Biometric authentication without full desktop app

Feature name

  • Biometric authentication without full desktop app

Feature function

  • I want to use the biometric authentication without having to log in to the desktop app first.
  • It seems unnecessary to me that the desktop app has to cache the Vault locally and also be logged in so that it can perform the browser's biometric authentication. From this point of view, two logins are necessary.
  • It may be possible to install only an agent that can be triggered by the browser extension to handle the biometric authentication.

I think it’s a security feature of the OS so you can’t have it. The same applies to 1-password

Why should it? In terms of authentication, the agent has the same functionality as the desktop app, but without Vault. This means more security :wink:

At the current moment it's really about access levels and APIs to Hello/Touch ID - the desktop app is the most reliable way to connect to those APIs vs. browser-based integration. Though, there is a point in having the desktop be the ‘central station’ for convenience :slight_smile: - but that is more of this feature.

We’ll see how the browsers progress with support for Biometrics, though!

Maybe my request was misunderstood. I think I understand the reason why an app is needed so that the browser can access the biometric API through it. That’s ok, the problem is why does the app need to be signed in to Bitwarden first and also include the full vault? The agent I’m describing would still be a Win32 app that accepts the authentication request from the browser and communicates with the Windows API, but it doesn’t require any additional Bitwarden login and no vault.

It would be great if users could unlock their vault through the Bitwarden browser extension without having to open the Bitwarden desktop app (or even without having the desktop app installed at all).

Is this something that is even technically possible? I think so but I’m not sure.

Nevertheless, if it’s possible, this should be implemented, as it can only benefit users (if it is not at the expense of security compared to the previous implementation where the desktop app is needed)!


It’s not currently technically possible to have biometric authentication in browsers without a native companion app.


Thanks for clarifying!


Is this now possible with passkeys? Save a passkey to access bitwarden, and use it to login to the extension? That should use the operating system’s authentication.

I see some messages stating it’s not possible for security reasons.

I regularly use different websites that offer biometric authentication without any desktop agent.
When logging in to these websites, a popup comes up calling “Windows Hello”. As far as I know, it looks like a key is registered on the website or computer side.
Whatever the technical details, I can assure it involves only the web browser, and not any desktop companion app.

Logging onto my bank account is as follows:
After giving my user name, the web page says: Connecting…
A popup opens on top:

  • The window title is “Windows Security”
  • Text is: Sign in with your passkey to “####.com” as “#####”.
    This request comes from the app “chrome.exe” by “Google LLC”.
  • I can scan my fingerprint or choose a different authentication method as for opening my Windows user account (face, PIN, etc…)
  • Once identity verified, popup closes and webpage unlocks, account is logged

The window popup is clearly a call to “Windows Hello” service made from the browser.

The biometrics themselves are not being “sent” to the website. The biometrics are being used by the windows chrome executable to authenticate you to chrome to decrypt your chrome-vault containing a passkey that is then used to login to the website.

This is very similar to how Bitwarden does it, but with the difference that Chrome does not allow extensions to access Windows Hello, so the Bitwarden extension has to ask the Bitwarden executable to do it on its behalf.


Thank you DenBesten for the very detailed feedback about the technology behind it.

You are right, I can confirm that any website that offered this authentication informed me that a secret key was to be saved into the browser. This probably refers to the key saved into the Chrome vault you are talking about.

If I understand well, what prevents Bitwarden from acting as those websites is the fact that Chrome does not allow extensions to access Windows Hello.
I don’t know if the Bitwarden extension could communicate with an authentication web page that does the call to Windows Hello…?

I don’t know what the technical possibilities or limits are. But from the user's point of view it could be really much more user friendly to authenticate without any additional software (if feasible…).

The webpage also cannot access Hello. It is Chrome’s vault that is accessing Hello before releasing the secret key to the web page.

Kinda like the guard buzzing you in instead of giving you a key to the door.


When will unlock with biometrics be available for the browser extension without having to install the desktop application?

Would like the functionality to be similar to the iOS experience.

@jeffmpitman Hi!

It seems there is a similar feature request: Biometric authentication without full desktop app

Hello again,

If I understand the thread correctly, the vault needs to be downloaded to a device before a biometric authentication is possible. Said differently, there is no capability for a browser (any browser) to cache an encrypted file (a.k.a vault) and even if it could the access to that file/vault is specific, proprietary and provided by a Bitwarden API.

Therefore, the app provides the proprietary logic, the data (vault), the encryption and the API to unlock and authorize access to that data. The API provided by the app is full fidelity (BIO, password, TOTP, Passkey).

In iOS, which is the experience I am looking for in Windows, all those components exist therefore it’s a really nice User Experience.

2 questions/clarifications:

Will this ever work with just a browser on Windows? Meaning, is anyone working on this? (Bitwarden, MSFT, Industry?)

The app is available as a download from Bitwarden or the Windows App Store. Which one do I use? What is recommended? Will updates come through Windows Update?

Please advise and Thanks

/jp

This is not correct. The limitation (as I understand it) is that a browser extension is not permitted to retrieve keys from the Windows secure enclave (e.g., TPM). Therefore, the cryptographic key used to decrypt & encrypt your vault data is retrieved by the desktop app, and transmitted to the browser extension via IPC.

This is not accurate either. When logging in to any browser extension or the Web Vault, the browser downloads and caches an encrypted copy of the vault data.

All encryption/decryption algorithms used by Bitwarden are public, so anybody with access to your encrypted vault cache and a knowledge of your master password can decrypt the cache and access the vault data.

Thanks for the clarification.

Are you with the Bitwarden product team? That would lead to one of my last questions:

If it is known what is required, is anybody working on this? Is it just a Bitwarden design or implementation issue? Are there roadmaps that show what MSFT/Bitwarden recognize as an enhancement worth prioritizing in developer partnerships? Given this thread I’m not the only one looking for a smooth UX between mobile and Windows. Go easy on me as I understand none of this.

No, I am not. I am just a fellow Bitwarden user/customer.

My testing, reading and recollection is that both of the above are true. Since a browser extension cannot directly access Windows APIs, the desktop app intervenes on its behalf, which requires a secure communications channel, authenticated by being logged into the same vault (locked is OK).

Here is what I learned:

  1. Biometric features are part of the built-in security in your device and/or operating system. Bitwarden Desktop leverages native APIs to perform this validation
  2. Browser extensions do not have access to the native APIs and instead must live within the sandbox provided by the browser.
  3. Extensions can exchange messages with native applications using an API which the extension uses to outsource biometrics to the desktop app.
  4. For a while, browser biometrics required the desktop app to be unlocked. This was to mitigate a vulnerability that apparently involved an insecure communications channel between extension and desktop.

It was never clearly stated, but my belief is that in step 4, they began encrypting the channel with the vault encryption key, which is only available when the vault is unlocked and then relaxed the “vault unlocked” requirement by substituting a “session key” that is tied to the vault, yet survives vault locking.

Neither @grb nor I are Bitwarden employees. Employees can be identified by their Avatar being overlaid with a Bitwarden shield. @grb comes close with a blue ribbon, but that is simply a well-deserved reward for being a great community participant who was rewarded with a few extra moderation capabilities.

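Step 3 above refers to the browser's native messaging API. As an added example that is not Bitwarden's code, this is the wire framing that API uses between an extension and a native host process, with the byte order and the 1 MiB host-to-extension limit taken from Chromium's documented protocol; the message contents are constructed. The framing itself authenticates nothing, which is why the authenticated channel described in that post has to be built on top of it.

```javascript
// Added example (not Bitwarden's code): framing used by Chromium's native messaging
// API between an extension and a native host over the host's stdin/stdout.
// Each message is a 32-bit length in the host's native byte order (little-endian
// assumed here, as on x86/x64 and ARM Windows) followed by that many UTF-8 JSON bytes.
const MAX_HOST_TO_EXTENSION = 1024 * 1024; // browsers cap host->extension messages at 1 MiB

// Encode one JSON message exactly as it travels over the pipe.
function encodeNativeMessage(obj) {
  const payload = Buffer.from(JSON.stringify(obj), 'utf8');
  if (payload.length > MAX_HOST_TO_EXTENSION) {
    throw new RangeError(`message of ${payload.length} bytes exceeds the 1 MiB host limit`);
  }
  const header = Buffer.alloc(4);
  header.writeUInt32LE(payload.length, 0);
  return Buffer.concat([header, payload]);
}

// Incremental decoder: feed it the chunks a pipe delivers, get back every complete
// message. The declared length is checked before the body is awaited, so a corrupt
// or misbehaving peer cannot make the reader buffer without bound.
class NativeMessageReader {
  constructor(maxLen = MAX_HOST_TO_EXTENSION) {
    this.buf = Buffer.alloc(0);
    this.maxLen = maxLen;
  }
  feed(chunk) {
    this.buf = Buffer.concat([this.buf, chunk]);
    const messages = [];
    while (this.buf.length >= 4) {
      const len = this.buf.readUInt32LE(0);
      if (len > this.maxLen) {
        throw new RangeError(`declared length ${len} exceeds limit ${this.maxLen}`);
      }
      if (this.buf.length < 4 + len) break; // body not fully received yet
      const body = this.buf.subarray(4, 4 + len).toString('utf8');
      this.buf = this.buf.subarray(4 + len);
      messages.push(JSON.parse(body));
    }
    return messages;
  }
}

// Constructed sample message (not Bitwarden's real message schema), delivered in
// two fragments to show reassembly across partial pipe reads.
const sampleWire = encodeNativeMessage({ command: 'ping', nonce: 'c0ffee' });
const demoReader = new NativeMessageReader();
const partial = demoReader.feed(sampleWire.subarray(0, 6)); // [] : header + 2 body bytes only
const complete = demoReader.feed(sampleWire.subarray(6));   // [{ command: 'ping', nonce: 'c0ffee' }]
```

The host manifest's allowed_origins list restricts which extension IDs the browser will connect to a host, but nothing in this framing proves who is on the other end of the pipe once connected.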