When I add a Bitwarden passkey in https://webauthn.io/, in the description it’s shown as
device-bound credential of unknown discoverability. I also added a Passkey in Google Password Manager on Android and it’s shown as
synced passkey. I looked at webauthn.io source code and it seems that the description is based on some credential parameters: https://github.com/duo-labs/webauthn.io/blob/master/_app/homepage/views/index.py#L35-L48
I wonder why Bitwarden sets them differently than Google Password Manager
I just did a couple of tests:
If you register a passkey with default values, it is stored in the vault as discoverable.
If you register a passkey with the discoverable credential option set to discouraged, then it is stored in the vault as non-discoverable.
This seems right to me.
Although in both cases, when you check them on their website, they are shown as having unknown discoverability.
And, that those passkeys stored in bitwarden are shown as device-bound, that does not seem right to me.
Resident keys/discoverable credentials should have that set: