Allow skipping confirmation to log in with a passkey

When I log in to a site with a passkey, Bitwarden asks me to select which one I want. I usually only have one, and I usually just care about logging in, and don’t really care about which credential I use.

It would be great if Bitwarden could have an option (perhaps per-site/per-passkey) to automatically log me in, skipping the selection dialog. It would make logging in to sites much faster, and if this is a per-site option, I would lose no functionality that currently exists.


Is there anyone I can tag for this to be seen? It’s really annoying to have to wait for the popup every time, only to always click the only button there.

In some cases the passkey you want to use to log in might not be stored in your Bitwarden vault. It could be annoying if you have to change settings every time you have to use other passkeys. I would agree the pop-up is slow, I think they could increase the speed…

This can be solved very simply by having a setting on the item saying “automatically use this passkey”. There’s no sense in optimizing for the 0.1% case when 99.9% of the time I want to use the one passkey that’s in my password manager.

I agree that having this as a user-configurable option (especially if configurable per item) would be nice.

Even having the ability to submit the passkey selection prompt using the Enter key would be an improvement.

FYI, as noted in this comment, Bitwarden is reluctant to implement automatic login for username/password credentials, due to security concerns. However, such concerns may not be as relevant when it comes to passkey login, since the private key would never be exposed.

Unfortunately, I have no more votes to give (and I assume the same is the case for you, since you have not voted for your own request). Maybe this proposal will gain some traction after some votes have been accumulated.


Oh oops, I didn’t realise I had to vote. I assumed that it would auto-vote my own requests and never bothered to check, thank you.


When a site offers login with a passkey, there shouldn’t be more clicks required when we have only one passkey for the site.

Same way autofilling works.

Currently a subwindow shows up for no reason.

@notmypassword4566 Hi!

I can see what you mean!

But, I can at least think of two reasons, why there has to be a popup window like this:

  1. The passkey protocol/specs intends to have some “user verification”. That ensures “proximity” - the presence of the user, who has to confirm the passkey usage.

  2. Also when it is the only passkey in Bitwarden for a given website - there has to remain a possibility to also access another device (physical security key, Android device via QR code/Bluetooth, …).


But we could reuse the Auto fill option for passkeys too, to speed up everything.
The user could make that decision; it comes down to convenience vs security.
And we can still have it on a per-site basis.

@notmypassword4566 Welcome to the forum! I moved your post into an existing feature request.

As @Nail1684 hinted at, WebAuthn specs require that the authenticator verify User Presence by prompting for an “authorization gesture” during each passkey authentication “ceremony”. For a Yubikey, this means you have to touch the key each time you use a passkey stored on the key; for a platform like Bitwarden, it means you will have to interact with the app each time you use a passkey.

However, I think that one simple modification that would really help would be if we could use the Enter key to confirm the passkey selection.


A post was merged into an existing topic: Passkeys - can you turn off the master password verification for sites?

What about detecting if user clicked on “login via passkey” button, or any cursor movement?
That’s enough presence I think.

If malware can move the cursor then it can also select the default key in the addon, so no security is gained there by manual input.

There may be alternative ways, but it’s going to come down to what the FIDO alliance (or whoever the certifying body is going to be) will consider acceptable.

Yes that likely would be enough to satisfy the “test of user presence”, which results in the “UP” flag being set. UP has not proven controversial.

It is not, however, sufficient to satisfy “user verification”, which results in the “UV” flag being set. It is this latter UV flag that is causing all the recent angst.
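Added example, not part of the original thread: how a relying party reads the UP and UV bits discussed above from the authenticator data of a passkey login assertion, and why a set UP bit alone fails a request that required user verification. The function names and the sample bytes (placeholder rpIdHash, signCount 7) are constructed for illustration.

```javascript
// Flag bits in the authenticator data "flags" byte, as defined by WebAuthn.
const FLAG_UP = 0x01; // User Present: an authorization gesture was given
const FLAG_UV = 0x04; // User Verified: PIN, biometric, or similar succeeded

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError('authenticatorData must be at least 37 bytes');
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Relying-party policy for a login assertion: UP must always be set; UV must
// be set only when the request used userVerification: "required".
function checkUserFlags(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: 'UP flag not set' };
  }
  if (userVerification === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'UV flag not set but verification was required' };
  }
  return { ok: true, reason: 'flags acceptable' };
}

// Constructed sample input: placeholder rpIdHash (0xAA bytes), chosen flags, signCount 7.
function sampleAuthData(flags) {
  const data = new Uint8Array(37).fill(0xaa, 0, 32);
  data[32] = flags;
  new DataView(data.buffer).setUint32(33, 7, false);
  return data;
}

// Presence-only gesture (a click on a confirm button): UP set, UV clear.
console.log(checkUserFlags(sampleAuthData(FLAG_UP), 'preferred'));
console.log(checkUserFlags(sampleAuthData(FLAG_UP), 'required'));
// Presence plus verification: both bits set.
console.log(checkUserFlags(sampleAuthData(FLAG_UP | FLAG_UV), 'required'));
```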

Some could argue that “user verification” is already satisfied by being logged into the addon,
since at that point anyone could take over any site using usr/pwd.

This has already been argued, but in a different thread:

Since the current feature request is not about User Verification, any further discussion on User Verification should be posted in the thread linked above.

Not all relying parties have a “Log in with passkey” link (the passkey prompt is automatic). As simple as the suggestions seem, I think there may be issues resulting from the requirement that UP requires an authorization gesture provided to the authenticator (e.g., in response to a prompt from the authenticator) during the authentication ceremony. A “Log in with passkey” link (if present) comes from the RP (not the authenticator), and happens before the start of the authentication ceremony.

I interpreted the comment as referring to the “Confirm” button on the Bitwarden “Login with passkey” prompt (pictured below), which does seem like reliable during-the-ceremony UP, given that there is no “remember” checkbox.

image
(image credit)

I concur that anything on the RP site does not demonstrate UP to Bitwarden; therefore Bitwarden cannot base its attestations on it.

I think that @notmypassword4566 was referring to website login forms that have a passkey option, like GitHub:

image

In contrast, clicking the current Bitwarden Confirm pop-up (shown in your screenshot) is the authorization gesture in the current implementation, allowing Bitwarden to assert User Presence.

The topic of this feature request is a proposal to somehow eliminate or bypass this existing User Presence pop-up (at least for sites that only have a single stored passkey).

Surely every site has a dedicated login with passkey button, otherwise it would be an unintended login. In that case we could ask for UserPresence,
but if the login button is there and it was pressed then we shouldn’t need to (given we have exactly one key for the site).