Advice for securing vault

Good morning, I received my fingerprint reader, everything works, but if I set “login with passkey” in the Password section in the website it says “encryption not compatible”. Is this a security issue? I preferred not to activate this option for now, but now I have the problem that when I start the extension on Chrome, it asks me for the password even though I have enabled the “unlock with biometrics” and “require biometrics on startup” options; once unlocked with the password, then biometrics activates. I would like to log in directly with the fingerprint. The desktop app, however, works as I would like and logs me in directly with biometrics. Is there something I’m missing or is this behavior normal?

@gixo It’s a bit hard to understand what you were doing, as you seem to use the word “unlock” both for (indeed) unlocking and for logging in, which are not the same thing. (–> Understand Log In vs. Unlock | Bitwarden)

So, you stored that login-passkey in Windows Hello?! – Yeah, that is not PRF-capable, so you can’t store the login-passkey “with encryption” via Windows Hello.

It’s not a security issue. It just means that this passkey can’t decrypt your vault and therefore you still have to enter the master password. (A login-passkey “with encryption” makes it possible to log in without the need of entering the master password.)

Could you please describe exactly what you did here after starting the extension? Did you

  • log in with your login-passkey?
  • or unlock with your master password?

And if you logged in, that would mean you logged out before. I’m really not sure, but it might be that you have to set up biometrics again on the extension after you logged out. – And in general, it is more convenient to set the vault timeout action to “lock” and not “log out”. (but I don’t remember everything that was discussed before in this thread – if it is your intention to always log out, then continue with that practice)

I don’t know exactly what you meant to say by “once unlocked with the password” (in that whole sentence), so please explain. [PS: ah, I think you just meant entering the master password…?! I was a bit confused as you wrote before “it asks me for the password” and I wasn’t sure if you meant a second request for a password or whatever.]

For the second part of that quote here: as far as I understand your setup, and as explained before, you can’t use your Windows Hello login-passkey to log you in only with your fingerprint, as it is “without encryption” and therefore your master password is still needed for the login.

If you meant “unlock” on the other hand: it is possible to unlock the browser extension only with biometrics. But for that, the desktop app must be running in the background first, and your browser extension must be locked (i.e. you mustn’t be logged out). When that is set up correctly – and under these circumstances – then you can unlock the extension just with biometrics. (–> Unlock With Biometrics | Bitwarden)

That sounds good, as it’s also a requirement for the biometric unlock of the extension to work. (as described before)

(I tried to explain it now roughly. If you need more specific instruction based on that, please ask again.)


Addition: Login-with-device would be another option I previously forgot. But that is not based on any passkey and doesn’t work with the local biometrics of your Windows computer, but needs another BW client, that grants the login.

Hi, thanks. I apologize for the way I wrote my message; I’m using a translator.
Let me explain.

  • I went to the Bitwarden website, set a passkey, and saved it in Windows Hello.
  • I’m getting an issue with encryption not being supported.
  • To log in, I use biometrics on the desktop app, and it works. I can also log in with biometrics on the Chrome browser extension with a passkey set, but without it, it asks for my password.
    I should point out that both the extension and the desktop app are set to “lock after 3 minutes,” and I use biometrics to unlock them.

My questions are:

  1. If the passkey doesn’t support encryption, is that a security issue?
  2. What can I use to make it supported and allow me to log in securely using biometrics?
  3. What I would like to do is log in without having to type in my password.
  4. THANK YOU

Ah, no problem. And that explains it to a certain extent.

To your questions: I think I responded to most of that in my previous post already.

To answer that, it would now be important to make clear if you either mean biometric login or biometric unlock.

Again: login or unlock ?

I’m interested in login

Okay… as I tried to explain in this previous post, and as I understand it, to only use biometrics for login is not possible in your current setup. (As Windows Hello can only store login-passkeys without encryption → and that means you still have to enter the master password.)

Most common solution: you would need a hardware security key (like a YubiKey) with biometrics support (fingerprint), where you could store a login-passkey with encryption. That would make it possible to login only with a fingerprint on that security key. (Or if you had a mobile phone which could store a BW login-passkey with encryption, then you could use the CDA (Cross-Device Authentication) / passkey-QR code login route in connection with your phone…)


PS: If you would also be okay with “unlock” only with biometrics: this would be possible with your current setup.

PPS: Ah, yes, @Neuron5569 is right: you could make use of the biometrics of another device (so to speak) for login with the login-with-device feature. That would be an option. – Previously I only thought about the local biometrics of your Windows computer.

Windows Hello’s passkey doesn’t have a PRF capability, a necessary condition to log in with a passkey “with encryption.” You can use Windows Hello as a convenient “passkey” 2FA, though.

