I’m using Bitwarden 2023.12.1 2024.1.0 (non AppStore version) on macOS Sonoma 14.2.1. I’ve started cautiously using Passkeys recently for some sites and it’s working pretty well.
Yesterday I tried to set up Passwordless auth to my Microsoft M365 tenant using a Passkey. I did this from the standard My Sign-Ins page. I wasn’t able to complete it, instead getting an error message at the final step from Microsoft:
There’s a Passkey showing up (dimmed out) for that login in Bitwarden now, but I can’t use it.
I found this page which indicates that Passkeys aren’t (yet) supported for M365 logins. It says “Microsoft Entra ID currently supports only hardware FIDO2 keys and doesn’t support passkeys for any platform.”
Can anyone shed any light on whether this is possible, or if it’s “coming soon” or never?
This is not related - that’s just a notification about setting up the browser integration so you can use biometrics to unlock your Bitwarden browser extension.
Unfortunately, it seems that Microsoft is limiting the authenticators it allows to just hardware keys, and so even though Bitwarden is able to store a passkey, Microsoft won’t let you use it.
The issue persists. It may be worth opening a support ticket with Microsoft for further assistance. The more users reporting the problem, the higher the likelihood of resolution.
@luckman212, we have been working with Microsoft on our journey to passkeys. The behavior you are seeing is similar to what we are seeing with FIDO2 keys that do not support FIDO2 attestation.
Your admins can downgrade security defaults in Entra ID to accept passkeys with specific AAGUIDs that do not provide attestation. It is not recommended by Microsoft or any security professionals that we have consulted with.
I’m not sure what work Bitwarden developers would have to do to make Bitwarden support the attestation capability, but it is worth researching and putting in a Feature Request to the team for consideration.
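The two policies discussed in this thread (enforcing attestation versus allow-listing AAGUIDs without it), sketched as an added example that is not part of the thread and is not Microsoft's or Bitwarden's code. It reads the AAGUID from WebAuthn `authenticatorData` using the layout in the WebAuthn specification. The function names, the policy logic and the sample AAGUID are assumptions made for illustration.

```python
import struct
import uuid

FLAG_AT = 0x40  # "attested credential data included" bit in the flags byte


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from registration-time authenticatorData.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | credIdLen(2) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag not set: no attested credential data")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def registration_decision(fmt, auth_data, enforce_attestation, allowed_aaguids):
    """Simplified relying-party policy (assumption, not Entra ID's actual logic)."""
    aaguid = parse_aaguid(auth_data)
    if enforce_attestation:
        if fmt == "none":
            return "reject: no attestation statement to verify"
        # A real relying party would now verify the statement's signature and chain.
        return "needs-attestation-verification"
    if aaguid in allowed_aaguids:
        return "accept: AAGUID allow-listed (self-asserted, unverified)"
    return "reject: AAGUID not allow-listed"


# Constructed sample: zeroed rpIdHash, flags UP|UV|AT (0x45), counter 0,
# a made-up AAGUID and a 16-byte credential ID. The COSE key is omitted.
SAMPLE_AAGUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")
SAMPLE_AUTH_DATA = (bytes(32) + bytes([0x45]) + struct.pack(">I", 0)
                    + SAMPLE_AAGUID.bytes + struct.pack(">H", 16) + bytes(16))

if __name__ == "__main__":
    print(registration_decision("none", SAMPLE_AUTH_DATA, True, set()))
    print(registration_decision("none", SAMPLE_AUTH_DATA, False, {SAMPLE_AAGUID}))
```

With attestation format `none`, the AAGUID is only what the authenticator reports about itself, so an allow-list match says nothing verifiable about which authenticator created the credential.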