The passkey system on this forum appears to be malfunctioning. I successfully created a passkey in Bitwarden, but when I attempted to change my account password, the site prompted for the passkey and Bitwarden said there was no corresponding key in the vault.
After removing the passkey from my account, the site continues to demand a passkey Bitwarden can’t locate, which prevents me from changing my password. I was able to update my email address before setting up the passkey, but the passkey feature itself obviously isn’t functioning correctly.
Do I really have to delete this account and start over with a new one? If I can’t change the password at all, this account feels unusable. I understand now why more people avoid two-factor authentication altogether. When the second-factor system breaks, it becomes very easy to get locked out of your own account.
Click on the icon in the top-right corner and select the last (person) icon in the right-hand column. This opens your account properties. From there, select “preferences”, then “security”. On this page, your passkeys are listed. Click on the gear icon to rename or delete a passkey.
Or, click this personalized shortcut:
Also, while messing with credentials, to reduce the risk of lockout, I tend to keep one browser logged in and test that things work using either a different browser brand or an incognito window before closing the first one.
Per your suggestion, I tested this in incognito mode. As I suspected, the account system has locked me out. If I lose this current session, I won’t be able to log back in because the passkey system is broken. When I first saved the passkey and attempted to change my password, Bitwarden opened and said there was no passkey. I don’t know what to do at this point. Is there any way for me to delete this account?
I believe that @dwbit will be back Monday. He has more powers than me to fix community issues. If it is just a lockout, he might be able to unlock, but do try to keep the session open. Mine stays open for easily a week if I just don’t logout.
He also has the ability to delete accounts if it comes to that.
@BW_Michael Can you remember ever first creating a 2FA-passkey (“2FA security key”) – and then overwriting that in your Bitwarden vault with a login-passkey for the forum?
That would be one theory of how an invalidated passkey could end up in your vault.
(sidenote: and in my view that would be a strong reason to allow (at least?!) two passkeys per login item – and being able to label stored passkeys, e.g. as “for 2FA” and “for login”)
PS: I agree with @DenBesten – a forum admin / BW employee might be able to help with your account.
@BW_Michael Ah… and when it indeed was a “2FA security key” in your case: do you have the 2FA backup codes somewhere? Or still TOTP activated? – In general, for every 2FA, it is a good idea to use (/store) the backup methods to avoid a logout…
The passkey was created yesterday. Once I saw that Bitwarden wasn’t acknowledging that a passkey existed on the account, I decided to remove it. At this point, there is no passkey associated with the account, so it shouldn’t be prompting me for one.
I realized something was wrong when I tried to reset my password after changing my email address, thinking it would be safer to update both. It’s possible my mistake was attempting to change the password after enabling the passkey instead of before. But that should be irrelevant now, because the passkey has been removed. Since there is no longer a passkey on the account, I shouldn’t be asked to provide one.
I also don’t want to get you logged out now – but if you can: when you enter “Manage Two-Factor Authentication” (visible in your last screenshot)… what do you see there? (maybe also post a screenshot)
When I clicked the “Manage Two-Factor Authentication” button, I could see that the security key was on the account, but Bitwarden still didn’t recognize it for some reason. I’m not sure why. Now that two-factor is fully disabled, should I try signing into my account using an incognito window?
If you didn’t set up that “security key” yesterday, but a “passkey” (in the previous page) then I would indeed guess that you overwrote your “security key” with the “passkey” yesterday in your Bitwarden vault entry. – That would explain why it didn’t work (the forum expected the “security key”, but your BW vault only had the “passkey” then).
I guess that means you could successfully deactivate the “security key”? – If there is indeed no 2FA enabled now, I think you could try that… (but don’t hold me accountable)
Is there actually a distinction between a security key and a passkey? I assumed Bitwarden treats them as essentially the same, just with different names.
To answer your question, yes, I did overwrite the key once during the troubleshooting process because I was trying to figure out why the passkey wasn’t showing up when I enabled it. I didn’t know that the passkey and security key are different things. If I have this correctly, a passkey is a virtual 2FA method stored in the Bitwarden vault with the corresponding account, while a security key is a physical item such as a YubiKey or something similar. Is that correct?
That whole topic is kind of a mess… One reason: many definitions – and many use the definition that should be used in a certain case too loosely…
I’m no expert here - but just a short idea:
Security key:
can be a physical security key (like a YubiKey)
is also used as a name for “non-discoverable credentials” (which also existed in FIDO(1) I think – as U2F – probably not called “non-discoverable” at that time… the older name was “non-residential”…)
Passkey:
is in the stricter definition a “(FIDO2) discoverable credential”
some – including Bitwarden – also call “(FIDO2) non-discoverable credentials” passkeys
And I can remember some threads where we also discussed this here on the forum – I think e.g. @kpiris posted some screenshots/text from vault exports, where one could see that as Bitwarden stores “passkeys”, discoverable and non-discoverable credentials get stored very similarly, just varying in variables for “discoverable” on/off…
I think I already covered some of this in my previous post…
And I would add:
The forum – as many services – makes a distinction between
“security key” → that’s the name the forum chooses for their 2FA “non-discoverable credential” (my guess) [PS: I think the name “security key” for that credential was historically introduced, as those credentials could in the beginning only be used with “physical security keys”… but now, also “virtual authenticators” like Bitwarden can store them – when the respective service doesn’t restrict it]
“passkey” → that’s the name the forum uses for a fully functional FIDO2 discoverable credential a.k.a. “passkey”
You can store both in the BW vault as a “passkey”… They are not the same credential. They are not interchangeable for the forum.
I’m about ready to have an aneurysm here. You’re telling me the password manager can handle both, but most services only support one of them. That’s a serious issue, because it means more average users are going to lock themselves out of their accounts by mixing the two up.
I’m not sure what you’re asking. I was busy troubleshooting and trying to read through the responses, so I didn’t have a chance to reply to every post. I only saw your post later.
I stored the forum’s “security key” in a separate login item, labeled with “2FA-Passkey”.
And note again (or rather to be explicit): With that first login item there, I can only fully login with that passkey – but I can’t use that as 2FA (“security key”) for the forum. And with that second login item, I can only use the stored “passkey” as 2FA for the forum (“security key”) – and not for a full passkey login.
(And that’s why I already wrote previously, I would welcome the ability to at least store two “passkeys” in one BW login item – maybe even predefined/labeled as “2FA-passkey” and “login-passkey”, to 1. be able to store both kinds of credentials in one item, 2. to distinguish them better and 3. to reduce the risk of overwriting them with the other kind of credential [non-discoverable v. discoverable])
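As an added example (not code from this thread or from Bitwarden), the overwrite theory from the posts above in a small Python model: one vault login item with a single passkey slot, a site that issues a non-discoverable “security key” for 2FA and a discoverable “passkey” for login, and the two ways of storing them (one item versus the two separate items described above). The RP ID forum.example and all function names are made up for the example.

```python
# Constructed toy model, not Bitwarden's or the forum's code: a vault login item with
# ONE passkey slot, and a site that uses two distinct WebAuthn credentials, a
# non-discoverable "security key" for 2FA and a discoverable "passkey" for login.
import secrets
from dataclasses import dataclass

@dataclass
class Credential:
    credential_id: bytes
    rp_id: str
    discoverable: bool  # False = "security key" (2FA), True = login "passkey"

def register(site_creds, vault_item, rp_id, discoverable):
    """Site issues a new credential; the vault item stores it in its single slot."""
    cred = Credential(secrets.token_bytes(16), rp_id, discoverable)
    site_creds.append(cred)
    vault_item["passkey"] = cred  # overwrites whatever the item held before
    return cred

def second_factor_options(site_creds, rp_id):
    """2FA step: the site lists the security-key IDs it accepts (allowCredentials)."""
    ids = [c.credential_id for c in site_creds if not c.discoverable]
    return {"rpId": rp_id, "allowCredentials": ids}

def passkey_login_options(rp_id):
    """Passkey login: empty allow list, so only a discoverable credential can answer."""
    return {"rpId": rp_id, "allowCredentials": []}

def can_assert(vault_item, options):
    """True if the stored credential can answer this request; False = 'no key found'."""
    cred = vault_item["passkey"]
    if cred is None or cred.rp_id != options["rpId"]:
        return False
    if options["allowCredentials"]:
        return cred.credential_id in options["allowCredentials"]
    return cred.discoverable

def simulate(separate_items):
    """Returns (2FA ok before, 2FA ok after saving a login passkey, login ok)."""
    rp, site_creds = "forum.example", []  # constructed RP ID
    item_2fa = {"passkey": None}
    item_login = {"passkey": None} if separate_items else item_2fa
    register(site_creds, item_2fa, rp, discoverable=False)    # "security key"
    before = can_assert(item_2fa, second_factor_options(site_creds, rp))
    register(site_creds, item_login, rp, discoverable=True)   # login "passkey"
    after = can_assert(item_2fa, second_factor_options(site_creds, rp))
    login = can_assert(item_login, passkey_login_options(rp))
    return before, after, login
```

With a single item the second registration replaces the 2FA credential, so the site’s security-key challenge finds no matching ID in the vault, which is the “no corresponding key” message; with two items both challenges keep working.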
Oh, no problem. I just thought that if your previously created “security key” in the forum was still stored in your BW login item – not overwritten with the forum’s passkey – when you first experienced your issue here… then my theory (that it was overwritten in your BW vault with a forum passkey) can’t explain why you experienced your issues here in the first place.
It’s frustrating that there’s no simple, clear distinction here. A passkey used for login and one used for two-factor authentication should basically behave the same. This feels like something an engineer built without actually consulting everyday users. Password managers should treat security keys and passkeys identically so the user can’t mess it up—like USB-C, where it works no matter which way you plug it in. Whether you pick “security key” or “passkey,” it should just work.
Unfortunately, it’s not as simple as that. To come back to the example of the forum: the forum uses two different credentials – and Bitwarden can’t store them as the same credential…
Yeah… that whole thing is messy… I guess to simplify that is one reason to just call everything a “passkey” now… as Bitwarden does it… but for a longer time now, I think that makes it only simpler on the surface, but indeed adds more confusion to it.
BTW: With all 2FA for the forum now also disabled – were you able to login again in the incognito window (if you tried it)?
PS: I changed the title of the thread to something less scary… hope that is okay with you. (before, it was “Passkey Broken”)