I have a follow-up question related to the already closed thread Bitwarden Passkey Creation Blocked by Swiss Post: I’m trying to create a passkey for SwissID and store it in my self-hosted Bitwarden instance. Since I don’t have an Apple device (only Windows, Linux, and Android), the mentioned workaround doesn’t work for me.
So if I understand it correctly, there are two problems:
SwissID requires the password manager to be certified by the FIDO Alliance.
Bitwarden is not certified by the FIDO Alliance.
While I want to ask the guys from SwissID about why they require #1, I’d also like to understand the reasons behind #2 - is this certification costly?
According to the FAQ, SwissID supports passkeys stored in Windows Hello, or in Google Password Manager accessed via a Chrome browser or an Android device with Android SafetyNet Attestation. Have you tried creating a passkey using one of these methods?
I didn’t read the whole conversation – but according to Tim Cappalli (Okta, formerly Microsoft) from May, it seems “There is no current certification for passkey providers.”
(and my own impression was that mainly (or only?) security keys are FIDO certified at the moment)
PS: When “Windows Hello” is certified, it might count as a “platform provider”. (and Tim Cappalli probably meant third-party passkey providers where there is no current certification process…)
Vendor-neutral certification is not the only possibility. Microsoft Entra ID maintains its own list of eligible AAGUIDs from which one can choose. Swiss Post’s supplier could conceivably be doing the same.
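As an added illustration of the AAGUID allowlisting the post above describes (this is example code written for this thread, not code from Entra ID, SwissID, Swiss Post or Bitwarden), here is how a WebAuthn relying party's registration handler could parse the authenticator data from a registration response and reject credentials whose AAGUID is not on its list. The RP ID, the AAGUID values and the helper names are hypothetical; the sample authenticator data is constructed inline so the script runs offline. Note that the AAGUID is self-reported by the authenticator, so an RP should only rely on it after verifying the attestation statement that accompanies it.

```python
"""Relying-party-side AAGUID allowlist check on a WebAuthn registration.

Added example for this thread; not code from SwissID, Swiss Post, Entra ID
or Bitwarden. AAGUIDs, RP ID and helper names are hypothetical.
"""
import hashlib
import uuid

# Flag bits in the authenticator data flags byte (WebAuthn, authenticator data layout).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

# Hypothetical allowlist: the AAGUIDs of the passkey providers this RP accepts.
ALLOWED_AAGUIDS = {"11111111-2222-3333-4444-555555555555"}
# Hypothetical AAGUID of a provider that is NOT on the list.
OTHER_AAGUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header and, if the AT flag is set, the attested credential data.

    Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian)
            | [aaguid(16) | credIdLen(2) | credId | COSE public key (CBOR)]
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    result = {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
        "aaguid": None,
        "credential_id": None,
    }
    if result["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        result["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = int.from_bytes(auth_data[53:55], "big")
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        result["credential_id"] = cred_id
        # The remaining bytes are the CBOR-encoded COSE public key (not parsed here).
    return result


def check_registration(auth_data: bytes, expected_rp_id: str,
                       allowed_aaguids: set) -> tuple:
    """Decide whether to accept a newly registered credential. Returns (accepted, reason)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence flag not set"
    if parsed["aaguid"] is None:
        return False, "no attested credential data in registration response"
    # The AAGUID is self-reported; a real RP verifies the attestation statement
    # (fmt/attStmt in the attestation object) before trusting this value.
    if parsed["aaguid"] not in allowed_aaguids:
        return False, "AAGUID %s is not on the allowlist" % parsed["aaguid"]
    return True, "accepted"


def build_sample_auth_data(rp_id: str, aaguid: str,
                           flags: int = FLAG_UP | FLAG_UV | FLAG_AT) -> bytes:
    """Construct sample authenticator data laid out as an authenticator would emit it.

    This is constructed test input for the demo, not a capture from a real device;
    the COSE key is replaced by an empty CBOR map placeholder (0xa0).
    """
    cred_id = bytes(range(16))
    cose_key_placeholder = b"\xa0"
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + (0).to_bytes(4, "big")
            + uuid.UUID(aaguid).bytes
            + len(cred_id).to_bytes(2, "big")
            + cred_id
            + cose_key_placeholder)


if __name__ == "__main__":
    for label, aaguid in (("allowed", "11111111-2222-3333-4444-555555555555"),
                          ("not allowed", OTHER_AAGUID)):
        data = build_sample_auth_data("example.com", aaguid)
        print(label, check_registration(data, "example.com", ALLOWED_AAGUIDS))
```

The same check also rejects a response whose rpIdHash belongs to a different RP ID or whose authenticator data carries no attested credential data at all, since there is then no AAGUID to compare.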
Export of passkeys is a relatively recent extension of the FIDO2 standards, which has been implemented by Apple, but evidently not by other ecosystems. Thus, unless you have access to an Apple device, the only recourse may be to try to have patience and wait until passkey export is supported by Microsoft.