I would like to store my passkeys on Bitwarden. When creating a new passkey, e.g. on Github, at the point of creation a Keychain window pops up asking me to save it there, but not to Bitwarden.
When in Github if I go into settings > password and auth > add passkey, I see this popup after clicking: “Add a passkey”
Then, when I click on ‘Add passkey’ two things happen:
A blank browser tab titled ‘bitwarden’ opens to a url of the form (values edited): moz-extension://e2ab0<long string>dfdc4/popup/index.html?uilocation=popout&singleActionPopout=vault_Fido2Popout_bb150aae-1a8c-4d4a-a38f-1e8a5ea0d52a#/fido2?sessionId=<123abc>&fallbackSupported=true&senderTabId=92&senderUrl=https:%2F%2Fgithub.com%2Fsessions%2Ftrusted-device%3Freturn_to%3D%252Fsettings%252Fsecurity
A keychain popup shows asking me continue with touch id, advising it will be saved in keychain:
Why did Bitwarden open a blank tab to moz-extension://e2ab0<long string>dfdc4/popup/index.html...?
How can I save my passkey in Bitwarden?
Why do you have this stupid rule that I cannot post screen shots since I’m a new user? This post, which I spent time taking screns off is now diminished because I cannot communicate the issue as clearly as otherwise.
The restriction on image posting by new users is an automated function of the forum software (Discourse) in order to prevent spam on the forum. You can try to send me the screenshots as a direct message (I don’t know if this is allowed for new users or not, but it may be worth a try); if I do get your screenshots, I can insert them into your post for you.
Also, which version of the browser extension do you have installed?
Did you check in the Bitwarden extension: Settings → Notifications → “Ask to save and use passkeys”?
Did you check whether the regarding domains are on the “excluded domains” list (they shouldn’t be)? Settings → Notifications → Excluded domains → delete the corresponding domains in that list (if they are in that list)
Did you check in the Bitwarden extension: Settings → Notifications → “Ask to save and use passkeys”? This box IS selected.
Did you check whether the regarding domains are on the “excluded domains” list (they shouldn’t be)? Settings → Notifications → Excluded domains → delete the corresponding domains in that list (if they are in that list) There are no domains in that list
Did you disable your “browser password manager” / Safari (Disable a Browser’s Built-in Password Manager | Bitwarden Help Center) and/or “Apple’s iCloud KeyChain”? (that can interfere with the Bitwarden app) Firefox. I tried disabling keychain but all that did was prompt me to turn keychain on when clicking to add a passkey. Note that Bitwarden did or tried to do something when openning that blank tab as described above
Maybe a tip for the screenshots: if the restriction is still there, combining all screenshots into one large image file could work. Added below
Lastly: do you have all Bitwarden apps up-to-date? (around 2024.12.x versions) Version 2024.11.2
@dougfir Glad to see it worked with the screenshots. Unfortunately, I think I can’t help you. I’m not familiar with MacOS.
… Do you have some kind of custom configuration of Firefox (or MacOS?), that could explain the blank browser tab??
The blank browser tab still sounds strange. It could be a bug. (?!) - I personally probably would try to deinstall and reinstall Bitwarden and Firefox, to see if something went wrong there. (probably with deleting the local data of the Bitwarden extension before reinstalling - https://bitwarden.com/help/data-storage/#on-your-local-machine )
To the case of disabling KeyChain (because when it in interferes, I still would try to disable it?!) - I found:
Go to System Preferences > iCloud.
Uncheck the box next to “Keychain”.
But this is all speculation and decide for yourself if you feel adventurous enough to poke around with that, with no guarantee that it changes anything.
Hopefully, someone who know Mac’s better, can help you.
I tried reinstalling Bitwarden. I was able to save a passkey to Bitwarden but at no point did it ask for my fingerprint. Instead:
Deleted existing passkeys, turned off keychain
Clicked ‘add passkey’ in Github > Bitwarden pop-up shows asking me to confirm and save passkey
After confirming I’m taken back to github and asked to name my passkey
Save
Now I have an item in my bitwarden passkeys, and I’m even able to login with it. But I’m confused because I was never asked to provide a finger print via my device. Is that expected? Have I misunderstood how passkeys work?
A “passkey” is just a method for an authenticator (e.g., Bitwarden or the Apple Keychain) to communicate with a website to securely authenticate the user (e.g., for purposes of logging in). Passkey authenticators are supposed to verify the users identity (by asking for a PIN or fingerprint, etc.) at the start of the authentication process; when you use an authenticator like Apple’s Keychain, Windows Hello, or a Yubikey, then you will be required to provide a PIN or other identifying information (such as a fingerprint) before the passkey login process can proceed. When Bitwarden’s browser extension is the passkey authenticator, Bitwarden does not require any type of user verification before the passkey login process can occur. Technically, this is in violation of the standards for passkey authentication, and Bitwarden will presumably implement user verification for passkeys at some point (in fact they tried it some time ago, but the implementation was not well-designed, and the feature was removed in a subsequent update). In the meantime, the security of passkeys stored in your Bitwarden vault is dependent on your ability to safeguard your vault (by restricting any access to your devices, and by taking all available precautions to safeguard against malware).
If you are familiar with Bitwarden’s option (for Premium users) to store TOTP keys and generate TOTP codes using the password manager, then you should be aware that storing a passkey in Bitwarden has similar risks to storing TOTP key in Bitwarden (together with the username and password). In both cases, someone with access to your unlocked vault will be able to log in to any account for which you have stored a passkey or TOTP key.
Related to my previous post which is now closed and I cannot add a comment. I wanted to share a finding in case any other Firefox user comes across issues using passkeys that I encountered.
The issue described on that linked post was that whenever I tried to add a passkey with Bitwarden, using Github as an example, the bitwarden pop-out box would fail by attempting to open in a new tab. It was suggested I try reinstalling the add on which worked for me in the first instance but the issue started up again, after I had marked as resolved.
I iterated over my add-ons switching each off and trying again and was able to isolate the cause of my issue, ‘Sticky Containers’ which I use in conjunction with the popular Sideberry add-on.
Temporarily disabling the Sticky Containers extension allowed me to save and use a passkey. It makes sense, the extension keeps newly openned tabs in the same container as openned in, which I guess interferres with pop-ups. I had event tried to completely disable pop-up blocking yet the issue remained.
In case anyone using Firefox is having a hard time creating or using passkeys, or issues where the bitwarden pop-out window fails, temporarily disabling Sticky Containers worked for me.
Thank you for sharing what you found. I’ve moved your follow-up post to the original thread, marked your most recent comment as the solution, and re-opened the thread for further comment (will be auto-closed 30 days after the last response).
