Best practice to use Bitwarden as passkey provider

Hello

What is the current best practice to make sure that Bitwarden is the passkey provider (i.e. central shared storage and key delivery when prompted) in most major browsers and OS (Firefox, Edge and more importantly Chrome with their just announced cross-device, cross-platform support)?

I am having a hard time with Bitwarden (through installed extension) and/or the browser handling passkey requests and end up having various keys in various vaults, which is getting messy.

Is there any up-to-date guide as to how this should be handled, ideally MacOS, iOS, Windows for major browsers?

2 Likes

Well…

I guess, use it? :smile:

What does “a hard time” exactly mean?

I guess, in the browser extension

  • Settings → Notifications → “Ask to save and use passkeys” is turned on
  • Settings → Notifications → Excluded domains → all domains, where you want to use Bitwarden as your passkey provider, must not be on that list

Both requirements should lead to the Bitwarden “passkey popup” if there is a request… Storing Passkeys | Bitwarden Help Center

I guess on MacOS and Windows (and Linux?) it is still only possible to use passkeys with the browser extensions.

For iOS (and Android) you can find here Using passkeys with Bitwarden | Bitwarden Help Center in the tabs more info. As you can also read there, a basic requirement for iOS is version 17, and for Android version 14, though for the latter I can personally add, that the vendor of the phone must also enable the function for “third-party passkey providers” so that it can function.

Apart from all that, as there are no tags in Bitwarden, still, I add “(Passkey)” to the title/name of my vault items with passkeys, to have more or less an overview…

1 Like

@AlexT Have you disabled the native password managers in your browsers (e.g., Google Password Manager)?

Normally, any passkey requests from the website should be intercepted first by the Bitwarden browser extension, and if the browser extension passkey prompt is dismissed, you will get a second prompt, this time from the operating system (e.g., Windows Security).

As noted by @Nail1684, you need to ensure that the option “Ask to save and use passkeys” has been enabled in Bitwarden, and that the domains of interest are not on the exclusion list.

Can you provide some specific examples of where a passkey is not being saved in Bitwarden (provided that you have configured your system as described above)?

Some additions. :wink:

Right! I almost wrote it myself, but then I thought, that’s already recommended for using a dedicated password manager and not “passkey specific” - but nonetheless, it should be mentioned! There’s a recent blog article about this: Disable your browser-based password manager | Bitwarden

I would add to that, that there can also be a “third” prompt, and that is by the browser. E.g. Chromium-based browsers offer a small button “Use passkey” or similar. (I don’t remember, when they introduced that popup)

That’s how it looks for me for this forum (the box “over” the inline-autofill… text in German; PS: that’s on Brave/Windows - I don’t know if the “design” can vary):

One, that would be interesting, yes. Two, that reminds me of: I guess there are still (or always? :sweat_smile:) some sites, that don’t implement passkeys well enough that it works with a third-party passkey manager (or Bitwarden for that matter). My personal best example would be eBay, though it’s a few days since I last checked whether it works now (see here: Passkey popup doesn't show - domain not on excluded domains list) - or PayPal a time ago, when they only allowed the passkeys to be created on iOS or Android devices (I think they changed these restrictions now?!).

So there can always be “bad implementations” and/or “restrictions” for passkeys, depending on the specific site/account/service. (BTW, another example for “restrictions” would be, that you can’t store the “login-with-passkey”-passkey for Bitwarden (Log In With Passkeys | Bitwarden) via the Bitwarden browser extension in the Bitwarden vault… apart from the circular dependency it would create and whether it makes sense or not - it is also a “restriction”)

At last I would like to add, that using passkeys via the inline-auto-fill is possible with the Bitwarden browser extension - see here: New! Inline autofill for cards, identities, and passkeys | Bitwarden (though I guess, the inline-auto-fill is a bit debatable for many people)

To date, I have never seen such prompts in my browsers. However, I have completely disabled all autofilling by the browser.

Thanks

I have (obviously) fully disabled the browser level password manager (btw would be nice if BW could do that at install time or at the very least warn that it is not turned off).

I am now collecting a few samples and shall post.

