@grb While I appreciate that Bitwarden is trying to ensure that it won’t be blocked by Microsoft or other organizations as a secure tool, I feel like this is a bogus level of security that hampers the use of an otherwise excellent tool.
Given that my computer locks after 1 minute of inactivity, and is set up to be fully compliant with SOC2 and a few ISO security certs, I’m not sure I like the implication that I’m lackadaisical/rebellious.
Why do I need a second validation layer other than access to my system and having separately proved that I can unlock Bitwarden? Anyone who is using my system is me, because nobody else can get in without a $5 wrench.
I get that it's a FIDO problem, rather than a Bitwarden one, but this seems like something that will greatly slow the adoption of passkeys. I mean I actually like security and learn about it for fun, and I don't like this. Passkeys are at a minimum as secure as any username/password, plus are easier to use.
If I didn’t need a second layer check for my username/password, why do I need one for my passkey?
This is a situation where trying to be more secure will actually hinder security because most people will just stop using passkeys.
The problem with this system is that it can’t differentiate between mobile devices and computers. Having to verify with a fingerprint is ok, but having to enter a password (or even a PIN) every time is just too much of a hassle to be worth it. Relying parties won’t care about this difference. Most of them will just require the extra verification for even more “security”.
With this, passkeys failed the exact same way security systems fail all the time. They seem to forget that if you make it too hard for the end user, the end user simply won’t bother. This will be a major hit for passkeys adoption.
I don’t know if Bitwarden can do anything about it, but I wish people who create these standards could understand the negative effects these kinds of rigid designs can have on real-world security.
@marlen Apologies for painting user motivations with too broad of a brush. Regardless, I think your concerns are best addressed to the W3 Consortium and/or FIDO Alliance.
Passkey User Verification using biometrics is/was possible in Bitwarden’s initial implementation, and I would be surprised if it is not included in the revised implementation.
I think your concerns are best addressed to the W3 Consortium and/or FIDO Alliance.
Fair enough! That said, I don't pay for, or directly interact with, those services/organizations. I do pay for Bitwarden, and as such, I'd love it if Bitwarden could advocate for me. Bitwarden has a lot more power to change standards than I do anyway.
I agree, but that pretty much excludes desktop users, who will have to go with a PIN at best, unless they have a fingerprint sensor which I think is not that common.
Bitwarden is a Sponsor Level Member of the FIDO Alliance, so hopefully they have a seat at the table where some of these decisions are made (although it is unclear which Working Groups, Committees, or Study Groups they are members of, if any).
My personal view regarding User Verification in Bitwarden is that it is not unreasonable for an unlocked vault to behave just like a hardware key in your possession — meaning that you would be required to provide a PIN code or biometric identification each time that you do passwordless authentication using a passkey stored in Bitwarden. Anything worse than that (e.g., having to do User Verification by typing in a master password or even a vault unlock PIN — which is likely stronger than a passkey PIN) is, in my opinion, unacceptable.
At best, I could envision that the parties involved may agree to specification of a grace period for User Verification, such that a user who has recently logged into or unlocked their vault (within X seconds or minutes) would not be required to separately perform a User Verification gesture (biometric or PIN input) for any passkeys used before the expiration of the grace period.
I purchased Hello cameras for both my home and work desktops specifically so I could do passwordless login. If you prefer fingerprint, Windows Hello-compatible readers are available on Amazon for as low as $25.
A grace period would go a long way to improving the Passkey experience. When using Microsoft Authenticator (not my choice), I have to do 2 or 3 face-ids within a 30 second period. To me, this feels very amateurish and “designed by committee”.
Also helpful would be if Bitwarden were exceedingly clear if the website “required”, “preferred” or “discouraged” user verification and at least in the second two cases allow the user to continue without UV (and then truthfully setting the UV flag to false).
If I have to type in my master password or even the PIN I use to unlock Bitwarden every time I want to login to a site, I will NEVER transition to Passkeys if I can stay on passwords.
I suppose the only exception might be if a totally separate verification only PIN could be established (i.e., separate from the PIN used to unlock Bitwarden) AND this verification only PIN could be kept very short, like 2 or 3 letters in length.
Logging into my password manager is my verification. Having to verify for every login is something I’m not willing to tolerate.
So basically, from my point of view, this requirement within the domain of password managers will prevent the adoption of Passkeys. I can perhaps understand the requirement outside the use of a password manager.
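The post above asks that the client be explicit about whether a site sent `userVerification` as "required", "preferred" or "discouraged", and that the UV flag be reported truthfully when no verification gesture was performed. The following is an added example written for this thread, not Bitwarden's code or anything from the FIDO Alliance: it shows the relying-party side of that contract, parsing the fixed 37-byte prefix of WebAuthn authenticator data (RP ID hash, flags byte, signature counter) and enforcing the requested UV level against the flags the authenticator actually set. The function names and the `build_auth_data` helper that fabricates sample authenticator data are assumptions made for the example; the flag bit positions are those defined by the WebAuthn specification.

```python
import hashlib
import struct
from typing import Tuple

# Bit positions of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present (a touch/click/gesture happened)
FLAG_UV = 0x04  # user verified (PIN or biometric checked by the authenticator)
FLAG_BE = 0x08  # backup eligible (e.g. a synced passkey)
FLAG_BS = 0x10  # backup state (currently backed up)
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

VALID_UV_POLICIES = ("required", "preferred", "discouraged")


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the 37-byte prefix every authenticator data blob starts with."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte minimum")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def evaluate_assertion(auth_data: bytes, rp_id: str, requested_uv: str) -> Tuple[bool, str]:
    """Relying-party check: does this assertion satisfy the UV level we asked for?

    Returns (accepted, reason). Only "required" can reject on the UV bit;
    "preferred" and "discouraged" accept either value, so an honest UV=false
    from the client is fine there (the point made in the thread).
    """
    if requested_uv not in VALID_UV_POLICIES:
        raise ValueError(f"unknown userVerification policy: {requested_uv!r}")
    parsed = parse_authenticator_data(auth_data)

    # The RP ID hash must match the site, regardless of UV policy.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash does not match this relying party"
    # User presence is mandatory for every assertion.
    if not parsed["user_present"]:
        return False, "UP flag not set: no user-presence gesture"
    if requested_uv == "required" and not parsed["user_verified"]:
        return False, "policy is 'required' but the UV flag is false"
    uv_note = "UV performed" if parsed["user_verified"] else "UV skipped"
    return True, f"{uv_note}, accepted under policy '{requested_uv}'"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticator data (no real credential involved)."""
    return (
        hashlib.sha256(rp_id.encode("utf-8")).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    # Constructed sample: a presence-only assertion and a presence+verified one.
    up_only = build_auth_data("example.com", FLAG_UP, 41)
    up_and_uv = build_auth_data("example.com", FLAG_UP | FLAG_UV, 42)
    for label, blob in (("UP only", up_only), ("UP+UV", up_and_uv)):
        for policy in VALID_UV_POLICIES:
            ok, why = evaluate_assertion(blob, "example.com", policy)
            print(f"{label:8} {policy:11} -> {'accept' if ok else 'reject'}: {why}")
```

Run as-is it prints a six-row matrix; the only rejection is the presence-only assertion under "required". That is the behaviour the thread is arguing about: a client that sets UV=false honestly loses nothing on "preferred" or "discouraged" sites, and the RP, not the password manager, is the one choosing "required".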
It occurs to me that if Bitwarden was to set the double factor auth requirement for passkeys as the default, this would make it compliant with external protocols.
Bitwarden could then add a "convenience" feature, similar to the TOTP code storage feature, that enables using a stored password/PIN to unlock your passkeys.
e.g., I can already store both my master password and PIN inside of a Bitwarden vault, and given that fact, it seems like having the double factor auth requirement is easily bypassable at an end-user level; it just isn't conveniently bypassable.