The process is roughly as follows: the browser initiates FIDO2 authentication, the Bitwarden browser extension adds a new feature (QR code), an Android/Apple phone is used to scan the code, and after the interaction is completed via cloud + Bluetooth, FIDO BLE is used to connect to the passkey to complete authentication.
Specifically, it is based on the FIDO CTAP 2.2 standard, with a Tunnel Server ID greater than 255, allowing dynamic tunnel domains.
This feature relies on Bluetooth and the network. It is suggested that the browser extension design distinguishes between scenarios with no account login and account login, to differentiate between home and public settings.
The proposal aims to bypass Microsoft's tedious menu selections and is intended to be usable on other systems as well.
So, such a feature would involve the BW browser extension, which "intercepts" the passkey request and presents a QR code that can be scanned with the mobile app?
First, it's already possible with the mobile app to scan passkey QR codes – and isn't a system that's independent from the existence of the BW browser extension even more flexible? Especially since…:
Second, when you have the BW browser extension already in use on a given system, wouldn't it be much easier just to use the BW extension directly for passkey login?
Ah, could you clarify if you (still) mean "login to Bitwarden (e.g. the extension)" or logging in to other services using passkeys stored in Bitwarden?
I'm confused. What does "scenarios with no account login" mean if you're talking about an option for "login to your Bitwarden account"?
PS: And if you mean "login to the BW extension", I don't see how this would be less tedious than the existing QR code login / cross-device authentication mechanism.
This feature relies on the BW browser extension, which "intercepts" passkey requests and displays a QR code. Note that this uses a protocol starting with "fido:", which standard Google scanning apps can recognize. It does not involve the BW mobile app at this stage.
This QR code represents FIDO BLE. You can think of it as a "relay station" that transmits requests via BLE (Bluetooth Low Energy). The interaction can then be completed using the BW mobile app or even a USB/NFC security key. For now, this feature can be referred to as "FIDO Bluetooth."
Use Cases:
Public Computers: When using devices in public places—such as libraries, internet cafes, or a friend's house—I don't need to manually enter my username and password. I can simply use "FIDO Bluetooth."
At Home: When I am logged into Bitwarden on my own computer and initiate FIDO2 verification, I have the flexibility to choose between the BW extension, a physical security key, or this new "FIDO Bluetooth" option.
Additional Note:
I haven't been able to find this functionality on Linux yet. While Windows 10/11 currently has a version of this implementation, the menu navigation is extremely complex. I hope this new feature will provide a faster and more seamless user experience.
Help me understand the Public Computers scenario …
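As an added illustration (my own code, not from this thread or from Bitwarden): the QR code described in the post above carries a "FIDO:/" URI whose digits are a decimal encoding of a CBOR map, as defined by the CTAP 2.2 hybrid transport. The codec below assumes the CTAP 2.2 rule as I understand it (7-byte chunks read little-endian and written as 17 decimal digits, a shorter final chunk using the fewest digits that can hold it) and leaves the CBOR map itself undecoded.

```python
# Digit codec for the payload of a CTAP 2.2 hybrid-transport QR code ("FIDO:/<digits>").
# Assumption: 7-byte chunks, little-endian, 17 digits each; a trailing partial chunk of n
# bytes uses the minimum digit count that can represent 256**n - 1.
CHUNK_BYTES = 7
CHUNK_DIGITS = 17
PARTIAL_DIGITS = {n: len(str(256 ** n - 1)) for n in range(1, CHUNK_BYTES)}  # {1:3, 2:5, ...}
DIGITS_TO_BYTES = {d: n for n, d in PARTIAL_DIGITS.items()}


def digit_encode(data: bytes) -> str:
    """Encode raw (CBOR) bytes as the decimal string placed after 'FIDO:/'."""
    out = []
    for i in range(0, len(data), CHUNK_BYTES):
        chunk = data[i:i + CHUNK_BYTES]
        width = CHUNK_DIGITS if len(chunk) == CHUNK_BYTES else PARTIAL_DIGITS[len(chunk)]
        out.append(str(int.from_bytes(chunk, "little")).zfill(width))
    return "".join(out)


def digit_decode(digits: str) -> bytes:
    """Inverse of digit_encode; rejects malformed input instead of guessing."""
    if any(c not in "0123456789" for c in digits):
        raise ValueError("payload must be ASCII decimal digits")
    full, rest = divmod(len(digits), CHUNK_DIGITS)
    out = bytearray()
    for i in range(full):
        value = int(digits[i * CHUNK_DIGITS:(i + 1) * CHUNK_DIGITS])
        if value >= 256 ** CHUNK_BYTES:
            raise ValueError("chunk value does not fit in 7 bytes")
        out += value.to_bytes(CHUNK_BYTES, "little")
    if rest:
        n = DIGITS_TO_BYTES.get(rest)
        if n is None:
            raise ValueError("invalid trailing chunk length: %d digits" % rest)
        value = int(digits[full * CHUNK_DIGITS:])
        if value >= 256 ** n:
            raise ValueError("trailing chunk value does not fit in %d bytes" % n)
        out += value.to_bytes(n, "little")
    return bytes(out)


def parse_fido_qr(uri: str) -> bytes:
    """Strip the scheme (spec writes FIDO:/, scanners may lowercase it) and return the CBOR bytes."""
    prefix = "FIDO:/"
    if uri[:len(prefix)].upper() != prefix:
        raise ValueError("not a FIDO:/ hybrid-transport URI")
    return digit_decode(uri[len(prefix):])
```

A scanner app only needs this step to recognise the scheme; everything inside the decoded map (the relying party's public key, the QR secret, tunnel server count, timestamp) is what the phone then uses to open the tunnel and BLE advertisement described above.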
You are using a public/untrusted computer that has the Bitwarden extension installed on it.
The BW extension on this untrusted computer displays a QR code that you scan with your trusted phone.
After which, your vault is downloaded and unlocked on the untrusted computer.
So that you can access your bank password on an untrusted computer.
And login to your bank account on said untrusted computer.
Unless I misunderstand, the scenario raises many red flags for me.
As for the At Home scenario, how would scanning a QR code with your phone be more convenient than the existing "Login with Device"? If nothing else, login with device does not require removing my phone from the charging stand.
Starting from the third step, it is not about downloading Bitwarden data. Instead, it is a Bluetooth connection between the phone and the computer; the phone will prompt to use Bitwarden/a USB security key.
There is a misunderstanding—here, Bluetooth can be viewed as a USB cable, and the phone as a physical security key, which might help with understanding. FIDO Alliance members have previously had similar hardware products that use Bluetooth.
As for the situation at home, it is simply an alternative because Microsoft's built-in menus for this feature are complex; it would be better if there were "one-click" direct access. Furthermore, this feature can provide a consistent, fast, and secure experience across various operating systems; at least Linux is suitable for adding this.
Integrating this into the Bitwarden browser extension would provide a better experience, allowing Windows 11 and Linux to have "one-click" direct access. This would be a massive step forward. Although Windows already has this feature, the experience is mediocre; I currently need to navigate through three additional menus.
Furthermore, I want to emphasize that the reason I am submitting this feature request is that if the Bitwarden mobile app can natively parse "fido:" via this QR code, then devices without GMS, custom ROMs, or those running Android versions below 14 could all enjoy a Passkey experience. The FIDO 2.2 documentation suggests that this is a possibility.
You are using a public/untrusted computer that has the Bitwarden extension installed on it.
The BW extension on this untrusted computer displays a QR code that you scan with your trusted phone.
The QR code is used to establish and authenticate a Bluetooth connection over which the two Bitwardens can securely communicate. After which, your vault is downloaded and unlocked on the untrusted computer.
The untrusted computer proxies a passkey authentication ceremony between the website and your trusted phone. So that you can access your bank password on an untrusted computer.
And login to your bank account on said untrusted computer.
Still have a very basic problem believing that public computers would have the Bitwarden extension preinstalled, that I can trust the extension's pedigree, and that I can trust the public computer to be free of malware (e.g. a session hijacker or an AITM). In this scenario, I would only use the library computer to access public resources and would do my banking via my phone's web browser.
For login with device, it is 4 clicks, and one smile-for-the-camera.
At the login page, my email address is prefilled in, so I just click "continue".
My phone gets a notification stating "login requested…confirm login attempt for". I click on it, which opens Bitwarden, which I unlock with FaceID.
Bitwarden displays a bit of confirmation information, to which I click "Confirm Login".
Back on the computer, I am logged in (well, I would have been had I checked the "don't prompt for MFA for 30 days").
I don't see how opening/unlocking Bitwarden (or my camera app) to scan a QR code would simplify this.
That's not my experience. On Windows 11, when I use "Login with passkey" for the browser extension, it's only two clicks from the extension window → click on "Login with passkey" → click on "Android/iOS device" on the Windows Hello/Security window. Then, I already get the QR code…
So at best, you could remove one click with your suggestion (if you could click "QR code" in the extension window directly).
I tried to find this, but wasn't successful. Could you give us the exact section(s) that supposedly suggest that?
According to the FIDO 2.2 Hybrid transports (11.5) specification, this can actually be nested within the application.
As for the purpose of my functional requirement submission, I hope that Bitwarden fully implements this feature to break the "ecosystem isolation" of operating systems.
Thank you for your reply. Regarding your statement, at least in the case of bank accounts, we should not log into them in public environments.
As for the new feature of the BW plugin for logging into accounts in public places, we might need to consider it on a case-by-case basis. Important accounts require caution, but we might need it for occasionally handling simple tasks.
After the feature is implemented, to give an example of my own: I have a virtual machine with Bluetooth functionality running Ubuntu 22.04, which I usually access via remote desktop. If I need to log into an account, previously I might have had to go to the machine to touch the Yubikey or pick up an NFC smart card. If the BW plugin implements this feature, after scanning the QR code with my Android phone, I can choose Bitwarden, Yubikey, or an NFC smart card—any of these methods—to perform the passkey authentication.
My first language is not English, so this might be a mistranslation or sound strange to you.
This is a consideration for users who possess the Bitwarden password manager, NFC smart cards, and USB security keys.
If I could directly click/select the QR code, scan it with my phone, and then choose Bitwarden or choose a security key.
If FIDO2 authentication is initiated under normal circumstances, one would select "physical security key" and then choose based on USB/NFC security keys or Apple/Android phones.
Normally, there is one extra step here; if the Bitwarden browser extension implements this directly, I can choose between the Bitwarden mobile app or a physical security key depending on the situation.