I have a follow-up question related to the already closed thread "Bitwarden Passkey Creation Blocked by Swiss Post": I’m trying to create a passkey for SwissID and store it in my self-hosted Bitwarden instance. Since I don’t have an Apple device (only Windows, Linux, and Android), the mentioned workaround doesn’t work for me.
So if I understand it correctly, there are two problems:
1. SwissID enforces the password manager to be certified by the FIDO alliance.
2. Bitwarden is not certified by the FIDO alliance.
While I want to ask the guys from SwissID about why they require #1, I’d also like to understand the reasons behind #2 - is this certification costly?
According to the FAQ, SwissID supports passkeys stored in Windows Hello, or in Google Password Manager accessed via a Chrome browser or an Android device with Android SafetyNet Attestation. Have you tried creating a passkey using one of these methods?
I didn’t read the whole conversation – but according to Tim Cappalli (Okta, formerly Microsoft) from May, it seems “There is no current certification for passkey providers.”
(and my own impression was, that mainly (or only?) security keys are FIDO certified at the moment)
PS: When “Windows Hello” is certified, it might count as a “platform provider”. (and Tim Cappalli probably meant third-party passkey providers where there is no current certification process…)
Vendor-neutral certification is not the only possibility. Microsoft Entra ID maintains their own list of eligible AAGUIDs from which one can choose. Swiss Post’s supplier could conceivably be doing the same.
Export of passkeys is a relatively recent extension of the FIDO2 standards, which has been implemented by Apple, but evidently not by other ecosystems. Thus, unless you have access to an Apple device, the only recourse may be to try to have patience and wait until passkey export is supported by Microsoft.
I finally received the following answer - please let me know what you think:
You are correct, passkeys are generally based on the FIDO2 standard. However, “FIDO2-compliant” does not automatically mean that every FIDO2-enabled password manager is supported by every service provider.
SwissID currently only supports the following authenticator types:
Windows Hello (Platform Authenticator)
Apple iCloud Keychain (iOS/macOS)
Google Password Manager (Android)
FIDO2 hardware keys (e.g., YubiKey)
Third-party password managers such as Bitwarden are not currently supported, even if they are technically FIDO2-enabled.
The reason for this lies in specific WebAuthn configuration and security parameters (e.g., attestation handling and authenticator types), which we currently only approve for use with the above-mentioned platform authenticators.
This behavior is therefore not a bug in your browser or Bitwarden, but a deliberate restriction on our part.
We understand the desire for broader support and are passing on the relevant feedback internally. However, we cannot guarantee support for Bitwarden at this time.
What I still don’t understand is the technical part: how does this partial support work on the side of SwissID? Do they have some sort of code like that?
if (currentAuthenticator NOT IN (WindowsHello, Apple, YubiKey)) {
    throw new NotSupportedException();
}
Or is there any built-in mechanism within WebAuthn which allows parties like SwissID to do this filtering?
This would mean that Bitwarden would always identify itself based on an AAGUID as the same passkey provider. Then SwissID could allowlist Bitwarden based on this AAGUID, correct?
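One way a relying party could implement exactly that kind of AAGUID allowlist at registration, as an added example that is not SwissID's, Swiss Post's or Bitwarden's code: it parses the authenticatorData layout WebAuthn defines (assumed already extracted from the CBOR attestationObject) and compares the AAGUID against an allowlist. The AAGUIDs, the rp_id "example.com" and the credential bytes are constructed placeholders, not real vendor values.

```python
import hashlib
import struct
import uuid

# Constructed placeholder AAGUIDs; real provider values are published by each
# vendor and are not taken from this thread.
ALLOWED_AAGUIDS = {
    uuid.UUID("11111111-1111-4111-8111-111111111111"): "platform authenticator A (placeholder)",
    uuid.UUID("22222222-2222-4222-8222-222222222222"): "hardware key vendor B (placeholder)",
}
UNKNOWN_AAGUID = uuid.UUID("33333333-3333-4333-8333-333333333333")  # constructed, not allowlisted
FLAG_AT = 0x40  # authenticatorData flag bit: attested credential data present


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Parse the fixed WebAuthn authenticatorData layout of a registration response:
    rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | credIdLen(2) | credId."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than its 37-byte header")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party ID")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data: not a registration response")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise ValueError("truncated credentialId")
    return {"flags": flags, "sign_count": sign_count, "aaguid": aaguid, "cred_id": cred_id}


def check_provider_policy(auth_data: bytes, rp_id: str) -> tuple:
    """Relying-party allowlist decision keyed on the provider's AAGUID."""
    parsed = parse_authenticator_data(auth_data, rp_id)
    label = ALLOWED_AAGUIDS.get(parsed["aaguid"])
    if label is None:
        return False, f"authenticator {parsed['aaguid']} is not on the allowlist"
    return True, label


def build_sample_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Constructed registration authenticatorData for testing (no real key material)."""
    flags = bytes([0x01 | 0x04 | FLAG_AT])  # UP, UV and AT set
    header = hashlib.sha256(rp_id.encode()).digest() + flags + struct.pack(">I", 0)
    return header + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id
```

The AAGUID is reported by the authenticator itself, so an RP that wants to rely on it also has to request and verify an attestation statement; with attestation "none" the value is unverified, which is what the "attestation handling" in SwissID's answer refers to.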