        public string Id { get; set; }
+
+        public string Name { get; set; }
+    }
+}
--- a/src/Core/Utilities/Fido2/PublicKeyUserCredentialUserEntity.cs
+++ b/src/Core/Utilities/Fido2/PublicKeyUserCredentialUserEntity.cs
@@ -0,0 +1,9 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    public class PublicKeyCredentialUserEntity {
+        public byte[] Id { get; set; }
+        public string Name { get; set; }
+        public string DisplayName { get; set; }
+        public string Icon { get; set; }
+    }
+}
--- a/src/Core/Utilities/GuidExtensions.cs
+++ b/src/Core/Utilities/GuidExtensions.cs
@@ -0,0 +1,70 @@
+using System.Globalization;
+using System.Text.RegularExpressions;
+
+namespace Bit.Core.Utilities
+{
+    /// <summary>
+    /// Extension methods for converting between standard and raw GUID formats.
+    /// 
+    /// Note: Not optimized for performance. Don't use in performance-critical code.
+    /// </summary>
+    public static class GuidExtensions
+    {
+        public static byte[] GuidToRawFormat(this string guidString)
+        {
+            if (guidString == null)
+            {
+                throw new ArgumentException("GUID parameter is null", nameof(guidString));
+            }
+
+            if (!IsValidGuid(guidString)) {
+                throw new FormatException("GUID parameter is invalid");
+            }
+
+            var arr = new byte[16];
+
+            arr[0] = byte.Parse(guidString.Substring(0, 2), NumberStyles.HexNumber); // Parse ##......-....-....-....-............
+            arr[1] = byte.Parse(guidString.Substring(2, 2), NumberStyles.HexNumber); // Parse ..##....-....-....-....-............
+            arr[2] = byte.Parse(guidString.Substring(4, 2), NumberStyles.HexNumber); // Parse ....##..-....-....-....-............
+            arr[3] = byte.Parse(guidString.Substring(6, 2), NumberStyles.HexNumber); // Parse ......##-....-....-....-............
+
+            arr[4] = byte.Parse(guidString.Substring(9, 2), NumberStyles.HexNumber); // Parse ........-##..-....-....-............
+            arr[5] = byte.Parse(guidString.Substring(11, 2), NumberStyles.HexNumber); // Parse ........-..##-....-....-............
+
+            arr[6] = byte.Parse(guidString.Substring(14, 2), NumberStyles.HexNumber); // Parse ........-....-##..-....-............
+            arr[7] = byte.Parse(guidString.Substring(16, 2), NumberStyles.HexNumber); // Parse ........-....-..##-....-............
+
+            arr[8] = byte.Parse(guidString.Substring(19, 2), NumberStyles.HexNumber); // Parse ........-....-....-##..-............
+            arr[9] = byte.Parse(guidString.Substring(21, 2), NumberStyles.HexNumber); // Parse ........-....-....-..##-............
+
+            arr[10] = byte.Parse(guidString.Substring(24, 2), NumberStyles.HexNumber); // Parse ........-....-....-....-##..........
+            arr[11] = byte.Parse(guidString.Substring(26, 2), NumberStyles.HexNumber); // Parse ........-....-....-....-..##........
+            arr[12] = byte.Parse(guidString.Substring(28, 2), NumberStyles.HexNumber); // Parse ........-....-....-....-....##......
+            arr[13] = byte.Parse(guidString.Substring(30, 2), NumberStyles.HexNumber); // Parse ........-....-....-....-......##....
+            arr[14] = byte.Parse(guidString.Substring(32, 2), NumberStyles.HexNumber); // Parse ........-....-....-....-........##..
+            arr[15] = byte.Parse(guidString.Substring(34, 2), NumberStyles.HexNumber); // Parse ........-....-....-....-..........##
+
+            return arr;
+        }
+
+        public static string GuidToStandardFormat(this byte[] guidBytes)
+        {
+            if (guidBytes == null)
+            {
+                throw new ArgumentException("GUID parameter is null", nameof(guidBytes));
+            }
+
+            if (guidBytes.Length != 16)
+            {
+                throw new ArgumentException("Invalid raw GUID format", nameof(guidBytes));
+            }
+
+            return Convert.ToHexString(guidBytes).ToLower().Insert(8, "-").Insert(13, "-").Insert(18, "-").Insert(23, "-" );
+        }
+
+        public static bool IsValidGuid(string guid)
+        {
+            return Regex.IsMatch(guid, @"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", RegexOptions.ECMAScript);
+        }
+    }
+}
--- a/src/Core/Utilities/ServiceContainer.cs
+++ b/src/Core/Utilities/ServiceContainer.cs
@@ -1,9 +1,6 @@
-using System;
-using System.Collections.Concurrent;
-using System.Collections.Generic;
+using System.Collections.Concurrent;
 using System.Globalization;
 using System.Text;
-using System.Threading.Tasks;
 using Bit.Core.Abstractions;
 using Bit.Core.Services;

@@ -118,6 +115,7 @@ namespace Bit.Core.Utilities
            Register<IUsernameGenerationService>(usernameGenerationService);
            Register<IDeviceTrustCryptoService>(deviceTrustCryptoService);
            Register<IPasswordResetEnrollmentService>(passwordResetEnrollmentService);
+            Register<IFido2AuthenticationService>(new Fido2AuthenticationService());
        }

        public static void Register<T>(string serviceName, T obj)
--- a/src/Xamarin.AndroidX.Credentials/Additions/AboutAdditions.txt
+++ b/src/Xamarin.AndroidX.Credentials/Additions/AboutAdditions.txt
@@ -0,0 +1,48 @@
+Additions allow you to add arbitrary C# to the generated classes
+before they are compiled.  This can be helpful for providing convenience
+methods or adding pure C# classes.
+
+== Adding Methods to Generated Classes ==
+
+Let's say the library being bound has a Rectangle class with a constructor
+that takes an x and y position, and a width and length size.  It will look like
+this:
+
+public partial class Rectangle
+{
+    public Rectangle (int x, int y, int width, int height)
+    {
+        // JNI bindings
+    }
+}
+
+Imagine we want to add a constructor to this class that takes a Point and
+Size structure instead of 4 ints.  We can add a new file called Rectangle.cs
+with a partial class containing our new method:
+
+public partial class Rectangle
+{
+    public Rectangle (Point location, Size size) :
+        this (location.X, location.Y, size.Width, size.Height)
+    {
+    }
+}
+
+At compile time, the additions class will be added to the generated class
+and the final assembly will a Rectangle class with both constructors.
+
+
+== Adding C# Classes ==
+
+Another thing that can be done is adding fully C# managed classes to the
+generated library.  In the above example, let's assume that there isn't a
+Point class available in Java or our library.  The one we create doesn't need
+to interact with Java, so we'll create it like a normal class in C#.
+
+By adding a Point.cs file with this class, it will end up in the binding library:
+
+public class Point
+{
+    public int X { get; set; }
+    public int Y { get; set; }
+}
--- a/src/Xamarin.AndroidX.Credentials/Transforms/EnumFields.xml
+++ b/src/Xamarin.AndroidX.Credentials/Transforms/EnumFields.xml
@@ -0,0 +1,15 @@
+<enum-field-mappings>
+  <!--
+  This example converts the constants Fragment_id, Fragment_name,
+  and Fragment_tag from android.support.v4.app.FragmentActivity.FragmentTag
+  to an enum called Android.Support.V4.App.FragmentTagType with values
+  Id, Name, and Tag.
+  
+  <mapping jni-class="android/support/v4/app/FragmentActivity$FragmentTag" clr-enum-type="Android.Support.V4.App.FragmentTagType">
+    <field jni-name="Fragment_name" clr-name="Name" value="0" />
+    <field jni-name="Fragment_id" clr-name="Id" value="1" />
+    <field jni-name="Fragment_tag" clr-name="Tag" value="2" />
+  </mapping>
+  -->
+</enum-field-mappings>
+
--- a/src/Xamarin.AndroidX.Credentials/Transforms/EnumMethods.xml
+++ b/src/Xamarin.AndroidX.Credentials/Transforms/EnumMethods.xml
@@ -0,0 +1,14 @@
+<enum-method-mappings>
+  <!--
+  This example changes the Java method:
+    android.support.v4.app.Fragment.SavedState.writeToParcel (int flags)
+  to be:
+    android.support.v4.app.Fragment.SavedState.writeToParcel (Android.OS.ParcelableWriteFlags flags)
+  when bound in C#.
+  
+  <mapping jni-class="android/support/v4/app/Fragment.SavedState">
+    <method jni-name="writeToParcel" parameter="flags" clr-enum-type="Android.OS.ParcelableWriteFlags" />
+  </mapping>
+  -->
+</enum-method-mappings>
+
--- a/src/Xamarin.AndroidX.Credentials/Transforms/Metadata.xml
+++ b/src/Xamarin.AndroidX.Credentials/Transforms/Metadata.xml
@@ -0,0 +1,12 @@
+<metadata>
+  <attr path="/api/package[@name='androidx.credentials']" name="managedName">AndroidX.Credentials</attr>
+  <attr path="/api/package[@name='androidx.credentials.provider']" name="managedName">AndroidX.Credentials.Provider</attr>
+  <attr path="/api/package[@name='androidx.credentials.exceptions']" name="managedName">AndroidX.Credentials.Exceptions</attr>
+  <attr path="/api/package[@name='androidx.credentials.webauthn']" name="managedName">AndroidX.Credentials.WebAuthn</attr>
+
+  <!-- fix companions -->
+  <attr path="/api/package/class[substring(@name,string-length(@name)-9)='.Companion']" name="managedName">CompanionStatic</attr>
+  <remove-node path="/api/package/class[substring(@name,string-length(@name)-9)='.Companion' and count(method)=0 and count(field)=0]" />
+  <attr path="/api/package/class[substring(@name,string-length(@name)-7)='.Default']" name="managedName">DefaultStatic</attr>
+  <remove-node path="/api/package/class[substring(@name,string-length(@name)-7)='.Default' and count(method)=0 and count(field)=0]" />
+</metadata>
--- a/src/Xamarin.AndroidX.Credentials/Xamarin.AndroidX.Credentials.csproj
+++ b/src/Xamarin.AndroidX.Credentials/Xamarin.AndroidX.Credentials.csproj
@@ -0,0 +1,18 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net8.0-android</TargetFramework>
+    <SupportedOSPlatformVersion>21</SupportedOSPlatformVersion>
+
+    
+	<!--<SupportedOSPlatformVersion Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'ios'">11.0</SupportedOSPlatformVersion>
+	<SupportedOSPlatformVersion Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">21.0</SupportedOSPlatformVersion>-->
+
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <RootNamespace>XamarinBinding.AndroidX.Credentials</RootNamespace>
+  </PropertyGroup>
+  <ItemGroup>
+
+    <PackageReference Include="Xamarin.Kotlin.StdLib" Version="1.9.10.1" />
+  </ItemGroup>
+</Project>
--- a/src/Xamarin.AndroidX.Credentials/credentials-1.2.0.aar
+++ b/src/Xamarin.AndroidX.Credentials/credentials-1.2.0.aar
--- a/src/iOS.Autofill/CredentialProviderViewController.Passkeys.cs
+++ b/src/iOS.Autofill/CredentialProviderViewController.Passkeys.cs
@@ -0,0 +1,380 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using AuthenticationServices;
+using Bit.App.Abstractions;
+using Bit.Core.Abstractions;
+using Bit.Core.Models.View;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+using Bit.iOS.Core.Utilities;
+using Foundation;
+using Microsoft.Maui.ApplicationModel;
+using ObjCRuntime;
+using UIKit;
+
+namespace Bit.iOS.Autofill
+{
+    public partial class CredentialProviderViewController : ASCredentialProviderViewController, IAccountsManagerHost, IFido2UserInterface
+    {
+        private readonly LazyResolve<ICipherService> _cipherService = new LazyResolve<ICipherService>();
+
+        private readonly Fido2DelegatedUserInterface _userInterface = new Fido2DelegatedUserInterface();
+
+        private IFido2AuthenticatorService _fido2AuthService;
+        private IFido2AuthenticatorService Fido2AuthService
+        {
+            get
+            {
+                if (_fido2AuthService is null)
+                {
+                    _fido2AuthService = ServiceContainer.Resolve<IFido2AuthenticatorService>();
+                    _fido2AuthService.Init(_userInterface);
+                }
+                return _fido2AuthService;
+            }
+        }
+
+        public override async void PrepareInterfaceForPasskeyRegistration(IASCredentialRequest registrationRequest)
+        {
+            if (!UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
+            {
+                return;
+            }
+
+            ClipLogger.Log($"PIFPR(IASC)");
+
+            try
+            {
+                switch (registrationRequest?.Type)
+                {
+                    case ASCredentialRequestType.PasskeyAssertion:
+                        ClipLogger.Log($"PIFPR(IASC) -> Passkey");
+                        var passkeyRegistrationRequest = Runtime.GetNSObject<ASPasskeyCredentialRequest>(registrationRequest.GetHandle());
+                        await PrepareInterfaceForPasskeyRegistrationAsync(passkeyRegistrationRequest);
+                        break;
+                    default:
+                        ClipLogger.Log($"PIFPR(IASC) -> Type not PA");
+                        CancelRequest(ASExtensionErrorCode.Failed);
+                        break;
+                }
+
+            }
+            catch (Exception ex)
+            {
+                OnProvidingCredentialException(ex);
+            }
+        }
+
+        private async Task PrepareInterfaceForPasskeyRegistrationAsync(ASPasskeyCredentialRequest passkeyRegistrationRequest)
+        {
+            if (!UIDevice.CurrentDevice.CheckSystemVersion(17, 0) || passkeyRegistrationRequest?.CredentialIdentity is null)
+            {
+                ClipLogger.Log($"PIFPR Not iOS 17 or null passkey request/identity");
+                return;
+            }
+
+            InitAppIfNeeded();
+
+            if (!await IsAuthed())
+            {
+                ClipLogger.Log($"PIFPR Not Authed");
+                await _accountsManager.NavigateOnAccountChangeAsync(false);
+                return;
+            }
+
+            _context.PasskeyCredentialRequest = passkeyRegistrationRequest;
+            _context.IsCreatingPasskey = true;
+
+            var credIdentity = Runtime.GetNSObject<ASPasskeyCredentialIdentity>(passkeyRegistrationRequest.CredentialIdentity.GetHandle());
+
+            ClipLogger.Log($"PIFPR MakeCredentialAsync");
+            ClipLogger.Log($"PIFPR MakeCredentialAsync RpID: {credIdentity.RelyingPartyIdentifier}");
+            ClipLogger.Log($"PIFPR MakeCredentialAsync UserName: {credIdentity.UserName}");
+            ClipLogger.Log($"PIFPR MakeCredentialAsync UVP: {passkeyRegistrationRequest.UserVerificationPreference}");
+            ClipLogger.Log($"PIFPR MakeCredentialAsync SA: {passkeyRegistrationRequest.SupportedAlgorithms?.Select(a => (int)a)}");
+            ClipLogger.Log($"PIFPR MakeCredentialAsync UH: {credIdentity.UserHandle.GetBase64EncodedString(NSDataBase64EncodingOptions.None)}");
+
+            var result = await Fido2AuthService.MakeCredentialAsync(new Bit.Core.Utilities.Fido2.Fido2AuthenticatorMakeCredentialParams
+            {
+                Hash = passkeyRegistrationRequest.ClientDataHash.ToArray(),
+                CredTypesAndPubKeyAlgs = GetCredTypesAndPubKeyAlgs(passkeyRegistrationRequest.SupportedAlgorithms),
+                RequireUserVerification = passkeyRegistrationRequest.UserVerificationPreference == "required",
+                RequireResidentKey = true,
+                RpEntity = new PublicKeyCredentialRpEntity
+                {
+                    Id = credIdentity.RelyingPartyIdentifier,
+                    Name = credIdentity.RelyingPartyIdentifier
+                },
+                UserEntity = new PublicKeyCredentialUserEntity
+                {
+                    Id = credIdentity.UserHandle.ToArray(),
+                    Name = credIdentity.UserName,
+                    DisplayName = credIdentity.UserName
+                }
+            });
+
+            await ASHelpers.ReplaceAllIdentitiesAsync();
+
+            ClipLogger.Log($"PIFPR Completing");
+            ClipLogger.Log($"PIFPR Completing - RpId: {credIdentity.RelyingPartyIdentifier}");
+            ClipLogger.Log($"PIFPR Completing - CDH: {passkeyRegistrationRequest.ClientDataHash.GetBase64EncodedString(NSDataBase64EncodingOptions.None)}");
+            ClipLogger.Log($"PIFPR Completing - CID: {Convert.ToBase64String(result.CredentialId, Base64FormattingOptions.None)}");
+            ClipLogger.Log($"PIFPR Completing - AO: {Convert.ToBase64String(result.AttestationObject, Base64FormattingOptions.None)}");
+
+            var expired = await ExtensionContext.CompleteRegistrationRequestAsync(new ASPasskeyRegistrationCredential(
+                            credIdentity.RelyingPartyIdentifier,
+                            passkeyRegistrationRequest.ClientDataHash,
+                            NSData.FromArray(result.CredentialId),
+                            NSData.FromArray(result.AttestationObject)));
+
+            ClipLogger.Log($"CompleteRegistrationRequestAsync: {expired}");
+        }
+
+        private PublicKeyCredentialParameters[] GetCredTypesAndPubKeyAlgs(NSNumber[] supportedAlgorithms)
+        {
+            if (supportedAlgorithms?.Any() != true)
+            {
+                return new PublicKeyCredentialParameters[]
+                {
+                    new PublicKeyCredentialParameters
+                    {
+                        Type = Bit.Core.Constants.DefaultFido2CredentialType,
+                        Alg = (int)Fido2AlgorithmIdentifier.ES256
+                    },
+                    new PublicKeyCredentialParameters
+                    {
+                        Type = Bit.Core.Constants.DefaultFido2CredentialType,
+                        Alg = (int)Fido2AlgorithmIdentifier.RS256
+                    }
+                };
+            }
+
+            return supportedAlgorithms
+                .Where(alg => (int)alg == (int)Fido2AlgorithmIdentifier.ES256)
+                .Select(alg => new PublicKeyCredentialParameters
+                {
+                    Type = Bit.Core.Constants.DefaultFido2CredentialType,
+                    Alg = (int)alg
+                }).ToArray();
+        }
+
+        public class UserInteractionRequiredException : Exception {}
+
+        private async Task ProvideCredentialWithoutUserInteractionAsync(ASPasskeyCredentialRequest passkeyCredentialRequest)
+        {
+            InitAppIfNeeded();
+            await _stateService.Value.SetPasswordRepromptAutofillAsync(false);
+            await _stateService.Value.SetPasswordVerifiedAutofillAsync(false);
+            _context.PasskeyCredentialRequest = passkeyCredentialRequest;
+
+            try {
+                await ProvideCredentialAsync(false);
+            } catch (UserInteractionRequiredException) {
+                CancelRequest(ASExtensionErrorCode.UserInteractionRequired);
+            }
+        }
+
+        public async Task CompleteAssertionRequestAsync(string rpId, NSData userHandleData, NSData credentialIdData, string cipherId)
+        {
+            if (!UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
+            {
+                OnProvidingCredentialException(new InvalidOperationException("Trying to complete assertion request before iOS 17"));
+                return;
+            }
+
+            if (_context.PasskeyCredentialRequest is null)
+            {
+                OnProvidingCredentialException(new InvalidOperationException("Trying to complete assertion request without a PasskeyCredentialRequest"));
+                return;
+            }
+
+            try
+            {
+                ClipLogger.Log($"ClientDataHash: {_context.PasskeyCredentialRequest.ClientDataHash}");
+                ClipLogger.Log($"ClientDataHash BA: {_context.PasskeyCredentialRequest.ClientDataHash.ToByteArray()}");
+                ClipLogger.Log($"ClientDataHash base64: {_context.PasskeyCredentialRequest.ClientDataHash.GetBase64EncodedString(NSDataBase64EncodingOptions.None)}");
+                ClipLogger.Log($"ClientDataHash base64 from bytes: {Convert.ToBase64String(_context.PasskeyCredentialRequest.ClientDataHash.ToByteArray(), Base64FormattingOptions.None)}");
+
+                var fido2AssertionResult = await Fido2AuthService.GetAssertionAsync(new Bit.Core.Utilities.Fido2.Fido2AuthenticatorGetAssertionParams
+                {
+                    RpId = rpId,
+                    Hash = _context.PasskeyCredentialRequest.ClientDataHash.ToArray(),
+                    RequireUserVerification = _context.PasskeyCredentialRequest.UserVerificationPreference == "required",
+                    RequireUserPresence = false,
+                    AllowCredentialDescriptorList = new Bit.Core.Utilities.Fido2.PublicKeyCredentialDescriptor[]
+                    {
+                        new Bit.Core.Utilities.Fido2.PublicKeyCredentialDescriptor
+                        {
+                            Id = credentialIdData.ToArray()
+                        }
+                    }
+                });
+
+                _userInterface.UserPickedCredential(cipherId);
+                // if (os.PerformedFaceID) {
+                _userInterface.UserIsVerified();
+                //}
+
+                ClipLogger.Log("fido2AssertionResult:" + fido2AssertionResult);
+
+                var selectedUserHandleData = fido2AssertionResult.SelectedCredential != null
+                    ? NSData.FromArray(fido2AssertionResult.SelectedCredential.UserHandle)
+                    : (NSData)userHandleData;
+
+
+                ClipLogger.Log("selectedUserHandleData:" + selectedUserHandleData);
+
+                var selectedCredentialIdData = fido2AssertionResult.SelectedCredential != null
+                    ? NSData.FromArray(fido2AssertionResult.SelectedCredential.Id)
+                    : credentialIdData;
+
+                ClipLogger.Log("selectedCredentialIdData:" + selectedCredentialIdData);
+
+                await CompleteAssertionRequest(new ASPasskeyAssertionCredential(
+                    selectedUserHandleData,
+                    rpId,
+                    NSData.FromArray(fido2AssertionResult.Signature),
+                    _context.PasskeyCredentialRequest.ClientDataHash,
+                    NSData.FromArray(fido2AssertionResult.AuthenticatorData),
+                    selectedCredentialIdData
+                ));
+            }
+            catch (InvalidOperationException)
+            {
+                ClipLogger.Log("CompleteAssertionRequestAsync -> InvalidOperationException NoOp");
+                return;
+            }
+        }
+
+        public async Task CompleteAssertionRequest(ASPasskeyAssertionCredential assertionCredential)
+        {
+            try
+            {
+            ClipLogger.Log("CompleteAssertionRequest(ASPasskeyAssertionCredential assertionCredential");
+            if (assertionCredential is null)
+            {
+                ClipLogger.Log("CompleteAssertionRequest(ASPasskeyAssertionCredential assertionCredential -> assertionCredential is null");
+                ServiceContainer.Reset();
+                CancelRequest(ASExtensionErrorCode.UserCanceled);
+                return;
+            }
+
+            //NSRunLoop.Main.BeginInvokeOnMainThread(() =>
+            //{
+                ServiceContainer.Reset();
+#pragma warning disable CA1416 // Validate platform compatibility
+                ClipLogger.Log("CompleteAssertionRequest(ASPasskeyAssertionCredential assertionCredential -> completing");
+            var expired = await ExtensionContext.CompleteAssertionRequestAsync(assertionCredential);
+                //ExtensionContext.CompleteAssertionRequest(assertionCredential, expired =>
+                //{
+                //    ClipLogger.Log($"ASExtensionContext?.CompleteAssertionRequest: {expired}");
+                //});
+
+                ClipLogger.Log($"CompleteAssertionRequest(ASPasskeyAssertionCredential assertionCredential -> Completed {expired}");
+#pragma warning restore CA1416 // Validate platform compatibility
+                //});
+
+            }
+            catch (Exception ex)
+            {
+                ClipLogger.Log($"CompleteAssertionRequest(ASPasskeyAssertionCredential assertionCredential -> failed {ex}");
+            }
+        }
+
+        private bool CanProvideCredentialOnPasskeyRequest(CipherView cipherView)
+        {
+            return _context.PasskeyCredentialRequest != null && !cipherView.Login.HasFido2Credentials;
+        }
+
+        // IFido2UserInterface
+
+        public Task<Fido2PickCredentialResult> PickCredentialAsync(Fido2PickCredentialParams pickCredentialParams)
+        {
+            return Task.FromResult(new Fido2PickCredentialResult());
+        }
+
+        public Task InformExcludedCredential(string[] existingCipherIds)
+        {
+            return Task.CompletedTask;
+        }
+
+        public async Task<Fido2ConfirmNewCredentialResult> ConfirmNewCredentialAsync(Fido2ConfirmNewCredentialParams confirmNewCredentialParams)
+        {
+            // TODO: Show interface so the user can choose whether to create a new passkey or select one to add the passkey to.
+            var newCipher = new CipherView
+            {
+                Name = confirmNewCredentialParams.RpId,
+                Type = Bit.Core.Enums.CipherType.Login,
+                Login = new LoginView
+                {
+                    Uris = new List<LoginUriView>
+                {
+                    new LoginUriView
+                    {
+                        Uri = confirmNewCredentialParams.RpId
+                    }
+                }
+                },
+                Card = new CardView(),
+                Identity = new IdentityView(),
+                SecureNote = new SecureNoteView
+                {
+                    Type = Bit.Core.Enums.SecureNoteType.Generic
+                },
+                Reprompt = Bit.Core.Enums.CipherRepromptType.None
+            };
+
+            var encryptedCipher = await _cipherService.Value.EncryptAsync(newCipher);
+            await _cipherService.Value.SaveWithServerAsync(encryptedCipher);
+
+            return new Fido2ConfirmNewCredentialResult
+            {
+                CipherId = encryptedCipher.Id,
+                UserVerified = true
+            };
+        }
+
+        public async Task EnsureUnlockedVaultAsync()
+        {
+            if (_context.IsCreatingPasskey)
+            {
+                ClipLogger.Log($"EnsureUnlockedVaultAsync creating passkey");
+                if (!await IsLocked())
+                {
+                    ClipLogger.Log($"EnsureUnlockedVaultAsync not locked");
+                    return;
+                }
+
+                _context._unlockVaultTcs?.SetCanceled();
+                _context._unlockVaultTcs = new TaskCompletionSource<bool>();
+                MainThread.BeginInvokeOnMainThread(() =>
+                {
+                    try
+                    {
+                        ClipLogger.Log($"EnsureUnlockedVaultAsync performing lock segue");
+                        PerformSegue("lockPasswordSegue", this);
+                    }
+                    catch (Exception ex)
+                    {
+                        ClipLogger.Log($"EnsureUnlockedVaultAsync {ex}");
+                    }
+                });
+
+                ClipLogger.Log($"EnsureUnlockedVaultAsync awaiting for unlock");
+                await _context._unlockVaultTcs.Task;
+                return;
+            }
+
+            ClipLogger.Log($"EnsureUnlockedVaultAsync Passkey selection");
+            if (!await IsAuthed() || await IsLocked())
+            {
+                CancelRequest(ASExtensionErrorCode.UserInteractionRequired);
+                throw new InvalidOperationException("Not authed or locked");
+            }
+        }
+    }
+}
+
--- a/src/iOS.Autofill/CredentialProviderViewController.cs
+++ b/src/iOS.Autofill/CredentialProviderViewController.cs
@@ -20,7 +20,10 @@ using Foundation;
 using Microsoft.Maui.ApplicationModel;
 using Microsoft.Maui.Controls;
 using Microsoft.Maui.Platform;
+using ObjCRuntime;
 using UIKit;
+using static CoreFoundation.DispatchSource;
+using static Microsoft.Maui.ApplicationModel.Permissions;