1 Like

To report back on that: As I wrote, this prompt appeared some time ago - and until now, I never looked into it… Now I went through all (visible) settings about the in-built password manager, auto-fill etc. on Brave. Everything is disabled. Without any other extensive research: currently, I have no idea what setting enables or disables this prompt. :man_shrugging:

(PS: I also searched in brave://flags for “passkey” and “prompt” and nothing hints to that passkey prompt)

I guess, Bitwarden can’t change controls in another program/app…

I guess you mean “that it is turned off” (= the browser password manager is disabled) :wink:

I’ve looked at BitWarden info, Reddit info, and other places. AFAICT, storing passkeys in BitWarden for the Mac just does not work. I use Safari (default Mac browser). I have the browser extension installed. I have passkeys turned on. I have Mac Passwords auto-entry turned off. I’ve now tried this at GitHub, a financial site, and a research funding site. It simply does not work. It does bring up a BitWarden passkey window, but it never finds the associated entry in BitWarden for the site (even though I DO have BitWarden entries for all the ones I’ve tried so far). It always asks to create a new entry. I’ve tried that and when I try the passkey again, it again asks to create a new entry–for which there is no passkey. I’ve tried this with the iOS version and it does not work either. Finally, I’ve seen screenshots of a passkey field for BitWarden and I do not have that in any of my Vault entries. This is very very frustrating. It seems to have some kind of bug and no one seems to know what is wrong.

@cmbarton Welcome to the forum!

What are your MacOS and Safari versions?

What version of the Bitwarden browser extension do you have installed?

I guess, that means you have turned on: Settings → Notifications → Ask to save and use passkeys ? (kind of rhetorical question or “double check”, as you already wrote you get passkey prompt)

Your GitHub login item in Bitwarden has https://github.com (also) stored as a URI?

And then, you don’t have https://github.com on your Excluded domains? (Settings → Notifications → Excluded domains)

If you have not created a passkey-“pair” between a site (like GitHub) and a corresponding login item in your Bitwarden vault (like the GitHub-login item), then you don’t see that passkey field in the GitHub entry.

Or put the other way round: you first have to create the passkey-pair, then you see the passkey field in your corresponding Bitwarden login item and can login with the passkey.

PS: As far as I know, there is no general problem with MacOS, Safari and passkeys.

Yes

Yes

It wasn’t and then was. I cleared this out from my excluded domains and saved (BitWarden Safari extension)

Here is what happens. I’ll try to add screenshots if permitted. [Looks like I’m not permitted to add more than one screenshot.]

  1. In GitHub security and password settings click Add passkey. This goes to the add passkey screen.

  2. Click “use passkey”. The GitHub window goes into a ‘waiting’ mode, and a popup appears (looks like a BitWarden popup) that says “log in with a passkey?” “No passkeys found for this application” Options are to “close” or “use device hardware key”

  3. Clicking “close” or hardware key “just once” closes the popup and opens another Apple popup prompting me to reactivate the Passwords app for autofill in order to save the passkey there.

  4. Clicking hardware key “always for this site” also added GitHub to the BitWarden excluded domains.

I never get any option to save a passkey in BitWarden no matter what I do.

Once for the financial site, clicking “just this once” also brought up a QR code. I tried scanning that with my phone. It did bring up BitWarden to tell me that the URL was not recognized and asked me if I wanted to add it. I did, but still did not get a passkey.

So how’s this supposed to work??

@cmbarton I’m on the move right now (just saw your post), so quick answer:

It seems, your first step goes into the right direction (and more to that in a minute) – but what happens between your first and second point exactly??


I’ll try to show how it should work to create a passkey for GitHub and store it in Bitwarden:

Log in to GitHub, go to Settings and eventually to “Add passkey”, as you can see here:

When you clicked “Add passkey”, you should see this screen now:

When you click here “Add passkey” (before you click, you can unlock the Bitwarden browser extension) , then the Bitwarden “Save passkey prompt” should open:

When you have already a “GitHub” login entry with the GitHub URL in your Bitwarden vault stored, then you should be offered to save the passkey in that login item. Otherwise you can search the vault for a matching entry and choose it.

(In my case, I already have a GitHub-passkey stored, that’s why it says “A passkey already exists for this application.”)

