How can I delete a passkey from a login item?

Let’s say I have a passkey for a web service stored on my vault.

If, for whatever reason, I unregister it from that web service, that passkey sitting on my vault becomes useless.

How can I delete it from the item where it is stored?

Because if I, for example, unregistered it accidentally and want to register another one, I can’t:

Thanks.

8 Likes

Hi, I think that’s odd, because here Storing Passkeys | Bitwarden Help Center (in “Create a new passkey”) it says, that existing passkeys can be overwritten. So that doesn’t work? (I didn’t test it yet)

But I just searched for an opportunity to delete a passkey. Interesting! Neither in the browser extension nor the (Windows) desktop app nor the web vault I saw a “delete” button. But I think, there are at least two possible workarounds to get rid of a passkey: 1. you could delete the entry and copy everything else in a new entry or 2. you could duplicate an entry and delete the old entry after that (as is written in the same help page, I understand, that in duplication processes a passkey is not duplicated).

I couldn’t find that + sign to overwrite an existing passkey anywhere.

On the other hand, that + sign shown in the image in the help center (wich is not present, see my screenshot), I would undestand it as an option to create a new item to store the passkey into.

If that’s the icon to overwrite an item’s passkey, it’s very poorly chosen, from an UX standpoint, IMHO.

A + sign usually means adding something, not replacing it.

That’s what I ended up doing, cloning the entry and deleting the original one.

But that’s not very practical, from a usability perspective.

From what I’ve seen, if you try to create a new passkey when one already exists, it either shows a message that a passkey already exists or it lets you replace the old one. I can’t understand in what cases each behavior appears.

I’m running into the need to delete a passkey as well. Microsoft is erroring and not saving the passkey after Bitwarden thinks the passkey is registered. When I login, Bitwarden thinks I can use it to login.

Encountered the same thing on https://login.gov/, but I have the ability to replace the key on https://passkeys.io. Not sure what the difference is between these two websites but the passkey that it thinks it has already generated for the government’s login website is completely useless without manually copying and deleting the whole entry.

Attempting to add Passkey for the government’s login website after failed attempt:

wether it is possible to overwrite an existing key with a new one or not, being able to delete a passkey seems very prudent. I’m also curious as to why this is not possible.

It’s similar to saying you can’t delete an OTP, only overwrite. It makes no sense

4 Likes

Same problem here, if a passkey is already registered i can view the existing item, but there is no way to overwrite it.

in my opinion it should be possible to overwrite and delete a Passkey entry.

cheers
Rolf

Any updates on this issue?

Hi - BitWarden folks - it’s great to see that you have added support for passkeys, but not being able to delete them is a big problem - especially since Microsoft’s setup for passkey’s is failing and leaving a passkey in bitwarden that Microsoft account does not know about. there is the workaround of duplicating the BitWarden entry (which does not duplicate the passkey and then deleting the old entry, but this is a bit clunky and prone to mistakes.
Can we please have the feature to delete passkeys?
Thanks
Keith

1 Like

I’d appreciate it if someone from Bitwarden’s team gave us an update on this issue. Is this something that will be fixed or is it just designed this way for some reason?

i am having the same issue with google logins. Actually saved the passkey in bitwarden as a 2FA key for my google account. But now i want to use it as an actual passkey for passwordless login and it won’t let me either delete old one or rewrite.

@Gaurav it should be possible to overwrite an existing passkey with a new one. Is there an error message you’re seeing when you try to do this?

@nothanco Bitwarden is considering changes here, but we want to be cautious. Accidentally deleting a passkey could lock you out of an account, and unlike sending an item to the trash where you have the option to recover it, just editing the passkey field by removing it is currently a hard delete.

As always, we appreciate the community feedback! If you have specific use-cases where deleting a passkey is important, we want to hear about them in this topic.

2 Likes

i checked again , it doesn’t allow me to overwrite. No error , it only shows me option to “view item” when i try to register a new passkey with that login item. no option to save again.

@Micah_Edelblut It seems that you are affiliated with Bitwarden, and if so, I would suggest that you have the Bitwarden logo added to end of your forum name and to your avatar (maybe @sj-bitwarden or @bw-admin can help with this).

 

Although your concerns about getting locked out of an account are understandable, there are a lot of use-cases in which a passkey is not the only way to access an account. For example, some accounts may allow you to continue using your username/password for authentication, while the passkey is an alternative authentication option. Probably a more common use-case (at least for myself) is to use syncable passkeys stored in Bitwarden as an alternative/complement to hardware security keys (whether for 2FA or for passwordless login). For example, in my case, when I use hardware keys for 2FA, I usually have multiple keys registered, and I often add a Bitwarden-stored passkey to those. There is no risk of losing access to the account if I lose my Bitwarden-stored key (because I have backup keys registered, as well as 2FA recovery/reset codes).

I’m not sure how to make the case that deleting these non-essential passkeys is “important”, but I think it is important to empower users to change their mind about using Bitwarden-stored passkeys, and therefore be able to delete passkeys that they no longer wish to use. Another use-case would organizing vault contents by consolidating redundant items etc.

Currently, the only way to delete a passkey is to clone the existing vault item, and then delete the original vault item. However, this is not always an acceptable work-around, because cloning an item strips not only the passkeys, but also the file attachments, the password history, and all metadata (creation/modification timestamps, etc.).

For this reason, if I wish to add a passkey as a 2FA method for one of my existing accounts, I currently have to create a second vault item just to hold the passkey (so that I don’t have to delete the existing vault item in case I want to delete the passkey in the future). This creates unnecessary clutter in the vault, and makes it more difficult to keep your credentials organized and up-to-date.

 

Would you mind briefly explaining the technicalities behind this constraint? I’ve heard from a user who tried it that passkeys are included in JSON exports and can be imported back into Bitwarden; to me, this does not seem much different from the actions that would be need to delete/undelete a passkey. Regardless, having more information about the technical constraints would help us suggest possible solutions.

3 Likes

@grb thanks for describing some of your use-cases!

There is no technical constraint here, I’m just describing how editing an item functions currently. We could implement, for example, a “passkey history” so that even if you deleted that field, you could restore it.

I had no idea it was possible, but I just tried it and it worked. I don’t expect it to work with other password managers, although I’m not sure. I wonder if it will have to be reworked after FIDO comes up with a standard way to do it.

Ah, ok, I misunderstood what you had said, then. If there are no technical hurdles to implementing passkey deletion, then I don’t see any reason why this functionality should not be implemented in the near future. Safeguards would be useful for users who don’t back up their vault contents, but adequate safeguards could include any one (or more) of the following:

  1. Fine print below the passkey field that warns users about potential repercussions of deleting passkeys (similar to the warning below the “Autofill on page load” option).

  2. An “Are you sure?” warning that pops up when deleting a passkey, requiring confirmation.

  3. An option in the Settings, requiring users to opt in to the passkey deletion functionality.

  4. A passkey history for each login item.

However, the concern about getting locked out of an account by losing a stored passkey also applies to overwriting existing passkeys, something that Bitwarden currently allows. In the case of overwriting a passkey, the only safeguard is a pop-up warning & click-through confirmation (i.e., Option #2 in my list above):

image

 

Thus, I’m not sure why a similar pop-up warning/confirmation would not be considered a sufficient safeguard for passkey deletion. Passkey histories would be nice, but that is something that could be added later.

Great discussion here! I appreciate having a response from Bitwarden (@Micah_Edelblut) explaining where they are and the concerns or challenges faced with deleting passkeys. This builds rapport better than silence or avoiding the topic. I also appreciate the thoughts and suggestions made by @grb to address those concerns.

1 Like