Cannot use the forum and cannot alter my security settings

I joined this forum to find out why BitWarden is failing to save passkeys. A forum member (@Nail1684) responded promptly and helpfully. We started a thread to run several tests.

One of the tests involved trying to add a passkey for access to this forum. I joined this forum with GitHub credentials and can log in with them. But I am not allowed to alter my security settings with my GitHub credentials. It claims I my PW is incorrect. When I try to do a password reset to fix this, it throws an error and will not not send a reset. So I cannot do that test.

When I tried to respond to @Nail1684 about this and several other tests, I was informed that the thread had exceeded a weirdly artbitrary limit of 18 posts/replies. The message suggested I edit a prior reply if I wanted to continue the thread. But my replies are not editable AFAICT. I assume that the forum admin has turned this option off.

So I cannot report on what seems to be a problematic bug. I’m posting here because I can’t see any other relevant topic to post to. Suggestions are welcome.

Hey,

thanks for your message here. As I’m only a “mod”, I only can ping @bw-admin to ask for looking into this and what may have gone wrong with your account now (and to “reset” that, if possible).

Because, when you wanted to reply in the thread we discussed your issue (Best practice to use Bitwarden as passkey provider), I can’t see a reason why you shouldn’t be able to post there again. (to quote you: “I was informed that the thread had exceeded a weirdly artbitrary limit of 18 posts/replies”)

(there are some restrictions in general, but I would think they shouldn’t apply here, as you didn’t post the third time in a row, and there was also some delay between our posts :thinking:)

[Edit to the text I just “crossed out”: don’t listen to me - listen to @DenBesten’s and @grb’s correct replies here down below!]

Whether the restrictions, when you login with GitHub to the forum, are “a bug or a feature”, I don’t know. Maybe @bw-admin can also say more to that.

Apologies from my side - I didn’t think of not logging in here the traditional way :sweat_smile: (password…) and I didn’t consider, if it would work to create passkeys, if one uses “social login” to the forum…

One person is only allowed to have one forum account, but I would say, though a bit hesitant and only for testing purposes, temporarily creating another forum account (with a password) and deleting it afterwards might be okay (it is for using Bitwarden…). – Or you think of and choose another site, where you can further test to create a passkey…

I hope I tackled everything I could for now.

@cmbarton, I see that your “Trust Level” is “new user” and that you have 5 posts on the (other) topic you started.

New users are by default limited to editing their own posts after 24 hours and are limited to 10 replies. My guess is that at least the later one was halved by the Bitwarden admins in an effort to address malicious behavior.

The solution is to spend a half hour or so while logged in wandering around the forum, reading other topics, so you are promoted to “basic user”. You will receive an badge over your avatar in the top-right corner of the screen when this happens and many of the restrictions will be lifted.

NOTE: like @Nail1684, I am not a bitwarden employee; just a regular user that has been blessed with certain extra privileges on the community.

2 Likes

I suppose this is sort of off topic for this post. But since it seems to be the only way to communicate with you until I am able to escape the weird algorithm limiting my replies, I’ll do so here so that you or others can follow up. Perhaps you could start another thread I could respond to.

Anyway here are the results of a few tests you suggested

I tried to safe a passkey today for a financial site that failed before and IT WORKED. I got the save passkey window! So that’s good news.

So full of optimism, I returned to the NSF site that now requires a passkey and tried again. Same problem and popup window I described above (‘you don’t have a passkey saved for this app…’). I deleted the passkey for this site that had been stored in the Apple passwords.app back in November 2024, closed the site, quite Safari, and tried again–making sure that 1) I had the relevant NSF URLs listed for my BitWarden entry and 2) none of these URLs were in the excluded domain list. Still doesn’t work.

Then I tried Firefox. I added and activated the BitWarden extension for Firefox and tried GitHub again. Same problem and popup windows as I get on Safari.

So here is what I can say from this.

  1. Some websites properly activate the ‘save passkey’ notification window and some do not. (2 out of the 3 I tested don’t work. I am unable to test the BitWarden forums)
  2. Ones that do not work with Safari also don’t work with FireFox. So it is not a Safari-specific problem.

Since I cannot test passkeys without a different kind of login from GitHub, I’d be happy change my login to another method. But of course I can’t do that with my GitHub login. As you hesitantly suggest, I could try to create an alternative persona, but worry that it might get me banned from the forums by whatever algorithms are running it. So I’m not sure what to do about this.

