Bitwarden Passkey (How does Bitwarden fit into the new Microsoft/Google/Apple "Passkey" initiative?)

Microsoft, Google, and Apple have announced support for the FIDO2 passwordless initiative that media are calling “Passkeys”. Because Passkeys creates a new key pair for each web site login, there is the issue of moving all these key pairs among devices. I am sure that Google will do that for Android and Chrome and Apple will do it for their iPhones and Macs, but what about between Android and Apple or Linux?

Would Bitwarden be able to support the new Passkeys cross-platform like it does with current passwords? I want to sync Android to Linux desktop and I will wait for Bitwarden to support this, if the feature will be added.

Hello @kwe

Bitwarden does currently support FIDO2 WebAuthn for MFA verification in addition to your master password for vault unlocking.

Bitwarden doesn’t support using these “passkeys” to login in leui of the master password yet, but there is a current similar feature request for this to be supported. Though like most things in adopting to FIDO2 password less login fully will take quite a bit of engineering on the backend to integrate.

1 Like

Slight nuance: many of us have been asking for non-FIDO unlock using Yubikeys. We’ve made many arguments as to why this relatively cosmetic feature would have security value.

This thread is a little bit confusing. There seems to be 3 ideas being discussed:

  1. Bitwarden support for logging into other websites/apps (e.g. Google, Reddit, …) using FIDO2 passwordless login
  2. Logging into Bitwarden using FIDO2 passwordless login
  3. Unlocking the Bitwarden vault using a physical device such as a Yubikey, without needing to be FIDO compliant

I believe @kwe is referring to #1 in this list. I completely agree with needing cross-platform support, and hope that Bitwarden will support these Passkeys, switching from being a “Password Manager” to an “Account/Passkey Manager”.

While we don’t have many details yet, I’m concerned that the Apple approach will end up locking us into their ecosystem, even though I could use my Apple devices to log into any non-Apple device. Having Bitwarden support for Passkeys will also help with the current limit of 25 resident FIDO2 keys on Yubikeys for example (albeit slightly less secure).

4 Likes

Thank you, @landlesscampfire, you are entirely correct. After seeing my thread derailed and hijacked I gave up on getting any information.
We need third-party FIDO providers precisely because Google, Microsoft, and Apple will refuse to exchange key pairs among themselves in yet another attempt to wall their gardens.
I wish Bitwarden would just go ahead and announce multi-platform support for FIDO2. They are our only hope.

2 Likes

There’s also another interesting discussion happening here:

It’s still going to take a while before we can realistically use Passkeys, considering that as of today, only Microsoft is offering a passwordless login experience (so far it still seems restricted to Windows machines). On desktop, browsers still need to be updated to support software-based FIDO2 devices, and on mobile Apple/Google would need to allow 3rd party apps to provide FIDO2 logins (don’t see this happening for at least a couple of years since they seem to be pushing for their own passkey solution at the moment).

In any case, it would be good to hear from the Bitwarden team about what their high-level plans would be going forward.

Thanks for the feedback everyone! Here is a recent post from the Bitwarden team:

rest assured that Bitwarden is firmly committed to the FIDO Alliance (going on our 3rd year as a member) and developing FIDO2/WebAuthn functionality beyond the use cases in place now. The ideas and suggestions are welcome, Bitwarden remains active in this area, and we look forward to more ahead!