It seems that the PRF extension is finally supported on recent Windows builds. I’m currently on Windows version 26200.7840, and PRF using Windows Hello is working for me on the following testing sites:
On all of these, PRF works successfully with Windows Hello, which suggests that the underlying WebAuthn/PRF implementation in Windows is now functional.
However, when I register a new passkey with Bitwarden, it still reports that encryption is not supported.
This sounds like great news. It will mean Windows users will be able to create passkeys that can be used for encryption in Bitwarden.
I already have a passkey for Bitwarden in Windows but cannot use it for encryption. Once Windows Hello supports PRF, will I be able to mark it for encryption or will I need to delete the passkey and create a new one?
@passkeydemo Hm. I just tested this again with the web vault today, after the Windows updates (now on Win 11 25H2, Build 26200.8037)… and it still doesn’t work with encryption.
Do we have any sources regarding Windows Hello being able to store PRF-passkeys?
I’m not sure if your positive test here really says something about Windows Hello. They write there: “If your browser, authenticator, or device do not support the PRF Extension or the underlying HMAC Secret Extension, this demonstration will simulate a successful PRF response for you.”
Windows Hello would be authenticator here, so it seems it’s expected to get a successful PRF response, even when Windows Hello doesn’t support PRF. Or do I understand that wrong?
Here, they also write something similar: “Newer authenticators return PRF values, even if credentials have not been created with PRF enabled”
I didn’t find any explanation here…
But all in all – the first two links probably always simulate a successful PRF-creation, and with the third link… I’m sceptical if it might be different – or just the same as the first two links…
PS: About a week ago, I also skimmed through the release notes of recent Win 11 updates… I didn’t see any mention of PRF…
Something has definitely changed with the Windows update I mentioned, because previously the website made it very clear to me that it was just a simulation and displayed the following output:
I think this is somehow related to that: “The PRF value is not available at registration, only during authentication. Therefore, we must do another WebAuthn interaction.”
It failed with the message: “Registration successful but PRF is not supported by this authenticator”
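The two quoted demo-site statements above (a site may “simulate a successful PRF response” when the authenticator lacks the extension, and the PRF value is only produced during authentication, not at registration) mean a green checkmark on a demo page does not by itself prove that Windows Hello supports PRF. The browser's own client extension results are the thing to inspect. The following is an added example written for this thread, not code from Bitwarden, confer.to or any of the demo sites: two small classifiers for the `getClientExtensionResults()` objects returned by `navigator.credentials.create()` and `navigator.credentials.get()`, plus a `probePrf()` flow that registers a throwaway discoverable credential with `prf: {}` requested, then performs a second interaction that evaluates the PRF with a salt. The RP name, user name, salt and the sample result objects in `selfCheck()` are all constructed for the example.

```javascript
// Added example (not from the forum thread): tell real PRF support apart from a
// demo site's simulated response by inspecting the WebAuthn client extension
// results directly. Assumptions: a 32-byte PRF output (hmac-secret / HMAC-SHA-256),
// and the rp/user/salt values below, which are placeholders for this example.

const PRF_OUTPUT_BYTES = 32;

// Result of navigator.credentials.create() with `extensions: { prf: {} }`.
// "enabled": the browser/authenticator agreed to derive PRF outputs for this credential.
// "refused": the prf extension was processed but not enabled.
// "absent":  the extension was silently ignored (no prf key at all).
function classifyCreateResult(ext) {
  if (!ext || typeof ext.prf !== "object" || ext.prf === null) return "absent";
  return ext.prf.enabled === true ? "enabled" : "refused";
}

// Result of navigator.credentials.get() with `extensions: { prf: { eval: { first } } }`.
// "ok":        a 32-byte output came back, i.e. the authenticator really evaluated the PRF.
// "malformed": some output came back but not the expected size.
// "no-output": nothing came back; the credential or platform does not support PRF.
function classifyGetResult(ext) {
  const results = ext && ext.prf && ext.prf.results;
  if (!results || !(results.first instanceof ArrayBuffer)) return "no-output";
  if (results.first.byteLength !== PRF_OUTPUT_BYTES) return "malformed";
  return "ok";
}

// Browser-only flow: register, then authenticate with a PRF evaluation.
// PRF outputs are only guaranteed during authentication, so two ceremonies are needed.
async function probePrf(rpId, salt) {
  const create = await navigator.credentials.create({
    publicKey: {
      rp: { id: rpId, name: "PRF probe (example)" },          // placeholder RP
      user: {
        id: crypto.getRandomValues(new Uint8Array(16)),
        name: "prf-probe@example.invalid",                     // placeholder user
        displayName: "PRF probe",
      },
      challenge: crypto.getRandomValues(new Uint8Array(32)),
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
      extensions: { prf: {} },
    },
  });
  const created = classifyCreateResult(create.getClientExtensionResults());
  if (created !== "enabled") return { created, evaluated: "skipped" };

  const assertion = await navigator.credentials.get({
    publicKey: {
      rpId,
      challenge: crypto.getRandomValues(new Uint8Array(32)),
      allowCredentials: [{ type: "public-key", id: create.rawId }],
      userVerification: "required",
      extensions: { prf: { eval: { first: salt } } },
    },
  });
  return { created, evaluated: classifyGetResult(assertion.getClientExtensionResults()) };
}

// Offline self-check on constructed extension-result objects (no authenticator needed).
function selfCheck() {
  return {
    enabled: classifyCreateResult({ prf: { enabled: true } }),
    refused: classifyCreateResult({ prf: { enabled: false } }),
    absent: classifyCreateResult({}),
    ok: classifyGetResult({ prf: { results: { first: new ArrayBuffer(PRF_OUTPUT_BYTES) } } }),
    malformed: classifyGetResult({ prf: { results: { first: new ArrayBuffer(16) } } }),
    noOutput: classifyGetResult({ prf: { enabled: true } }),
  };
}

console.log(selfCheck());
// In a browser devtools console on an https origin you could run, for instance:
//   probePrf(location.hostname, new TextEncoder().encode("probe-salt-v1")).then(console.log)
```

If `probePrf()` ends in `{ created: "enabled", evaluated: "ok" }`, the authenticator really derived a PRF output; anything else means whatever a demo page shows was not produced by the authenticator. Note that the salt is hashed by the browser before it reaches the authenticator, so its length is not constrained, but the derived secret must be stored nowhere, since a second `get()` with the same salt on the same credential must reproduce it for encryption use cases to work.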
I haven’t found anything about Windows Hello now supporting PRF, but maybe in the near future? I am using PRF-enabled security keys to log in to Bitwarden and that is working beautifully, but if Windows Hello supported PRF it would open the door to those without hardware security keys.
Hmmm… This is all very speculative now… But anyway – I seriously doubt that Firefox unlocks a feature that not even MS Edge “unlocks” at this point… (and in general: the Chromium browsers are ahead in regards to passkeys)
It took me a while to figure that out. And I think it doesn’t work with Firefox.
At first, when I tested it with Firefox, it seemed to work. But then I logged out on confer.to. When I tried to sign in again, it just worked with a magic link via email. And I wondered what was going on… But then I realized that the magic link worked without using the passkey.
Then I closed Firefox and tried to sign in again to confer.to. And when I was asked to “unlock” the “encryption”, it failed with the passkey from Windows Hello.
So, actually, Firefox seems to “fake” a function that is not supported (in connection with Windows Hello at least) – and this seems more like a bug to me now. (PS: and in the first session, that session is just “cached”)
If you literally mean any kind of passkey (and not just for confer.to), then that is a separate issue (and shouldn’t be the case on Windows 11). If you want to look into it, please open a separate thread for that.
I’m just guessing here, but regarding Edge: Since MS Edge is based on Chromium, it uses the exact same underlying WebAuthn implementation as Chrome. So it kind of makes sense that they both behave the same way and fail right now.
It could simply be that Firefox uses different Windows API calls to communicate with Windows Hello than Chromium does. This difference in API calls might be the reason why Firefox is able to successfully trigger the PRF extension, while Chrome and Edge currently cannot.
I’m actually seeing a different behavior on my end. If I don’t close Firefox, it also logs me in via the magic link without asking for the passkey again. However, if I completely close and reopen Firefox, it does prompt me for the Windows Hello passkey to unlock the encryption – and for me, it successfully completes the unlock:
Sorry for the confusion! I didn’t mean creating passkeys in general on other websites. I specifically meant creating a passkey for my Bitwarden account itself. By “any kind”, I just meant the properties of the passkey (device-bound, synced, PRF enabled or not, etc.). When I try to set one up in Bitwarden via Firefox, I enter the email verification code and it instantly throws an error before the Windows UI even pops up. But you are probably right, that might be a completely separate bug.
I am testing this on the exact same Firefox version.
If anyone knows any other real-life websites that already support PRF, please let me know and I’d be happy to test them as well!
Did you really log out on confer.to on Firefox, then closed Firefox, and then tried to log in again?
I just tested it again, and I get this error prompt when I try to “unlock” confer:
(same versions of Win 11 and Firefox as before)
Yeah, maybe – but maybe not… that sounds even stranger now to me than before, because:
you can’t create any login-passkey (either without encryption/PRF or with encryption/PRF) for your BW account when you use Firefox?
but at the same time you seem to be able to create a PRF-passkey via Firefox in Windows Hello (while Windows Hello, for all we know, is not able to do that)?!
On my Win 11 laptop – with Windows Hello “fingerprint” – I was now able to “unlock” confer.to.
And I can confirm that I also can’t create a BW login passkey in the web vault when I use Firefox. (–> that should be reported as a bug, I guess… I’ll search if there already is a corresponding bug report…)
Yes. I also tried logging in from a new private window to make sure no session data was cached:
Maybe there is something wrong with your current passkey. Did you test to create a new passkey on confer.to?
Yes. It looks like this:
Are you able to create passkeys (without encryption/PRF) for your BW account using Firefox?
At least so far, I haven’t found any website that actually supports PRF where my test fails. The only exception is Bitwarden, but in that case I don’t even get far enough in the flow to test it.
Thank you for confirming this! Please let me know if I should create a bug report. Otherwise, I’d appreciate it if you could share the link in case you’ve already created one.
I don’t see any contact details either. However, based on their blog, it seems that Moxie Marlinspike (the founder of Signal messenger) is behind it. So it might be worth trying to reach out to him directly via Instagram or X.
I was just about to try that, but unfortunately it looks like Posteo only offers paid accounts.
I just created a new thread. Please let me know if anything is missing or if I should report the bug elsewhere.
Actually, though it’s always good to have it also here on the forum, bug reports have to be filed on GitHub (“New issue”). So, if you can do that, please do it there also… otherwise let us know and then I’ll probably do it.