I want to use the biometric authentication without having to log in to the desktop app first.
It seems unnecessary to me that the desktop app has to cache the Vault locally and also be logged in so that it can perform the browsers biometric authentication. From this point of view, two logins are necessary.
It may be possible to install only a agent that can be triggered by the browser extension, to handles the biometric authentication.
At the current moment its really about access levels and APIs to Hello/Touch ID - the desktop app is the most reliable way to connect to those APIs vs. browser-based integration. Though, there is a point in having the desktop be the âcentral stationâ for convenience - but that is more of this feature.
Weâll see how the browsers progress with support for Biometrics, though!
Maybe my request was misunderstood. I think I understand the reason why an app is needed so that the browser can access the biometric API through it. Thatâs ok, the problem is why does the app need to be sign-in to bitwarden first and also include the full vault? The agent Iâm describing would still be a Win32 app that accepts the authentication request from the browser and communicates with the Windows API, but it doesnât require any additional bitwarden login and no vault.
It would be great if users could unlock their vault through the Bitwarden browser extension without having to open the Bitwarden desktop app (or even without having the desktop app installed at all).
Is this something that is even technically possible? I think so but Iâm not sure.
Nevertheless, if itâs possible, this should be implemented, as it can only benefit users (if it is not at the expense of security compared to the previous implementation where the desktop app is needed)!
Is this now possible with passkeys? Save a passkey to access bitwarden, and use it to login to the extension? That should use the operating systemâs authentication.
I see some messages stating itâs not possible for security reasons.
I regularly use different websites that offer biometrc authentification without any desktop agent.
When logging to these website, a popup comes calling âWindows helloâ. As far as I know, it looks like a key is registered on website or computer side.
Whatever the technical details, I can assure it involves only the web browser, and not any desktop companion app.
Logging onto my bank account is as follows:
After giving my user name, the web page says: ConnectingâŚ
A popup opens on top:
The window title is âWindows Securityâ
Text is: Sign in with your passkey to â####.comâ as â#####â.
This resquest comes from the app âchrome.exeâ by âGoogle LLCâ.
I can scan my fingerprint or choose different authentication method as for opening my windows user account (face, pin, etcâŚ)
Once identity verified, popup closes and webpage unlocks, account is logged
The window popup is clearly a call to âWindows Helloâ service made from the browser.
The biometrics themselves are not being âsentâ to the website. The biometrics are being used by the windows chrome executable to authenticate you to chrome to decrypt your chrome-vault containing a passkey that is then used to login to the website.
This is very similar to how bitwarden does it, but with the difference that Chrome does not allow extensions to access windows hello, so the Bitwarden extension has to ask the bitwarden executable to it on its behalf.
Thank you DenBesten for the very detailed feedback about the technology behind.
You are right, I can confirm that any website that offered this authentication informed me that a secret key was to be saved into the browser. This probably refers to the key saved into the chrome vault you are talking about.
If I understand well, what prevents bitwarden to act as those websites if the fact that Chrome does not allow extensions to access windows hello.
I donât know if the Bitwarden extension could communicate with an authentication web page that does the call to windows helloâŚ?
I donât know what are the technical possibilities or limits. But from the user point of view it could be really much more user friendly to authenticate without any additional software (if feasibleâŚ).
This is not correct. The limitation (as I understand it) is that a browser extension is not permitted to retrieve keys from the Windows secure enclave (e.g., TPM). Therefore, the cryptographic key used to decrypt & encrypt your vault data is retrieved by the desktop app, and transmitted to the browser extension via IPC.
This is not accurate either. When logging in to any browser extension or the Web Vault, the browser downloads and caches an encrypted copy of the vault data.
All encryption/decryption algorithms used by Bitwarden are public, so anybody with access to your encrypted vault cache and a knowledge of your master password can decrypt the cache and access the vault data.
My testing, reading and recollection is that both of the above are true. Since a browser extension can not directly access Windows APIs the desktop app intervenes on its behalf, which requires a secure communications channel, authenticated by being logged into the same vault (locked is OK).
Here is what I learned:
Biometric features are part of the built-in security in your device and/or operating system. Bitwarden Desktop leverages native APIs to perform this validation
Browser extensions do not have access to the native APIs and instead must live within the sandbox provided by the browser.
Extensions can exchange messages with native applications using an API which the extension uses to outsource biometrics to the desktop app.
For a while, Browser biometrics required the desktop app to be unlocked. This was to mitigate a vulnerability that apparently an insecure communications channel between extension and desktop.
It was never clearly stated, but my belief is that in step 4, they began encrypting the channel with the vault encryption key, which is only available when the vault is unlocked and then relaxed the âvault unlockedâ requirement by substituting a âsession keyâ that is tied to the vault, yet survives vault locking.
Neither @grb nor I are Bitwarden employees. Employees can be identified by their Avatar being overlaid with a Bitwarden shield. @grb comes close with a blue ribbon, but that is simply a well-deserved reward for being a great community participant who was rewarded with a few extra moderation capabilities.
Passkeys where invented for web authentication. They support biometry and are available natively in the browser sandbox.
So, technically, it should be possible to use passkeys for biometric unlock of the browser extension without the need for a separate desktop app. At least when you are using Win11 and store the passkey to unlock bitwarden outside of bitwarden (like in Windowsâ built in passkey store).
Check out âHeyloginâ password manager to see a proof of this concept. Their browser extension is basically a modified version of their web app, which makes it possible to unlock the browser extension using passkey biometry. They donât even have a desktop app. Their mobile app is only needed for initial setup of the browser extension. Afterwards you can choose to unlock the browser extension with only passkey biometry (among others).
Login-with-Passkey already works with the web vault if the web browser supports an optional passkey feature called PRF. Rumor has it that this same functionality is coming to the other vaults (desktop, browser, mobile), but it has not yet hit the roadmap.
That said, Login-with-Passkey is not this FR. The proposal here is a lightweight desktop app that performs just the authentication function. Supporting login with passkeys is the subject of another feature request.
- but that is more of