 namespace Bit.iOS.Autofill
 {
@@ -45,8 +48,12 @@ namespace Bit.iOS.Autofill
        {
            try
            {
+                ClipLogger.Log("ViewDidLoad");
+
                InitAppIfNeeded();

+                ClipLogger.Log("Inited");
+
                base.ViewDidLoad();

                Logo.Image = new UIImage(ThemeHelpers.LightTheme ? "logo.png" : "logo_white.png");
@@ -56,11 +63,12 @@ namespace Bit.iOS.Autofill
                    ExtContext = ExtensionContext
                };

+                ClipLogger.Log("ViewDidLoad completed");
            }
            catch (Exception ex)
            {
-                LoggerHelper.LogEvenIfCantBeResolved(ex);
-                throw;
+                ClipLogger.Log($"ViewDidLoad ex: {ex}");
+                OnProvidingCredentialException(ex);
            }
        }

@@ -68,6 +76,7 @@ namespace Bit.iOS.Autofill
        {
            try
            {
+                ClipLogger.Log("PrepareCredentialList(ASCredentialServiceIdentifier[] serviceIdentifiers");
                InitAppIfNeeded();
                _context.ServiceIdentifiers = serviceIdentifiers;
                if (serviceIdentifiers.Length > 0)
@@ -101,59 +110,201 @@ namespace Bit.iOS.Autofill
            }
            catch (Exception ex)
            {
-                LoggerHelper.LogEvenIfCantBeResolved(ex);
-                throw;
+                OnProvidingCredentialException(ex);
            }
        }

-        public override async void ProvideCredentialWithoutUserInteraction(ASPasswordCredentialIdentity credentialIdentity)
+        [Export("prepareCredentialListForServiceIdentifiers:requestParameters:")]
+        public override async void PrepareCredentialList(ASCredentialServiceIdentifier[] serviceIdentifiers, ASPasskeyCredentialRequestParameters requestParameters)
        {
            try
            {
+                ClipLogger.Log("PrepareCredentialList(ASCredentialServiceIdentifier[] serviceIdentifiers, ASPasskeyCredentialRequestParameters requestParameters");
                InitAppIfNeeded();
-                await _stateService.Value.SetPasswordRepromptAutofillAsync(false);
-                await _stateService.Value.SetPasswordVerifiedAutofillAsync(false);
-                if (!await IsAuthed() || await IsLocked())
+                _context.ServiceIdentifiers = serviceIdentifiers;
+                if (serviceIdentifiers.Length > 0)
                {
-                    var err = new NSError(new NSString("ASExtensionErrorDomain"),
-                        Convert.ToInt32(ASExtensionErrorCode.UserInteractionRequired), null);
-                    ExtensionContext.CancelRequest(err);
-                    return;
+                    var uri = serviceIdentifiers[0].Identifier;
+                    if (serviceIdentifiers[0].Type == ASCredentialServiceIdentifierType.Domain)
+                    {
+                        uri = string.Concat("https://", uri);
+                    }
+                    _context.UrlString = uri;
                }
-                _context.CredentialIdentity = credentialIdentity;
-                await ProvideCredentialAsync(false);
-            }
-            catch (Exception ex)
-            {
-                LoggerHelper.LogEvenIfCantBeResolved(ex);
-                throw;
-            }
-        }
-
-        public override async void PrepareInterfaceToProvideCredential(ASPasswordCredentialIdentity credentialIdentity)
-        {
-            try
-            {
-                InitAppIfNeeded();
                if (!await IsAuthed())
                {
                    await _accountsManager.NavigateOnAccountChangeAsync(false);
-                    return;
                }
-                _context.CredentialIdentity = credentialIdentity;
-                await CheckLockAsync(async () => await ProvideCredentialAsync());
+                else if (await IsLocked())
+                {
+                    PerformSegue("lockPasswordSegue", this);
+                }
+                else
+                {
+                    if (_context.ServiceIdentifiers == null || _context.ServiceIdentifiers.Length == 0)
+                    {
+                        PerformSegue("loginSearchSegue", this);
+                    }
+                    else
+                    {
+                        PerformSegue("loginListSegue", this);
+                    }
+                }
            }
            catch (Exception ex)
            {
-                LoggerHelper.LogEvenIfCantBeResolved(ex);
-                throw;
+                OnProvidingCredentialException(ex);
            }
        }

