Bitwarden passkeys shown as "device-bound credential of unknown discoverability"

Ask the Community Password Manager
,
1

Hello,

When I add a Bitwarden passkey in https://webauthn.io/, in the description it’s shown as device-bound credential of unknown discoverability. I also added a Passkey in Google Password Manager on Android and it’s shown as synced passkey. I looked at webauthn.io source code and it seems that the description is based on some credential parameters: https://github.com/duo-labs/webauthn.io/blob/master/_app/homepage/views/index.py#L35-L48

I wonder why Bitwarden sets them differently than Google Password Manager

2

I just did a couple of tests:

If you register a passkey with default values, it is stored in the vault as discoverable.

If you register a passkey with the discoverable credential option set to discouraged, then it is stored in the vault as non-discoverable.

This seems right to me.

Although in both cases, when you check them on their website, they are shown as having unknown discoverability.

And, that those passkeys stored in bitwarden are shown as device-bound, that does not seem right to me.

3

I looked into the code and https://github.com/duo-labs/webauthn.io/blob/master/_app/homepage/views/index.py#L37 is https://github.com/duo-labs/py_webauthn/blob/master/webauthn/helpers/structs.py#L640 and that’s actually Web Authentication: An API for accessing Public Key Credentials - Level that is not set by Bitwarden

4

Resident keys/discoverable credentials should have that set:

"clientExtensionResults": {
  "credProps": {
    "rk": true
  }
},