Enhanced Passkey Security / Preserving ease of use with strong MFA by design

Passkey and allowing for retaining its strong MFA

There is a concern I have been having about how Bitwarden have chosen to implement passkey support in browser extensions and apps.

I strongly believe that to be able to fulfill the FIDO Alliance certification standard for authenticators, it is essential to have user verification when using a passkey.

Today the implementation and security flow goes as follows:

  1. The user unlocks their vault using their master password or passkey + optional MFA.
  2. The user navigates to a website or app and logs in with a passkey.
  3. The user is shown the available passkeys for that site or app associated with that vault.
  4. The user selects the passkey they want to use and is logged in to the website or app.

To adhere to the principle behind FIDO security credentials, which is to bring in strong, phishing-resistant, MFA-by-design credentials that also satisfy the Relying Party's trust in ownership of the device and proof of identity at the time of use:

This means the user must authenticate at the time of use of the passkey.

How is the Bitwarden community thinking in regard to this, and are there any other viewpoints and considerations that I may not have thought of in my understanding of passkey security?

This is, in my opinion, not following the two-factor authentication flow that passkeys should provide by being something you have plus something you know or something you are.

I propose allowing a Bitwarden user to have enhanced passkey security on by default and that it can be disabled by the user.

By enhanced passkey security I propose an authentication flow as follows:

  1. The user unlocks their Bitwarden vault using their master password or passkey + optional 2FA/MFA.
  2. The user navigates to the website or application and logs in with a passkey.
  3. The user is shown the available passkeys for that site or app associated with / stored in the vault.
  4. If only one passkey for the site is available, Bitwarden should automatically select the credential and move to the next step; more than one passkey will require user interaction.
  5. Bitwarden verifies that the user is who they say they are, is in front of the device, and is allowing the login action to proceed. This happens through the platform authentication mechanism built into the operating system, which prompts the user for their biometrics, PIN, password, pattern, or whatever way the user authenticates to the platform.
  6. If the platform's verification of the user is successful, Bitwarden continues the process with the client / browser; otherwise it is stopped.
  7. The user is logged in to the website or app.
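The flow above only has teeth if the relying party actually asks for user verification and then checks that the authenticator reported it. The following is an added example, not Bitwarden's code or anything from the original post: it builds the `navigator.credentials.get()` request options with `userVerification: "required"` (step 5 is what a client does to honour that request), and parses the `authenticatorData` returned in the assertion so the server can reject a response whose UV flag is not set. The byte layout (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signature counter) is the WebAuthn one; the sample buffers and the `requireUV` policy option are constructed for the example.

```javascript
// Added example (not Bitwarden's code): relying-party side of "require user verification".
// authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified (biometric / PIN / platform auth)
const FLAG_BE = 0x08; // bit 3: backup eligible
const FLAG_BS = 0x10; // bit 4: backup state
const FLAG_AT = 0x40; // bit 6: attested credential data included
const FLAG_ED = 0x80; // bit 7: extension data included

// Request options the RP hands to navigator.credentials.get(). "required" tells the
// client (browser extension, platform authenticator) it must perform UV, not just UP.
function requestOptionsFor(challenge, rpId) {
  return {
    publicKey: {
      challenge,                      // server-generated random bytes (Uint8Array)
      rpId,                           // e.g. "example.com" (assumed RP id)
      allowCredentials: [],           // empty: let the client offer discoverable credentials
      userVerification: "required",   // the policy this post argues for
      timeout: 60000,
    },
  };
}

// Parse the authenticatorData buffer from an assertion response.
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const signCount = new DataView(bytes.buffer, bytes.byteOffset + 33, 4).getUint32(0, false);
  return {
    rpIdHash: bytes.slice(0, 32),
    flags: {
      up: (flags & FLAG_UP) !== 0,
      uv: (flags & FLAG_UV) !== 0,
      be: (flags & FLAG_BE) !== 0,
      bs: (flags & FLAG_BS) !== 0,
      at: (flags & FLAG_AT) !== 0,
      ed: (flags & FLAG_ED) !== 0,
    },
    signCount,
  };
}

// Policy check the RP runs after it has verified the signature: UP is always required by
// WebAuthn; UV is required whenever the RP asked for userVerification: "required".
function checkAssertionFlags(authData, { requireUV }) {
  const reasons = [];
  if (!authData.flags.up) reasons.push("user presence (UP) flag not set");
  if (requireUV && !authData.flags.uv) reasons.push("user verification (UV) flag not set");
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample buffers (not real authenticator output): rpIdHash is left as zeros
// because only the flags byte and the counter matter for this check.
function sampleAuthData(flagsByte, counter) {
  const buf = new Uint8Array(37);
  buf[32] = flagsByte;
  new DataView(buf.buffer).setUint32(33, counter, false);
  return buf;
}

const withUV = parseAuthenticatorData(sampleAuthData(FLAG_UP | FLAG_UV, 7));   // user verified
const withoutUV = parseAuthenticatorData(sampleAuthData(FLAG_UP, 8));          // presence only

console.log("UV present :", checkAssertionFlags(withUV, { requireUV: true }));
console.log("UV missing :", checkAssertionFlags(withoutUV, { requireUV: true }));
```

The UV bit is a claim made by the authenticator, so the server can only trust it as far as it trusts the authenticator that set it; that is exactly why the post argues the password-manager client should perform a real platform prompt before setting it rather than treating a click on the credential as verification.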

This preserves the 2FA/MFA-by-design factor of passkeys in password managers too. I think this is inherently important since a non-technical person can misconfigure their Bitwarden vault to stay open too long. It is very important to verify user presence and authorize the action when the passkey is being used, not just allow a click on the credential that automatically continues with the login request.

If passkeys are going to be more secure than passwords, implementations need to adhere to this to make sure we get stronger authentication at the time of use while keeping the login flow easy, fast and consistent across platforms.

I therefore suggest and encourage Bitwarden to rethink their passkey security measures and to implement user verification of possession/presence at the time of use.

A post was merged into an existing topic: Passkeys: Require UV = User Verification (or another security mechanism for stored passkeys)