+        [Export("provideCredentialWithoutUserInteractionForRequest:")]
+        public override async void ProvideCredentialWithoutUserInteraction(IASCredentialRequest credentialRequest)
+        {
+            if (!UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
+            {
+                return;
+            }
+
+            try
+            {
+                ClipLogger.Log("ProvideCredentialWithoutUserInteraction(IASCredentialRequest credentialRequest");
+
+                //ClipLogger.Log($"PCWUI(IASC) -> R: {credentialRequest?.GetType().FullName}");
+                //ClipLogger.Log($"PCWUI(IASC) -> I: {credentialRequest?.CredentialIdentity?.GetType().FullName}");
+
+                //ClipLogger.Log($"PCWUI(IASC) -> R k: {asPasskeyCredentialRequest?.GetType().FullName}");
+                //ClipLogger.Log($"PCWUI(IASC) -> I k: {asPasskeyCredentialRequest?.CredentialIdentity?.GetType().FullName}");
+
+                //var crType = asPasskeyCredentialRequest.GetType();
+                //foreach (var item in crType.GetProperties())
+                //{
+                //    ClipLogger.Log($"PCWUI(IASC) -> R -> {item.Name} -- {item.PropertyType}");
+                //}
+
+                //var ciType = asPasskeyCredentialRequest.CredentialIdentity.GetType();
+                //foreach (var item in ciType.GetProperties())
+                //{
+                //    ClipLogger.Log($"PCWUI(IASC) -> I -> {item.Name} -- {item.PropertyType}");
+                //}
+
+
+                switch (credentialRequest?.Type)
+                {
+                    case ASCredentialRequestType.Password:
+                        var passwordCredentialIdentity = Runtime.GetNSObject<ASPasswordCredentialIdentity>(credentialRequest.CredentialIdentity.GetHandle());
+                        ClipLogger.Log($"PCWUI(IASC) -> Type P {passwordCredentialIdentity}");
+                        await ProvideCredentialWithoutUserInteractionAsync(passwordCredentialIdentity);
+                        break;
+                    case ASCredentialRequestType.PasskeyAssertion:
+                        var asPasskeyCredentialRequest = Runtime.GetNSObject<ASPasskeyCredentialRequest>(credentialRequest.GetHandle());
+                        await ProvideCredentialWithoutUserInteractionAsync(asPasskeyCredentialRequest);
+                        break;
+                    default:
+                        ClipLogger.Log($"PCWUI(IASC) -> Type not P nor PA");
+                        CancelRequest(ASExtensionErrorCode.Failed);
+                        break;
+                }
+
+                //switch (credentialRequest)
+                //{
+                //    case ASPasswordCredentialRequest passwordRequest:
+                //        await ProvideCredentialWithoutUserInteractionAsync(passwordRequest.CredentialIdentity as ASPasswordCredentialIdentity);
+                //        break;
+                //    case ASPasskeyCredentialRequest passkeyRequest:
+                //        await ProvideCredentialWithoutUserInteractionAsync(passkeyRequest);
+                //        break;
+                //    default:
+                //        CancelRequest(ASExtensionErrorCode.Failed);
+                //        break;
+                //}
+            }
+            catch (Exception ex)
+            {
+                OnProvidingCredentialException(ex);
+            }
+        }
+
+        //public override async void ProvideCredentialWithoutUserInteraction(ASPasswordCredentialIdentity credentialIdentity)
+        //{
+        //    try
+        //    {
+        //        ClipLogger.Log("ProvideCredentialWithoutUserInteraction(ASPasswordCredentialIdentity credentialIdentity");
+        //        await ProvideCredentialWithoutUserInteractionAsync(credentialIdentity);
+        //    }
+        //    catch (Exception ex)
+        //    {
+        //        OnProvidingCredentialException(ex);
+        //    }
+        //}
+
+        [Export("prepareInterfaceToProvideCredentialForRequest:")]
+        public override async void PrepareInterfaceToProvideCredential(IASCredentialRequest credentialRequest)
+        {
+            if (!UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
+            {
+                return;
+            }
+
+            try
+            {
+                ClipLogger.Log("PrepareInterfaceToProvideCredential(IASCredentialRequest credentialRequest");
+
+                switch (credentialRequest?.Type)
+                {
+                    case ASCredentialRequestType.Password:
+                        var passwordCredentialIdentity = Runtime.GetNSObject<ASPasswordCredentialIdentity>(credentialRequest.CredentialIdentity.GetHandle());
+                        ClipLogger.Log($"PITPC(IASCR) -> Type P {credentialRequest.CredentialIdentity}");
+                        await PrepareInterfaceToProvideCredentialAsync(c => c.PasswordCredentialIdentity = passwordCredentialIdentity);
+                        break;
+                    case ASCredentialRequestType.PasskeyAssertion:
+                        var asPasskeyCredentialRequest = Runtime.GetNSObject<ASPasskeyCredentialRequest>(credentialRequest.GetHandle());
+                        await PrepareInterfaceToProvideCredentialAsync(c => c.PasskeyCredentialRequest = asPasskeyCredentialRequest);
+                        break;
+                    default:
+                        ClipLogger.Log($"PITPC(IASCR) -> Type not P nor PA");
+                        CancelRequest(ASExtensionErrorCode.Failed);
+                        break;
+                }
+
+
+                //switch (credentialRequest)
+                //{
+                //    case ASPasswordCredentialRequest passwordRequest:
+                //        //PrepareInterfaceToProvideCredential(passwordRequest.CredentialIdentity as ASPasswordCredentialIdentity);
+                //        await PrepareInterfaceToProvideCredentialAsync(c => c.PasswordCredentialIdentity = passwordRequest.CredentialIdentity as ASPasswordCredentialIdentity);
+                //        break;
+                //    case ASPasskeyCredentialRequest passkeyRequest:
+                //        await PrepareInterfaceToProvideCredentialAsync(c => c.PasskeyCredentialRequest = passkeyRequest);
+                //        break;
+                //    default:
+                //        CancelRequest(ASExtensionErrorCode.Failed);
+                //        break;
+                //}
+            }
+            catch (Exception ex)
+            {
+                OnProvidingCredentialException(ex);
+            }
+        }
+
+        //public override async void PrepareInterfaceToProvideCredential(ASPasswordCredentialIdentity credentialIdentity)
+        //{
+        //    try
+        //    {
+        //        ClipLogger.Log("PrepareInterfaceToProvideCredential(ASPasswordCredentialIdentity credentialIdentity");
+        //        await PrepareInterfaceToProvideCredentialAsync(c => c.PasswordCredentialIdentity = credentialIdentity);
+        //    }
+        //    catch (Exception ex)
+        //    {
+        //        OnProvidingCredentialException(ex);
+        //    }
+        //}
+
        public override async void PrepareInterfaceForExtensionConfiguration()
        {
            try
            {
+                ClipLogger.Log("PrepareInterfaceForExtensionConfiguration");
                InitAppIfNeeded();
                _context.Configuring = true;
                if (!await IsAuthed())
@@ -165,14 +316,44 @@ namespace Bit.iOS.Autofill
            }
            catch (Exception ex)
            {
-                LoggerHelper.LogEvenIfCantBeResolved(ex);
-                throw;
+                OnProvidingCredentialException(ex);
            }
        }
+        
+        private async Task ProvideCredentialWithoutUserInteractionAsync(ASPasswordCredentialIdentity credentialIdentity)
+        {
+            ClipLogger.Log("ProvideCredentialWithoutUserInteractionAsync(ASPasswordCredentialIdentity credentialIdentity");
+            InitAppIfNeeded();
+            await _stateService.Value.SetPasswordRepromptAutofillAsync(false);
+            await _stateService.Value.SetPasswordVerifiedAutofillAsync(false);
+            if (!await IsAuthed() || await IsLocked())
+            {
+                var err = new NSError(new NSString("ASExtensionErrorDomain"),
+                    Convert.ToInt32(ASExtensionErrorCode.UserInteractionRequired), null);
+                ExtensionContext.CancelRequest(err);
+                return;
+            }
+            _context.PasswordCredentialIdentity = credentialIdentity;
+            await ProvideCredentialAsync(false);
+        }
+
+        private async Task PrepareInterfaceToProvideCredentialAsync(Action<Context> updateContext)
+        {
+            ClipLogger.Log("PrepareInterfaceToProvideCredentialAsync(Action<Context> updateContext");
+            InitAppIfNeeded();
+            if (!await IsAuthed())
+            {
+                await _accountsManager.NavigateOnAccountChangeAsync(false);
+                return;
+            }
+            updateContext(_context);
+            await CheckLockAsync(async () => await ProvideCredentialAsync());
+        }

        public void CompleteRequest(string id = null, string username = null,
            string password = null, string totp = null)
        {
+            ClipLogger.Log("CompleteRequest");
            if ((_context?.Configuring ?? true) && string.IsNullOrWhiteSpace(password))
            {
                ServiceContainer.Reset();
@@ -207,10 +388,25 @@ namespace Bit.iOS.Autofill
            });
        }

+        private void OnProvidingCredentialException(Exception ex)
+        {
+            LoggerHelper.LogEvenIfCantBeResolved(ex);
+            CancelRequest(ASExtensionErrorCode.Failed);
+        }
+
+        private void CancelRequest(ASExtensionErrorCode code)
+        {
+            ClipLogger.Log("CancelRequest" + code);
+            //var err = new NSError(new NSString("ASExtensionErrorDomain"), Convert.ToInt32(code), null);
+            var err = new NSError(ASExtensionErrorCodeExtensions.GetDomain(code), (int)code);
+            ExtensionContext?.CancelRequest(err);
+        }
+
        public override void PrepareForSegue(UIStoryboardSegue segue, NSObject sender)
        {
            try
            {
+                ClipLogger.Log("Preparing for Segue");
                if (segue.DestinationViewController is UINavigationController navController)
                {
                    if (navController.TopViewController is LoginListViewController listLoginController)
@@ -245,18 +441,19 @@ namespace Bit.iOS.Autofill
            }
            catch (Exception ex)
            {
-                LoggerHelper.LogEvenIfCantBeResolved(ex);
-                throw;
+                OnProvidingCredentialException(ex);
            }
        }

-        public async void DismissLockAndContinue()
+        public void DismissLockAndContinue()
        {
+            ClipLogger.Log("DismissLockAndContinue");
            DismissViewController(false, async () => await OnLockDismissedAsync());
        }

        private void NavigateToPage(ContentPage page)
        {
+            ClipLogger.Log("NavigateToPage" + page.GetType().FullName);
            var navigationPage = new NavigationPage(page);
            var uiController = navigationPage.ToUIViewController(MauiContextSingleton.Instance.MauiContext);
            uiController.ModalPresentationStyle = UIModalPresentationStyle.FullScreen;
@@ -268,90 +465,136 @@ namespace Bit.iOS.Autofill
        {
            try
            {
-                if (_context.CredentialIdentity != null)
+                ClipLogger.Log("OnLockDismissedAsync");
+
+                if (_context.IsCreatingPasskey)
                {
+                    ClipLogger.Log("OnLockDismissedAsync -> IsCreatingPasskey");
+                    _context._unlockVaultTcs.SetResult(true);
+                    return;
+                }
+
+                if (_context.PasswordCredentialIdentity != null || _context.IsPasskey)
+                {
+                    ClipLogger.Log("OnLockDismissedAsync -> ProvideCredentialAsync");
                    await MainThread.InvokeOnMainThreadAsync(() => ProvideCredentialAsync());
                    return;
                }
                if (_context.Configuring)
                {
+                    ClipLogger.Log("OnLockDismissedAsync -> Configuring");
                    await MainThread.InvokeOnMainThreadAsync(() => PerformSegue("setupSegue", this));
                    return;
                }

                if (_context.ServiceIdentifiers == null || _context.ServiceIdentifiers.Length == 0)
                {
+                    ClipLogger.Log("OnLockDismissedAsync -> loginSearchSegue");
                    await MainThread.InvokeOnMainThreadAsync(() => PerformSegue("loginSearchSegue", this));
                }
                else
                {
+                    ClipLogger.Log("OnLockDismissedAsync -> loginListSegue");
                    await MainThread.InvokeOnMainThreadAsync(() => PerformSegue("loginListSegue", this));
                }
            }
            catch (Exception ex)
            {
-                LoggerHelper.LogEvenIfCantBeResolved(ex);
-                throw;
+                OnProvidingCredentialException(ex);
            }
        }

        private async Task ProvideCredentialAsync(bool userInteraction = true)
        {
+            _userInterface.WithEnsureUnlockedVaultAsyncCallback(async () => {
+                if (!userInteraction && (!await IsAuthed() || await IsLocked())) {
+                    throw new UserInteractionRequiredException();
+                }
+
+                await EnsureUnlockedVaultAsync();
+            });
            try
            {
-                var cipherService = ServiceContainer.Resolve<ICipherService>("cipherService", true);
-                Bit.Core.Models.Domain.Cipher cipher = null;
-                var cancel = cipherService == null || _context.CredentialIdentity?.RecordIdentifier == null;
-                if (!cancel)
+                ClipLogger.Log("ProvideCredentialAsync");
+                
+                if (_context.IsPasskey && UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
                {
-                    cipher = await cipherService.GetAsync(_context.CredentialIdentity.RecordIdentifier);
-                    cancel = cipher == null || cipher.Type != Bit.Core.Enums.CipherType.Login || cipher.Login == null;
+                    if (_context.PasskeyCredentialIdentity is null)
+                    {
+                        ClipLogger.Log("ProvideCredentialAsync -> IsPasskey failed");
+                        CancelRequest(ASExtensionErrorCode.Failed);
+                    }
+
+                    ClipLogger.Log("ProvideCredentialAsync -> IsPasskey");
+                    ClipLogger.Log($"ProvideCredentialAsync -> IsPasskey - RP: {_context.PasskeyCredentialIdentity.RelyingPartyIdentifier}");
+                    ClipLogger.Log($"ProvideCredentialAsync -> IsPasskey - UH: {_context.PasskeyCredentialIdentity.UserHandle}");
+                    ClipLogger.Log($"ProvideCredentialAsync -> IsPasskey - CID: {_context.PasskeyCredentialIdentity.CredentialId}");
+                    ClipLogger.Log($"ProvideCredentialAsync -> IsPasskey - RI: {_context.RecordIdentifier}");
+
+                    await CompleteAssertionRequestAsync(_context.PasskeyCredentialIdentity.RelyingPartyIdentifier,
+                        _context.PasskeyCredentialIdentity.UserHandle,
+                        _context.PasskeyCredentialIdentity.CredentialId,
+                        _context.RecordIdentifier);
+                    return;
                }
-                if (cancel)
+
+                if (!ServiceContainer.TryResolve<ICipherService>(out var cipherService)
+                    ||
+                    _context.RecordIdentifier == null)
                {
-                    var err = new NSError(new NSString("ASExtensionErrorDomain"),
-                        Convert.ToInt32(ASExtensionErrorCode.CredentialIdentityNotFound), null);
-                    ExtensionContext?.CancelRequest(err);
+                    ClipLogger.Log("ProvideCredentialAsync -> CredentialIdentityNotFound");
+                    CancelRequest(ASExtensionErrorCode.CredentialIdentityNotFound);
+                    return;
+                }
+
+                ClipLogger.Log("ProvideCredentialAsync -> IsPassword");
+                var cipher = await cipherService.GetAsync(_context.RecordIdentifier);
+                if (cipher?.Login is null || cipher.Type != CipherType.Login)
+                {
+                    CancelRequest(ASExtensionErrorCode.CredentialIdentityNotFound);
                    return;
                }

                var decCipher = await cipher.DecryptAsync();
-                if (decCipher.Reprompt != Bit.Core.Enums.CipherRepromptType.None)
+
+                if (!CanProvideCredentialOnPasskeyRequest(decCipher))
+                {
+                    CancelRequest(ASExtensionErrorCode.CredentialIdentityNotFound);
+                    return;
+                }
+
+                if (decCipher.Reprompt != CipherRepromptType.None)
                {
                    // Prompt for password using either the lock screen or dialog unless
                    // already verified the password.
                    if (!userInteraction)
                    {
                        await _stateService.Value.SetPasswordRepromptAutofillAsync(true);
-                        var err = new NSError(new NSString("ASExtensionErrorDomain"),
-                        Convert.ToInt32(ASExtensionErrorCode.UserInteractionRequired), null);
-                        ExtensionContext?.CancelRequest(err);
+                        CancelRequest(ASExtensionErrorCode.UserInteractionRequired);
                        return;
                    }
-                    else if (!await _stateService.Value.GetPasswordVerifiedAutofillAsync())
+
+                    if (!await _stateService.Value.GetPasswordVerifiedAutofillAsync())
                    {
                        // Add a timeout to resolve keyboard not always showing up.
                        await Task.Delay(250);
-                        var passwordRepromptService = ServiceContainer.Resolve<IPasswordRepromptService>("passwordRepromptService");
+                        var passwordRepromptService = ServiceContainer.Resolve<IPasswordRepromptService>();
                        if (!await passwordRepromptService.PromptAndCheckPasswordIfNeededAsync())
                        {
-                            var err = new NSError(new NSString("ASExtensionErrorDomain"),
-                                Convert.ToInt32(ASExtensionErrorCode.UserCanceled), null);
-                            ExtensionContext?.CancelRequest(err);
+                            CancelRequest(ASExtensionErrorCode.UserCanceled);
                            return;
                        }
                    }
                }
+
                string totpCode = null;
-                var disableTotpCopy = await _stateService.Value.GetDisableAutoTotpCopyAsync();
-                if (!disableTotpCopy.GetValueOrDefault(false))
+                if (await _stateService.Value.GetDisableAutoTotpCopyAsync() != true)
                {
-                    var canAccessPremiumAsync = await _stateService.Value.CanAccessPremiumAsync();
-                    if (!string.IsNullOrWhiteSpace(decCipher.Login.Totp) &&
-                        (canAccessPremiumAsync || cipher.OrganizationUseTotp))
+                    if (!string.IsNullOrWhiteSpace(decCipher.Login.Totp)
+                        &&
+                        (cipher.OrganizationUseTotp || await _stateService.Value.CanAccessPremiumAsync()))
                    {
-                        var totpService = ServiceContainer.Resolve<ITotpService>("totpService");
-                        totpCode = await totpService.GetCodeAsync(decCipher.Login.Totp);
+                        totpCode = await ServiceContainer.Resolve<ITotpService>().GetCodeAsync(decCipher.Login.Totp);
                    }
                }

@@ -359,13 +602,13 @@ namespace Bit.iOS.Autofill
            }
            catch (Exception ex)
            {
-                LoggerHelper.LogEvenIfCantBeResolved(ex);
-                throw;
+                OnProvidingCredentialException(ex);
            }
        }

        private async Task CheckLockAsync(Action notLockedAction)
        {
+            ClipLogger.Log("CheckLockAsync");
            if (await IsLocked() || await _stateService.Value.GetPasswordRepromptAutofillAsync())
            {
                DispatchQueue.MainQueue.DispatchAsync(() => PerformSegue("lockPasswordSegue", this));
@@ -389,6 +632,7 @@ namespace Bit.iOS.Autofill

        private void LogoutIfAuthed()
        {
+            ClipLogger.Log("LogoutIfAuthed");
            NSRunLoop.Main.BeginInvokeOnMainThread(async () =>
            {
                try
@@ -411,12 +655,14 @@ namespace Bit.iOS.Autofill

        private void InitApp()
        {
+            ClipLogger.Log("InitApp");
            iOSCoreHelpers.InitApp(this, Bit.Core.Constants.iOSAutoFillClearCiphersCacheKey,
                _nfcSession, out _nfcDelegate, out _accountsManager);
        }

        private void InitAppIfNeeded()
        {
+            ClipLogger.Log("InitAppIfNeeded");
            if (ServiceContainer.RegisteredServices == null || ServiceContainer.RegisteredServices.Count == 0)
            {
                InitApp();
@@ -614,6 +860,7 @@ namespace Bit.iOS.Autofill

        public void Navigate(NavigationTarget navTarget, INavigationParams navParams = null)
        {
+            ClipLogger.Log("Navigate" + navTarget);
            switch (navTarget)
            {
                case NavigationTarget.HomeLogin:
--- a/src/iOS.Autofill/Info.plist
+++ b/src/iOS.Autofill/Info.plist
@@ -93,8 +93,15 @@
 		<string>com.apple.authentication-services-credential-provider-ui</string>
 		<key>NSExtensionAttributes</key>
 		<dict>
-			<key>ASCredentialProviderExtensionShowsConfigurationUI</key>
-			<true/>
+			<key>ASCredentialProviderExtensionCapabilities</key>
+			<dict>
+				<key>ProvidesPasskeys</key>
+				<true/>
+				<key>ProvidesPasswords</key>
+				<true/>
+				<key>ShowsConfigurationUI</key>
+				<true/>
+			</dict>
 		</dict>
 	</dict>
 </dict>
--- a/src/iOS.Autofill/LoginListViewController.cs
+++ b/src/iOS.Autofill/LoginListViewController.cs
@@ -62,7 +62,7 @@ namespace Bit.iOS.Autofill
                Core.Constants.AutofillNeedsIdentityReplacementKey);
            if (needsAutofillReplacement.GetValueOrDefault())
            {
-                await ASHelpers.ReplaceAllIdentities();
+                await ASHelpers.ReplaceAllIdentitiesAsync();
            }

