Bitwarden and Passkey

I am very confused about Bitwarden's vault passkey management. Almost everywhere I use TOTP 2FA. For Bitwarden I started to use a passkey as 2FA. Now I recognized Bitwarden also has Passkey Login (Beta). Shouldn't it be possible to disable the legacy login system if I use something like the Passkey Login? Let's say I disable 2FA; wouldn't this cancel out Passkey Login (Beta) with regard to security? Then I also recognized that when I save the 2FA passkey for my mobile phone, where Bitwarden is the password manager, and afterwards enable Passkey Login (Beta) with the same credentials, this overwrites the passkey for 2FA (instead of adding an additional one). At this point I disabled Passkey Login (Beta) and removed everything in 2FA other than the passkey, as already mentioned (Passkey Login is redundant if I understood this correctly).

@LaCocoRoco Welcome to the forum!

There is a Feature Request for that: Ditch the master password in favor of passkeys

If you mean here that you stored the BW-login-passkey and BW-2FA-“passkey” in your Bitwarden vault itself, then 1. beware of the “circular dependency” (having to log in to Bitwarden to be able to log in to Bitwarden is problematic…) and 2. as in Bitwarden one login item can only store one passkey, a general (!) workaround in Bitwarden would be to create a second login item for the other “passkey” type. (I’m not sure if that “workaround” could be done with e.g. the platform passkey provider on your phone as well.)

Yeah, kind of. And at the moment, it is still only possible to log in with the login-passkey to the web vault. But in the future, I think it will be possible to do more with the login-passkeys (e.g. logging in to other BW apps - and possibly also unlocking BW apps?!).

(–> “staff notice” to this feature request: Sign into Bitwarden with a passkey / "Login with passkeys")

Also see this post from @Micah_Edelblut from Bitwarden.

PS: And yeah, as long as there is a master password for the Bitwarden account, 2FA should remain enabled… because even if you have a login-passkey, the master password login would still be possible and should be secured with 2FA.


Thank you @Nail1684 for answering every question! You also mentioned “circular dependency” and you are correct. For the 2FA passkey I stored three different devices: Windows Hello, Android mobile (the problematic circular dependency) and a Yubico Security Key. Until now I also stored the recovery key (on paper), which I will probably remove (replaced with the Yubico Security Key as the emergency recovery solution). Again thanks and have a nice day!


@LaCocoRoco Glad I could help!

Hm, I’m not so sure about that… As the login-passkeys don’t replace the master password for now, I guess you still have an emergency sheet with the master password etc. on it. I wouldn’t “delete” the 2FA recovery code for the foreseeable future from the emergency sheet(s)… better safe than sorry… and the emergency sheets must be in a secure location anyway.