Without a PRF-capable security key/authenticator, the only passwordless login option you have is “Login with Device” on the next screen once you enter the email (on a client that you have logged in with a password once).

For unlocking, however, you can use biometrics. If you set it up to not require a password on restart on the desktop and to start the desktop first before you unlock the browser extension, you’ll be able to unlock without dealing with the login. I personally don’t do this, and when restarting the system, I end up starting the desktop, logging out, logging in with the device, and from then on, all the unlocking is via Windows Hello’s biometrics.


If I understand correctly,

I log in to the Bitwarden desktop app and lock the app. When I restart it, it asks me to unlock with biometrics.

To log in to the Chrome browser extension, I enter my email address and, when entering my password, click “Log in with device.” I can then log in using my biometrics from the desktop app. I tried it, and it works. Is it a secure method?

Try closing Chrome; the next time you restart it with the desktop app running, it will ask to unlock via biometrics, so you won’t have to log in again.

The question is, since whenever you restart the desktop, you are not using a password to unlock, and you are not logging out and then logging back in with device, is it safe? You know that your encryption key, or a derivation thereof, is being stored using Windows Hello, so malware that understands how Bitwarden stores such secrets and could possibly social-engineer you into providing biometrics might get the same secret. With the encrypted vault cached on the disk, this may be all the attacker needs to decrypt your vault (without the password or a 2FA method).

How about not doing that and instead providing a password every time you restart the desktop? Well, persistent malware on your system can keylog the password too. But what about using “Login with Device,” where you don’t even enter a password? Malware could possibly perform a memory dump of your decrypted vault in memory.

Malware on your system doesn’t have all or any of those capabilities. Which one do you think is easier to implement or more likely? Bitwarden has previously advised users to require a password on restart while using Windows biometrics.

Better not get malware on your device, and you won’t have to worry about these issues. You can see in other community threads that Windows biometrics, without requiring a password on restart, is commonly used, maybe especially in corporate settings.


Why?

Most users leave their apps and browser extensions logged in at all times, and instead secure their data by locking the vault when not in use. Frequent logging in and out should only be necessary in highly unusual use cases (or when using the Web Vault, which logs itself out automatically on each browser restart, no matter how your timeout settings are configured).

Are you sure that your Desktop app has been correctly configured to support biometric unlocking of the browser extension? The latter will not work properly without the former.

Please double-check the following set-up instructions:

Log in to the Bitwarden Desktop app, and open File > Settings. In the “SECURITY” section at the top of the Settings, ensure that you have enabled (checked) the option “Unlock with Windows Hello” (and optionally disable the option “Require master password or PIN on app restart”); also ensure that the “Timeout Action” is set to “Lock” (not “Log out”). Next, scroll down to the section titled “APP SETTINGS (ALL ACCOUNTS)” and confirm that you have enabled the option “Allow browser integration”. You should also enable (check) the 5 options immediately above “Allow browser integration”:

From here on, whenever you do any work in the Bitwarden Desktop app, it would be advisable to refrain from ever selecting “Quit Bitwarden” in the File menu (to ensure that you don’t interfere with the browser extension’s ability to use biometric unlock, which requires the Desktop app to be running).

After completing the Desktop app configuration as described above, open your browser(s), right-click the Bitwarden browser extension icon in the top right corner, and select “Manage extension”. In the window that opens, if you see an option labeled “Allow access to file URLs”, then you must enable it. If there is no such option, that’s OK.

At this point, open the Bitwarden browser extension, go to Settings > Account Security, and enable (check) the option “Unlock with biometrics” (and optionally enable “Ask for biometrics on launch”). If prompted for permission to “communicate with cooperating native applications”, click “Allow”. Next, go to your Bitwarden Desktop app, click “Approve” at the verification prompt, and complete the Windows Hello authentication when prompted. While still in the Account Security section of your browser extension settings, set the “Timeout Action” option to “Lock” (not “Log out”).

After the above set-up procedure has been completed, biometric unlocking should work. However, for best results, observe the following advice:

  • Never log out of the browser extension.
  • Never log out of the Desktop app.
  • Never quit the Desktop app using File > Quit Bitwarden (clicking the X (close) button in the upper right corner of the window is OK, and is the correct way to close the window while leaving the app running in the background).
  • If you restart your computer (or log out of and log back in to your Windows account), wait for the Desktop app to (automatically) start up before opening the browser extension.

I followed your advice and recommended settings; now it works fine, thanks.


You’re welcome.

FYI, I changed the topic title to be more descriptive (old title was: “Help with backup storage”; new title: “Advice for securing vault”).