            _accountSwitchingOverlayHelper = new AccountSwitchingOverlayHelper();
--- a/src/iOS.Autofill/Models/Context.cs
+++ b/src/iOS.Autofill/Models/Context.cs
@@ -1,6 +1,9 @@
-using AuthenticationServices;
+using System.Threading.Tasks;
+using AuthenticationServices;
 using Bit.iOS.Core.Models;
 using Foundation;
+using ObjCRuntime;
+using UIKit;

 namespace Bit.iOS.Autofill.Models
 {
@@ -8,7 +11,42 @@ namespace Bit.iOS.Autofill.Models
    {
        public NSExtensionContext ExtContext { get; set; }
        public ASCredentialServiceIdentifier[] ServiceIdentifiers { get; set; }
-        public ASPasswordCredentialIdentity CredentialIdentity { get; set; }
+        public ASPasswordCredentialIdentity PasswordCredentialIdentity { get; set; }
+        public ASPasskeyCredentialRequest PasskeyCredentialRequest { get; set; }
        public bool Configuring { get; set; }
+        public bool IsCreatingPasskey { get; set; }
+        public TaskCompletionSource<bool> _unlockVaultTcs { get; set; }
+
+        public ASPasskeyCredentialIdentity PasskeyCredentialIdentity
+        {
+            get
+            {
+                if (PasskeyCredentialRequest != null && UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
+                {
+                    return Runtime.GetNSObject<ASPasskeyCredentialIdentity>(PasskeyCredentialRequest.CredentialIdentity.GetHandle());
+                }
+                return null;
+            }
+        }
+
+        public string? RecordIdentifier
+        {
+            get
+            {
+                if (PasswordCredentialIdentity?.RecordIdentifier is string id)
+                {
+                    return id;
+                }
+
+                if (UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
+                {
+                    return PasskeyCredentialIdentity?.RecordIdentifier;
+                }
+
+                return null;
+            }
+        }
+
+        public bool IsPasskey => PasskeyCredentialRequest != null;
    }
 }
--- a/src/iOS.Autofill/SetupViewController.cs
+++ b/src/iOS.Autofill/SetupViewController.cs
@@ -31,7 +31,7 @@ namespace Bit.iOS.Autofill

            BackButton.Title = AppResources.Back;
            base.ViewDidLoad();
-            var task = ASHelpers.ReplaceAllIdentities();
+            var task = ASHelpers.ReplaceAllIdentitiesAsync();
        }

        partial void BackButton_Activated(UIBarButtonItem sender)
--- a/src/iOS.Autofill/iOS.Autofill.csproj
+++ b/src/iOS.Autofill/iOS.Autofill.csproj
@@ -81,6 +81,7 @@
    <Compile Include="Models\Context.cs" />
    <BundleResource Include="Resources\MaterialIcons_Regular.ttf" />
    <BundleResource Include="Resources\bwi-font.ttf" />
+    <Compile Include="CredentialProviderViewController.Passkeys.cs" />
  </ItemGroup>
  <ItemGroup>
    <BundleResource Include="Resources\check.png" />
--- a/src/iOS.Core/Controllers/LoginAddViewController.cs
+++ b/src/iOS.Core/Controllers/LoginAddViewController.cs
@@ -188,18 +188,17 @@ namespace Bit.iOS.Core.Controllers
                await _cipherService.SaveWithServerAsync(cipherDomain);
                await loadingAlert.DismissViewControllerAsync(true);
                await _storageService.SaveAsync(Bit.Core.Constants.ClearCiphersCacheKey, true);
-                if (await ASHelpers.IdentitiesCanIncremental())
+                if (await ASHelpers.IdentitiesSupportIncrementalAsync())
                {
-                    var identity = await ASHelpers.GetCipherIdentityAsync(cipherDomain.Id);
+                    var identity = await ASHelpers.GetCipherPasswordIdentityAsync(cipherDomain.Id);
                    if (identity != null)
                    {
-                        await ASCredentialIdentityStore.SharedStore.SaveCredentialIdentitiesAsync(
-                            new ASPasswordCredentialIdentity[] { identity });
+                        await ASCredentialIdentityStoreExtensions.SaveCredentialIdentitiesAsync(identity);
                    }
                }
                else
                {
-                    await ASHelpers.ReplaceAllIdentities();
+                    await ASHelpers.ReplaceAllIdentitiesAsync();
                }
                Success(cipherDomain.Id);
            }
@@ -229,7 +228,7 @@ namespace Bit.iOS.Core.Controllers
            var appOptions = new AppOptions { IosExtension = true };
            var app = new App.App(appOptions);

-            var generatorPage = new GeneratorPage(false, selectAction: async (username) =>
+            var generatorPage = new GeneratorPage(false, selectAction: (username) =>
            {
                UsernameCell.TextField.Text = username;
                DismissViewController(false, null);
--- a/src/iOS.Core/Services/AutofillHandler.cs
+++ b/src/iOS.Core/Services/AutofillHandler.cs
@@ -11,9 +11,11 @@ namespace Bit.iOS.Core.Services
    {
        public bool SupportsAutofillService() => false;
        public bool AutofillServiceEnabled() => false;
+        public void DisableCredentialProviderService() => throw new NotImplementedException();
        public void Autofill(CipherView cipher) => throw new NotImplementedException();
        public bool AutofillAccessibilityOverlayPermitted() => false;
        public bool AutofillAccessibilityServiceRunning() => false;
+        public bool CredentialProviderServiceEnabled() => throw new NotImplementedException();
        public bool AutofillServicesEnabled() => false;
        public void CloseAutofill() => throw new NotImplementedException();
        public void DisableAutofillService() => throw new NotImplementedException();
--- a/src/iOS.Core/Services/DeviceActionService.cs
+++ b/src/iOS.Core/Services/DeviceActionService.cs
@@ -301,6 +301,8 @@ namespace Bit.iOS.Core.Services
            throw new NotImplementedException();
        }

+        public void OpenCredentialProviderSettings() => throw new NotImplementedException();
+
        public void OpenAutofillSettings()
        {
            throw new NotImplementedException();
@@ -339,6 +341,8 @@ namespace Bit.iOS.Core.Services
            return false;
        }

+        public bool SupportsCredentialProviderService() => throw new NotImplementedException();
+
        public bool SupportsAutofillServices() => UIDevice.CurrentDevice.CheckSystemVersion(12, 0);
        public bool SupportsInlineAutofill() => false;
        public bool SupportsDrawOver() => false;
@@ -375,7 +379,7 @@ namespace Bit.iOS.Core.Services

        public async Task OnAccountSwitchCompleteAsync()
        {
-            await ASHelpers.ReplaceAllIdentities();
+            await ASHelpers.ReplaceAllIdentitiesAsync();
        }

        public Task SetScreenCaptureAllowedAsync()
--- a/src/iOS.Core/Utilities/ASCredentialIdentityStoreExtensions.cs
+++ b/src/iOS.Core/Utilities/ASCredentialIdentityStoreExtensions.cs
@@ -0,0 +1,39 @@
+using AuthenticationServices;
+using Foundation;
+using UIKit;
+
+namespace Bit.iOS.Core.Utilities
+{
+    public static class ASCredentialIdentityStoreExtensions
+    {
+        /// <summary>
+        /// Saves password credential identities to the shared store of <see cref="ASCredentialIdentityStore"/>
+        /// Note: This is added to provide the proper method depending on the OS version.
+        /// </summary>
+        /// <param name="identities">Password identities to save</param>
+        public static Task<Tuple<bool, NSError>> SaveCredentialIdentitiesAsync(params ASPasswordCredentialIdentity[] identities)
+        {
+            if (UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
+            {
+                return ASCredentialIdentityStore.SharedStore.SaveCredentialIdentityEntriesAsync(identities);
+            }
+
+            return ASCredentialIdentityStore.SharedStore.SaveCredentialIdentitiesAsync(identities);
+        }
+
+        /// <summary>
+        /// Removes password credential identities of the shared store of <see cref="ASCredentialIdentityStore"/>
+        /// Note: This is added to provide the proper method depending on the OS version.
+        /// </summary>
+        /// <param name="identities">Password identities to remove</param>
+        public static Task<Tuple<bool, NSError>> RemoveCredentialIdentitiesAsync(params ASPasswordCredentialIdentity[] identities)
+        {
+            if (UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
+            {
+                return ASCredentialIdentityStore.SharedStore.RemoveCredentialIdentityEntriesAsync(identities);
+            }
+
+            return ASCredentialIdentityStore.SharedStore.RemoveCredentialIdentitiesAsync(identities);
+        }
+    }
+}
--- a/src/iOS.Core/Utilities/ASHelpers.cs
+++ b/src/iOS.Core/Utilities/ASHelpers.cs
@@ -1,93 +1,125 @@
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
-using AuthenticationServices;
+using AuthenticationServices;
 using Bit.Core.Abstractions;
 using Bit.Core.Enums;
 using Bit.Core.Models.View;
 using Bit.Core.Utilities;
+using Foundation;
+using UIKit;

 namespace Bit.iOS.Core.Utilities
 {
    public static class ASHelpers
    {
-        public static async Task ReplaceAllIdentities()
+        public static async Task ReplaceAllIdentitiesAsync()
        {
-            if (await AutofillEnabled())
+            if (!await IsAutofillEnabledAsync())
            {
-                var storageService = ServiceContainer.Resolve<IStorageService>("storageService");
-                var stateService = ServiceContainer.Resolve<IStateService>("stateService");
-                var timeoutAction = await stateService.GetVaultTimeoutActionAsync();
-                if (timeoutAction == VaultTimeoutAction.Logout)
-                {
-                    await ASCredentialIdentityStore.SharedStore?.RemoveAllCredentialIdentitiesAsync();
-                    return;
-                }
-                var vaultTimeoutService = ServiceContainer.Resolve<IVaultTimeoutService>("vaultTimeoutService");
-                if (await vaultTimeoutService.IsLockedAsync())
-                {
-                    await ASCredentialIdentityStore.SharedStore?.RemoveAllCredentialIdentitiesAsync();
-                    await storageService.SaveAsync(Constants.AutofillNeedsIdentityReplacementKey, true);
-                    return;
-                }
-                var cipherService = ServiceContainer.Resolve<ICipherService>("cipherService");
-                var identities = new List<ASPasswordCredentialIdentity>();
-                var ciphers = await cipherService.GetAllDecryptedAsync();
-                foreach (var cipher in ciphers.Where(x => !x.IsDeleted))
-                {
-                    var identity = ToCredentialIdentity(cipher);
-                    if (identity != null)
-                    {
-                        identities.Add(identity);
-                    }
-                }
-                if (identities.Any())
-                {
-                    await ASCredentialIdentityStore.SharedStore?.ReplaceCredentialIdentitiesAsync(identities.ToArray());
-                    await storageService.SaveAsync(Constants.AutofillNeedsIdentityReplacementKey, false);
-                    return;
-                }
-                await ASCredentialIdentityStore.SharedStore?.RemoveAllCredentialIdentitiesAsync();
+                return;
+            }
+
+            var storageService = ServiceContainer.Resolve<IStorageService>("storageService");
+            var stateService = ServiceContainer.Resolve<IStateService>();
+            var timeoutAction = await stateService.GetVaultTimeoutActionAsync();
+            if (timeoutAction == VaultTimeoutAction.Logout)
+            {
+                await ASCredentialIdentityStore.SharedStore.RemoveAllCredentialIdentitiesAsync();
+                return;
+            }
+
+            var vaultTimeoutService = ServiceContainer.Resolve<IVaultTimeoutService>();
+            if (await vaultTimeoutService.IsLockedAsync())
+            {
+                await ASCredentialIdentityStore.SharedStore.RemoveAllCredentialIdentitiesAsync();
+                await storageService.SaveAsync(Constants.AutofillNeedsIdentityReplacementKey, true);
+                return;
+            }
+
+            var cipherService = ServiceContainer.Resolve<ICipherService>();
+            if (UIDevice.CurrentDevice.CheckSystemVersion(17, 0))
+            {
+                await ReplaceAllIdentitiesIOS17Async(cipherService, storageService);
+            }
+            else
+            {
+                await ReplaceAllIdentitiesIOS12Async(cipherService, storageService);
            }
        }

-        public static async Task<bool> IdentitiesCanIncremental()
+        private static async Task ReplaceAllIdentitiesIOS12Async(ICipherService cipherService, IStorageService storageService)
        {
-            var stateService = ServiceContainer.Resolve<IStateService>("stateService");
+            var ciphers = await cipherService.GetAllDecryptedAsync();
+            var identities = ciphers.Where(c => !c.IsDeleted)
+                                    .Select(ToPasswordCredentialIdentity)
+                                    .Where(i => i != null)
+                                    .Cast<ASPasswordCredentialIdentity>()
+                                    .ToList();
+            if (!identities.Any())
+            {
+                await ASCredentialIdentityStore.SharedStore.RemoveAllCredentialIdentitiesAsync();
+                return;
+            }
+
+#pragma warning disable CA1422 // Validate platform compatibility
+            await ASCredentialIdentityStore.SharedStore.ReplaceCredentialIdentitiesAsync(identities.ToArray());
+#pragma warning restore CA1422 // Validate platform compatibility
+            await storageService.SaveAsync(Constants.AutofillNeedsIdentityReplacementKey, false);
+        }
+
+        private static async Task ReplaceAllIdentitiesIOS17Async(ICipherService cipherService, IStorageService storageService)
+        {
+            var ciphers = await cipherService.GetAllDecryptedAsync();
+            var identities = ciphers.Where(c => !c.IsDeleted)
+                                    .Select(ToCredentialIdentity)
+                                    .Where(i => i != null)
+                                    .Cast<IASCredentialIdentity>()
+                                    .ToList();
+            if (!identities.Any())
+            {
+                await ASCredentialIdentityStore.SharedStore.RemoveAllCredentialIdentitiesAsync();
+                return;
+            }
+
+            await ASCredentialIdentityStore.SharedStore.ReplaceCredentialIdentityEntriesAsync(identities.ToArray());
+            await storageService.SaveAsync(Constants.AutofillNeedsIdentityReplacementKey, false);
+        }
+
+        public static async Task<bool> IdentitiesSupportIncrementalAsync()
+        {
+            var stateService = ServiceContainer.Resolve<IStateService>();
            var timeoutAction = await stateService.GetVaultTimeoutActionAsync();
            if (timeoutAction == VaultTimeoutAction.Logout)
            {
                return false;
            }
-            var state = await ASCredentialIdentityStore.SharedStore?.GetCredentialIdentityStoreStateAsync();
+            var state = await ASCredentialIdentityStore.SharedStore.GetCredentialIdentityStoreStateAsync();
            return state != null && state.Enabled && state.SupportsIncrementalUpdates;
        }

-        public static async Task<bool> AutofillEnabled()
+        public static async Task<bool> IsAutofillEnabledAsync()
        {
-            var state = await ASCredentialIdentityStore.SharedStore?.GetCredentialIdentityStoreStateAsync();
+            var state = await ASCredentialIdentityStore.SharedStore.GetCredentialIdentityStoreStateAsync();
            return state != null && state.Enabled;
        }

-        public static async Task<ASPasswordCredentialIdentity> GetCipherIdentityAsync(string cipherId)
+        public static async Task<ASPasswordCredentialIdentity?> GetCipherPasswordIdentityAsync(string cipherId)
        {
-            var cipherService = ServiceContainer.Resolve<ICipherService>("cipherService");
+            var cipherService = ServiceContainer.Resolve<ICipherService>();
            var cipher = await cipherService.GetAsync(cipherId);
            if (cipher == null)
            {
                return null;
            }
            var cipherView = await cipher.DecryptAsync();
-            return ToCredentialIdentity(cipherView);
+            return ToPasswordCredentialIdentity(cipherView);
        }