When you don’t see that Bitwarden-“save passkey prompt”, but followed my instructions, we have to look further why that could be…

PS: If you were able to store the GitHub-passkey that way, then afterwards you would finally be able to login with that passkey to GitHub.

PPS:

Yeah, that’s a bit annoying as a “new user”… one unofficial tip: you could make a collage (one larger image) from several separate ones…

… now, some short additions to my previous post…

Especially when my instructions don’t work for you, an answer here may be necessary. :wink: – I’m not completely sure for MacOS as I don’t use it myself, but the general ability to use passkeys would at least need MacOS 13 or 14 I think. (PS: Though, I’m not sure again, how much it is dependent on the OS when mainly Bitwarden and the browser interact for passkey usage…)

And for Safari, at the very least, I think you need Safari 13 (and above), but I didn’t dig too deep on that.

That sounds good and as I meant it :+1:, but to be perfectly clear as I could have expressed it more clear before: the desired (passkey-)domain mustn’t be on the “Excluded domains” list of your browser extension.

I think my instructions already showed, that you have to see the “save passkey prompt” from Bitwarden, when you want to create and store a passkey in Bitwarden, so… when you never saw that prompt until now, then either you did something wrong (see my instructions), or your system prevented it (the latter: either by misconfiguration or by system limitations)…

PS: Just FYI, the Bitwarden Help Sites also have some info on passkey storage and usage: Storing Passkeys | Bitwarden

You’ve hit the nail on the head. I never get a save passkey popup. As I indicated before, I have the newest MacOS (15.3.1) and Safari (18.x). I’ve done everything you suggested and it just doesn’t happen. I only get the messages I reported.

It doesn’t work in iOS either (18.3.1). I get a popup that says ‘you don’t have any passwords saved for this app but you may be able to choose one from the app below’. BitWarden is presented as the app to choose from. When I choose BitWarden, I get a BitWarden popup that says that you have nothing saved for this app, but you can add a new entry. But I do have GitHub saved along with the URI. So even the BitWarden interface is getting it wrong.

Passkeys simply don’t work for BitWarden in the Mac. So I guess this needs to be elevated to a bug report. Also, when trying to set a passkey and failing to do so, BitWarden automatically adds the URI to excluded domains, without asking if you want to do that. This seems to me to be an additional and maybe related bug.

Since you don’t use a Mac, you’ve not encountered this. I’ve seen people complaining about it on various forums. But there are probably not a lot of complaints yet for several related reasons.

  1. Many people are still not familiar with Passkeys and they are not yet available for most applications.
  2. Apple makes passkeys (and saving passwords) so easy and seamless with its Passwords app that people are using it without even knowing that they are.
  3. BitWarden autofill is fairly cumbersome and complicated on the computer, requiring installation of a separate browser extension with unique settings options because it doesn’t work with the main BitWarden app. And many people use passwords more on their phones and tablets, where autofill is integrated, so they don’t yet know how to use it on the computer.
  4. As a result, people end up using dueling apps: Apple Passwords and BitWarden. This of course leads to confusion over which one has the correct authentication for which service and app. I’d like to use BitWarden as my default and only password keeper but it is difficult to do.

Ok… But still I don’t really understand, what actually does happen – instead of opening the “BW save passkey prompt” as it should be the case – when you click “Add passkey” (when you are logged in in GitHub and try to create a passkey)??

You didn’t write that before :wink: but it’s good to know, that your system should support everything!

Good… and (still) strange… :thinking:

I get that, but I would set that aside for the moment and focus on MacOS. (if we get that to work, maybe you can make a separate post later for clearing it up in iOS, too…)

I think we can rule that out now. I searched the forum a bit and found at least this post by @DoctorB , stating storing and using passkeys with Bitwarden, MacOS, and Safari does work. (and that post was from Nov 2023, so it does work for a long time!)

[PS: This post mentions the Yubico demo site… but you can also test it with other authenticators, like Bitwarden… I just also tried it on Windows 11 with Vivaldi browser, worked also with Bitwarden… for all those, who might read it and want to try it: you have to register/sign in, then you can trigger the passkey-storage process for Bitwarden with e.g. choosing “internal authenticators”]

So here a few thoughts and ideas you could try now:

  • you wrote “Safari (18.x)”… I guess there were some bugs with Safari 18 also (a while ago, e.g. this was reported) → so first thing, please make sure, your Safari is also “up-to-date”

  • did you deactivate iCloud KeyChain / Safari’s password manager?