1 Like

Thanks for the reply @DenBesten. I’ll look for a half hour or so I can spend change my status. It is not clear what this limit on replies is supposed to encourage or prevent. I realize that this is out of your control. I just want to note that a thread like the one I was locked out of that might lead to either a better understanding of obscure BitWarden behavior or fix of a BitWarden bug would encourage a new user like me to search the forum more often when i run into a problem or have a question. Being cut off in a thread with a helpful member by an obscure and non-transparent algorithm discourages this. Something the admins might want to reconsider. But again, thanks for your response and help.

1 Like

Spam. The reason is spam. That is also the reason why new users cannot edit their comments (editing a prior comment is a common evasion method against spam control).

Forum admins (who are Bitwarden employees) do have the ability to manually adjust your trust level so that you are no longer constrained by “new user” limitations. Unfortunately, they don’t work on weekends, and unluckily for you, the main forum admin here (@dwbit) has some scheduled PTO currently. Unless the acting admin (@eck) is able to manually raise your forum trust level, you have no choice but to take @DenBesten’s advice and organically increase your trust level by reading threads on the forum.

Frankly, I’m surprised that you have not already been promoted to “basic user” with 35 min of accumulated read time (to date), but perhaps reading comments in your own threads doesn’t count.

1 Like

@cmbarton Sorry for some confusion I may have caused about the forum, and thanks to @DenBesten and @grb to “clean it up”. (I think in the future, I’ll look more often into the Discourse documentation…)

I just did so, just in case: MacOS and passkey usage with Bitwarden - continuation

That sounds encouraging! And should confirm, that it is possible!

I would add in general: unfortunately it is the case, that the implementation of passkeys on certain sites is far from perfect. So dependent on what sites you try it - there are cases in which it may not be your system if it doesn’t work, but more the “quirks” of the site.

(BTW, that’s also a reason I suggested the forum account, because it usually works well with passkeys…)

Interesting.

And it makes me think again, that it may be something with the system and/or configuration…

Just a thought, not a recommendation: you could delete your current forum account and start a new one without the “GitHub login”, if you want to avoid every confusion. Of course that would also have the side effect, that the reading and interaction time in the forum would be set to zero again… (BTW, if you can delete the forum account easily… there was/is a bug with the forum software, for some people not seeing the “delete account” button)

Another possibility would be to look for other accounts, you might be able to experiment with passkeys: https://passkeyindex.io and https://passkeys.directory provide lists of sites with passkey support. (“MFA” = a passkey as 2FA/MFA) – Though, as written above, it’s kind of a lottery, if the passkey implementation is good or bad. :man_shrugging:

(personally, I certainly wouldn’t recommend eBay for testing passkeys…)

I can also see that… As @grb already wrote, “spam” is the main reason. Spam happens always here and there, but a few weeks ago, the forum “suffered” a massive spam attack, and the current settings were also a reaction to that incident, as far as I understand it.

Not to derail the thread with “inside baseball”, but spam is always an ongoing problem in any public forum, and there is always an arms race between spam-bots and admins/mods, as spammers deploy new strategies to overcome existing spam defenses, and forum admins then modify forum configurations to ameliorate the situation. Yes, there were some adjustments made in response to the most recent spam wave that you saw, but for example, the restrictions on editing comments is something that I had requested since October of last year (and it was finally implemented in December).

I hear you about the spam arms race. I head a project with a heavily used science gateway that also uses Discourse for its forums. We are in a constant battle of the bots. The no editing of posts after 24 hours seems reasonable. I mentioned that because when I was locked out of replies, the message said to edit my replies–which of course was not possible.

The limit on replies seems odd. But you do what you have to try and fight spam. The welcome might mention this, however. I actually had looked around the forum quite a bit but only logged in when I was ready to post something.

Finally, do you have any suggestion about what to do about being locked out of my security settings because I chose to join using GitHub as an authenticator rather than set up a login/PW with this site? If a different method of authentication is needed for full access, it might be mentioned when one does this. Nevertheless, I’m happy to change it but I don’t have access to do so.

1 Like

Here is some good news. I managed to solve the last issue.

As I noted, when I went to add a passkey, I was taken to a window that asked me enter a password (which is fine). But it did not accept my password. And when I clicked the link to reset my password, it generated a login error.

BUT. while further exploring my profile settings, I found another place to ask for a PW reset. This one worked. And after I did the reset, the add a passkey worked too!. So solved a seemingly insolvable issue and did another test on passkeys.

2 Likes

Glad to hear that you solved your forum passkey issue. And…

CONGRATULATIONS ON YOUR PROMOTION FROM “NEW USER” TO “BASIC USER”!!! :tada: :partying_face: :confetti_ball:

2 Likes