-        public static ASPasswordCredentialIdentity ToCredentialIdentity(CipherView cipher)
+        public static ASPasswordCredentialIdentity? ToPasswordCredentialIdentity(CipherView cipher)
        {
-            if (!cipher?.Login?.Uris?.Any() ?? true)
+            if (cipher?.Login?.Uris?.Any() != true)
            {
                return null;
            }
-            var uri = cipher.Login.Uris.FirstOrDefault(u => u.Match != Bit.Core.Enums.UriMatchType.Never)?.Uri;
+            var uri = cipher.Login.Uris.FirstOrDefault(u => u.Match != UriMatchType.Never)?.Uri;
            if (string.IsNullOrWhiteSpace(uri))
            {
                return null;
@@ -100,5 +132,24 @@ namespace Bit.iOS.Core.Utilities
            var serviceId = new ASCredentialServiceIdentifier(uri, ASCredentialServiceIdentifierType.Url);
            return new ASPasswordCredentialIdentity(serviceId, username, cipher.Id);
        }
+
+        public static IASCredentialIdentity? ToCredentialIdentity(CipherView cipher)
+        {
+            if (!cipher.HasFido2Credential)
+            {
+                return ToPasswordCredentialIdentity(cipher);
+            }
+
+            if (!cipher.Login.MainFido2Credential.DiscoverableValue)
+            {
+                return null;
+            }
+
+            return new ASPasskeyCredentialIdentity(cipher.Login.MainFido2Credential.RpId,
+                cipher.Login.MainFido2Credential.UserName,
+                NSData.FromArray(cipher.Login.MainFido2Credential.CredentialId.GuidToRawFormat()),
+                cipher.Login.MainFido2Credential.UserHandle,
+                cipher.Id);
+        }
    }
 }
--- a/src/iOS.Core/Utilities/NSDataExtensions.cs
+++ b/src/iOS.Core/Utilities/NSDataExtensions.cs
@@ -0,0 +1,15 @@
+using System.Runtime.InteropServices;
+using Foundation;
+
+namespace Bit.iOS.Core.Utilities
+{
+    public static class NSDataExtensions
+    {
+        public static byte[] ToByteArray(this NSData data)
+        {
+            var bytes = new byte[data.Length];
+            Marshal.Copy(data.Bytes, bytes, 0, Convert.ToInt32(data.Length));
+            return bytes;
+        }
+    }
+}
--- a/src/iOS.Core/Utilities/iOSCoreHelpers.cs
+++ b/src/iOS.Core/Utilities/iOSCoreHelpers.cs
@@ -123,7 +123,7 @@ namespace Bit.iOS.Core.Utilities
            else
            { 
 #if DEBUG
-                logger = DebugLogger.Instance;
+                logger = ClipLogger.Instance;
 #else
                logger = Logger.Instance;
 #endif
@@ -138,6 +138,7 @@ namespace Bit.iOS.Core.Utilities
                logger!.Exception(nreAppGroupContainer);
                throw nreAppGroupContainer;
            }
+
            var liteDbStorage = new LiteDbStorageService(
                Path.Combine(appGroupContainer.Path, "Library", "bitwarden.db"));
            var localizeService = new LocalizeService();
@@ -189,6 +190,11 @@ namespace Bit.iOS.Core.Utilities

