Currently Bitwarden has an option to ask to add login. Please add an option as to whether to prompt for passkeys during creation of a passkey or use of an existing passkey. I use Bitwarden for work and another password manager for personal use, so I want an option to disable Bitwarden’s prompt. Bitwarden’s prompt appears first and I can’t see a way to control this. If the browser allowed user control of the order of preference, I wouldn’t need this option.
A global rule and also a rule per site would be nice.
“Never ask” & “Never ask for this site”
I second this. I would love to use Bitwarden for this in multiple scenarios, but for one a user can have existing infrastructure for these, and second, Bitwarden isn’t compatible with all relevant services (e.g. ecas.europa.eu) or corporate ecosystems.
An option to not use it for a specific site or globally is quite important here as after the latest update it takes over from the browser, suddenly adding an extra, easily confusing, step to discard the popup and go with the browser each time the user tries to log in.
Thanks!
I absolutely agree with the replies so far on this page.
I use physical security keys and I am unable to use them because the Bitwarden pop-up takes over the in-browser authentication. I may decide to use Bitwarden for passkey storage but currently, many of my services are not supported and I currently need to continue using my existing systems.
Hope this can be fixed soon!
The extension upgrading itself to interfere with navigator.credentials is surprising and unwanted.
I have it disabled by default in Chrome:
Per a Reddit comment from @kspearrin, a fix is “coming soon”.
Bitwarden’s Passkey implementation is incomplete and what is there has significant problems. It should not have been pushed as an upgrade with no way to disable; basically it is unfit for production use. We are where we are. I really want to stay with Bitwarden but that will be difficult if they don’t quickly issue an update that allows me to disable all Passkey functions. Bitwarden has a large base of free or low cost users, but it depends upon commercial subscribers such as I to stay in business. This rollout indicates a lack of understanding of the needs of commercial users, who need to prepare for and control how functions are introduced to their users. It will really help if Bitwarden issues an update on how they will mitigate the immediate issues users have and a longer term plan.
Definitely +1 for this – Having new features is great, but being able to disable them is important too.
I have multiple hardware-based passkey (WebAuthn, U2F or whatever) devices and may not use this feature anyway. Having some unused feature inject into the navigator.credentials API and break pages (for example, not being able to add a new security key in Porkbun) or slow down my authentication procedure (wait for the prompt to load for seconds, and click the use browser link) is really undesired.
Hope this gets implemented soon or I’ll have to maintain a fork with this feature removed, which would be a tough task.
Agree. Thanks for starting this thread. Looking forward to a disable/fix.
I agree. There are so many login flows that rely on the built-in Windows Security/security key flow, including Windows Hello. It is not appropriate for Bitwarden to intercept/get in between these flows. Sure – make it available as an option to enable, but to enable it by default to all users? No…
Apparently their fix is just going to be an option to disable the passkey prompt for specific domains which is also uncalled for. It should be disabled by default, with the ability to enable it on a per domain basis.
I use Bitwarden in a small environment, but I empathize with anyone that is using this at a corporate level – this is a mess.
Until this last week, I’ve loved Bitwarden Premium. I came over after the second LastPass breach and even though Bitwarden doesn’t have all of the bells and whistles that LastPass had, I’ve been VERY happy with the product, until now.
I agree 100%. While I like the idea of adding the feature, everything should be announced and transparent. Enabling a feature like this should be explicitly set by the account owner. It should also provide a changeable default setting and site-level settings to enable/disable the feature.
In the meantime, customers with third-party authentication tools have to deal with a highly annoying (and in some ways breaking) change.
I just had this happen to me today as well. There really should be a way to disable passkeys, at least on specific websites.
A new browser extension version, 2023.10.2, is rolling out in various web stores right now that addresses bug fixes and some UX improvements to the current passkey implementation. No doubt there is more work to do, so please feel free to continue sharing feedback or issues that you face. Improvements include:
- Automatically fall back to the native “use browser” option when no passkeys exist in Bitwarden for a given website. The vault must be unlocked for us to know no passkeys exist.
- Fall back to the native “use browser” option when closing the Bitwarden passkey window.
- Respect excluded domains list (under Settings) before showing Bitwarden passkey options for a given website.
- Fixes to iCloud and Google passkey login. There is still a known issue with Google on some Windows device configurations.
We are still looking into adding an option to globally disable the passkey feature in a future update.
Had this happen for me today too. As a premium subscriber I am a bit disgruntled but good to hear updates are coming to remedy the situation.
Seriously? That’s still not even REMOTELY CLOSE to acceptable.
I should not need to click a button in your extension in order to use my Yubikey. There is literally no reason why I would ever want to have a passkey in Bitwarden when I have my Yubikey. A solution which only works when the vault is unlocked is a solution which only works perhaps 10% of the time.
Hi John. For use cases like yours we are also working toward adding a setting to disable the feature entirely. This will come in a different future release.
As a workaround in Firefox, you can go to the previous versions page here:
https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/versions/
You can click “download file” on a previous version, and it will install normally as if you were installing an addon.
You may also need to disable automatic updates for Bitwarden (right click Bitwarden extension > manage extension > Allow automatic updates > off).
Yes, please, make the global disabling of passkey work even when the vault is locked.
Why was such an invasive change rolled out without an option to disable? Do you need a beta branch to test half-baked code changes or get them out to folks that need features sooner?
I would like to report that I had to disable the Bitwarden extension in order to log into the Bitwarden web vault because I was not able to bypass the passkey prompt in order to use my FIDO2 USB key that is registered with my vault.
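Several posts above describe the extension taking over the page's `navigator.credentials` methods. As an added example (not Bitwarden's code and not written by any poster in this thread), the heuristic below reports whether `create` and `get` still look like the browser's native methods when run in a page's DevTools console. The function names are hypothetical, and it assumes the replacement is a plain function assigned onto the object in the page's main world.

```javascript
// Added example: heuristic check for replaced WebAuthn entry points.
// A native method stringifies as "function name() { [native code] }" and
// lives on the prototype, not on the navigator.credentials instance itself.
const NATIVE_RE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

function describeMethod(container, name) {
  const fn = container ? container[name] : undefined;
  if (typeof fn !== "function") {
    return { name, present: false, looksNative: false, ownProperty: false };
  }
  const source = Function.prototype.toString.call(fn).trim();
  return {
    name,
    present: true,
    looksNative: NATIVE_RE.test(source),
    // An own property means something assigned over the inherited method.
    ownProperty: Object.prototype.hasOwnProperty.call(container, name),
  };
}

// nav is a navigator-like object; pass the real `navigator` in a browser.
function inspectCredentialsApi(nav) {
  const container = nav ? nav.credentials : undefined;
  const methods = ["create", "get"].map((m) => describeMethod(container, m));
  const wrapped = methods
    .filter((m) => m.present && (!m.looksNative || m.ownProperty))
    .map((m) => m.name);
  return { available: Boolean(container), methods, wrapped };
}

// Caveat: bound functions and Proxies also stringify as native code, so an
// empty `wrapped` list is a hint, not proof that nothing sits in the path.
if (typeof navigator !== "undefined" && navigator.credentials) {
  console.log(inspectCredentialsApi(navigator));
}
```

Comparing the output with the extension enabled and disabled on the same page shows whether the prompt seen at login comes from a replaced method or from the browser itself.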