Bitwarden Passkey Creation Blocked by Swiss Post

Here in Switzerland, the national postal service (Suisse Post) uses a digital identity platform called SwissID, which is now replacing all their 2FA methods with Passkeys - a welcome move. However, I wasn’t able to register their Passkeys on either iOS or macOS using Bitwarden, so I contacted their support team to check why it wouldn’t work with Bitwarden.

Here’s a rough translation of the response I received in German:

"Unfortunately, this passkey provider is not compatible with our service.
Try it e.g. with Google/Apple/Microsoft etc.

We will work more and more with PassKeys in the future.
This means that we will continue to select very carefully in the future, but cannot yet select all the desired providers".

I was under the impression that Passkeys were designed to be service-agnostic, so users wouldn’t be locked into Google, Apple, Microsoft, and similar platforms.

Is there any way to work around this limitation on Bitwarden’s side?

What OS are you using? If you are on a Linux distro, try a Windows 11 machine. Or something else.

I have sites where it allows me to create a Passkey but then when logging in, on a non-Windows OS, it won’t even let me attempt it.

Yet again, the promise of Passkeys ruined by horrible implementation on the part of many websites.

Well, the relying party can restrict the authenticators they allow for passkey creation/storage/usage, I guess (via the AAGUID).

The people from SwissID seem to restrict their passkeys to “FIDO2-compliant passkeys” (which is probably a bit funny (or sad), as every passkey is FIDO2 technology):

It does go on like that:

But I think, here (and actually, at the end of the first screenshot also) they actually say what they mean: the passkeys (?!) should be certified (by the FIDO Alliance):

It seems that the password managers working together with the FIDO Alliance on different things isn't enough. :sweat_smile:

(source of all screenshots: https://www.swissid.ch/en/faq/login-probleme.html)

Probably not, as it would involve faking a different AAGUID of Bitwarden’s “passkey authenticator”…

Perhaps it has something to do with password managers like Bitwarden incorrectly setting the UV flag to 1 even though they do not actually perform user verification when the RP requests it… :eyes:

Yeah, probably a reason… passkeys.dev - Known Issues
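To make the two relying-party checks mentioned in the replies above concrete (an AAGUID allow-list and the User Verified flag), here is an added example that is not part of the original thread, SwissID's or Bitwarden's code. It parses the raw WebAuthn `authData` byte string an RP receives at registration and applies a strict policy to it. The AAGUIDs, the RP ID `example.com`, the credential ID and the COSE key placeholder are all constructed for the example and do not belong to any real vendor.

```python
"""
Parse WebAuthn authenticator data (authData) and apply two relying-party
policy checks: an AAGUID allow-list and the User Verified (UV) flag.
Layout (WebAuthn Level 2, section 6.1): rpIdHash[32] | flags[1] |
signCount[4] | attestedCredentialData = aaguid[16] | credIdLen[2] |
credId | COSE key (CBOR).
"""
import hashlib
import struct
import uuid

# Flag bits in the authData flags byte.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_AT = 0x40  # Attested credential data included
FLAG_ED = 0x80  # Extension data included


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authData into its fields; AAGUID/credential ID only if AT is set."""
    if len(auth_data) < 37:
        raise ValueError("authData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    result = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        result["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id_end = 55 + cred_id_len
        if len(auth_data) < cred_id_end:
            raise ValueError("credential ID truncated")
        result["credential_id"] = auth_data[55:cred_id_end]
        result["cose_key"] = auth_data[cred_id_end:]  # CBOR, left undecoded here
    return result


def rp_policy_check(auth_data: bytes, allowed_aaguids, require_uv: bool = True):
    """Return (accepted, reason), the way a strict RP could decide a registration:
    refuse authenticators whose AAGUID is not allow-listed and refuse credentials
    created without user verification when UV was required."""
    parsed = parse_auth_data(auth_data)
    if not (parsed["flags"] & FLAG_UP):
        return False, "user presence flag not set"
    if require_uv and not (parsed["flags"] & FLAG_UV):
        return False, "user verification required but UV flag not set"
    aaguid = parsed.get("aaguid")
    if aaguid is None:
        return False, "no attested credential data"
    if aaguid not in allowed_aaguids:
        return False, f"authenticator {aaguid} not on allow-list"
    return True, "ok"


def build_auth_data(rp_id: str, flags: int, aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Assemble a minimal authData blob for testing (constructed input)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    cose_key = b"\xa0"  # empty CBOR map standing in for a real public key
    return (rp_id_hash + bytes([flags | FLAG_AT]) + struct.pack(">I", 0)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


# Placeholder AAGUIDs invented for this example; not any vendor's real values.
CERTIFIED_AAGUID = uuid.UUID("00000000-0000-0000-0000-000000000001")
OTHER_AAGUID = uuid.UUID("00000000-0000-0000-0000-000000000002")
ALLOW_LIST = {CERTIFIED_AAGUID}


def demo() -> dict:
    """Run the policy over three constructed registrations."""
    cred = b"\x01" * 16
    cases = {
        "allow-listed, UV set": build_auth_data("example.com", FLAG_UP | FLAG_UV, CERTIFIED_AAGUID, cred),
        "allow-listed, UV clear": build_auth_data("example.com", FLAG_UP, CERTIFIED_AAGUID, cred),
        "not allow-listed, UV set": build_auth_data("example.com", FLAG_UP | FLAG_UV, OTHER_AAGUID, cred),
    }
    return {name: rp_policy_check(ad, ALLOW_LIST) for name, ad in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Caveat worth keeping in mind when reading the thread: both the AAGUID and the flags byte are written by the authenticator itself. An RP can only trust them against a deliberately non-compliant client if the registration carries a verifiable attestation statement; with attestation format `none` (which many passkey providers return) the AAGUID is simply the value the client chose to send. An allow-list like the one above is therefore a compatibility or policy filter, not a security boundary.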

Hi,

I tried both MacOS and iOS - neither work.

Totally agree, as a consumer it's concerning how some services/websites implement Passkeys.

Thank you for the clarification.

It’s most unfortunate that services can implement it this way. It’s frankly very discouraging as a consumer.

It’s also interesting that they are pushing users, like myself, to lose 2FA - unless using one of the aforementioned services - rather than allowing users to utilize a Passkey manager of their own choice. Seems like a shaky policy at best.

An addition to that: using the SwissID app seems to be one of four 2FA methods there (so it seems, they are not replacing all 2FA methods with passkeys):

(–> https://www.swissid.ch/en/faq/sicherheit-datenschutz.html)

Why they don’t implement passkeys (or so-called non-discoverable FIDO2 credentials / often called “security key”) also as a separate 2FA method, I don’t know…

And I also don’t understand, why they (obviously) regard login with password and e.g. SMS-2FA as more secure than using a non-FIDO2-certified passkey manager… :man_shrugging:

But as written before - the sites can implement passkeys as they want to. :man_shrugging:

I stand corrected - according to an email sent out recently - they are replacing their app 2FA with Passkeys. Leaving that and text messages as the remaining options.

Which, indeed, begs the question how they can view that as more secure than using Passkeys over Bitwarden.

Well, Well. I guess it’s back to SMS again.


I found a solution for anyone else having to deal with similar restrictions:

  1. Make sure your iPhone is at least on iOS 26.
  2. In settings - change default autofill to Apple “Passwords”.
  3. Create passkey via Apple “Passwords”.
  4. Once the passkey has been created, simply export it to Bitwarden.
  5. Delete Passkey in Apple “Passwords” and then disable iCloud Keychain.
  6. Change back default autofill to Bitwarden.
  7. Voilà! You can now store and use that Passkey in Bitwarden for the service or website that requires an Apple or Google password-generated passkey.

@Axel Interesting! Thanks for sharing.

That makes such restrictions even more questionable.

And I hope it is “sustainable”.

The whole thing seems kind of pointless - especially with this easy bypass.

In any case, I’ve been using it on my two accounts (you need one account for each address you have registered with the post :person_facepalming:) for more than a day. Let’s see if it fails later on. I’ll update the post then.
