As long as it is the official definition by the FIDO alliance etc. (non-discoverable = not a passkey), I tend to stick to it - until it may change…
Firstyear’s blog-a-log does concede that the definition has migrated to “a passkey is a resident [a.k.a. discoverable] key”:
Firstyear’s argument is not that the definition is wrong, but that it “could be expanded to be all possible authenticators”. One problem with this posture is that NIST defines authenticators to include passwords. More significant, though, is that the argument seems largely mooted by Google Titan now supporting 250 resident passkeys, largely exceeding his capacity concerns.
No, I meant the public one, but I expressed myself very poorly.
I meant, that with a discoverable credential, the key pair associated with that credential is (generated and) stored in a slot in the authenticator (both public and private keys).
But with a non-discoverable one, the generated key pair is derived from the FIDO master key and not stored in the authenticator but in the relying party server (only the public part, as what’s called a credential id).
The authenticator does not keep track at all of any non-discoverable key pairs derived from its master key; that’s what I meant by saying that the public key is stored by the RP server.
In any case, the private key should always be kept inside the authenticator (be it the FIDO master key, or any created discoverable key pair).
Yes, wrong wasn’t the perfect term.
Token2 is also solving that with a high capacity of 250. I’m sad that Yubico is so late on this, because I wanted a Yubico but the capacity was too limited.
But more or less 500 accounts, so it will still need expansion that wouldn’t be needed with non-resident ones.
But to be honest, I prefer the resident ones as they allow us to log in without even providing a username.
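The discoverable vs. non-discoverable split described in this post (key pair stored in a slot vs. re-derived from the master key with only the credential ID held by the RP, plus the username-less lookup that resident keys allow), as an added toy model constructed for illustration; it is not code from the thread or from any authenticator. It assumes HMAC-SHA256 for key derivation and uses a hash as a stand-in for the public key and the signature, where a real authenticator would use an EC key pair and ECDSA.

```python
import hmac
import hashlib
import os


def public_key_of(priv: bytes) -> bytes:
    # Placeholder for EC scalar multiplication: a one-way map from private to public key.
    return hashlib.sha256(b"pub|" + priv).digest()


class ToyAuthenticator:
    """Constructed model of an authenticator; not CTAP and not any vendor's firmware."""

    def __init__(self, max_resident: int = 250):
        self.master_key = os.urandom(32)  # never leaves the device
        self.resident = {}                # rp_id -> private key; one slot per discoverable cred
        self.max_resident = max_resident

    def _derive(self, label: bytes, rp_id: str, nonce: bytes) -> bytes:
        return hmac.new(self.master_key, label + rp_id.encode() + nonce, hashlib.sha256).digest()

    def make_credential(self, rp_id: str, discoverable: bool):
        nonce = os.urandom(16)
        priv = self._derive(b"key|", rp_id, nonce)
        if discoverable:
            if len(self.resident) >= self.max_resident:
                raise RuntimeError("authenticator is full")
            self.resident[rp_id] = priv       # kept on the device; costs a slot
            cred_id = nonce
        else:
            # Nothing is stored: the credential ID carries the nonce plus a MAC, so the
            # same private key can be re-derived later and foreign IDs are rejected.
            cred_id = nonce + self._derive(b"id|", rp_id, nonce)[:16]
        return cred_id, public_key_of(priv)   # the RP stores both

    def private_key_for(self, rp_id: str, cred_id=None) -> bytes:
        if cred_id is None:                   # username-less login: lookup by rp_id only
            return self.resident[rp_id]
        nonce, tag = cred_id[:16], cred_id[16:]
        if not hmac.compare_digest(tag, self._derive(b"id|", rp_id, nonce)[:16]):
            raise ValueError("credential ID was not minted by this device for this RP")
        return self._derive(b"key|", rp_id, nonce)

    def get_assertion(self, rp_id: str, challenge: bytes, cred_id=None) -> bytes:
        # Stand-in for an ECDSA signature over the challenge with the credential's private key.
        return hmac.new(self.private_key_for(rp_id, cred_id), challenge, hashlib.sha256).digest()
```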
Agreed, and I also prefer syncable (as Bitwarden implements) due to better scalability (add to one; appears on all), recovery (can backup/restore in mere minutes), and much-larger capacity limits.
Hello,
I have a problem using passkeys with the eBay mobile app and the website for the very same reason: Bitwarden doesn’t allow storing multiple passkeys in one vault item.
Here’s my situation: I have only one eBay account in one country; I’m using Bitwarden on iOS and also as the Chrome plugin on macOS. When I create a passkey in the eBay app on iOS, it can’t be used in the browser’s plugin on ebay.de. The Bitwarden plugin shows “No passkey found for this application” error, whereas I see the passkey is synced. The opposite is also true: whenever I create a passkey on ebay.de, it can’t be used in the iOS eBay app despite everything being synced.
Next. When a passkey was created on the website and then I try to add a new one in the iOS app, Bitwarden prompts to rewrite the passkey for the same login item. If I agree to rewrite, I no longer can login with passkey via browser as it was replaced in vault with a new one. Meanwhile, an eBay account stored two passkeys: one for the app, one for the browser. Basically, multiple passkeys are used by different entry points, but Bitwarden doesn’t support this.
I don’t think it’s sane to suggest users create a separate vault item to store separate passkeys for the same eBay account. This is exactly the case why Bitwarden should allow to store multiple passkeys per login item.
Out of my experience, many services (Google, Microsoft, GitHub) allow using multiple passkeys, so this is a common use case that Bitwarden doesn’t support and, for some reason, refuses to acknowledge. Bitwarden’s competitor, ProtonPass, supports storing multiple passkeys per login item. Thus, I believe Bitwarden shall address this issue urgently, as it currently prevents users from using passkeys in scenarios like mine and creates unnecessary issues.
@Zakton Just a short response:
In my experience, eBay and passkeys are an unsolved problem - and eBay may have up to this day a bad implementation of passkeys…: Passkey popup doesn't show - domain not on excluded domains list
I just tried to login with my passkey (in Bitwarden) on eBay (Brave, Windows 11) - still doesn’t work for me. (basically same situation as in my old thread: the passkey-popup doesn’t pop up - the domain is not listed as an excluded domain - eBay and Brave don’t offer any passkey-usage… and there I didn’t follow it anymore but just wait for a change from eBay’s implementation)
Just to be sure: So you
- create a passkey with the eBay app on iOS and that gets successfully stored in your Bitwarden vault (so you see it in your vault in all BW apps)? And can’t use that passkey from your vault on the website/browser on your Mac?
- and you can create a passkey on the eBay-website/via browser on MacOS and that gets successfully stored in your Bitwarden vault (so you again see that passkey in your vault in all BW apps)? And that passkey from your vault doesn’t work with the eBay iOS-app?
If either passkey (really stored in your BW vault) doesn’t work “on the other side” (iOS-app vs browser/website), then eBay doesn’t create the same passkey in both ways (whatever that means then). Are you sure they both call it a “passkey (for login)” - or is one of them a FIDO2-2FA credential (meaning not for full login but just as a second step)? And are you really sure both “passkeys” get stored in your Bitwarden vault? Or maybe the passkey from the iOS-app - I can imagine - gets stored in iCloud Keychain without you recognizing it?
If it truly were the same passkey(s) - at least in theory - then it should work on both ends, browser/website and the iOS-app…
Not really a common use case, since the common use case for services allowing multiple passkeys is mainly for storing them in different places. Storing multiple passkeys for the same service and for the same user in the same place… doesn’t make much sense, as it would be more or less an “identical copy” with the same function and stored in the same location.
But that doesn’t mean I’m not open to any use of being able to store multiple passkeys in one vault item. It’s just not for that example.
Though that doesn’t help you either - I’m pretty sure it’s eBay’s “bad implementation” here… but on the other hand - I guess we will see a lot of other bad implementations on the passkey-way…
Yes, correct.
That’s also my view on the problem.
Here I can only assume they are “passkeys for login”, as in an eBay account they are all stored in one place called “Passkeys”, whereas 2FA is a separate place that has only TOTP-app, email, and SMS options, no 2FA-keys. For instance, in my GitHub account I clearly see Passkeys for login and 2FA-keys and they belong to two different places in settings. Thus, my assumption is eBay isn’t using 2FA-keys.
Yes, they are stored in Bitwarden, I triple-checked this. Also, Bitwarden prompts to overwrite them when I create a new one.
Exactly! But what everyone is missing here is the fact that all modern services are running in sandboxes on user devices. The iOS app “sees” only an iOS sandbox, and a website “sees” only Brave’s sandbox. Neither the app nor the website has a clue what’s behind the sandbox. They don’t see Bitwarden.
Thus, both the iOS app and the website sanely assume they are running on completely different devices that highly likely won’t sync passkeys, as they can’t assert the opposite. If they assumed that behind those sandboxes there is the same password manager syncing passkeys, then users that don’t sync their stuff wouldn’t be able to log in using the same passkey on another device, and they would need to create a new one anyway. So in this scenario, the eBay app doesn’t act incorrectly, as it stores one passkey on the iOS device and one in the Brave browser “device” and doesn’t assume anything else.
Thus, Bitwarden must act out of this knowledge: apps and websites don’t see it as the same passkey-storing device, so on each device it should act as a “standalone passkey device” because of these sandboxes. This automatically implies it should allow storing multiple passkeys per vault item.
We are basically in a typical IT-world situation where two applications independently act correctly, but when they are put together, it appears they each have their own subset of “correct”, and that won’t allow them to work correctly jointly. As a result, end users are struggling a lot.
@Nail1684
I confirm - now it is a total mess - for one site, for one URI, I am forced to use multiple Bitwarden entries. And I have only 2 devices; what if I want to use it on a third device??? It should not overwrite previous entries if I don’t want it to, plz fix this - this is very annoying!!! Each time I just press this login button with passkey and see nothing. Then go to settings, set up, overwrite, then the next day taking the phone again and repeating this and that again again again. All bank apps, all shop apps - everything on my side doesn’t work correctly; I want to use it every day from both phone and Mac, now this just creates annoying chaos. It is not about eBay: 90% of the services which I use (I use a lot) don’t work on different devices.