I want to use the biometric authentication without having to log in to the desktop app first.
It seems unnecessary to me that the desktop app has to cache the Vault locally and also be logged in so that it can perform the browsers biometric authentication. From this point of view, two logins are necessary.
It may be possible to install only an agent that can be triggered by the browser extension to handle the biometric authentication.
At the current moment it's really about access levels and APIs to Hello/Touch ID - the desktop app is the most reliable way to connect to those APIs vs. browser-based integration. Though, there is a point in having the desktop be the "central station" for convenience - but that is more of this feature.
We'll see how the browsers progress with support for Biometrics, though!
Maybe my request was misunderstood. I think I understand the reason why an app is needed so that the browser can access the biometric API through it. That's ok, the problem is why does the app need to be signed in to Bitwarden first and also include the full vault? The agent I'm describing would still be a Win32 app that accepts the authentication request from the browser and communicates with the Windows API, but it doesn't require any additional Bitwarden login and no vault.
It would be great if users could unlock their vault through the Bitwarden browser extension without having to open the Bitwarden desktop app (or even without having the desktop app installed at all).
Is this something that is even technically possible? I think so but I'm not sure.
Nevertheless, if it's possible, this should be implemented, as it can only benefit users (if it is not at the expense of security compared to the previous implementation where the desktop app is needed)!
Is this now possible with passkeys? Save a passkey to access Bitwarden, and use it to login to the extension? That should use the operating system's authentication.
I see some messages stating it's not possible for security reasons.
I regularly use different websites that offer biometric authentication without any desktop agent.
When logging in to these websites, a popup comes up calling "Windows Hello". As far as I know, it looks like a key is registered on the website or computer side.
Whatever the technical details, I can assure it involves only the web browser, and not any desktop companion app.
Logging onto my bank account is as follows:
After giving my user name, the web page says: Connecting…
A popup opens on top:
The window title is "Windows Security"
Text is: Sign in with your passkey to "####.com" as "#####".
This request comes from the app "chrome.exe" by "Google LLC".
I can scan my fingerprint or choose a different authentication method, as for opening my Windows user account (face, PIN, etc…)
Once my identity is verified, the popup closes and the webpage unlocks; the account is logged in.
The popup window is clearly a call to the "Windows Hello" service made from the browser.
The biometrics themselves are not being "sent" to the website. The biometrics are being used by the Windows Chrome executable to authenticate you to Chrome to decrypt your Chrome vault containing a passkey that is then used to log in to the website.
This is very similar to how Bitwarden does it, but with the difference that Chrome does not allow extensions to access Windows Hello, so the Bitwarden extension has to ask the Bitwarden executable to do it on its behalf.
Thank you DenBesten for the very detailed feedback about the technology behind.
You are right, I can confirm that any website that offered this authentication informed me that a secret key was to be saved into the browser. This probably refers to the key saved into the chrome vault you are talking about.
If I understand well, what prevents Bitwarden from acting as those websites is the fact that Chrome does not allow extensions to access Windows Hello.
I don't know if the Bitwarden extension could communicate with an authentication web page that does the call to Windows Hello…?
I don't know what the technical possibilities or limits are. But from the user point of view it could be really much more user friendly to authenticate without any additional software (if feasible…).