    • it/MacOS could intercept/block Bitwarden’s “save passkey” pop-up

    • here and here you can find infos for deactivating it and/or Safari’s browser password manager – something I found once: 1. Go to System Preferences > iCloud. 2. Uncheck the box next to “Keychain”

  • do you have some kind of pop up blocker installed or configured in Safari? (–> probably not, otherwise you wouldn’t see the other pop up, but maybe check nonetheless if something could block the popup)

  • could you have other extensions/addons installed on Safari blocking the popup? (–> here, it was another Firefox extension in the end, blocking “passkey usage” on MacOS)

  • you could also try another website, creating a passkey, if only just for comparison (maybe there’s some bug for you with GitHub at the moment?!)

    • you could try it with this forum! → if you’re logged in here, go this route: click your “profile symbol” (upper right corner) → “Profile” button at the bottom → Preferences → Security → + Add passkey → Confirm with your forum-password → then you should get the famous Bitwarden “save passkey prompt” we hope for…)
  • if only for testing purposes: you could try it (temporarily!) with another browser… Chrome (or another Chromium-based one like Brave) or Firefox should also work (like in one of the links I already posted, Firefox works with passkeys on MacOS… BTW, this post here also “confirms”, Chrome and Firefox do work with passkeys on MacOS)

    → if it works with another browser, we might circle it down to “has something to do with Safari”… (but if it doesn’t work with another browser, it must be something else)

  • and if you’re still not convinced – or maybe indeed experience some kind of bug, who knows! – you can contact Bitwarden support and/or report it as a bug (“New issue”) on GitHub and see what feedback etc. you get!

  • … but maybe before you do that, I personally would also consider, to deinstall, delete the local storage and reinstall the BW extension… it also / always could be an “app hiccup”

    • but before you’d do that, make sure you have e.g. still another Bitwarden app logged in and/or all your login credentials for Bitwarden “within reach” (we won’t get you locked out :wink: )

PS: Here a screenshot, where you can find the + Add passkey button in this forum (as verbally described above):

Thanks I will try all of these things. I’ve already done all of the settings you mention but will double check with your links. The only pop up window I get is the one image I pasted in earlier. I never have seen the save a passkey pop up.

I don’t have any popup blockers or other problematic extensions. I only have a few. I’ll try another web site to see if it is just GitHub, but I have run into the same problem with at least a couple other sites. I’ll also try Firefox.

@DoctorB was writing in 2023. So it may be a problem with the new Sequoia MacOS 15 or with the new Safari 18 (I have the most current versions of both). I’ll do more testing to see if we can find out exactly where the problem is before filing a report.

Thanks again for all of your help.

1 Like

One quick response:

That was the “login popup”:

That is really strange, as you should see the “Log in with passkey?” pop up only when you try to login with a passkey… and not when you try to create / add one…

BTW, I also think that shouldn’t happen either… normally, only when you choose “Always for this site” (and therefore “dismissing” this popup permanently), the domain should get added to the “Excluded domains” (= “suppressing” / disabling the popup)…

Yes. That is the one.

So you’re logging in to github with a previously saved passkey.

I just logged into github with a passkey using Safari on a Macbook Air M1.
https://github.com/login
used the “sign in with a passkey button”
Everything seemed to operate as it should.

Initial thought is BW autofill is finding your github entries?
This is my browser bar showing the bitwarden extension with the number 2, I have 2 github accounts in my vault.
Do you have the same? maybe a 1 depending on how many github entries you have in your vault.

1 Like

One more success. I deleted the passkey for GitHub in the Apple passwords.app. Then I deleted it in GitHub. This allowed me to add a new passkey, which did finally bring up the BW save a passkey window.

So for GitHub, at least, in spite of what the web site implies, you can’t add a passkey for BW if you already have a passkey for another app.

This leaves the NSF site, which I tried again today. I have only 1 login entry for it, my ID and PW are correct. I have 2 URLs (depends on how one logs in), but all are in the same BW vault entry. I still don’t get the add a passkey window. I did have a passkey set in passwords.app but I deleted it.