        public static void RegisterFinallyBeforeBootstrap()
        {
+            ServiceContainer.Register<IFido2AuthenticatorService>(new Fido2AuthenticatorService(
+                ServiceContainer.Resolve<ICipherService>(),
+                ServiceContainer.Resolve<ISyncService>(),
+                ServiceContainer.Resolve<ICryptoFunctionService>()));
+
            ServiceContainer.Register<IWatchDeviceService>(new WatchDeviceService(ServiceContainer.Resolve<ICipherService>(),
                ServiceContainer.Resolve<IEnvironmentService>(),
                ServiceContainer.Resolve<IStateService>(),
--- a/test/Core.Test/Core.Test.csproj
+++ b/test/Core.Test/Core.Test.csproj
@@ -13,6 +13,7 @@
  <ItemGroup>
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.0" />
    <PackageReference Include="NSubstitute" Version="5.0.0" />
+    <PackageReference Include="System.Formats.Cbor" Version="8.0.0" />
    <PackageReference Include="xunit" Version="2.5.0" />
    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
      <PrivateAssets>all</PrivateAssets>
--- a/test/Core.Test/Services/Fido2AuthenticatorGetAssertionTests.cs
+++ b/test/Core.Test/Services/Fido2AuthenticatorGetAssertionTests.cs
@@ -0,0 +1,373 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Abstractions;
+using Bit.Core.Services;
+using Bit.Core.Models.Domain;
+using Bit.Core.Models.View;
+using Bit.Core.Enums;
+using Bit.Core.Utilities.Fido2;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using Xunit;
+using Bit.Core.Utilities;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography;
+
+namespace Bit.Core.Test.Services
+{
+    public class Fido2AuthenticatorGetAssertionTests : IDisposable
+    {
+        private readonly string _rpId = "bitwarden.com";
+        private readonly SutProvider<Fido2AuthenticatorService> _sutProvider = new SutProvider<Fido2AuthenticatorService>().Create();
+        private readonly IFido2UserInterface _userInterface = Substitute.For<IFido2UserInterface>();
+
+        private List<Guid> _credentialIds;
+        private List<CipherView> _ciphers;
+        private Fido2AuthenticatorGetAssertionParams _params;
+        private CipherView _selectedCipher;
+
+        /// <summary>
+        /// Sets up a working environment for the tests.
+        /// </summary>
+        public Fido2AuthenticatorGetAssertionTests()
+        {
+            _credentialIds =  [ Guid.NewGuid(), Guid.NewGuid(), Guid.NewGuid(), Guid.NewGuid() ];
+            _ciphers = [
+                CreateCipherView(_credentialIds[0].ToString(), _rpId, false),
+                CreateCipherView(_credentialIds[1].ToString(), _rpId, true),
+            ];
+            _selectedCipher = _ciphers[0];
+            _params = CreateParams(
+                rpId: _rpId, 
+                allowCredentialDescriptorList: [
+                    new PublicKeyCredentialDescriptor {
+                        Id = _credentialIds[0].ToByteArray(),
+                        Type = "public-key"
+                    },
+                    new PublicKeyCredentialDescriptor {
+                        Id = _credentialIds[1].ToByteArray(),
+                        Type = "public-key"
+                    },
+                ],
+                requireUserVerification: false
+            );
+            _sutProvider.GetDependency<ICipherService>().GetAllDecryptedAsync().Returns(_ciphers);
+            _userInterface.PickCredentialAsync(Arg.Any<Fido2PickCredentialParams>()).Returns(new Fido2PickCredentialResult {
+                CipherId = _ciphers[0].Id,
+                UserVerified = false
+            });
+            _sutProvider.Sut.Init(_userInterface);
+        }
+
+        public void Dispose() 
+        {
+        }
+
+        #region missing non-discoverable credential
+
+        [Fact]
+        // Spec: If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation.
+        public async Task GetAssertionAsync_ThrowsNotAllowed_NoCredentialsExists()
+        {
+            // Arrange
+            _ciphers.Clear();
+
+            // Act & Assert
+            await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params));
+        }
+
+        [Fact]
+        public async Task GetAssertionAsync_ThrowsNotAllowed_CredentialExistsButRpIdDoesNotMatch()
+        {
+            // Arrange
+            _params.RpId = "mismatch-rpid";
+
+            // Act & Assert
+            await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params));
+        }
+
+        #endregion
+
+        #region vault contains credential
+
+        [Fact]
+        public async Task GetAssertionAsync_AsksForAllCredentials_ParamsContainsAllowedCredentialsList()
+        {
+            // Arrange
+            _params.AllowCredentialDescriptorList = [
+                new PublicKeyCredentialDescriptor {
+                    Id = _credentialIds[0].ToByteArray(),
+                    Type = "public-key"
+                },
+                new PublicKeyCredentialDescriptor {
+                    Id = _credentialIds[1].ToByteArray(),
+                    Type = "public-key"
+                },
+            ];
+
+            // Act
+            await _sutProvider.Sut.GetAssertionAsync(_params);
+
+            // Assert
+            await _userInterface.Received().PickCredentialAsync(Arg.Is<Fido2PickCredentialParams>(
+                (pickCredentialParams) => pickCredentialParams.CipherIds.SequenceEqual(_ciphers.Select((cipher) => cipher.Id))
+            ));
+        }
+
+        [Fact]
+        public async Task GetAssertionAsync_AsksForDiscoverableCredentials_ParamsDoesNotContainAllowedCredentialsList()
+        {
+            // Arrange
+            _params.AllowCredentialDescriptorList = null;
+            var discoverableCiphers = _ciphers.Where((cipher) => cipher.Login.MainFido2Credential.DiscoverableValue).ToList();
+            _userInterface.PickCredentialAsync(Arg.Any<Fido2PickCredentialParams>()).Returns(new Fido2PickCredentialResult {
+                CipherId = discoverableCiphers[0].Id,
+                UserVerified = false
+            });
+
+            // Act
+            await _sutProvider.Sut.GetAssertionAsync(_params);
+
+            // Assert
+            await _userInterface.Received().PickCredentialAsync(Arg.Is<Fido2PickCredentialParams>(
+                (pickCredentialParams) => pickCredentialParams.CipherIds.SequenceEqual(discoverableCiphers.Select((cipher) => cipher.Id))
+            ));
+        }
+
+        [Fact]
+        // Spec: Prompt the user to select a public key credential source `selectedCredential` from `credentialOptions`.
+        //       If requireUserVerification is true, the authorization gesture MUST include user verification.
+        public async Task GetAssertionAsync_RequestsUserVerification_ParamsRequireUserVerification() {
+            // Arrange
+            _params.RequireUserVerification = true;
+            _userInterface.PickCredentialAsync(Arg.Any<Fido2PickCredentialParams>()).Returns(new Fido2PickCredentialResult {
+                CipherId = _ciphers[0].Id,
+                UserVerified = true
+            });
+
+            // Act
+            await _sutProvider.Sut.GetAssertionAsync(_params);
+
+            // Assert
+            await _userInterface.Received().PickCredentialAsync(Arg.Is<Fido2PickCredentialParams>(
+                (pickCredentialParams) => pickCredentialParams.UserVerification == true
+            ));
+        }
+
+        [Fact]
+        // Spec: Prompt the user to select a public key credential source `selectedCredential` from `credentialOptions`.
+        //       If `requireUserPresence` is true, the authorization gesture MUST include a test of user presence.
+        // Comment: User presence is implied by the UI returning a credential.
+        public async Task GetAssertionAsync_DoesNotRequestUserVerification_ParamsDoNotRequireUserVerification() {
+            // Arrange
+            _params.RequireUserVerification = false;
+
+            // Act
+            await _sutProvider.Sut.GetAssertionAsync(_params);
+
+            // Assert
+            await _userInterface.Received().PickCredentialAsync(Arg.Is<Fido2PickCredentialParams>(
+                (pickCredentialParams) => pickCredentialParams.UserVerification == false
+            ));
+        }
+
+        [Fact]
+        // Spec: If the user does not consent, return an error code equivalent to "NotAllowedError" and terminate the operation.
+        public async Task GetAssertionAsync_ThrowsNotAllowed_UserDoesNotConsent() {
+            // Arrange
+            _userInterface.PickCredentialAsync(Arg.Any<Fido2PickCredentialParams>()).Returns(new Fido2PickCredentialResult {
+                CipherId = null,
+                UserVerified = false
+            });
+
+            // Act & Assert
+            await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params));
+        }
+
+        [Fact]
+        // Spec: If the user does not consent, return an error code equivalent to "NotAllowedError" and terminate the operation.
+        public async Task GetAssertionAsync_ThrowsNotAllowed_NoUserVerificationWhenRequired() {
+            // Arrange
+            _params.RequireUserVerification = true;
+            _userInterface.PickCredentialAsync(Arg.Any<Fido2PickCredentialParams>()).Returns(new Fido2PickCredentialResult {
+                CipherId = _selectedCipher.Id,
+                UserVerified = false
+            });
+
+            // Act and assert
+            await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params));
+        }
+
+        [Fact]
+        // Spec: If the user does not consent, return an error code equivalent to "NotAllowedError" and terminate the operation.
+        public async Task GetAssertionAsync_ThrowsNotAllowed_NoUserVerificationForCipherWithReprompt() {
+            // Arrange
+            _selectedCipher.Reprompt = CipherRepromptType.Password;
+            _params.RequireUserVerification = false;
+            _userInterface.PickCredentialAsync(Arg.Any<Fido2PickCredentialParams>()).Returns(new Fido2PickCredentialResult {
+                CipherId = _selectedCipher.Id,
+                UserVerified = false
+            });
+
+            // Act & Assert
+            await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params));
+        }
+
+        #endregion
+
+        #region assertion of credential
+
+        [Theory]
+        [InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
+        // Spec: Increment the credential associated signature counter
+        public async Task GetAssertionAsync_IncrementsCounter_CounterIsLargerThanZero(Cipher encryptedCipher) {
+            // Arrange
+            _selectedCipher.Login.MainFido2Credential.CounterValue = 9000;
+            _sutProvider.GetDependency<ICipherService>().EncryptAsync(_selectedCipher).Returns(encryptedCipher);
+            
+            // Act
+            await _sutProvider.Sut.GetAssertionAsync(_params);
+
+            // Assert
+            await _sutProvider.GetDependency<ICipherService>().Received().SaveWithServerAsync(encryptedCipher);
+            await _sutProvider.GetDependency<ICipherService>().Received().EncryptAsync(Arg.Is<CipherView>(
+                (cipher) => cipher.Login.MainFido2Credential.CounterValue == 9001
+            ));
+        }
+
+        [Theory]
+        [InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
+        // Spec: Increment the credential associated signature counter
+        public async Task GetAssertionAsync_DoesNotIncrementsCounter_CounterIsZero(Cipher encryptedCipher) {
+            // Arrange
+            _selectedCipher.Login.MainFido2Credential.CounterValue = 0;
+            _sutProvider.GetDependency<ICipherService>().EncryptAsync(_selectedCipher).Returns(encryptedCipher);
+            
+            // Act
+            await _sutProvider.Sut.GetAssertionAsync(_params);
+
+            // Assert
+            await _sutProvider.GetDependency<ICipherService>().Received().SaveWithServerAsync(encryptedCipher);
+            await _sutProvider.GetDependency<ICipherService>().Received().EncryptAsync(Arg.Is<CipherView>(
+                (cipher) => cipher.Login.MainFido2Credential.CounterValue == 0
+            ));
+        }
+
+        [Fact]
+        public async Task GetAssertionAsync_ReturnsAssertion() {
+            // Arrange
+            var keyPair = GenerateKeyPair();
+            var rpIdHashMock = RandomBytes(32);
+            _params.Hash = RandomBytes(32);
+            _params.RequireUserVerification = true;
+            _selectedCipher.Login.MainFido2Credential.CounterValue = 9000;
+            _selectedCipher.Login.MainFido2Credential.KeyValue = CoreHelpers.Base64UrlEncode(keyPair.ExportPkcs8PrivateKey());
+            _sutProvider.GetDependency<ICryptoFunctionService>().HashAsync(_params.RpId, CryptoHashAlgorithm.Sha256).Returns(rpIdHashMock);
+            _userInterface.PickCredentialAsync(Arg.Any<Fido2PickCredentialParams>()).Returns(new Fido2PickCredentialResult {
+                CipherId = _selectedCipher.Id,
+                UserVerified = true
+            });
+            
+            // Act
+            var result = await _sutProvider.Sut.GetAssertionAsync(_params);
+
+            // Assert
+            var authData = result.AuthenticatorData;
+            var rpIdHash = authData.Take(32);
+            var flags = authData.Skip(32).Take(1);
+            var counter = authData.Skip(33).Take(4);
+
+            Assert.Equal(Guid.Parse(_selectedCipher.Login.MainFido2Credential.CredentialId).ToByteArray(), result.SelectedCredential.Id);
+            Assert.Equal(CoreHelpers.Base64UrlDecode(_selectedCipher.Login.MainFido2Credential.UserHandle), result.SelectedCredential.UserHandle);
+            Assert.Equal(rpIdHashMock, rpIdHash);
+            Assert.Equal(new byte[] { 0b00011101 }, flags); // UP = true, UV = true, BS = true, BE = true
+            Assert.Equal(new byte[] { 0, 0, 0x23, 0x29 }, counter); // 9001 in binary big-endian format
+            Assert.True(keyPair.VerifyData(authData.Concat(_params.Hash).ToArray(), result.Signature, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence), "Signature verification failed");
+        }
+
+        [Fact]
+        public async Task GetAssertionAsync_DoesNotAskForConfirmation_ParamsContainsOneAllowedCredentialAndUserPresenceIsFalse()
+        {
+            // Arrange
+            var rpIdHashMock = RandomBytes(32);
+            _params.RequireUserPresence = false;
+            _params.AllowCredentialDescriptorList = [
+                new PublicKeyCredentialDescriptor {
+                    Id = _credentialIds[0].ToByteArray(),
+                    Type = "public-key"
+                },
+            ];
+            _sutProvider.GetDependency<ICryptoFunctionService>().HashAsync(_params.RpId, CryptoHashAlgorithm.Sha256).Returns(rpIdHashMock);
+            
+            // Act
+            var result = await _sutProvider.Sut.GetAssertionAsync(_params);
+
+            // Assert
+            await _userInterface.DidNotReceive().PickCredentialAsync(Arg.Any<Fido2PickCredentialParams>());
+            var authData = result.AuthenticatorData;
+            var flags = authData.Skip(32).Take(1);
+            Assert.Equal(new byte[] { 0b00011000 }, flags); // UP = false, UV = false, BE = true, BS = true
+        }
+
+        [Fact]
+        public async Task GetAssertionAsync_ThrowsUnknownError_SaveFails() {
+            // Arrange
+            _sutProvider.GetDependency<ICipherService>().SaveWithServerAsync(Arg.Any<Cipher>()).Throws(new Exception());
+
+            // Act & Assert
+            await Assert.ThrowsAsync<UnknownError>(() => _sutProvider.Sut.GetAssertionAsync(_params));
+        }
+
+        #endregion
+
+        private byte[] RandomBytes(int length)
+        {
+            var bytes = new byte[length];
+            new Random().NextBytes(bytes);
+            return bytes;
+        }
+
+        private ECDsa GenerateKeyPair()
+        {
+            var dsa = ECDsa.Create();
+            dsa.GenerateKey(ECCurve.NamedCurves.nistP256);
+
+            return dsa;
+        }
+
+        #nullable enable
+        private CipherView CreateCipherView(string? credentialId, string? rpId, bool? discoverable)
+        {
+            return new CipherView {
+                Type = CipherType.Login,
+                Id = Guid.NewGuid().ToString(),
+                Reprompt = CipherRepromptType.None,
+                Login = new LoginView {
+                    Fido2Credentials = new List<Fido2CredentialView> {
+                        new Fido2CredentialView {
+                            CredentialId = credentialId ?? Guid.NewGuid().ToString(),
+                            RpId = rpId ?? "bitwarden.com",
+                            Discoverable = discoverable.HasValue ? discoverable.ToString() : "true",
+                            UserHandleValue = RandomBytes(32),
+                            KeyValue = "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgO4wC7AlY4eJP7uedRUJGYsAIJAd6gN1Vp7uJh6xXAp6hRANCAARGvr56F_t27DEG1Tzl-qJRhrTUtC7jOEbasAEEZcE3TiMqoWCan0sxKDPylhRYk-1qyrBC_feN1UtGWH57sROa"
+                        }
+                    }
+                }
+            };
+        }
+
+        private Fido2AuthenticatorGetAssertionParams CreateParams(string? rpId = null, byte[]? hash = null, PublicKeyCredentialDescriptor[]? allowCredentialDescriptorList = null, bool? requireUserPresence = null, bool? requireUserVerification = null)
+        {
+            return new Fido2AuthenticatorGetAssertionParams {
+                RpId = rpId ?? "bitwarden.com",
+                Hash = hash ?? RandomBytes(32),
+                AllowCredentialDescriptorList = allowCredentialDescriptorList ?? null,
+                RequireUserPresence = requireUserPresence ?? true,
+                RequireUserVerification = requireUserPresence ?? false
+            };
+        }
+    }
+}
--- a/test/Core.Test/Services/Fido2AuthenticatorMakeCredentialTests.cs
+++ b/test/Core.Test/Services/Fido2AuthenticatorMakeCredentialTests.cs
@@ -0,0 +1,396 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Abstractions;
+using Bit.Core.Services;
+using Bit.Core.Models.Domain;
+using Bit.Core.Models.View;
+using Bit.Core.Enums;
+using Bit.Core.Utilities.Fido2;
+using Bit.Test.Common.AutoFixture;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using Xunit;
+using Bit.Core.Utilities;
+using System.Collections.Generic;
+using System.Linq;
+using System.Formats.Cbor;
+
+namespace Bit.Core.Test.Services
+{
+    public class Fido2AuthenticatorMakeCredentialTests : IDisposable
+    {
+        private readonly string _rpId = "bitwarden.com";
+        private readonly SutProvider<Fido2AuthenticatorService> _sutProvider = new SutProvider<Fido2AuthenticatorService>().Create();
+
+        private Cipher _encryptedSelectedCipher;
+        private CipherView _selectedCipherView;
+        private Fido2AuthenticatorMakeCredentialParams _params;
+        private List<Guid> _credentialIds;
+        private List<CipherView> _ciphers;
+        
+
+        public Fido2AuthenticatorMakeCredentialTests() {
+            _credentialIds = [ Guid.NewGuid(), Guid.NewGuid() ];
+            _ciphers = [ 
+                CreateCipherView(true, _credentialIds[0].ToString(), "bitwarden.com", false),
+                CreateCipherView(true, _credentialIds[1].ToString(), "bitwarden.com", true)
+            ];
+            _selectedCipherView = _ciphers[0];
+            _encryptedSelectedCipher = CreateCipher();
+            _encryptedSelectedCipher.Id = _selectedCipherView.Id;
+            _params = new Fido2AuthenticatorMakeCredentialParams {
+                UserEntity = new PublicKeyCredentialUserEntity {
+                    Id = RandomBytes(32),
+                    Name = "test"
+                },
+                RpEntity = new PublicKeyCredentialRpEntity {
+                    Id = _rpId,
+                    Name = "Bitwarden"
+                },
+                CredTypesAndPubKeyAlgs = [
+                    new PublicKeyCredentialParameters {
+                        Type = "public-key",
+                        Alg = -7 // ES256
+                    }
+                ],
+                RequireResidentKey = false,
+                RequireUserVerification = false,
+                ExcludeCredentialDescriptorList = null
+            };
+
+            _sutProvider.GetDependency<ICipherService>().GetAllDecryptedAsync().Returns(_ciphers);
+            _sutProvider.GetDependency<ICipherService>().EncryptAsync(Arg.Any<CipherView>()).Returns(_encryptedSelectedCipher);
+            _sutProvider.GetDependency<ICipherService>().GetAsync(Arg.Is(_encryptedSelectedCipher.Id)).Returns(_encryptedSelectedCipher);
+            _sutProvider.GetDependency<IFido2UserInterface>().ConfirmNewCredentialAsync(Arg.Any<Fido2ConfirmNewCredentialParams>()).Returns(new Fido2ConfirmNewCredentialResult {
+                CipherId = _selectedCipherView.Id,
+                UserVerified = false
+            });
+
+            var cryptoServiceMock = Substitute.For<ICryptoService>();
+            ServiceContainer.Register(typeof(CryptoService), cryptoServiceMock);
+        }
+
+        public void Dispose()
+        {
+            ServiceContainer.Reset();
+        }
+        
+        #region invalid input parameters
+
+        [Fact]
+        // Spec: Check if at least one of the specified combinations of PublicKeyCredentialType and cryptographic parameters in credTypesAndPubKeyAlgs is supported. If not, return an error code equivalent to "NotSupportedError" and terminate the operation.
+        public async Task MakeCredentialAsync_ThrowsNotSupported_NoSupportedAlgorithm()
+        {
+            // Arrange
+            _params.CredTypesAndPubKeyAlgs = [
+                new PublicKeyCredentialParameters {
+                    Type = "public-key",
+                    Alg = -257 // RS256 which we do not support
+                }
+            ];
+
+            // Act & Assert
+            await Assert.ThrowsAsync<NotSupportedError>(() => _sutProvider.Sut.MakeCredentialAsync(_params));
+        }
+
+        #endregion
+
+        #region vault contains excluded credential
+
+        [Fact]
+        // Spec: collect an authorization gesture confirming user consent for creating a new credential.
+        // Deviation: Consent is not asked and the user is simply informed of the situation.
+        public async Task MakeCredentialAsync_InformsUser_ExcludedCredentialFound()
+        {
