Can an unprivileged user (in principle) extract a passkey from Bitwarden?

Hi all,

As the local Bitwarden wrangler responsible for some 20 user accounts and for ensuring their access to our company’s shared accounts on our supplier websites, I was wondering whether it was possible for me, given that a website supports passkey login, to add a passkey to a login item, let users use it, but completely prohibit them from accessing and storing it.
I know that there is no button to ‘download passkey’ or such; what I’m asking is whether the WebAuthn protocol allows for a login action between three parties (kinda like Kerberos, I guess?) where Bitwarden receives and processes an authentication challenge on behalf of the user and provides a session token, or whether Bitwarden simply sends the passkey to the user and their browser does the actual work (where, in principle, the passkey could be captured).

Best,
Andreas

Yes, it is trivial for a user to extract a passkey using the Bitwarden CLI:

bw get item d39b499a-26ad-499f-bb7f-b21200721cac | jq '.login.fido2Credentials'

[
  {
    "credentialId": "45f3b78e-db6f-4dc9-8a56-76fbb6275c70",
    "keyType": "public-key",
    "keyAlgorithm": "ECDSA",
    "keyCurve": "P-256",
    "keyValue": "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2URcvdLtGtK-abRshlkTqDeCeunj0NhWECcFGsMZYCKhRANCAAQaSYj8Ju8BonXuPWigdZkMtMF00N1bARh75O_9T8MSUB1Sf3I_Q2mdjpa6GkccDzTzu54y9w-rFCmd6ZAYLDlg",
    "rpId": "webauthn.io",
    "userHandle": "dWZTT1VaakduV0Z0cUJBOVFScDVmUjRnODRnNWpiX0N1NDNZZEplQWRocw",
    "userName": "example_username-nondisco",
    "counter": "0",
    "rpName": "webauthn.io",
    "userDisplayName": "example_username-nondisco",
    "discoverable": "false",
    "creationDate": "2024-10-23T06:55:28.287Z"
  }
]
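To make concrete what that `keyValue` field holds, here is an added Python example (not part of the original post and not Bitwarden's own code) that parses the fido2Credentials output quoted above. It restores the base64url padding, walks the PKCS#8 DER structure by hand, and checks that the 32-byte scalar is the private half of the embedded P-256 public point, i.e. that the vault item contains a complete signing key rather than just metadata. The sample input is a trimmed copy of the credential fields shown in the answer; the function and variable names are the example's own, and only the standard library is used.

```python
"""Audit what `bw get item ... | jq '.login.fido2Credentials'` hands out.

Added example for this thread, not Bitwarden code: decode keyValue, parse the
PKCS#8 DER without third-party libraries, and confirm the private scalar matches
the public point stored beside it.
"""
import base64
import json

# Constructed sample: the credential quoted in the answer above (webauthn.io test
# credential), with fields that are irrelevant to the key check left out.
SAMPLE_FIDO2_CREDENTIALS = """
[
  {
    "keyType": "public-key",
    "keyAlgorithm": "ECDSA",
    "keyCurve": "P-256",
    "keyValue": "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2URcvdLtGtK-abRshlkTqDeCeunj0NhWECcFGsMZYCKhRANCAAQaSYj8Ju8BonXuPWigdZkMtMF00N1bARh75O_9T8MSUB1Sf3I_Q2mdjpa6GkccDzTzu54y9w-rFCmd6ZAYLDlg",
    "rpId": "webauthn.io",
    "userName": "example_username-nondisco"
  }
]
"""

OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7

# NIST P-256 domain parameters; affine arithmetic is enough for a one-off check.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def b64url_decode(text):
    """keyValue is unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, header = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length (the outer SEQUENCE uses 0x81 0x87)
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    start = pos + header
    return tag, buf[start:start + length], start + length


def parse_pkcs8_ec(der):
    """Return (curve, private scalar bytes, uncompressed public point bytes)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unexpected PKCS#8 version")
    _, alg, pos = read_tlv(body, pos)             # AlgorithmIdentifier
    _, oid, off = read_tlv(alg, 0)
    _, curve_oid, _ = read_tlv(alg, off)
    if oid != OID_EC_PUBLIC_KEY:
        raise ValueError("not an EC key")
    curve = "P-256" if curve_oid == OID_PRIME256V1 else "unknown"
    _, inner, _ = read_tlv(body, pos)             # OCTET STRING wrapping ECPrivateKey
    _, ecpriv, _ = read_tlv(inner, 0)             # ECPrivateKey SEQUENCE (RFC 5915)
    _, _, off = read_tlv(ecpriv, 0)               # version 1
    tag, scalar, off = read_tlv(ecpriv, off)      # privateKey OCTET STRING
    if tag != 0x04:
        raise ValueError("missing privateKey")
    public_point = None
    while off < len(ecpriv):
        tag, value, off = read_tlv(ecpriv, off)
        if tag == 0xA1:                           # [1] publicKey BIT STRING
            _, bits, _ = read_tlv(value, 0)
            public_point = bits[1:]               # drop the unused-bits byte
    return curve, scalar, public_point


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Plain double-and-add; adequate for an offline consistency check."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def audit_credentials(fido2_json):
    """For each credential, report whether keyValue is a complete signing key."""
    report = []
    for cred in json.loads(fido2_json):
        curve, scalar, pub = parse_pkcs8_ec(b64url_decode(cred["keyValue"]))
        matches = False
        if curve == "P-256" and pub and pub[0] == 0x04 and len(pub) == 65:
            expected = (int.from_bytes(pub[1:33], "big"), int.from_bytes(pub[33:], "big"))
            matches = scalar_mult(int.from_bytes(scalar, "big"), (GX, GY)) == expected
        report.append({"rpId": cred["rpId"], "userName": cred["userName"], "curve": curve,
                       "private_key_bits": len(scalar) * 8,
                       "public_key_matches_private": matches})
    return report


if __name__ == "__main__":
    for entry in audit_credentials(SAMPLE_FIDO2_CREDENTIALS):
        print(entry)
```

The report for the quoted credential shows a 256-bit P-256 private scalar whose public point matches, which is why the original poster's goal cannot be met at the vault layer: anyone who can read the item (including via the CLI) holds the same signing key the browser uses. Restricting who can read or export the item, and auditing CLI access, is the control that remains.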

Thanks for clearing that up! (Bummer though…)