Allow storing multiple passkeys on one vault item

Oh, interesting! I just did one (!) test with GitHub, because there you can create a passkey (for full login) or a “security key” (only for 2FA) - and here is my report:

It seems Bitwarden can indeed store the GitHub-2FA-“security key” labeled as a passkey (which is incorrect). And in fact, it can only be used as 2FA and not for the full login to GitHub.

Only the real passkey created in GitHub can provide full login then.

So obviously, Bitwarden can indeed store both - discoverable and non-discoverable FIDO2 credentials.

Though, again, it is not ideal to call this a stored passkey then, as non-discoverable credentials are not passkeys.

And then I would suggest that it should indeed at least be possible to store one discoverable credential (= passkey) and one non-discoverable credential (whatever it should be called :sweat_smile: ) in one vault item. And both shouldn’t be called passkeys then, because they are not the same thing.

@RyanL @Micah_Edelblut (–> see text above also :wink: )

“Non-discoverable passkeys” is an interesting term. I’m no WebAuthn expert, but it is not a right use of the terminology. Bitwarden seems to use the terminology not as it should be, unfortunately… PS: Somehow Bitwarden decided to call all discoverable and non-discoverable FIDO2 credentials passkeys, which goes against the right terminology…

PS: Here are two sources for the terminology (and BTW I think it matters to use it correctly, because otherwise it only creates more confusion):

"Passkeys are Discoverable Credentials." (Terms | passkeys.dev )

And here Yubico describes it in more detail and a bit more unclearly in the first sections maybe: “Discoverable vs non-discoverable credentials”. But then in the paragraph about “Non-discoverable credentials” they write relatively clearly: “While non-discoverable credentials are not considered passkeys…”