✅ Add setting to disable Bitwarden passkey prompt

Please let the extension be silent when the vault is locked. Very interesting to have Bitwarden as a passkey provider, but please, think of existing YubiKey users.

@nick-1154 Welcome to the forum!

What version of the browser extension do you have? Even on an older extension version, you should be able to simply click the Use browser link at the bottom of the pop-up, and then it reverts to the normal 2FA workflow.

If you have version 2023.10.2, then the pop-up is automatically suppressed if your browser extension is unlocked or if you add bitwarden.com to the “Excluded Domains” list in the browser extension settings.*

*Edit: After additional testing, it appears that the “Excluded Domains” method only works when the vault is unlocked. Update: Nevermind, it does work, but it is poorly documented: for the “Excluded Domains” list to work, it is necessary to specify the full host name (including the subdomain), not just the base domain.

I updated to 2023.10.2 and this behavior doesn’t seem to be working as I understand it. I’m still getting the Bitwarden popup saying there are no keys to use and I need to click “Use Browser” to use a hardware key for sites without passkeys.

I also agree with the suggestion to not use Bitwarden passkeys when the vault is locked, or have that as an option.

Maybe have a disable passkey prompt setting with the following options:
Globally
When Locked
Per Site
Never disable

I’m not sure how you’d handle settings like this when multiple accounts become a thing. I suppose maybe you’d have to disable When Locked (or globally) on all accounts to disable the prompts properly?

To suppress the pop-up, you need to either have your vault unlocked before you get to the FIDO2 prompt, or add the domain to the “Excluded Domains” list in the browser extension settings.*

*Edit: After additional testing, it appears that the “Excluded Domains” method only works when the vault is unlocked. Update: Nevermind, it does work, but it is poorly documented: for the “Excluded Domains” list to work, it is necessary to specify the full host name (including the subdomain), not just the base domain.

Thanks. I couldn’t remember where that behavior occurred, or under what conditions. But when I tried to reproduce it I couldn’t.

It might have been that my vault was locked and I thought it would switch back to the browser automatically when Bitwarden unlocked and didn’t find keys.

1 Like

I just want to add my voice that I use passkey extensively and it’s usually YubiKey, otherwise the OS.

While I understand that if Bitwarden is unlocked, it will not hijack the native browser prompt, because that is the implementation, it is highly disruptive to my workflow and throws me off. I think an option for complete disablement of this particular feature would be expected, especially for users like me who would never use it. I’d prefer it not be by excluding websites as that just isn’t intuitive.

1 Like

I mean, the irony of all of this is that password managers will be obsolete once passkeys can be used everywhere. It makes no sense to store passkeys in a password manager. That is like storing emails in a fax. So I kinda see why Bitwarden is desperate to join the bandwagon, but I think the fight is lost. Breaking the product in this way (by hijacking every passkey procedure) makes me really want to delete the Chrome extension. Bitwarden should just remove all passkey support and tell people to buy a YubiKey / Trezor or use FaceID / Fingerprint etc. instead. Password managers were fun while they lasted, but they were always a tool to work around a broken system which is hopefully a thing of the past very soon.

@levino Welcome to the forum!

If you upgrade your browser extensions to version 2023.10.2, you should no longer have this problem.

I really don’t agree with you, for at least two reasons:

  1. The possibility of saving passkeys “everywhere” (on my desktop and laptop e.g. with Windows, on my Android device, in iCloud Keychain, in Google Password Manager…) is nice on the one hand but can create a whole new “chaos” on the other hand. (e.g. I think you have to keep track of where you save what, because when you lose one device and/or access to it, you had better be prepared to know what passkeys were in there that you are now missing… - I really look forward to the one central place for my passkeys (besides my YubiKeys), of course with a strong master password and 2FA).

  2. I really don’t want to become dependent on one ecosystem like Google or Apple, for security reasons and for being “independent” if I choose to change my “ecosystem” in the future. I really like the idea of storing my passkeys in a password manager and being able to use them (hopefully in the future) everywhere.

1 Like

A note to all the Yubikey owners: they can only be registered with 25 sites. As Passkeys are deployed more widely you won’t be able to use your Yubikey for everything. Yubikeys can’t be copied or backed up so they aren’t a great option for low value Passkeys. Enrolling multiple Yubikeys on every site for backup is tiresome.

A multi-ecosystem Passkey manager like Bitwarden protected by a hardware token will be a very useful option going forward.

1 Like

I totally agree with your post.

However, this:

only applies to sites that create a resident key when you register on them. Not all of them do that.

The main advantage I see in storing my passkeys in a password manager (besides the convenience) is having them all secure in one place (as with my passwords) and the independence from the passkey provider platform (Google, Apple, Windows Hello, etc.).
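The distinction drawn above, between sites that ask the authenticator to store a discoverable (“resident”) credential and sites that do not, is set by the relying party in its WebAuthn registration options. The following is an added illustration written for this thread, not code from Bitwarden or from any site discussed here: it builds the `PublicKeyCredentialCreationOptions` an RP would pass to `navigator.credentials.create()` and runs them against a toy security key with a fixed slot budget, so you can see which registrations actually consume one of the hardware key’s limited passkey slots. The function names, the rpIds, the user record and the slot count are all constructed for the example, and the handling of `residentKey: "preferred"` when the key is full is a labelled simplification.

```javascript
// Added illustration (not Bitwarden's or any relying party's code): how the RP's
// registration options decide whether a security key must store a discoverable
// ("resident") credential, which is what uses one of the limited passkey slots
// on a hardware key. rpId, user record and challenge are constructed values.

function buildCreationOptions({ rpId, residentKey }) {
  return {
    rp: { id: rpId, name: rpId },
    user: {
      id: new TextEncoder().encode("user-0001"), // constructed opaque user handle
      name: "alice@example.com",                  // constructed
      displayName: "Alice",
    },
    challenge: new Uint8Array(32), // placeholder; a real RP sends a fresh random challenge
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      residentKey,                                    // "required" | "preferred" | "discouraged"
      requireResidentKey: residentKey === "required", // legacy boolean, kept consistent
      userVerification: "preferred",
    },
  };
}

// Toy model of a FIDO2 security key with a fixed number of discoverable-credential slots.
function makeSecurityKey(slotCount) {
  return { freeSlots: slotCount, residentCredentials: [] };
}

// Outcome of registering with the given options on that key:
//   "discouraged": non-discoverable credential. The key derives the private key from the
//                  credential ID and stores nothing, so it can be enrolled at any number
//                  of sites this way without touching the slot budget.
//   "required":    a discoverable credential must be stored; fails when the key is full.
//   "preferred":   stored when room exists; when full, modelled here as falling back to a
//                  non-discoverable credential (simplification: real clients differ).
function register(key, options) {
  const sel = options.authenticatorSelection || {};
  const mode = sel.requireResidentKey ? "required" : sel.residentKey || "discouraged";
  if (mode === "discouraged") return { ok: true, resident: false };
  if (key.freeSlots > 0) {
    key.freeSlots -= 1;
    key.residentCredentials.push(options.rp.id);
    return { ok: true, resident: true };
  }
  return mode === "required"
    ? { ok: false, resident: false, error: "key store full" }
    : { ok: true, resident: false };
}

// Example run: a key with two slots enrolled at three sites that require resident keys,
// then at a fourth site that does not. Returns the per-site results for inspection.
function demo() {
  const key = makeSecurityKey(2);
  const sites = ["site-a.example", "site-b.example", "site-c.example"];
  const results = sites.map((rpId) =>
    register(key, buildCreationOptions({ rpId, residentKey: "required" })));
  results.push(register(key, buildCreationOptions({ rpId: "site-d.example", residentKey: "discouraged" })));
  return { key, results };
}

console.log(JSON.stringify(demo(), null, 2));
```

The takeaway for the slot-count discussion: only registrations where the RP sets `residentKey: "required"` (or, when the key has room, `"preferred"`) occupy hardware storage; a site that accepts non-discoverable credentials never counts against the limit, which is why the figure applies per site only for sites that insist on resident keys.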

@halstead Yes, maybe the Yubikeys will (in the future and for me) mainly serve the function to login to Bitwarden via a passkey on it. And Bitwarden will be my main “passkey manager”. BTW: I think I read somewhere that Yubico already plans to support more than 25 passkeys, but only for future models.

And in general another thought: I think in a way it’s the other way round from what @levino wrote… With passwords you didn’t have to have a “(password) manager” if you didn’t want to or didn’t know any better. But with passkeys you more or less always have some form of one or more “passkey manager(s)” - your phone, Google, Windows Hello, iCloud Keychain or a “password manager” like Bitwarden. The only question is which form of passkey management you choose (and whether split across different places or in one central place; in one or more ecosystems or completely platform-independent), not whether.

As a paranoid and long time crypto person, I heavily oppose the idea of having a private key in RAM on a hot device (which is the case with Bitwarden and of course any “syncable” passkey). If my device is compromised (trojan horse, bad USB), I provide access to all my services. Imo this defeats the whole purpose of passkeys in the first place: it suffices for an attacker to have access to 1 device to take over the account. Then passwords plus Google Authenticator / SMS TANs are safer. This is also why I think the support of one time tokens in Bitwarden is a grave mistake. I think the attack is mitigated for Android and Mac / iOS passkeys by biometric checks, but for my taste even these are no real protection (it should not be possible to unlock all my accounts with my corpse).

In order to use hardware-based, non-syncable passkeys, it would be nice if one could register a bunch of passkeys without having the passkeys / YubiKey at hand though (by uploading a text file or something). Then one could keep one YubiKey in a physical vault somewhere. But that is possibly a bit off topic. BTW Trezor Model T and Trezor Safe 3 also support “passkey” functionality and it works quite conveniently.

What I would really like to see as a Bitwarden feature is “unlock vault with passkey” though. Even better would be if I could solely use passkeys / security cards to decrypt the vault and remove the password, which imo is just a weakness in my setup. (I am not sure that decryption with passkeys really is a thing, but I have a PGP key on my YubiKey which can definitely do the job…).

@kpiris Do you have any up-to-date info about non-resident key usage? I really hope that most providers at least give the option to use a non-resident key in the future, and having a list of the ones which support them would be great. I personally think the idea of “resident keys” is a historic mistake. At least it should be possible to reuse resident keys for as many services as one likes.

1 Like

Ok, but why on earth does the passkey prompt pop up when there is no passkey set for said website… makes no sense. Still no update for a disable option?

@radwics Welcome to the forum!

What version of the browser extension do you have installed? If you upgrade to version 2023.10.2, then Bitwarden will not prompt you if there is no passkey stored in Bitwarden for the site.

1 Like

Oh, hello : ) @grb!

Version: 2023.10.2

Is your browser extension locked or unlocked when you see these pop-ups?

If the browser extension is locked, then Bitwarden doesn’t know whether you have a passkey stored for the site or not, because this information is encrypted while the vault remains locked. If you need to suppress the Bitwarden passkey pop-up for a site where you wish to log in while the browser extension is locked, then go to Settings > Excluded domains and add the full host name (including base domain and subdomain) to the list.

1 Like
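The answer above describes three rules: an exact full-host-name match in “Excluded domains” silences the extension, an unlocked vault with no stored passkey for the site silences it, and a locked vault cannot silence it because the vault contents are encrypted. The block below is an added model of that described behaviour, written for this thread; it is not Bitwarden’s extension code, and it contrasts exact host matching with base-domain matching to show why an entry like `bitwarden.com` does not cover `vault.bitwarden.com`. The function names, host names, excluded list and stored rpIds are constructed, and the two-label `registrableDomain()` helper is a deliberate simplification that real code would replace with the Public Suffix List.

```javascript
// Added model of the prompt behaviour described in this thread, for illustration
// only; not Bitwarden's extension code. Host names, the excluded list and the
// stored passkey rpIds are constructed values.

// Normalise one "Excluded Domains" entry to a bare lowercase host name. Bare hosts
// ("vault.example.com") and full URLs are both accepted; scheme, port, path and a
// trailing dot are dropped.
function normalizeHost(entry) {
  const withScheme = entry.includes("://") ? entry : `https://${entry}`;
  return new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
}

// Exact full-host matching, as the thread describes: "bitwarden.com" does NOT
// cover "vault.bitwarden.com".
function isExcludedExactHost(pageUrl, excludedEntries) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  return excludedEntries.some((entry) => normalizeHost(entry) === host);
}

// Contrast: matching on the registrable (base) domain would cover every subdomain.
// The last two labels are used as a simplification; real code must consult the
// Public Suffix List ("example.co.uk" has three labels, for instance).
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}
function isExcludedByBaseDomain(pageUrl, excludedEntries) {
  const base = registrableDomain(new URL(pageUrl).hostname.toLowerCase());
  return excludedEntries.some((entry) => registrableDomain(normalizeHost(entry)) === base);
}

// Decision for a page that has just issued a WebAuthn request, following the thread:
//  - excluded host (exact match)           -> Bitwarden stays silent, native prompt runs
//  - vault locked                          -> Bitwarden prompts, because it cannot read
//                                             the encrypted vault to know if a passkey exists
//  - vault unlocked, no passkey for the RP -> Bitwarden stays silent (2023.10.2 behaviour)
//  - vault unlocked, passkey present       -> Bitwarden prompts
function shouldShowBitwardenPrompt({ pageUrl, vaultLocked, excluded, storedPasskeyRpIds }) {
  if (isExcludedExactHost(pageUrl, excluded)) return false;
  if (vaultLocked) return true;
  const host = new URL(pageUrl).hostname.toLowerCase();
  // A stored passkey's rpId may be a registrable-domain suffix of the page host,
  // so "bitwarden.com" covers "vault.bitwarden.com" here (WebAuthn rpId rule).
  return storedPasskeyRpIds.some((rpId) => host === rpId || host.endsWith(`.${rpId}`));
}

// Example run over a constructed configuration.
function demo() {
  const pageUrl = "https://vault.bitwarden.com/#/login";
  return {
    baseDomainEntryExact: isExcludedExactHost(pageUrl, ["bitwarden.com"]),      // false
    baseDomainEntryBase: isExcludedByBaseDomain(pageUrl, ["bitwarden.com"]),    // true
    fullHostEntryExact: isExcludedExactHost(pageUrl, ["vault.bitwarden.com"]),  // true
    lockedNotExcluded: shouldShowBitwardenPrompt({
      pageUrl, vaultLocked: true, excluded: ["bitwarden.com"], storedPasskeyRpIds: [] }), // true
    lockedExcluded: shouldShowBitwardenPrompt({
      pageUrl, vaultLocked: true, excluded: ["vault.bitwarden.com"], storedPasskeyRpIds: [] }), // false
  };
}

console.log(demo());
```

Run with `node` to see the five outcomes; the first three show why the full host name is required in the exclusion list, and the last two show that exclusion is the only lever left once the vault is locked.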

It was locked, that’s why it was prompting me for a passkey. Thank you @grb :smiley:

1 Like

Was thinking about it, but is it possible to disable passkeys when the db is locked?

1 Like