Encryption (PRF) via Windows Hello passkey?

Wall-E · March 23, 2026, 2:21pm

The trick is that Windows Hello seems to be returning PRF assertion values regardless of whether PRF was requested during creation (at least on https://webauthn-passkeys-prf-demo.explore.corbado.com/, which seems to be the most detailed).

But at the same time, Edge and Chrome don’t report that PRF is supported, nor do they provide the PRF assertion value on passkey creation. So the website thinks PRF won’t work and reports an error, but when you go to authenticate, it actually does work! Try using the demo website above to create a Hello passkey, and then try the “Authenticate & Get PRF Value”. For me, it results in this success:

In contrast, Firefox correctly shows that PRF is supported and gets the PRF assertion value on creation.

Since the authenticator is Windows Hello, the assertion value is the same regardless of which browser is used. If it weren’t for the bug preventing any passkey creation in Firefox, I might be able to create the Bitwarden encrypted login passkey on Firefox and then use it in Chrome or Edge.

[Windows 11 25H2 build 26200.8037]

passkeydemo · March 23, 2026, 3:02pm

@Wall-E awesome observations, thanks!

passkeydemo · March 26, 2026, 2:19am

Corbado just updated their article and added community statistics at the bottom of their demo page.

Nail1684 · March 26, 2026, 2:47am

Actually, I wrote them. And that was new to them yesterday. So, they were quick then it seems.

But, at the moment – and I wrote them that as well – when I register a passkey with PRF on my desktop PC via Firefox 149, it succeeds, but authentication still fails. (didn’t test it with my laptop – where it worked once – again now)

I think at least not entirely stable right now.

passkeydemo · March 26, 2026, 2:53pm

I did a little digging on GitHub and found two commits that seem to address exactly this behavior. It looks like there were specific changes regarding this in Firefox 147 and 148:

Bug 1993280 - support WebAuthn PRF evaluation at registration on Wind… · mozilla-firefox/firefox@47aa4a2 · GitHub
Bug 2006405 - fix PRF extension handling in passkey creation on windo… · mozilla-firefox/firefox@b4f44df · GitHub

Nail1684 · March 26, 2026, 2:58pm

Hm. I just got an update to Chrome 147 (seems I got the “Early Stable”) and was nosy enough…

passkeydemo · March 26, 2026, 3:37pm

I actually just found the corresponding commit for Chrome, it is indeed planned for Chrome 147: https://chromium-review.googlesource.com/c/chromium/src/+/7569106

It seems that Windows introduced the necessary support for this with WEBAUTHN_API_VERSION_8 as mentioned here and here.

@Nail1684 are you now able to create a PRF-enabled passkey for your BW account using Chrome 147?

Nail1684 · March 26, 2026, 5:55pm

@passkeydemo Thanks for providing some more sources / evidence for all this…

Of course I tried this. But also using Chrome 147 doesn’t seem to enable a PRF-login-passkey – at least not with my “desktop” Windows Hello (which still shows that authentication error on the Corbado demo site).

My laptop doesn’t seem to suffer from that “authentication error” – but it didn’t receive Chrome 147 yet…

passkeydemo · March 26, 2026, 8:52pm

Corbado just added the commit for WEBAUTHN_API_VERSION_8 to their article: Update API Version to WEBAUTHN_API_VERSION_8 · microsoft/webauthn@706d98d · GitHub

corbado · March 26, 2026, 9:11pm

Hey, thanks to everyone who looped us in at Corbado and to this great community teamwork .

As @passkeydemo pointed out, we updated our blog article twice today, March 26, 2026, to include the community findings, including the hint about upcoming Chrome changes and added the Windows Commit. We also extended our PRF Analyzer and demo, as some of you have seen: https://webauthn-passkeys-prf-demo.explore.corbado.com, with community metrics to help keep it up to date. Thanks for your input and for helping bring the article up to speed. This closes one important gap.

passkeydemo · March 30, 2026, 1:07pm

I just installed Chrome Beta 147 and the PRF testing pages are now working perfectly. However, when I tried to create a new passkey for my Bitwarden account, it still says that encryption is not supported. I’m really not sure why this is happening.

Nail1684 · March 30, 2026, 1:10pm

There is a new GitHub issue about this:

github.com/bitwarden/clients

[PM-34358] Unable to create/store a PRF-capable login-passkey with encryption on Windows Hello

opened 02:32AM - 30 Mar 26 UTC

pamperer562580892423

bug web

### Steps To Reproduce **(important: see "Additional Context" also for the nece…ssary conditions to reproduce this!)** 1. Log in to your web vault. 2. Go to Settings --> Security --> Master password --> Log in with passkey 3. Try to add a new login-passkey and store it in Windows Hello 4. Follow that procedure until the passkey is successfully created and stored. ### Expected Result On the latest Windows 11 and Chrome version (see the "Additional Context" section for important details!), it should be possible to create and store a PRF-capable login-passkey with Windows Hello. So, I should get asked to create that login-passkey "with encryption" - and in the end, it should be shown in the web vault as "Used for encryption". ### Actual Result In the creation-process, I don't get asked for "with encryption?". In the end, the web vault says "Encryption not supported" for the just created login-passkey. ### Screenshots or Videos (I think it's not necessary...) ### Additional Context **Windows Hello - on Windows 11 25H2 (Build 26200.7840+) - is now PRF-capable!** See this blog article section from Corbado: https://www.corbado.com/blog/passkeys-prf-webauthn#511-windows-webauthn-prf-support#511-windows-webauthn-prf-support It was also discussed here on the Community Forums: https://community.bitwarden.com/t/encryption-prf-via-windows-hello-passkey/94236 **Important: it's only possible to test this with at least Chrome 147** (which is only available as "Early Stable" at the moment) - and in theory with the latest Firefox! (PS: Or maybe also with other Beta/Nightly/Canary/Developer versions of e.g. Chrome...?!) But Firefox has another problem at the moment, which is, that it's not possible at all to create "log in with passkey"-passkeys for the BW account - that issue is tracked here: https://github.com/bitwarden/clients/issues/19702 Of course, for one thing, Windows Hello-PRF is very new... and I have no idea, if this is not only (if at all?) an issue with Bitwarden / the web vault - or if it's an issue of still-missing functions in Chrome (i.e. the browsers), or even an issue of Windows Hello itself. I wanted to report in nonetheless, so that it can be tracked and investigated. I have no idea if this passkey authentication bug in connection with Windows Hello might also have a connection to this "creation/storage issue" here with Windows Hello: https://github.com/bitwarden/clients/issues/16075 ### Operating System Windows ### Operating System Version 11 Home 25H2 (Build 26200.8039) ### Web Browser Chrome ### Browser Version 147.0.7727.24 (Official Build) (64-bit) (--> By chance, I got the Early Stable!) ### Build Version Web Vault 2026.3.0 (BW EU cloud server region) ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

br403 · April 14, 2026, 2:16pm

Hello, I tested it with Edge 147 stable. The Corbado Testsite works fine now, PRF is available during authentication, but Bitwarden Passkey Login still fails.