Discussion about U2F vs FIDO2 passkeys for Bitwarden Two-Step Login

Correct, you can get a bitwarden item in json format from an export or from bitwarden cli (what I posted is exactly the output of the following CLI command):

bw get item 2c961731-c731-4bea-9968-b20f0145a20f | jq

jq only makes the output a little prettier.

Discoverable and non-discoverable credentials inside the vault look exactly the same with just that difference (the value of that discoverable attribute).

This is a discoverable one:

{
  "passwordHistory": null,
  "revisionDate": "2024-10-21T12:29:28.300Z",
  "creationDate": "2024-10-21T12:29:27.973Z",
  "deletedDate": null,
  "object": "item",
  "id": "15468098-4f8a-4ebf-b299-b21000cdd8ec",
  "organizationId": null,
  "folderId": null,
  "type": 1,
  "reprompt": 0,
  "name": "webauthn.io (discoverable)",
  "notes": null,
  "favorite": false,
  "login": {
    "fido2Credentials": [
      {
        "credentialId": "bb7844f6-15b4-4c6e-a391-e4c09c277513",
        "keyType": "public-key",
        "keyAlgorithm": "ECDSA",
        "keyCurve": "P-256",
        "keyValue": "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQggIKdTKRh3rBjNAOCnFzYylw3vVb0qBn7eua7Kg0WTEyhRANCAAQHiYYej53bpuA6svRfoLY343rd357SvWq1hC5QZcrxTquUb3bs5aBY9arlNoSi2zBKaOiF3HEQgXSFnFJFhJkw",
        "rpId": "webauthn.io",
        "userHandle": "eXgxSlkwQXNUaEhxc3poa3dHell2TExKdng0RFgtUUVnRGd1LWtBSGpOaw",
        "userName": "example_username",
        "counter": "0",
        "rpName": "webauthn.io",
        "userDisplayName": "example_username",
        "discoverable": "true",
        "creationDate": "2024-10-21T12:29:28.250Z"
      }
    ],
    "uris": [
      {
        "match": null,
        "uri": "https://webauthn.io/"
      }
    ],
    "username": "example_username",
    "password": null,
    "totp": null,
    "passwordRevisionDate": null
  },
  "collectionIds": []
}

Non-discoverable credentials, I guess, make more sense on hardware keys (where the storage available for the cryptographic keys and the data associated with them is very limited).

With a password vault that limitation does not exist.

But, as they are in the FIDO specifications, password managers have to support them.

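An added example, not from the post or from Bitwarden: it reads the item JSON shape shown above (as produced by `bw get item` or an export), normalizes the string-valued `discoverable` flag, decodes the base64url `userHandle`, and checks whether `keyValue` is a PKCS#8 blob holding a P-256 private key, which is why such output has to be treated as secret material. The second, non-discoverable credential in the sample is a constructed placeholder, and the OID check is a lightweight heuristic rather than a full ASN.1 parse.

```python
import base64
import json

# Constructed sample: the fido2Credentials subset of the `bw get item | jq` output quoted
# above, plus a hypothetical non-discoverable entry (same shape, only "discoverable" differs).
SAMPLE_ITEM = json.loads("""{
  "type": 1, "name": "webauthn.io (discoverable)",
  "login": {"fido2Credentials": [
    {"credentialId": "bb7844f6-15b4-4c6e-a391-e4c09c277513", "keyType": "public-key",
     "keyAlgorithm": "ECDSA", "keyCurve": "P-256", "rpId": "webauthn.io",
     "keyValue": "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQggIKdTKRh3rBjNAOCnFzYylw3vVb0qBn7eua7Kg0WTEyhRANCAAQHiYYej53bpuA6svRfoLY343rd357SvWq1hC5QZcrxTquUb3bs5aBY9arlNoSi2zBKaOiF3HEQgXSFnFJFhJkw",
     "userHandle": "eXgxSlkwQXNUaEhxc3poa3dHell2TExKdng0RFgtUUVnRGd1LWtBSGpOaw",
     "userName": "example_username", "counter": "0", "discoverable": "true"},
    {"credentialId": "00000000-0000-4000-8000-000000000000", "keyType": "public-key",
     "keyAlgorithm": "ECDSA", "keyCurve": "P-256", "rpId": "example.test", "keyValue": "",
     "userHandle": "dXNlci0x", "userName": "user-1", "counter": "3", "discoverable": "false"}
  ]}
}""")

EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey, 1.2.840.10045.2.1
PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")   # prime256v1 (P-256), 1.2.840.10045.3.1.7


def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, which is how userHandle is stored."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def looks_like_p256_pkcs8(key_value_b64: str) -> bool:
    """Cheap OID-pattern check (not a full ASN.1 parse) that keyValue is a PKCS#8 blob
    carrying a P-256 private key, i.e. the export holds the secret itself, not a handle."""
    try:
        der = base64.b64decode(key_value_b64, validate=True)
    except ValueError:
        return False
    return der[:1] == b"\x30" and EC_PUBLIC_KEY_OID in der and PRIME256V1_OID in der


def summarize_fido2(item: dict) -> list:
    """One row per passkey in a Bitwarden login item (CLI or export JSON)."""
    rows = []
    for cred in (item.get("login") or {}).get("fido2Credentials") or []:
        rows.append({
            "rpId": cred["rpId"],
            # Bitwarden stores the flag as the string "true"/"false", not a JSON boolean.
            "discoverable": cred.get("discoverable") == "true",
            "userHandle": b64url_decode(cred["userHandle"]).decode("utf-8", "replace"),
            "counter": int(cred.get("counter") or 0),
            "privateKeyPresent": looks_like_p256_pkcs8(cred.get("keyValue") or ""),
        })
    return rows
```

Feed it `json.load()` of a full `bw get item` result or each entry of an export's `items` array; the first row of the sample reports a discoverable webauthn.io passkey whose `keyValue` really is a P-256 private key.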