Does adding a passkey enforce 2FA?

I want to add a passkey so that I can authenticate at Bitwarden Web vault more easily (Bitwarden Web vault). However:

  1. I store my credentials in a 3rd-party password manager as backup (much less one with Passkey support) so I want to continue solely using a password.
  2. I know not how to save a single passkey in Bitwarden and another password manager simultaneously.

Consequently, I would like to save the passkey in Bitwarden, but do not want to accidentally render my account inaccessible.

Relevantly, the documentation states:

Passkeys can be used to log in to Bitwarden as an alternative to using your master password and email. Passkeys used to log in to Bitwarden require user verification, meaning you’ll need to use something like a biometric factor or security key to successfully establish access to your passkey.

However, this doesn’t appear to explicitly confirm this. Can anyone themselves confirm (to save me potentially adding something that might render my account impossible to access)?

@rokejulianlockhart

Does adding a passkey enforce 2FA?

What do you mean by that?
Do you mean, that adding a passkey to the Bitwarden account enforces 2FA for the Bitwarden account? Or do you mean that that passkey must (presumably) come with 2FA enforced?

What do you mean by “so I want to continue solely using a password” while simultaneously you want to use a passkey?!?

As far as I know, you more or less can’t store “a single passkey” in two different places. You would have to register two distinct passkeys, one in the first and the other in the second location.

(sidenote: when passkeys get exportable and importable in the future, I don’t know if that changes…)

Two things:

  1. My last info is that you can’t store a Bitwarden-account-login-passkey in your Bitwarden vault (technically prevented by Bitwarden, I guess). But maybe something changed and it works now?
  2. If you could create the passkey, you wouldn’t render your Bitwarden account inaccessible, as that passkey would only be an additional (or alternative) way to log in to your web vault - you can still log in the traditional way via master password and your current 2FA.

(emphasis is my editing)

What exactly do you mean by “this”?

And your quote from the documentation - though not completely clearly expressed, sounds to me like Bitwarden requires the “login-with-passkey”-passkey to be stored on a device (= device-bound/hardware-bound passkey). And that would also explain, why you can’t store it in the Bitwarden vault, as all passkeys, stored in the Bitwarden vault, are by definition synced passkeys. (why do I guess only device-bound passkeys are allowed by Bitwarden? because they mention biometrics and security key… though could be realized by synced passkeys as well :thinking:)

BTW there are further complications, such as PRF (pseudo-random function), if you want the passkey to be “with encryption”, and the Bitwarden vault doesn’t support that (yet) either, I think… etc.


@Nail1684, indeed, that’s all that I fear. I want to ensure that enabling a passkey doesn’t prevent me accessing the account by silently enforcing it as 2FA.

I don’t have any 2FA configured, so I assume that that response confirms that it merely becomes an alternative, rather than an additional factor?

I would like to be able to utilize my passkey as an alternative method of authentication at Bitwarden Web vault when authenticated in the browser extension.

@rokejulianlockhart

Setting up passwordless login (Login with Passkey) does not affect the two-step login configuration of your Bitwarden account in any way.

If you do have two-step login enabled for your account, then using a passkey for passwordless login will always bypass the configured 2FA (because the passkey’s User Verification gesture will serve as a second factor).

If you do not have two-step login enabled for your account, then enabling passwordless login with a passkey will not enable two-step login for your account.

You really should. If your master password is ever compromised (by inadvertently disclosing it, or as a result of shoulder-surfing, info-stealing malware, phishing, or even a brute-force attack, etc.), then the 2FA is the only thing protecting your vault.

Sounds like you’re planning to store your Bitwarden passkey inside your Bitwarden vault. This is not possible.

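The two points made in this thread (that Bitwarden requires user verification for a login passkey, so the UV gesture stands in for the second factor, and the earlier guess that the vault may distinguish device-bound from synced passkeys) both come down to bits in the WebAuthn authenticatorData flags byte. The following is an added example written for this post, not Bitwarden’s code: a relying-party-side check that parses the fixed 37-byte authenticatorData header, verifies the RP ID hash, and reports whether user verification happened and whether the Backup Eligible / Backup State bits mark the credential as a synced passkey. The RP ID `vault.bitwarden.com` is the host named in the thread; the sample byte strings are constructed locally and carry no signature, so the signature check a real verifier must also perform over authenticatorData plus the client data hash is not shown.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticatorData "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # User Present: an authorization gesture happened
FLAG_UV = 0x04  # User Verified: PIN / biometric was checked by the authenticator
FLAG_BE = 0x08  # Backup Eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # Backup State: the credential currently is backed up (synced passkey)
FLAG_AT = 0x40  # Attested credential data follows the header (registration only)
FLAG_ED = 0x80  # Extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthData:
    """Split the fixed-size authenticatorData header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def classify_passkey_login(data: bytes, rp_id: str, require_uv: bool = True) -> dict:
    """Decide, as the relying party, whether this assertion counts as a verified login.

    require_uv=True models Bitwarden's documented rule that login passkeys need user verification;
    with it, a presence-only touch is rejected rather than silently treated as a second factor.
    """
    ad = parse_authenticator_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not ad.flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    user_verified = bool(ad.flags & FLAG_UV)
    if require_uv and not user_verified:
        raise ValueError("user verification required but not performed")
    return {
        "user_verified": user_verified,
        "backup_eligible": bool(ad.flags & FLAG_BE),
        "synced_passkey": bool(ad.flags & FLAG_BS),
        # UV (PIN/biometric) plus possession of the authenticator is what lets a
        # passkey login stand in for a separate second factor.
        "second_factor_satisfied": user_verified,
        "sign_count": ad.sign_count,
    }


def is_rejected(data: bytes, rp_id: str, require_uv: bool = True) -> bool:
    """Helper for callers that only need a yes/no answer."""
    try:
        classify_passkey_login(data, rp_id, require_uv)
        return False
    except ValueError:
        return True


def build_authenticator_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample header (no attested credential data, no extensions, no signature)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples; RP ID taken from the thread, everything else is made up here.
RP_ID = "vault.bitwarden.com"
DEVICE_BOUND_UV = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, sign_count=7)
SYNCED_UV = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
PRESENCE_ONLY = build_authenticator_data(RP_ID, FLAG_UP, sign_count=3)

if __name__ == "__main__":
    for name, sample in (("device-bound, UV", DEVICE_BOUND_UV), ("synced, UV", SYNCED_UV)):
        print(name, classify_passkey_login(sample, RP_ID))
    print("presence-only rejected:", is_rejected(PRESENCE_ONLY, RP_ID))
```

The BE/BS bits are informational only: a relying party can log or display them, but an authenticator that lies about them cannot be detected from the flags alone, so a "device-bound only" policy needs attestation at registration rather than this assertion-time check.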

@grb, I’m aware of that. I use TOTP for all other services.

However, I can’t think of an adequately accessible way of storing my TOTP code across devices. I work in the military, so I need to always have my passwords accessible - saying “sorry corporal, I can’t log in to this computer because my TOTP code is on my phone, which I don’t have with me because I wasn’t allowed to bring it” wouldn’t cut it, whereas a password is always in my head.

I’ve heard others say that they print their password and TOTP code on sheets of paper and store them in text files on each device they own, but I can’t bring those with me everywhere. If there’s a solution for this, I’ll be damn glad, but I haven’t thought of any.

  1. Why not? Is vault.bitwarden.com deliberately excluded?

  2. It must be - the relevant window doesn’t appear at Bitwarden Web vault

    (screenshot of vault.bitwarden.com, 2024.09.24)

Actually, it doesn’t work with a 3rd-party password manager either:

How do you ensure that you always have your master password available?

@grb, I remember it. If I ever suffered a head injury that prevented that, I do have it written somewhere very safe, but nothing short of brain damage could get me to forget it.

If I were some special operations lad, I suppose having 2FA would prevent me having my credentials taken from me during interrogation, but I’m not really interesting enough to be targeted. Having TOTP and/or public-private passkey 2FA on most accounts seems to be enough.

You focus on TOTP here only… Do you have anything always with you, like a key or keychain or whatever? You could “attach” a security key (like a YubiKey) to that and set up FIDO2 2FA for the Bitwarden account with it. That would make the account more secure - and even if it got stolen, you would still have and need the master password for logging in, too. (though that would require that the machines allow USB or NFC…)


You could use a similar approach for your Bitwarden 2FA (memorize the password for accessing your 2FA, but keep a copy of this password written down on your emergency sheet — which should also have a copy of your 2FA reset code). If you’re allowed to install 2FA apps on the devices that you use, then TOTP using Ente Auth may be a good solution (disclaimer: I’ve never used Ente Auth myself, but it has been recommended by users whose opinion I trust). If you cannot install anything, then at a minimum, using email 2FA would be much better than no 2FA — however, if your email account 2FA is stored in Bitwarden, then you may need a separate, dedicated email account for receiving Bitwarden 2FA verification codes; do not set up 2FA for this dedicated email account, and commit the email account password to memory.


@Nail1684, they never, ever do - I think if I tried secretly plugging a USB stick into most computers’ ports they’d get pretty jumpy (though they never seem to care about phone chargers, weirdly enough). Thanks for the idea, though.

I’d also undoubtedly lose a physical key - belt loops and pocket buttons have a tendency to rip off when you’ve been in the shrubbery and lakes of the highlands for a few days - and even at base, I just don’t trust myself not to put it through the wash (which it won’t come back from, because it’s communal).

That’s not a terrible idea. I’d considered using e-mail and rejected it for exactly that reason, but I’d not considered an entirely separate e-mail account. I might well try that. Thanks, lots.
