activation of passkeys triggers unhandled server error

Hello! I’m in the process of trying out Bitwarden as my new password management solution.

I use the unified image of Bitwarden (Docker).

So far the basic functionality works fine.

However, I run into trouble when I try to enable “logon with passkey”, which I would like to do before I go into production. I understand this is a beta feature.

When I am logged on to the self-hosted Bitwarden system via the Chrome browser (I tried both Ubuntu as well as Windows 11), I click on “activate” for the feature.

  1. I am prompted to enter my master password again.
  2. Bitwarden triggers my browser to display a pop-up which asks me if I want to create a passkey for logon to the service (Bitwarden).
  3. It shows “Passkey successfully generated” and asks me for a name.
  4. After entering the name and clicking “activate” again, it throws “An unhandled server error has occurred.”

This happens both on Linux and Windows. Any idea? Is this still too beta?

Cheers

@airflow Welcome to the forum!

Could you provide a screenshot of that? (Because in the non-self-hosted versions I think it’s called something like “Turn on”, so I’m wondering if there are more differences.)

Did you try to store the login-passkey for Bitwarden in your Bitwarden vault? – If you tried to create the passkey “with encryption” then that will fail in every case, as it’s not possible to store passkeys with PRF in the Bitwarden vault right now.

Did you try to store the login-passkey somewhere else as well? Does that also fail?

You’re right, it’s “Turn on”. I had the language set to German, where it says “Aktivieren”, which I translated to English.

After clicking on “Turn on” in that dialogue, it throws the error:

This is the first method by which I tried to enable the feature. The other option is at “Security” and “Two-Step Login”. However, there it throws the same error.

I’m not entirely sure what you mean by this. I followed the above description of steps exactly.

Ah, okay!

Well, then the other way round: where do you plan to / want to (or rather: tried to) store the login-passkey for your Bitwarden account/vault?

BTW, these are two different features, so there is no second method to create login-passkeys. – In Security → Two-Step Login, you can create a FIDO2-2FA credential, which Bitwarden unfortunately also just calls “passkey” [@dwbit :face_with_raised_eyebrow: :sweat_smile:]. But those two “passkeys” – a login-passkey and a 2FA-“passkey” – are not the same kind of credential and don’t have the same function for the Bitwarden account/vault.

What I want to achieve is the following: I want to secure my password-vault itself with best practice security, before I move all my credentials in there.

Besides setting up a good master password, this means setting up a second factor in combination with it, to protect access to my password vault. I already set up my Google Authenticator app for that, but I’d like to also add passkeys on my important devices (like the browser on my main workstation), so I can use biometric methods to authenticate/unlock my vault.

  1. Then, please follow this guide to set up a FIDO2-2FA-“passkey”. – Setting up a full-login-passkey doesn’t work as 2FA for Bitwarden, so not the thing you want here at the moment…

  2. Then here is my question again: where do you want to store, or where did you try to store, that 2FA-“passkey”? (It must be saved somewhere, so where?)

  1. Okay, if you want to fully login, then you indeed need an (additional) “login-passkey”.

  2. And you want to store that in the password manager of your browser? Then the Bitwarden “save passkey” popup would be the wrong “location”, as that would store the passkey in the Bitwarden browser extension. (BTW, I’m not sure which browsers support passkey storage in their built-in password manager?!)

  3. Just for the terminology of things: “unlocking with a full-login-passkey” is currently not possible with Bitwarden. Only login, and only to the web vault.

Thank you for bearing with me. I just spent time again trying to get this to work.

I did follow this guide. I tried different methods: both using a hardware key (YubiKey) and also the OS-integrated variant (Windows Hello) of creating a passkey. In both cases, Bitwarden throws the error I mentioned before.

As I stated before, I’d like to use the OS-integrated methods of creating passkeys, which are then tied to biometric devices (fingerprint reader) or PINs (Windows Hello). As far as I know, this is a software-only variant of creating and using passkeys. I do use those successfully in other applications.

Yes, I want to use the password manager of the browser/OS to store and manage the passkey needed to unlock Bitwarden.

No, I definitely don’t use Bitwarden’s “save passkey” popup; I haven’t even installed the Bitwarden extension for the browser yet. Before I do that, I would like to protect the account properly.

The fact that creating a FIDO2-2FA-passkey using a YubiKey, which I also possess, didn’t work either (same error) tells me that there is some fundamental problem here. According to the document you linked, that should definitely work, no?

I now have two ideas: perhaps I just create a test account at Bitwarden’s official service (as opposed to the self-hosted variant) and test if it makes a difference. The other idea is to install the browser extension. What would you say?

Update to my last posting:

I just played around with the cloud-provided version of Bitwarden (hosted on bitwarden.eu).

There, I could save all the different passkeys I have (both hardware- and software-implemented) into my Bitwarden instance, and I could use them both to log on directly and as a second factor together with the master password. The only limitation was that for logon with passkey (without master password) I could only use the YubiKey one. That’s because the other is not viable for encryption. However, as a second factor, I could use it (which is what I want).

So, conclusion: everything works fine as expected with the cloud variant of Bitwarden. It has to be a problem with the unified image. I will open a support case for that.

Ah, good…

Hmm, as I don’t see any notes about restrictions with passkeys for “unified” and there are no current issues related to that on GitHub

I don’t self-host, so I can’t be of much help here. Personally, I would also check if everything is set up and configured as it should be. Contacting customer support would also be advisable. If it turns out it could be a bug, then you could report it on GitHub.