Hi,
beside my issue with Ebay (can’t create a Passkey on my Samsung Galaxy S25), I tried Discord and got another strange issue.
I can successfully set up a Passkey entry into Bitwarden, if I choose the “use my password manager to create a passkey” option. This works fine (at least it seems to), and a Passkey is added to the Discord dataset in the Bitwarden vault.
But where the trouble starts, is the daily usage.
I tried what happens, if I want to log into Discord on my PC.
I can choose “use Passkey” there, next I can choose that an iOS or Android device is the Passkey-hosting-device, then I get a QR code.
Scanning it with my default camera app on the S25 asks me, if I want to unlock the passkey and if this is a trusted device. But then the spinning wheel starts and runs into a timeout.
If you look on the screenshot, I am pretty sure this is not Bitwarden, this seems to be a Google-“Hourglass”.
I think I am forwarded to the Google Password Manager instead of Bitwarden on my S25, even though Bitwarden is the default app?
First, I would recommend to test out passkeys with services that work well with passkeys – e.g. passkeys on this forum usually work well.
I just tested it and if you have the BW browser extension on your PC in use, then the browser extension opens a passkey popup window when you choose “passkey login” on the Discord page.
But even if you choose “Android device” in the Windows Security popups, I could successfully login with the Bitwarden mobile app by scanning the QR code. Bluetooth is active on your phone and PC (needed for the connection in the background) and you chose the system’s QR code scanner of your phone (another scan app might not work for passkeys)?
… looking at your screenshot again, it might indeed be that your phone and PC can’t establish a bluetooth connection. PS: If you established one some time ago, then you might need to reset it / reconnect both devices again.
Oh, I took Firefox and there’s no BW plugin installed.
Maybe I should retry this with Brave or Chrome once.
But in general that’s not what I expected. I thought I could log into any browser this way.
Additionally, there’s no BT connection between phone and PC - I didn’t know that this is needed?
Is there any general guide how to use passkeys?
… or Firefox with an installed and unlocked BW extension…
What exactly do you mean by “log into any browser”??
Puhh… good question… For Bitwarden:
here are some short instructions about creating passkeys via the browser extensions – and here is a short guide about logging in via passkeys using the browser extensions
As far as I see it, that CDA (Cross Device Authentication) is even possible (and how it works - including that bluetooth is needed) with the BW mobile apps is not listed anywhere in the Help Sites (also @dwbit) – some info to CDA could be found e.g. here on Corbado: What is CDA (Cross-Device Authentication) in WebAuthn?
I wasn’t aware that this cross-device authentication is such a pain i.t.a.
I thought this is more like the password-less Microsoft feature or maybe like making your phone into something like a fido-key.
I thought I could go to any device anywhere, go to ebay / discord etc. saying “let’s use passkey for authentication” and either the device itself (fido-key like) is the key or it kind of talks to the webpage in the background (Microsoft-like).
So if the passkey is tied to a certain device, how do you unlock these services on other devices?
Or is this wrong in my mind and the passkey is tied to Bitwarden, so any browser with a Bitwarden extension and an unlocked Bitwarden session could log in?
Yeah, that would be the idea with passkeys stored in Bitwarden… and it usually works - if the services implement passkeys well.
Passkeys stored in Bitwarden are not tied to the device. – Quite the opposite. There are two types of passkeys (which basically are the same and only differ in where they are located/stored on your side - and that brings other upsides and downsides with it):
device-bound passkeys = hardware-bound passkeys (–> e.g. a passkey stored on a hardware security key)
syncable passkeys = “software-bound” passkeys (–> e.g. a passkey stored in a password manager like Bitwarden)
Well, a “fido-key” would usually be a USB (or NFC) key - so that also requires some “connection” between the devices. I think a bluetooth connection in passkey-CDA was introduced as some kind of “proximity check”… making sure that both devices are near to each other - and not in two totally different locations in the world…
OK, so I added the Passkey once again, and now it works in Brave for example, if my Bitwarden vault is opened at least (I didn’t try what happens if it’s locked when I try to enter discord).
But I still can’t wrap my mind about the other way I tried.
Yes, BT was not established (long story, I will add as OT at the end).
So IF BT is connected, I can go to any machine / browser without Bitwarden installed, connect them via BT and use the Bitwarden passkey from my phone? Would this work?
Or does the hosting system (like the browser trying to open discord) always need its own running BW session on it?
OT: Got a Gigabyte X870E board with BT on it.
But for any reason Windows is insisting on installing its own (sh1tty) driver which doesn’t work. Using the Gigabyte one works, but Windows takes any chance to say “hey, that’s not the right driver, mine is better!” and rolls back.
As I do not need BT, I gave up on this…
OK discord works now as said before. What I am wondering (phone is not ready right now…) what happens on my Phone (Android with Chrome) if I go into the browser or the discord app itself?
Is it clever enough to pass this through to the bitwarden app, as the Android App got no extension installed?