Still unable to log in to Bitwarden web vault using passkey

For some time I’ve been following posts related to this topic and I keep reading that Chromium based browsers support PRF.

I’m using the Chrome browser running on Windows 11 Home.

However, when trying to log in using a passkey, I get as far as authentication using Windows Hello but then Bitwarden asks me for my master password (which seems to negate any benefit of using a passkey and in fact adds more steps).

Now I gather this must have something to do with the encryption step. This is supported by this message under Security settings:

So what confuses me is why am I getting the “Encryption not supported” message if Chrome supports PRF? Or am I oversimplifying/missing something?

Many thanks.

For this to work, PRF/passkey based encryption must be supported by all of the following:

  • The service you are logging in to (e.g., Bitwarden Web Vault). ✅
  • The browser (e.g., Chrome). ✅
  • The operating system (e.g., Windows 11 Home). ❓
  • The “wallet” that holds your passkey (e.g., Windows Hello). ❓

I know that Windows 11 Professional supports passkeys with PRF, but I don’t know whether this is also supported in Windows 11 Home.

If it is not the operating system, then it is Windows Hello that is the culprit.

There is no comprehensive list that I know of to document what is and isn’t compatible with PRF, but hopefully other forum users will chime in with their own experiences.

2 Likes
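The four-way dependency described above comes down to one WebAuthn extension: the relying party asks for `prf` at registration, and only if the browser, OS and authenticator all pass it through does the response carry `prf.enabled: true`; otherwise the passkey is "Encryption not supported". The following is an added illustration (not Bitwarden's code) of how a relying party requests and checks that; the credential objects are constructed mocks standing in for `PublicKeyCredential` results, and the RP name and user are hypothetical.

```javascript
// Registration options a relying party would pass to navigator.credentials.create().
// The prf extension is requested here; whether it is honoured is up to the browser,
// the OS and the authenticator ("wallet"), not the relying party.
function buildRegistrationOptions(challenge, userId) {
  return {
    publicKey: {
      challenge,
      rp: { name: "Example Vault" }, // hypothetical relying party
      user: { id: userId, name: "user@example.invalid", displayName: "user" },
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
      extensions: { prf: {} },
    },
  };
}

// Login options for navigator.credentials.get(): the RP supplies a salt so the
// authenticator can evaluate the PRF and hand back key material.
function buildLoginOptions(challenge, prfSalt) {
  return { publicKey: { challenge, userVerification: "required", extensions: { prf: { eval: { first: prfSalt } } } } };
}

// Inspect the create() result: "encryption-supported" only when the authenticator
// honoured the extension; an empty or missing prf entry is what surfaces to the
// user as "Encryption not supported".
function classifyPrfSupport(credential) {
  const ext = credential.getClientExtensionResults();
  return ext && ext.prf && ext.prf.enabled === true ? "encryption-supported" : "encryption-not-supported";
}

// Inspect the get() result: returns the 32-byte PRF output (used to derive the key
// that unlocks the vault) or null, in which case the client must fall back to the
// master password.
function extractPrfOutput(assertion) {
  const ext = assertion.getClientExtensionResults();
  const first = ext && ext.prf && ext.prf.results && ext.prf.results.first;
  if (!(first instanceof ArrayBuffer) || first.byteLength !== 32) return null;
  return new Uint8Array(first);
}

// Constructed mocks: a hardware key that honours PRF, a platform wallet that silently
// drops the extension, and a PRF-capable assertion at login time.
const prfCapableCredential = { getClientExtensionResults: () => ({ prf: { enabled: true } }) };
const prfIgnoringCredential = { getClientExtensionResults: () => ({}) };
const prfAssertion = { getClientExtensionResults: () => ({ prf: { results: { first: new Uint8Array(32).fill(7).buffer } } }) };
```

In a real browser the same checks run on the objects returned by `navigator.credentials.create()` and `get()`; an authenticator that reports `enabled: false` cannot be upgraded later, so the passkey has to be registered again with a PRF-capable wallet.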

Thanks @grb, that’s useful to know. I suspect it could be Windows 11 Home edition.

I have the same problem, getting encryption not supported.
I am using a self-hosted Bitwarden Server which now has passkey support. However, I can’t get it to work on Chrome or Edge using Windows 11 Education (equivalent of Enterprise) and Windows Hello for Business Facial Recognition.
So, for me at least, my money is on Windows Hello.

2 Likes

You may well be right. In my case it could well be Windows Hello and Windows 11 Home, both!

I’m with my desktop on Windows 11 Home and could successfully create and use passkeys on my YubiKeys (5C NFC) with encryption for the Bitwarden-web-vault-passkey-login (using Brave), so I would guess the “problem” would be the “passkey-wallet” Windows Hello, as @mikael.zewgren bets his money on…

2 Likes

Ok, so the evidence against Windows Hello is mounting! 🤨

2 Likes

@bitmap @Nail1684, sounds like we’re on to something.
I’ll try to get hold of a YubiKey 5 at work and test that too.

2 Likes

I can confirm that Windows Hello with Win11 does not support encryption for passkey login to BW web vault.
It works perfectly fine with Yubikey5, I have set up 2 of them for passwordless vault login.

1 Like

Is your OS Win 11 Home or Win 11 Professional?

It is Home Edition … do you think it will work with Professional?

No. You said you could do it with your YubiKeys 5 on Win 11 Home - that shows that Win 11 Home supports the PRF / “with encryption” part in general. And it seems that Windows Hello doesn’t support storing passkeys with encryption, at least on Win 11 Home and presumably Win 11 Pro also.

(my laptop has Win 11 Pro - maybe I’ll test it and add the “report” later here…)

Okay, just tested it with my laptop on Win 11 Pro (again with Brave): YubiKey 5 again successful - storing the passkey in Windows Hello doesn’t even offer me “with encryption” and shows “encryption not supported” for the created passkey.

So - at least with my devices - whether it is Win 11 Home or Pro, it doesn’t work with Windows Hello and is no problem with my YubiKeys 5. (again, all tested with Brave)

2 Likes

Thanks for the testing … your experience matches mine … it seems Windows Hello implementation itself is the culprit. I hope this will change some time in the future.

1 Like

I agree with @tschap123, it certainly seems that Windows Hello is where the incompatibility lies. Thanks @Nail1684 and @tschap123 for narrowing this down.

1 Like

I can log in to my web vault using a passkey on Windows 11 home, however this passkey is saved in the Bitwarden app Firefox extension, not Windows itself.

I can however log in to Gmail using a passkey saved in Windows itself, so it does appear to be working in Windows 11 Home for Google, just not Bitwarden.

That is a bit confusing, because my last info is that storing “PRF-passkeys” (with encryption) in a Bitwarden item is not possible… and adding to that, Firefox doesn’t support PRF (= you shouldn’t be able to store and/or use a “passkey with encryption” via Firefox 🤔)… so, can you log in with that passkey without entering the master password? - Could you provide some screenshots of your login process doing it like this? (of course without containing personal information)

That is not surprising, I must say. Then it is a normal “login-passkey”, just as for other websites. For Google, the passkey does not have to be with encryption. And that you can store passkeys without encryption in Windows Hello etc. is, as I wrote, not surprising. 😉

Perhaps I misspoke. When I try to log in to vault.bitwarden.com using a passkey, it pops up in the Bitwarden Firefox extension, I confirm it, and then it asks for my master password, so no, I guess I’m not logging in by passkey alone. The strange thing is, if I log in to vault.bitwarden.com using my master password instead of the passkey, it then asks for my 2FA. Either way, it asks me for two separate things, those two things being different depending on whether I first select passkey or master password login.

Also, I just verified that this exact same behavior presents in the self-hosted Bitwarden vault as well: if I use a passkey it asks for the master password, if I use the master password it asks for 2FA.

Okay, thanks for the clarification. And just a sidenote - I think you may be aware of it, but for other readers as well - besides testing these functions, beware of the circular setup of this example here. (Requiring access to Bitwarden to get access to Bitwarden is a bit risky, to say the least 🤣 - but we of course still have the master password and 2FA available at this point.)

Well, the last part is logical: if you log in “classically” using your master password, of course 2FA is required as well. An answer to using a “login-passkey without encryption” can be found here, I think (see there “How it works” → “Passkeys with encryption turned off”): Log in with Passkeys | Bitwarden Help Center

… well, here is the important screenshot, I think:

PS: If I understand it correctly, and to put it in simple terms: the “WebAuthn” part seems to be included - and that includes every form of 2FA already (or “creates” another 2FA option for your vault, only for this passkey)?! - so only the master password is needed for the decryption part, which the passkey without encryption can’t do.

I completely understand and appreciate you pointing out the logical fact that storing a credential inside of a vault that is required to get into the same vault makes little sense. I also think that everyone is still getting a handle on passkey use cases. Everywhere you look and read they say passkeys are far superior to passwords for so many reasons, but then using the passkey requires the entry of the very same password it would logically be meant to replace. I also appreciate that we are in the transition phase and this could take a while to shake out.

I agree, it just seems to be another factor, not really a replacement, yet.