Advantage for logging into Bitwarden with Passkey?

I’m confused.

What is the use case for logging into Bitwarden with a Passkey instead of a strong password and TOTP? Doesn’t that just increase the risk because now I need to protect my new Passkey along with my usual password and TOTP?

The advantage is that instead of remembering a master password, you now only have to remember a passkey PIN (or not even that, if your passkey allows biometric authentication).

1 Like

I think the OP might be referring to the fact that apart from the new passkey, you still have your existing master password and 2FA associated with your account.

I’ve had the same thoughts myself, though not specifically about logging into BW. For any website that you add a passkey authentication method, and for which you already have an account, can’t a bad actor bypass the passkey by choosing to log in “using another method”? So in a way, the passkey is not adding any extra security. Perhaps I’m missing something?

Sure, a bad actor could currently do that. But if you only use passkeys to log in, you ensure that you are not accidentally logging in to a phishing site, for example. So, if you would otherwise use your master password and TOTP, you wouldn’t have similar protection.

2 Likes
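The phishing-resistance point above comes from how WebAuthn binds an assertion to the site the browser is actually on. The following is an added illustration (not code from the thread, from Bitwarden, or from any passkey implementation) of that binding: the browser derives the relying-party ID from the real page origin and records the origin in clientDataJSON, the authenticator signs over SHA-256(rpId) plus a hash of that clientDataJSON, and the server rejects anything whose origin or rpIdHash is not its own. The relying-party names are made-up placeholders, and an HMAC key stands in for the per-site ECDSA P-256 key pair a real authenticator would hold, so the block runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Assumed relying party for the example (placeholder values, not a real site).
RP_ID = "vault.example.com"
RP_ORIGIN = "https://vault.example.com"


class Authenticator:
    """Toy passkey holder (security key or phone).

    A real authenticator keeps one ECDSA P-256 private key per (rp_id, account).
    Here an HMAC key stands in for that key so the example is stdlib-only; the
    layout of what gets signed follows WebAuthn.
    """

    def __init__(self):
        self._keys = {}  # rp_id -> per-site credential key

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # what the relying party stores to verify later assertions

    def get_assertion(self, rp_id, client_data_json):
        key = self._keys.get(rp_id)
        if key is None:
            raise LookupError("no passkey for rp_id %r" % rp_id)
        # authenticatorData = SHA-256(rp_id) || flags || signature counter
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([0x05])             # flags: user present + user verified
                     + (1).to_bytes(4, "big"))   # counter
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()


def browser_login(origin, challenge, authenticator):
    """Browser side: rp_id comes from the real page origin, and that origin is
    written into clientDataJSON. Neither the page nor the user can override it."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    auth_data, signature = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, signature


def rp_verify(stored_key, expected_challenge, client_data, auth_data, signature):
    """Relying-party checks from WebAuthn assertion verification."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:
        return False          # replay or wrong session
    if cd.get("origin") != RP_ORIGIN:
        return False          # assertion was produced on some other site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False          # rpIdHash is not ours
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(stored_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def login_at(origin, authenticator, stored_key):
    """Full round trip: RP issues a challenge, the browser at `origin` asks the
    authenticator, the RP verifies. True only for a genuine login."""
    challenge = secrets.token_urlsafe(32)
    try:
        client_data, auth_data, sig = browser_login(origin, challenge, authenticator)
    except LookupError:
        return False          # no passkey exists for that site, nothing to sign
    return rp_verify(stored_key, challenge, client_data, auth_data, sig)


def demo():
    """Returns (genuine_login, lookalike_login, relayed_assertion_accepted)."""
    authr = Authenticator()
    stored_key = authr.register(RP_ID)
    genuine = login_at(RP_ORIGIN, authr, stored_key)

    # Look-alike phishing domain: the browser derives a different rp_id, so the
    # authenticator has no credential to sign with and the login stops there.
    evil_origin = "https://vault.example.com.login-check.invalid"
    lookalike = login_at(evil_origin, authr, stored_key)

    # Relay: even if the user had a passkey for the look-alike domain and the
    # phisher forwards the real RP's challenge and the resulting assertion,
    # the origin and rpIdHash inside it name the wrong site and it is rejected.
    authr.register(urlparse(evil_origin).hostname)
    challenge = secrets.token_urlsafe(32)
    cd, ad, sig = browser_login(evil_origin, challenge, authr)
    relayed = rp_verify(stored_key, challenge, cd, ad, sig)
    return genuine, lookalike, relayed
```

Contrast this with a master password plus TOTP: both are secrets the user types into whatever page is in front of them, so a look-alike page can collect and relay them within the TOTP window. Nothing in the example above is typed by the user, and the only thing the phishing page can collect is an assertion that names the phishing page.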

The passkey is not adding extra security; it is adding convenience.

After passwordless passkey login has become available on the majority of Bitwarden client apps/browsers/operating systems, I believe that Bitwarden will offer the option to delete your master password, but that’s a ways off in the future.

1 Like

Does it somehow add extra security if I need to access Bitwarden on a public computer or network?

I could be wrong, but I don’t think it would offer any significant extra security in such a scenario. If the public computer has malware, then it can copy your vault contents (and probably also your session token) no matter what method you use to log in. Using a passkey, you would avoid the risk of exposing your master password to shoulder surfers when in public, but you would expose your passkey PIN to the same shoulder surfers (unless you are unlocking your passkey with biometrics).

Agreed. It was poor choice of words on my part. I really meant to say stronger security. Based on my research, I believe that passkeys are inherently more secure than password/MFA. However, the point I was trying to make is that unless you can remove any preexisting passwords, and the site allows login “using another method”, the passkey loses that advantage of stronger security and as you point out, becomes just a convenience. Please correct me if I’m wrong.

First of all, I’m going to assume that by “MFA”, we are considering only a FIDO2/WebAuthn key, otherwise we’re comparing apples and oranges.

In what sense? In the former case, you need the hardware that the passkey is stored on (let’s assume a Yubikey, for sake of argument), and the PIN/password for this hardware. In the latter case, you need the account password, and the hardware that the FIDO2/WebAuthn key is stored on (if we are logging in to Bitwarden using a Yubikey as 2FA, we do not also need to input a PIN/password for the Yubikey). So in both cases, we have a secret that can be stolen by phishing or shoulder-surfing, and a hardware key that would also have to be physically stolen.

Thus, since the hardware theft requirement is identical in both cases, the relative security of the two methods depends on the strength of your master password and FIDO2 PIN. If your PIN has high entropy and your master password has low entropy, then the passkey login method will be the more secure one, but vice versa, if your PIN has low entropy and your master password has high entropy, then the passkey login method will be the less secure one.

the site allows login “using another method”, the passkey loses that advantage

If you’re committed to using passkey login only, then you can just set your master password to a random string with over 256 bits of entropy (e.g., 42 alphanumeric mixed-case characters) and forget about it. If you never use the master password after you have changed it, then it cannot be leaked by phishing, shoulder surfing, or any other method. And it will be more resistant to a brute force attack than the actual symmetric encryption key that is needed to decrypt your vault contents.

1 Like
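To put numbers on the “random string with over 256 bits of entropy” idea from the reply above, here is a small added helper (not from the thread or from Bitwarden’s own generator) that computes the entropy of a uniformly random string for a given alphabet and length, the minimum length needed to reach a target number of bits, and generates such a string with the OS CSPRNG rather than the default pseudo-random module. The alphabet is the 62 mixed-case alphanumeric characters the reply mentions; a 256-bit AES key is included as the comparison point.

```python
import math
import secrets
import string

# 62 symbols: a-z, A-Z, 0-9
ALPHANUMERIC = string.ascii_letters + string.digits


def entropy_bits(length, alphabet_size=len(ALPHANUMERIC)):
    """Entropy, in bits, of `length` symbols drawn uniformly and independently
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    This holds only for uniformly random output, not for human-chosen strings."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size=len(ALPHANUMERIC)):
    """Smallest length at which a uniformly random string over the alphabet
    has at least `target_bits` bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length, alphabet=ALPHANUMERIC):
    """Uniformly random password of `length` symbols using the OS CSPRNG
    (secrets.choice); never use random.choice for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def aes256_key_bits():
    """Entropy of a random 32-byte symmetric key, the strength of the vault's
    own encryption key: 32 symbols from a 256-symbol alphabet."""
    return entropy_bits(32, 256)


def throwaway_master_password(target_bits=256):
    """A master password you set once and never type again: long enough to
    match or exceed the symmetric key that protects the vault."""
    return random_password(length_for_bits(target_bits))
```

Run `entropy_bits(42)` and `length_for_bits(256)` to see where the 256-bit line actually falls for a 62-symbol alphabet; the generator is deliberately uniform so that the arithmetic applies to its output.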

Thank you so much for your comprehensive reply, which, as always is very clear and informative. I agree with your argument in the case when MFA is provided by a FIDO2/WebAuthn hardware key.

Even though I have a background in IT, I’m fairly new to the whole field of security, authentication, etc. so I could well be comparing apples and oranges.

My thinking is perhaps a little simplistic given the complexities involved. However, I have read/heard on many occasions and from multiple sources that passkeys are the way of the future, potentially eliminating the need for passwords altogether. This is seen as desirable due to the many potential security weaknesses that are associated with the use/misuse of passwords. The MFA I was thinking of was more in terms of SMS, email or authenticator app codes, i.e. not so much hardware keys.

So from that perspective, in an ideal world, I understand that when registering onto a website for the first time, best practice would be to opt to use a passkey if possible, i.e. a passwordless login. In this scenario, there are no passwords or 2FA codes to be hacked, phished, etc. That said, as an aside, I’m not sure what “log in using another method” would look like.

In the case of a website for which someone already has an existing account using password (and maybe 2FA), I feel that adding a passwordless/passkey login is more of a convenience since it’s not really adding another level of protection. In the event that your password has been hacked, a bad actor can “log in using another method”.

I apologise if I’m not making myself clear but I’m still trying to figure all this out for myself!

1 Like

I dare to disagree on that. :wink:

Okay, master password + MFA would be the fallback and in this way, an additional passkey doesn’t add extra security. But a thing I also constantly forget: when you use the passkey, in that moment the risk of phishing is reduced, even if I still have a master password + MFA “in the background”. And as long as you don’t use the master password + MFA that info is less likely to be leaked or phished. So I would say, an additional passkey does add a bit of extra security - when you use it.

(just for being clear/transparent: here in this thread I think mainly of a hardware bound passkey with encryption, e.g. on a YubiKey, for the Bitwarden login - I don’t know if the same as I wrote above would be true for all kinds of passkeys…)

PS: On the other hand, you possibly create a new security risk with the hardware-bound passkey, when you don’t protect it well enough with(out) a good PIN or biometrics… So maybe it is not a clear zero or one… :thinking:

1 Like

So I dipped my toe into the Passkeys world just recently. I like the idea of reducing the risk of compromise during site authentication.

I would consider using a Passkey on my phone to log into my Bitwarden vault. The risk there is, I’m then relying on my phone and if it’s out, then it also takes out my backup method of 2FA with a hardware key that relies on an app on the phone.

Brings up another question can Passcodes on a phone be backed up?

I realize I still need to learn a lot more about this new technology.