+            // Arrange
+            _params.ExcludeCredentialDescriptorList = [
+                new PublicKeyCredentialDescriptor {
+                    Type = "public-key",
+                    Id = _credentialIds[0].ToByteArray()
+                }
+            ];
+
+            // Act
+            try
+            { 
+                await _sutProvider.Sut.MakeCredentialAsync(_params);
+            }
+            catch {}
+
+            // Assert
+            await _sutProvider.GetDependency<IFido2UserInterface>().Received().InformExcludedCredential(Arg.Is<string[]>(
+                (c) => c.SequenceEqual(new string[] { _ciphers[0].Id })
+            ));
+        }
+
+        [Fact]
+        // Spec: return an error code equivalent to "NotAllowedError" and terminate the operation.
+        public async Task MakeCredentialAsync_ThrowsNotAllowed_ExcludedCredentialFound()
+        {
+            _params.ExcludeCredentialDescriptorList = [
+                new PublicKeyCredentialDescriptor {
+                    Type = "public-key",
+                    Id = _credentialIds[0].ToByteArray()
+                }
+            ];
+
+            await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.MakeCredentialAsync(_params));
+        }
+
+        [Fact]
+        // Deviation: Organization ciphers are not checked against excluded credentials, even if the user has access to them.
+        public async Task MakeCredentialAsync_DoesNotInformAboutExcludedCredential_ExcludedCredentialBelongsToOrganization()
+        {
+            _ciphers[0].OrganizationId = "someOrganizationId";
+            _params.ExcludeCredentialDescriptorList = [
+                new PublicKeyCredentialDescriptor {
+                    Type = "public-key",
+                    Id = _credentialIds[0].ToByteArray()
+                }
+            ];
+
+            await _sutProvider.Sut.MakeCredentialAsync(_params);
+
+            await _sutProvider.GetDependency<IFido2UserInterface>().DidNotReceive().InformExcludedCredential(Arg.Any<string[]>());
+        }
+
+        #endregion
+
+        #region credential creation
+
+        [Fact]
+        public async Task MakeCredentialAsync_RequestsUserVerification_ParamsRequireUserVerification()
+        {
+            // Arrange
+            _params.RequireUserVerification = true;
+            _sutProvider.GetDependency<IFido2UserInterface>().ConfirmNewCredentialAsync(Arg.Any<Fido2ConfirmNewCredentialParams>()).Returns(new Fido2ConfirmNewCredentialResult {
+                CipherId = _selectedCipherView.Id,
+                UserVerified = true
+            });
+
+            // Act
+            await _sutProvider.Sut.MakeCredentialAsync(_params);
+
+            // Assert
+            await _sutProvider.GetDependency<IFido2UserInterface>().Received().ConfirmNewCredentialAsync(Arg.Is<Fido2ConfirmNewCredentialParams>(
+                (p) => p.UserVerification == true
+            ));
+        }
+
+        [Fact]
+        public async Task MakeCredentialAsync_DoesNotRequestUserVerification_ParamsDoNotRequireUserVerification()
+        {
+            // Arrange
+            _params.RequireUserVerification = false;
+
+            // Act
+            await _sutProvider.Sut.MakeCredentialAsync(_params);
+
+            // Assert
+            await _sutProvider.GetDependency<IFido2UserInterface>().Received().ConfirmNewCredentialAsync(Arg.Is<Fido2ConfirmNewCredentialParams>(
+                (p) => p.UserVerification == false
+            ));
+        }
+
+        [Fact]
+        public async Task MakeCredentialAsync_SavesNewCredential_RequestConfirmedByUser()
+        {
+            // Arrange
+            _params.RequireResidentKey = true;
+
+            // Act
+            await _sutProvider.Sut.MakeCredentialAsync(_params);
+
+            // Assert
+            await _sutProvider.GetDependency<ICipherService>().Received().EncryptAsync(Arg.Is<CipherView>(
+                (c) => 
+                    c.Login.MainFido2Credential.KeyType == "public-key" &&
+                    c.Login.MainFido2Credential.KeyAlgorithm == "ECDSA" &&
+                    c.Login.MainFido2Credential.KeyCurve == "P-256" &&
+                    c.Login.MainFido2Credential.RpId == _params.RpEntity.Id &&
+                    c.Login.MainFido2Credential.RpName == _params.RpEntity.Name &&
+                    c.Login.MainFido2Credential.UserHandle == CoreHelpers.Base64UrlEncode(_params.UserEntity.Id) &&
+                    c.Login.MainFido2Credential.UserName == _params.UserEntity.Name &&
+                    c.Login.MainFido2Credential.CounterValue == 0 &&
+                    // c.Login.MainFido2Credential.UserDisplayName == _params.UserEntity.DisplayName &&
+                    c.Login.MainFido2Credential.DiscoverableValue == true
+            ));
+            await _sutProvider.GetDependency<ICipherService>().Received().SaveWithServerAsync(_encryptedSelectedCipher);
+        }
+
+        [Fact]
+        // Spec: If the user does not consent or if user verification fails, return an error code equivalent to "NotAllowedError" and terminate the operation.
+        public async Task MakeCredentialAsync_ThrowsNotAllowed_RequestNotConfirmedByUser()
+        {
+            // Arrange
+            _sutProvider.GetDependency<IFido2UserInterface>().ConfirmNewCredentialAsync(Arg.Any<Fido2ConfirmNewCredentialParams>()).Returns(new Fido2ConfirmNewCredentialResult {
+                CipherId = null,
+                UserVerified = false
+            });
+
+            // Act & Assert
+            await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.MakeCredentialAsync(_params));
+        }
+
+        [Fact]
+        public async Task MakeCredentialAsync_ThrowsNotAllowed_NoUserVerificationWhenRequiredByParams()
+        {
+            // Arrange
+            _params.RequireUserVerification = true;
+            _sutProvider.GetDependency<IFido2UserInterface>().ConfirmNewCredentialAsync(Arg.Any<Fido2ConfirmNewCredentialParams>()).Returns(new Fido2ConfirmNewCredentialResult {
+                CipherId = _encryptedSelectedCipher.Id,
+                UserVerified = false
+            });
+
+            // Act & Assert
+            await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.MakeCredentialAsync(_params));
+        }
+
+        [Fact]
+        public async Task MakeCredentialAsync_ThrowsNotAllowed_NoUserVerificationForCipherWithReprompt()
+        {
+            // Arrange
+            _params.RequireUserVerification = false;
+            _encryptedSelectedCipher.Reprompt = CipherRepromptType.Password;
+            _sutProvider.GetDependency<IFido2UserInterface>().ConfirmNewCredentialAsync(Arg.Any<Fido2ConfirmNewCredentialParams>()).Returns(new Fido2ConfirmNewCredentialResult {
+                CipherId = _encryptedSelectedCipher.Id,
+                UserVerified = false
+            });
+
+            // Act & Assert
+            await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.MakeCredentialAsync(_params));
+        }
+
+        [Fact]
+        public async Task MakeCredentialAsync_ThrowsUnknownError_SavingCipherFails()
+        {
+            // Arrange
+            _sutProvider.GetDependency<ICipherService>().SaveWithServerAsync(Arg.Any<Cipher>()).Throws(new Exception("Error"));
+
+            // Act & Assert
+            await Assert.ThrowsAsync<UnknownError>(() => _sutProvider.Sut.MakeCredentialAsync(_params));
+        }
+
+        [Fact]
+        public async Task MakeCredentialAsync_ReturnsAttestation()
+        {
+            // Arrange
+            var rpIdHashMock = RandomBytes(32);
+            _sutProvider.GetDependency<ICryptoFunctionService>().HashAsync(_params.RpEntity.Id, CryptoHashAlgorithm.Sha256).Returns(rpIdHashMock);
+            CipherView generatedCipherView = null;
+            _sutProvider.GetDependency<ICipherService>().EncryptAsync(Arg.Any<CipherView>()).Returns((call) => {
+                generatedCipherView = call.Arg<CipherView>();
+                return _encryptedSelectedCipher;
+            });
+
+            // Act
+            var result = await _sutProvider.Sut.MakeCredentialAsync(_params);
+
+            // Assert
+            var credentialIdBytes = Guid.Parse(generatedCipherView.Login.MainFido2Credential.CredentialId).ToByteArray();
+            var attestationObject = DecodeAttestationObject(result.AttestationObject);
+            Assert.Equal("none", attestationObject.Fmt);
+
+            var authData = attestationObject.AuthData;
+            var rpIdHash = authData.Take(32).ToArray();
+            var flags = authData.Skip(32).Take(1).ToArray();
+            var counter = authData.Skip(33).Take(4).ToArray();
+            var aaguid = authData.Skip(37).Take(16).ToArray();
+            var credentialIdLength = authData.Skip(53).Take(2).ToArray();
+            var credentialId = authData.Skip(55).Take(16).ToArray();
+            // Unsure how to test public key
+            // const publicKey = authData.Skip(71).ToArray(); // Key data is 77 bytes long
+
+            Assert.Equal(71 + 77, authData.Length);
+            Assert.Equal(rpIdHashMock, rpIdHash);
+            Assert.Equal([0b01000001], flags); // UP = true, AD = true
+            Assert.Equal([0, 0, 0, 0], counter);
+            Assert.Equal(Fido2AuthenticatorService.AAGUID, aaguid);
+            Assert.Equal([0, 16], credentialIdLength); // 16 bytes because we're using GUIDs
+            Assert.Equal(credentialIdBytes, credentialId);
+        }
+
+        #endregion
+
+        private byte[] RandomBytes(int length)
+        {
+            var bytes = new byte[length];
+            new Random().NextBytes(bytes);
+            return bytes;
+        }
+
+        #nullable enable
+        private CipherView CreateCipherView(bool? withFido2Credential, string? credentialId = null, string? rpId = null, bool? discoverable = null)
+        {
+            return new CipherView {
+                Type = CipherType.Login,
+                Id = Guid.NewGuid().ToString(),
+                Reprompt = CipherRepromptType.None,
+                Login = new LoginView {
+                    Fido2Credentials = withFido2Credential.HasValue && withFido2Credential.Value ? new List<Fido2CredentialView> {
+                        new Fido2CredentialView {
+                            CredentialId = credentialId ?? Guid.NewGuid().ToString(),
+                            RpId = rpId ?? "bitwarden.com",
+                            Discoverable = discoverable.HasValue ? discoverable.ToString() : "true",
+                            UserHandleValue = RandomBytes(32)
+                        }
+                    } : null
+                }
+            };
+        }
+
+        private Cipher CreateCipher()
+        {
+            return new Cipher {
+                Id = Guid.NewGuid().ToString(),
+                Type = CipherType.Login,
+                Key = null,
+                Attachments = [],
+                Login = new Login {},
+            };
+        }
+
+        private struct AttestationObject
+        {
+            public string? Fmt { get; set; }
+            public object? AttStmt { get; set; }
+            public byte[]? AuthData { get; set; }
+        }
+
+        private AttestationObject DecodeAttestationObject(byte[] attestationObject) 
+        {
+            string? fmt = null;
+            object? attStmt = null;
+            byte[]? authData = null;
+
+            var reader = new CborReader(attestationObject, CborConformanceMode.Ctap2Canonical);
+            reader.ReadStartMap();
+
+            while (reader.BytesRemaining != 0)
+            {
+                var key = reader.ReadTextString();
+                switch (key)
+                {
+                    case "fmt":
+                        fmt = reader.ReadTextString();
+                        break;
+                    case "attStmt":
+                        reader.ReadStartMap();
+                        reader.ReadEndMap();
+                        break;
+                    case "authData":
+                        authData = reader.ReadByteString();
+                        break;
+                    default:
+                        throw new Exception("Unknown key");
+                }
+            }
+
+            return new AttestationObject {
+                Fmt = fmt,
+                AttStmt = attStmt,
+                AuthData = authData
+            };
+        }
+    }
+}
--- a/test/Core.Test/Services/Fido2AuthenticatorSilentCredentialDiscoveryTests.cs
+++ b/test/Core.Test/Services/Fido2AuthenticatorSilentCredentialDiscoveryTests.cs
@@ -0,0 +1,123 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Abstractions;
+using Bit.Core.Services;
+using Bit.Core.Models.View;
+using Bit.Core.Enums;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+using System.Collections.Generic;
+using System.Linq;
+using System.Diagnostics.CodeAnalysis;
+
+namespace Bit.Core.Test.Services
+{
+    public class Fido2AuthenticatorSilentCredentialDiscoveryTests
+    {
+        [Theory]
+        [InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
+        public async Task SilentCredentialDiscoveryAsync_ReturnsEmptyArray_NoCredentialsExist(SutProvider<Fido2AuthenticatorService> sutProvider)
+        {
+            sutProvider.GetDependency<ICipherService>().GetAllDecryptedAsync().Returns([]);
+
+            var result = await sutProvider.Sut.SilentCredentialDiscoveryAsync("bitwarden.com");
+
+            Assert.Empty(result);
+        }
+
+        [Theory]
+        [InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
+        public async Task SilentCredentialDiscoveryAsync_ReturnsEmptyArray_OnlyNonDiscoverableCredentialsExist(SutProvider<Fido2AuthenticatorService> sutProvider)
+        {
+            sutProvider.GetDependency<ICipherService>().GetAllDecryptedAsync().Returns([
+                CreateCipherView("bitwarden.com", false),
+                CreateCipherView("bitwarden.com", false),
+                CreateCipherView("bitwarden.com", false)
+            ]);
+
+            var result = await sutProvider.Sut.SilentCredentialDiscoveryAsync("bitwarden.com");
+
+            Assert.Empty(result);
+        }
+
+        [Theory]
+        [InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
+        public async Task SilentCredentialDiscoveryAsync_ReturnsEmptyArray_NoCredentialsWithMatchingRpIdExist(SutProvider<Fido2AuthenticatorService> sutProvider)
+        {
+            sutProvider.GetDependency<ICipherService>().GetAllDecryptedAsync().Returns([
+                CreateCipherView("a.bitwarden.com", true),
+                CreateCipherView("example.com", true)
+            ]);
+
+            var result = await sutProvider.Sut.SilentCredentialDiscoveryAsync("bitwarden.com");
+
+            Assert.Empty(result);
+        }
+
+        [Theory]
+        [InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
+        public async Task SilentCredentialDiscoveryAsync_ReturnsCredentials_DiscoverableCredentialsWithMatchingRpIdExist(SutProvider<Fido2AuthenticatorService> sutProvider)
+        {
+            var matchingCredentials = new List<CipherView> {
+                CreateCipherView("bitwarden.com", true),
+                CreateCipherView("bitwarden.com", true)
+            };
+            var nonMatchingCredentials = new List<CipherView> {
+                CreateCipherView("example.com", true)
+            };
+            sutProvider.GetDependency<ICipherService>().GetAllDecryptedAsync().Returns(
+                matchingCredentials.Concat(nonMatchingCredentials).ToList()
+            );
+
+            var result = await sutProvider.Sut.SilentCredentialDiscoveryAsync("bitwarden.com");
+
+            Assert.True(
+                result.SequenceEqual(matchingCredentials.Select(c => new Fido2AuthenticatorDiscoverableCredentialMetadata {
+                    Type = "public-key",
+                    Id = Guid.Parse(c.Login.MainFido2Credential.CredentialId).ToByteArray(),
+                    RpId = "bitwarden.com",
+                    UserHandle = c.Login.MainFido2Credential.UserHandleValue,
+                    UserName = c.Login.MainFido2Credential.UserName
+                }), new MetadataComparer())
+            );
+        }
+
+        private byte[] RandomBytes(int length)
+        {
+            var bytes = new byte[length];
+            new Random().NextBytes(bytes);
+            return bytes;
+        }
+
+        #nullable enable
+        private CipherView CreateCipherView(string rpId, bool discoverable)
+        {
+            return new CipherView {
+                Type = CipherType.Login,
+                Id = Guid.NewGuid().ToString(),
+                Reprompt = CipherRepromptType.None,
+                Login = new LoginView {
+                    Fido2Credentials = new List<Fido2CredentialView> {
+                        new Fido2CredentialView {
+                            CredentialId = Guid.NewGuid().ToString(),
+                            RpId = rpId ?? "null.com",
+                            DiscoverableValue = discoverable,
+                            UserHandleValue = RandomBytes(32),
+                            KeyValue = "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgO4wC7AlY4eJP7uedRUJGYsAIJAd6gN1Vp7uJh6xXAp6hRANCAARGvr56F_t27DEG1Tzl-qJRhrTUtC7jOEbasAEEZcE3TiMqoWCan0sxKDPylhRYk-1qyrBC_feN1UtGWH57sROa"
+                        }
+                    }
+                }
+            };
+        }
+
+        private class MetadataComparer : IEqualityComparer<Fido2AuthenticatorDiscoverableCredentialMetadata>
+        {
+            public int GetHashCode([DisallowNull] Fido2AuthenticatorDiscoverableCredentialMetadata obj) => throw new NotImplementedException();
+
+            public bool Equals(Fido2AuthenticatorDiscoverableCredentialMetadata? a, Fido2AuthenticatorDiscoverableCredentialMetadata? b) =>
+                a != null && b != null && a.Type == b.Type && a.RpId == b.RpId && a.UserName == b.UserName && a.Id.SequenceEqual(b.Id) && a.UserHandle.SequenceEqual(b.UserHandle);
+        }
+    }
+}
--- a/test/Core.Test/Services/Fido2ClientAssertCredentialTests.cs
+++ b/test/Core.Test/Services/Fido2ClientAssertCredentialTests.cs
@@ -0,0 +1,222 @@
+using System;
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Nodes;
+using System.Threading.Tasks;
+using Bit.Core.Abstractions;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+using Bit.Test.Common.AutoFixture;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using Xunit;
+
+namespace Bit.Core.Test.Services
+{
+    public class Fido2ClientAssertCredentialTests : IDisposable
+    {
+        private readonly SutProvider<Fido2ClientService> _sutProvider = new SutProvider<Fido2ClientService>().Create();
+
+        private Fido2ClientAssertCredentialParams _params;
+
+        public Fido2ClientAssertCredentialTests()
+        {
+            _params = new Fido2ClientAssertCredentialParams {
+                Origin = "https://bitwarden.com",
+                Challenge = RandomBytes(32),
+                RpId = "bitwarden.com",
+                UserVerification = "required",
+                AllowCredentials = [
+                    new PublicKeyCredentialDescriptor {
+                        Id = RandomBytes(32),
+                        Type = "public-key"
+                    }
+                ],
+                Timeout = 60000,
+            };
+
+            _sutProvider.GetDependency<IStateService>().GetAutofillBlacklistedUrisAsync().Returns([]);
+            _sutProvider.GetDependency<IStateService>().IsAuthenticatedAsync().Returns(true);
+        }
+
+        public void Dispose() 
+        {
+        }
+
+        [Fact(Skip = "Not sure how to check this, or if it matters.")]
+        // Spec: If callerOrigin is an opaque origin, return a DOMException whose name is "NotAllowedError", and terminate this algorithm.
+        public Task AssertCredentialAsync_ThrowsNotAllowedError_OriginIsOpaque() => throw new NotImplementedException();
+
+        [Fact]
+        // Spec: Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, 
+        //       then return a DOMException whose name is "SecurityError" and terminate this algorithm.
+        public async Task AssertCredentialAsync_ThrowsSecurityError_OriginIsNotValidDomain()
+        {
+            // Arrange
+            _params.Origin = "invalid-domain-name";
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.SecurityError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: If options.rp.id is not a registrable domain suffix of and is not equal to effectiveDomain, 
+        //       return a DOMException whose name is "SecurityError", and terminate this algorithm.
+        public async Task AssertCredentialAsync_ThrowsSecurityError_RpIdIsNotValidForOrigin()
+        {
+            // Arrange
+            _params.Origin = "https://passwordless.dev";
+            _params.RpId = "bitwarden.com";
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.SecurityError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: The origin's scheme must be https.
+        public async Task AssertCredentialAsync_ThrowsSecurityError_OriginIsNotHttps()
+        {
+            // Arrange
+            _params.Origin = "http://bitwarden.com";
+            _params.RpId = "bitwarden.com";
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.SecurityError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: If the origin's hostname is a blocked uri, then return UriBlockedError.
+        public async Task AssertCredentialAsync_ThrowsUriBlockedError_OriginIsBlocked()
+        {
+            // Arrange
+            _params.Origin = "https://sub.bitwarden.com";
+            _sutProvider.GetDependency<IStateService>().GetAutofillBlacklistedUrisAsync().Returns([
+                "sub.bitwarden.com"
+            ]);
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.UriBlockedError, exception.Code);
+        }
+
+        [Fact]
+        public async Task AssertCredentialAsync_ThrowsInvalidStateError_AuthenticatorThrowsInvalidStateError()
+        {
+            // Arrange
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .GetAssertionAsync(Arg.Any<Fido2AuthenticatorGetAssertionParams>())
+                .Throws(new InvalidStateError());
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.InvalidStateError, exception.Code);
+        }
+
+        [Fact]
+        // This keeps sensetive information form leaking
+        public async Task AssertCredentialAsync_ThrowsUnknownError_AuthenticatorThrowsUnknownError()
+        {
+            // Arrange
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .GetAssertionAsync(Arg.Any<Fido2AuthenticatorGetAssertionParams>())
+                .Throws(new Exception("unknown error"));
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.UnknownError, exception.Code);
+        }
+
+        [Fact]
+        public async Task AssertCredentialAsync_ThrowsInvalidStateError_UserIsLoggedOut()
+        {
+            // Arrange
+            _sutProvider.GetDependency<IStateService>().IsAuthenticatedAsync().Returns(false);
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.InvalidStateError, exception.Code);
+        }
+
+        [Fact]
+        public async Task AssertCredentialAsync_ThrowsNotAllowedError_OriginIsBitwardenVault()
+        {
+            // Arrange
+            _params.Origin = "https://vault.bitwarden.com";
+            _sutProvider.GetDependency<IEnvironmentService>().GetWebVaultUrl().Returns("https://vault.bitwarden.com");
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.NotAllowedError, exception.Code);
+        }
+
+        [Fact]
+        public async Task AssertCredentialAsync_ReturnsAssertion()
+        {
+            // Arrange
+            _params.UserVerification = "required";
+            var authenticatorResult = new Fido2AuthenticatorGetAssertionResult {
+                AuthenticatorData = RandomBytes(32),
+                SelectedCredential = new Fido2AuthenticatorGetAssertionSelectedCredential {
+                    Id = RandomBytes(16),
+                    UserHandle = RandomBytes(32)
+                },
+                Signature = RandomBytes(32)
+            };
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .GetAssertionAsync(Arg.Any<Fido2AuthenticatorGetAssertionParams>())
+                .Returns(authenticatorResult);
+
+            // Act
+            var result = await _sutProvider.Sut.AssertCredentialAsync(_params);
+
+            // Assert
+            await _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .Received()
+                .GetAssertionAsync(Arg.Is<Fido2AuthenticatorGetAssertionParams>(x =>
+                    x.RpId == _params.RpId &&
+                    x.RequireUserPresence == true &&
+                    x.RequireUserVerification == true &&
+                    x.AllowCredentialDescriptorList.Length == 1 &&
+                    x.AllowCredentialDescriptorList[0].Id == _params.AllowCredentials[0].Id
+                ));
+
+            Assert.Equal(authenticatorResult.SelectedCredential.Id, result.RawId);
+            Assert.Equal(CoreHelpers.Base64UrlEncode(authenticatorResult.SelectedCredential.Id), result.Id);
+            Assert.Equal(authenticatorResult.AuthenticatorData, result.AuthenticatorData);
+            Assert.Equal(authenticatorResult.Signature, result.Signature);
+
+            var clientDataJSON = JsonSerializer.Deserialize<JsonObject>(Encoding.UTF8.GetString(result.ClientDataJSON));
+            Assert.Equal("webauthn.get", clientDataJSON["type"].GetValue<string>());
+            Assert.Equal(CoreHelpers.Base64UrlEncode(_params.Challenge), clientDataJSON["challenge"].GetValue<string>());
+            Assert.Equal(_params.Origin, clientDataJSON["origin"].GetValue<string>());
+            Assert.Equal(!_params.SameOriginWithAncestors, clientDataJSON["crossOrigin"].GetValue<bool>());
+        }
+
+        private byte[] RandomBytes(int length)
+        {
+            var bytes = new byte[length];
+            new Random().NextBytes(bytes);
+            return bytes;
+        }
+    }
+}
--- a/test/Core.Test/Services/Fido2ClientCreateCredentialTests.cs
+++ b/test/Core.Test/Services/Fido2ClientCreateCredentialTests.cs
@@ -0,0 +1,305 @@
+using System;
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Nodes;
+using System.Threading.Tasks;
+using Bit.Core.Abstractions;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+using Bit.Test.Common.AutoFixture;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using Xunit;
+
+namespace Bit.Core.Test.Services
+{
+    public class Fido2ClientCreateCredentialTests : IDisposable
+    {
+        private readonly SutProvider<Fido2ClientService> _sutProvider = new SutProvider<Fido2ClientService>().Create();
+
+        private Fido2ClientCreateCredentialParams _params;
+
+        public Fido2ClientCreateCredentialTests()
+        {
+            _params = new Fido2ClientCreateCredentialParams {
+                Origin = "https://bitwarden.com",
+                SameOriginWithAncestors = true,
+                Attestation = "none",
+                Challenge = RandomBytes(32),
+                PubKeyCredParams = [
+                    new PublicKeyCredentialParameters {
+                        Type = "public-key",
+                        Alg = -7
+                    }
+                ],
+                Rp = new PublicKeyCredentialRpEntity {
+                    Id = "bitwarden.com",
+                    Name = "Bitwarden"
+                },
+                User = new PublicKeyCredentialUserEntity {
+                    Id = RandomBytes(32),
+                    Name = "user@bitwarden.com",
+                    DisplayName = "User"
+                }
+            };
+
+            _sutProvider.GetDependency<IStateService>().GetAutofillBlacklistedUrisAsync().Returns([]);
+            _sutProvider.GetDependency<IStateService>().IsAuthenticatedAsync().Returns(true);
+        }
+
+        public void Dispose() 
+        {
+        }
+
+        [Fact]
+        // Spec: If sameOriginWithAncestors is false, return a "NotAllowedError" DOMException.
+        public async Task CreateCredentialAsync_ThrowsNotAllowedError_SameOriginWithAncestorsIsFalse()
+        {
+            // Arrange
+            _params.SameOriginWithAncestors = false;
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.NotAllowedError, exception.Code);
+        }
+        
+        [Fact]
+        // Spec: If the length of options.user.id is not between 1 and 64 bytes (inclusive) then return a TypeError.
+        public async Task CreateCredentialAsync_ThrowsTypeError_UserIdIsTooSmall()
+        {
+            // Arrange
+            _params.User.Id = RandomBytes(0);
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.TypeError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: If the length of options.user.id is not between 1 and 64 bytes (inclusive) then return a TypeError.
+        public async Task CreateCredentialAsync_ThrowsTypeError_UserIdIsTooLarge()
+        {
+            // Arrange
+            _params.User.Id = RandomBytes(65);
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.TypeError, exception.Code);
+        }
+
+        [Fact(Skip = "Not sure how to check this, or if it matters.")]
+        // Spec: If callerOrigin is an opaque origin, return a DOMException whose name is "NotAllowedError", and terminate this algorithm.
+        public Task CreateCredentialAsync_ThrowsNotAllowedError_OriginIsOpaque() => throw new NotImplementedException();
+
+        [Fact]
+        // Spec: Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, 
+        //       then return a DOMException whose name is "SecurityError" and terminate this algorithm.
+        public async Task CreateCredentialAsync_ThrowsSecurityError_OriginIsNotValidDomain()
+        {
+            // Arrange
+            _params.Origin = "invalid-domain-name";
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.SecurityError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: If options.rp.id is not a registrable domain suffix of and is not equal to effectiveDomain, 
+        //       return a DOMException whose name is "SecurityError", and terminate this algorithm.
+        public async Task CreateCredentialAsync_ThrowsSecurityError_RpIdIsNotValidForOrigin()
+        {
+            // Arrange
+            _params.Origin = "https://passwordless.dev";
+            _params.Rp.Id = "bitwarden.com";
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.SecurityError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: The origin's scheme must be https.
+        public async Task CreateCredentialAsync_ThrowsSecurityError_OriginIsNotHttps()
+        {
+            // Arrange
+            _params.Origin = "http://bitwarden.com";
+            _params.Rp.Id = "bitwarden.com";
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.SecurityError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: If the origin's hostname is a blocked uri, then return UriBlockedError.
+        public async Task CreateCredentialAsync_ThrowsUriBlockedError_OriginIsBlocked()
+        {
+            // Arrange
+            _params.Origin = "https://sub.bitwarden.com";
+            _sutProvider.GetDependency<IStateService>().GetAutofillBlacklistedUrisAsync().Returns([
+                "sub.bitwarden.com"
+            ]);
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.UriBlockedError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: If credTypesAndPubKeyAlgs is empty, return a DOMException whose name is "NotSupportedError", and terminate this algorithm.
+        public async Task CreateCredentialAsync_ThrowsNotSupportedError_CredTypesAndPubKeyAlgsIsEmpty()
+        {
+            // Arrange
+            _params.PubKeyCredParams = [
+                new PublicKeyCredentialParameters {
+                    Type = "not-supported",
+                    Alg = -7
+                },
+                new PublicKeyCredentialParameters {
+                    Type = "public-key",
+                    Alg = -9001
+                }
+            ];
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.NotSupportedError, exception.Code);
+        }
+
+        [Fact(Skip = "Not implemented")]
+        // Spec: If the options.signal is present and its aborted flag is set to true, return a DOMException whose name is "AbortError" and terminate this algorithm.
+        public Task CreateCredentialAsync_ThrowsAbortError_AbortedByCaller() => throw new NotImplementedException();
+
+        [Fact]
+        public async Task CreateCredentialAsync_ReturnsNewCredential()
+        {
+            // Arrange
+            _params.AuthenticatorSelection = new AuthenticatorSelectionCriteria {
+                ResidentKey = "required",
+                UserVerification = "required"
+            };
+            var authenticatorResult = new Fido2AuthenticatorMakeCredentialResult {
+                CredentialId = RandomBytes(32),
+                AttestationObject = RandomBytes(32),
+                AuthData = RandomBytes(32),
+                PublicKey = RandomBytes(32),
+                PublicKeyAlgorithm = -7,
+            };
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .MakeCredentialAsync(Arg.Any<Fido2AuthenticatorMakeCredentialParams>())
+                .Returns(authenticatorResult);
+
+            // Act
+            var result = await _sutProvider.Sut.CreateCredentialAsync(_params);
+
+            // Assert
+            await _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .Received()
+                .MakeCredentialAsync(Arg.Is<Fido2AuthenticatorMakeCredentialParams>(x =>
+                    x.RequireResidentKey == true &&
+                    x.RequireUserVerification == true &&
+                    x.RpEntity.Id == _params.Rp.Id &&
+                    x.UserEntity.DisplayName == _params.User.DisplayName
+                ));
+            Assert.Equal(authenticatorResult.CredentialId, result.CredentialId);
+            Assert.Equal(authenticatorResult.AttestationObject, result.AttestationObject);
+            Assert.Equal(authenticatorResult.AuthData, result.AuthData);
+            Assert.Equal(authenticatorResult.PublicKey, result.PublicKey);
+            Assert.Equal(authenticatorResult.PublicKeyAlgorithm, result.PublicKeyAlgorithm);
+            Assert.Equal(["internal"], result.Transports);
+
+            var clientDataJSON = JsonSerializer.Deserialize<JsonObject>(Encoding.UTF8.GetString(result.ClientDataJSON));
+            Assert.Equal("webauthn.create", clientDataJSON["type"].GetValue<string>());
+            Assert.Equal(CoreHelpers.Base64UrlEncode(_params.Challenge), clientDataJSON["challenge"].GetValue<string>());
+            Assert.Equal(_params.Origin, clientDataJSON["origin"].GetValue<string>());
+            Assert.Equal(!_params.SameOriginWithAncestors, clientDataJSON["crossOrigin"].GetValue<bool>());
+        }
+
+        [Fact]
+        public async Task CreateCredentialAsync_ThrowsInvalidStateError_AuthenticatorThrowsInvalidStateError()
+        {
+            // Arrange
+            _params.AuthenticatorSelection = new AuthenticatorSelectionCriteria {
+                ResidentKey = "required",
+                UserVerification = "required"
+            };
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .MakeCredentialAsync(Arg.Any<Fido2AuthenticatorMakeCredentialParams>())
+                .Throws(new InvalidStateError());
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.InvalidStateError, exception.Code);
+        }
+
+        [Fact]
+        // This keeps sensetive information form leaking
+        public async Task CreateCredentialAsync_ThrowsUnknownError_AuthenticatorThrowsUnknownError()
+        {
+            // Arrange
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .MakeCredentialAsync(Arg.Any<Fido2AuthenticatorMakeCredentialParams>())
+                .Throws(new Exception("unknown error"));
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.UnknownError, exception.Code);
+        }
+
+        [Fact]
+        public async Task CreateCredentialAsync_ThrowsInvalidStateError_UserIsLoggedOut()
+        {
+            // Arrange
+            _sutProvider.GetDependency<IStateService>().IsAuthenticatedAsync().Returns(false);
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.InvalidStateError, exception.Code);
+        }
+
+        [Fact]
+        public async Task CreateCredentialAsync_ThrowsNotAllowedError_OriginIsBitwardenVault()
+        {
+            // Arrange
+            _params.Origin = "https://vault.bitwarden.com";
+            _sutProvider.GetDependency<IEnvironmentService>().GetWebVaultUrl().Returns("https://vault.bitwarden.com");
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.CreateCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.NotAllowedError, exception.Code);
+        }
+
+        private byte[] RandomBytes(int length)
+        {
+            var bytes = new byte[length];
+            new Random().NextBytes(bytes);
+            return bytes;
+        }
+    }
+}
--- a/test/Core.Test/Utilities/Fido2/Fido2DomainUtilsTests.cs
+++ b/test/Core.Test/Utilities/Fido2/Fido2DomainUtilsTests.cs
@@ -0,0 +1,40 @@
+using Bit.Core.Utilities.Fido2;
+using Xunit;
+
+namespace Bit.Core.Test.Utilities.Fido2
+{
+    public class Fido2DomainUtilsTests
+    {
+        [Theory]
+        // From https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to
+        // [InlineData("0.0.0.0", "0.0.0.0", true)] // IP-addresses not allowed by WebAuthn spec
+        // [InlineData("0x10203", "0.1.2.3", true)]
+        // [InlineData("[0::1]", "::1", true)]
+        [InlineData("example.com", "example.com", true)]
+        [InlineData("example.com", "example.com.", false)]
+        [InlineData("example.com.", "example.com", false)]
+        [InlineData("example.com", "www.example.com", true)]
+        [InlineData("com", "example.com", false)]
+        [InlineData("example", "example", true)]
+        [InlineData("compute.amazonaws.com", "example.compute.amazonaws.com", false)]
+        [InlineData("example.compute.amazonaws.com", "www.example.compute.amazonaws.com", false)]
+        [InlineData("amazonaws.com", "www.example.compute.amazonaws.com", false)]
+        [InlineData("amazonaws.com", "test.amazonaws.com", true)]
+        // Custom tests
+        [InlineData("sub.login.bitwarden.com", "https://login.bitwarden.com:1337", false)]
+        [InlineData("passwordless.dev", "https://login.bitwarden.com:1337", false)]
+        [InlineData("login.passwordless.dev", "https://login.bitwarden.com:1337", false)]
+        [InlineData("bitwarden", "localhost", false)]
+        [InlineData("bitwarden", "bitwarden", true)]
+        [InlineData("127.0.0.1", "127.0.0.1", false)]
+        [InlineData("localhost", "https://localhost:8080", true)]
+        [InlineData("bitwarden.com", "https://bitwarden.com", true)]
+        [InlineData("bitwarden.com", "https://login.bitwarden.com:1337", true)]
+        [InlineData("login.bitwarden.com", "https://login.bitwarden.com:1337", true)]
+        [InlineData("login.bitwarden.com", "https://sub.login.bitwarden.com:1337", true)]
+        public void ValidateRpId(string rpId, string origin, bool isValid)
+        {
+            Assert.Equal(isValid, Fido2DomainUtils.IsValidRpId(rpId, origin));
+        }
+    }
+}
--- a/test/Core.Test/Utilities/GuidExtensionsTests.cs
+++ b/test/Core.Test/Utilities/GuidExtensionsTests.cs
@@ -0,0 +1,81 @@
+using System;
+using Bit.Core.Utilities;
+using Xunit;
+
+namespace Bit.Core.Test.Utilities.Fido2
+{
+    public class GuidExtensionsTests
+    {
+        [Theory]
+        [InlineData("59788da2-4221-4725-8503-52fea66df0b2", new byte[] {0x59, 0x78, 0x8d, 0xa2, 0x42, 0x21, 0x47, 0x25, 0x85, 0x03, 0x52, 0xfe, 0xa6, 0x6d, 0xf0, 0xb2})]
+        [InlineData("e7895b55-2149-4cad-9e53-989192320a8a", new byte[] {0xe7, 0x89, 0x5b, 0x55, 0x21, 0x49, 0x4c, 0xad, 0x9e, 0x53, 0x98, 0x91, 0x92, 0x32, 0x0a, 0x8a})]
+        [InlineData("d12f1371-5c89-4d20-a72f-0522674bdec7", new byte[] {0xd1, 0x2f, 0x13, 0x71, 0x5c, 0x89, 0x4d, 0x20, 0xa7, 0x2f, 0x05, 0x22, 0x67, 0x4b, 0xde, 0xc7})]
+        [InlineData("040b76e4-aff1-4090-aaa2-7f781eb1f1ac", new byte[] {0x04, 0x0b, 0x76, 0xe4, 0xaf, 0xf1, 0x40, 0x90, 0xaa, 0xa2, 0x7f, 0x78, 0x1e, 0xb1, 0xf1, 0xac})]
+        [InlineData("bda63808-9bf6-427b-97b6-37f3b8d8f0ea", new byte[] {0xbd, 0xa6, 0x38, 0x08, 0x9b, 0xf6, 0x42, 0x7b, 0x97, 0xb6, 0x37, 0xf3, 0xb8, 0xd8, 0xf0, 0xea})]
+        [InlineData("5dfb0c92-0243-4c39-bf2b-29ffea097b96", new byte[] {0x5d, 0xfb, 0x0c, 0x92, 0x02, 0x43, 0x4c, 0x39, 0xbf, 0x2b, 0x29, 0xff, 0xea, 0x09, 0x7b, 0x96})]
+        [InlineData("5a65a8aa-6b88-4c72-bc11-a8a80ba9431e", new byte[] {0x5a, 0x65, 0xa8, 0xaa, 0x6b, 0x88, 0x4c, 0x72, 0xbc, 0x11, 0xa8, 0xa8, 0x0b, 0xa9, 0x43, 0x1e})]
+        [InlineData("76e7c061-892a-4740-a33c-2a52ea7ccb57", new byte[] {0x76, 0xe7, 0xc0, 0x61, 0x89, 0x2a, 0x47, 0x40, 0xa3, 0x3c, 0x2a, 0x52, 0xea, 0x7c, 0xcb, 0x57})]
+        [InlineData("322d5ade-6f81-4d7e-ab9c-8155d9a6a50f", new byte[] {0x32, 0x2d, 0x5a, 0xde, 0x6f, 0x81, 0x4d, 0x7e, 0xab, 0x9c, 0x81, 0x55, 0xd9, 0xa6, 0xa5, 0x0f})]
+        [InlineData("51927742-4e17-40af-991c-d958514ceedb", new byte[] {0x51, 0x92, 0x77, 0x42, 0x4e, 0x17, 0x40, 0xaf, 0x99, 0x1c, 0xd9, 0x58, 0x51, 0x4c, 0xee, 0xdb})]
+        public void GuidToRawFormat_ReturnsRawFormat_GivenCorrectlyFormattedGuid(string standardFormat, byte[] rawFormat)
+        {
+            var result = GuidExtensions.GuidToRawFormat(standardFormat);
+
+            Assert.Equal(rawFormat, result);
+        }
+
+        [Theory]
+        [InlineData("59788da-4221-4725-8503-52fea66df0b2")]
+        [InlineData("e7895b552-149-4cad-9e53-989192320a8a")]
+        [InlineData("x12f1371-5c89-4d20-a72f-0522674bdec7")]
+        [InlineData("040b76e4-aff1-4090-Aaa2-7f781eb1f1ac")]
+        [InlineData("bda63808-9bf6-427b-97b63-7f3b8d8f0ea")]
+        [InlineData("")]
+        public void GuidToRawFormat_ThrowsFormatException_IncorrectlyFormattedGuid(string standardFormat)
+        {
+            Assert.Throws<FormatException>(() => GuidExtensions.GuidToRawFormat(standardFormat));
+        }
+
+        [Fact]
+        public void GuidToRawFormat_ThrowsArgumentException_NullArgument()
+        {
+            Assert.Throws<ArgumentException>(() => GuidExtensions.GuidToRawFormat(null));
+        }
+
+        [Theory]
+        [InlineData(new byte[] {0x59, 0x78, 0x8d, 0xa2, 0x42, 0x21, 0x47, 0x25, 0x85, 0x03, 0x52, 0xfe, 0xa6, 0x6d, 0xf0, 0xb2}, "59788da2-4221-4725-8503-52fea66df0b2")]
+        [InlineData(new byte[] {0xe7, 0x89, 0x5b, 0x55, 0x21, 0x49, 0x4c, 0xad, 0x9e, 0x53, 0x98, 0x91, 0x92, 0x32, 0x0a, 0x8a}, "e7895b55-2149-4cad-9e53-989192320a8a")]
+        [InlineData(new byte[] {0xd1, 0x2f, 0x13, 0x71, 0x5c, 0x89, 0x4d, 0x20, 0xa7, 0x2f, 0x05, 0x22, 0x67, 0x4b, 0xde, 0xc7}, "d12f1371-5c89-4d20-a72f-0522674bdec7")]
+        [InlineData(new byte[] {0x04, 0x0b, 0x76, 0xe4, 0xaf, 0xf1, 0x40, 0x90, 0xaa, 0xa2, 0x7f, 0x78, 0x1e, 0xb1, 0xf1, 0xac}, "040b76e4-aff1-4090-aaa2-7f781eb1f1ac")]
+        [InlineData(new byte[] {0xbd, 0xa6, 0x38, 0x08, 0x9b, 0xf6, 0x42, 0x7b, 0x97, 0xb6, 0x37, 0xf3, 0xb8, 0xd8, 0xf0, 0xea}, "bda63808-9bf6-427b-97b6-37f3b8d8f0ea")]
+        [InlineData(new byte[] {0x5d, 0xfb, 0x0c, 0x92, 0x02, 0x43, 0x4c, 0x39, 0xbf, 0x2b, 0x29, 0xff, 0xea, 0x09, 0x7b, 0x96}, "5dfb0c92-0243-4c39-bf2b-29ffea097b96")]
+        [InlineData(new byte[] {0x5a, 0x65, 0xa8, 0xaa, 0x6b, 0x88, 0x4c, 0x72, 0xbc, 0x11, 0xa8, 0xa8, 0x0b, 0xa9, 0x43, 0x1e}, "5a65a8aa-6b88-4c72-bc11-a8a80ba9431e")]
+        [InlineData(new byte[] {0x76, 0xe7, 0xc0, 0x61, 0x89, 0x2a, 0x47, 0x40, 0xa3, 0x3c, 0x2a, 0x52, 0xea, 0x7c, 0xcb, 0x57}, "76e7c061-892a-4740-a33c-2a52ea7ccb57")]
+        [InlineData(new byte[] {0x32, 0x2d, 0x5a, 0xde, 0x6f, 0x81, 0x4d, 0x7e, 0xab, 0x9c, 0x81, 0x55, 0xd9, 0xa6, 0xa5, 0x0f}, "322d5ade-6f81-4d7e-ab9c-8155d9a6a50f")]
+        [InlineData(new byte[] {0x51, 0x92, 0x77, 0x42, 0x4e, 0x17, 0x40, 0xaf, 0x99, 0x1c, 0xd9, 0x58, 0x51, 0x4c, 0xee, 0xdb}, "51927742-4e17-40af-991c-d958514ceedb")]
+        public void GuidToStandardFormat(byte[] rawFormat, string standardFormat)
+        {
+            var result = GuidExtensions.GuidToStandardFormat(rawFormat);
+
+            Assert.Equal(standardFormat, result);
+        }
+
+        [Fact]
+        public void GuidToStandardFormat_ThrowsArgumentException_NullArgument()
+        {
+            Assert.Throws<ArgumentException>(() => GuidExtensions.GuidToStandardFormat(null));
+        }
+
+        [Fact]
+        public void GuidToStandardFormat_ThrowsArgumentException_TooLarge()
+        {
+            Assert.Throws<ArgumentException>(() => GuidExtensions.GuidToStandardFormat(new byte[17]));
+        }
+
+        [Fact]
+        public void GuidToStandardFormat_ThrowsArgumentException_TooShort()
+        {
+            Assert.Throws<ArgumentException>(() => GuidExtensions.GuidToStandardFormat(new byte[15]));
+        }
+    }
+}