This is a shortcoming … happened to me changing my Apple ID … I had passkey enabled into the developer website … now my splash screen into the developer website presents my old Apple ID (old email) … no way to change/delete it
I was under the impression that Passkeys aren’t currently included in vault backups - is that incorrect?
The passkeys are being backed up just like everything else.
To me it is really annoying preventing users from deleting passkeys (even if it does not end up in the trash and cannot be restored). Any other passkey storage solution that I’m aware of gives you full control, even hardware ones (Yubikeys for example). Also most (if not all) sites that allow passkeys always recommend having at least 2 (some are even enforcing that rule), so that if you lose/wipe one you can still gain access to your account.
Yes, deletion should be protected by confirm prompts (if needed, maybe even add more than one prompt), but still users should be able to delete a passkey!
@bwuser10000 Passkeys are included in vault exports using the .JSON format. And they can be imported back into a Bitwarden account.
Thanks. I wasn’t sure if that had been released yet.
The FIDO Alliance is still working on developing standards for passkey export/import (last I heard, this was to be completed in Q1 of 2024), so until then you will not be able to port a passkey from one platform to another. But you can already use vault exports for backing up your Bitwarden passkeys.
This is a use case for being able to delete Passkeys.
I see there’s an option to overwrite a passkey, but not to delete it. I have one Passkey I set up to test the process but it was always my intent eventually to store it on a Yubikey instead, so I need to delete it entirely, rather than overwrite it.
Apparently, my three options are to 1) create new entry and copy each item manually, which is error-prone, 2) create new entry and use the Clipboard, which is insecure, or 3) clone the old entry which does not copy the Passkey, which is usable, but round-about.
Please allow the user to delete a passkey just like TOTP tokens else. It’s just stupid making the user use workarounds like cloning the entry or recreating it. Especially if you consider that Passkeys most of the time are used together with a password or as a means of 2 factor authentication, which someone may want to turn off in the future. And if some users are stupid enough to delete their Passkey despite a clear confirmation prompt, it’s their problem lol.
Hi,
Just to add my need for the same - unless it’s my lack of experience with passkeys in general.
I tried to log into Google from an anonymous window, and accepted the suggestion to create a passkey when they offered. It was stored successfully in BW, Google was happy, I was logged in, all good. Then I closed the anonymous window and opened a new one to test this out. To my surprise, Google had no memory of me having a passkey, and offered to create one again; this time BW told me I already had one, and so Google errored. I’m not sure what went wrong - possibly it was a bad idea to create a passkey from an anonymous window? (though I don’t see why…) But in any case, to fix this I now need to delete the created key, or to do some gymnastics duplicating the record.
Cheers
Pierric.
I’ll hop in as well with a vote to allow removing passkeys. I created my first one today after being on the fence about the whole passkeys thing in its entirety since it was announced. Naturally, the passkey didn’t work for logging in. I received some generic error from Adobe, so I deleted it from Adobe’s account page but was unable to remove it from Bitwarden. I had to delete the entire entry and re-create it, and searching brought me here.
Is being forced to delete the entire item in Bitwarden and recreate it more of a potential risk for data loss than just being able to remove a single element of an item?
Just hit a use case: A site I have a passkey registered on seems to have forgotten it somehow(?!?!?!?!). I cannot register a new one because of the existing one, it does not prompt to overwrite, and I cannot delete it from Bitwarden, so Bitwarden has effectively locked me out of securing this site.
The site is https://www.roblox.com
Maybe it’s a bug with the site, but it’s Bitwarden that’s making it a blocker.
Besides the mentioned workaround to export, edit the JSON and import, for those familiar with the command line and my future self: if you have Bash, the Bitwarden CLI, and jq (directly or via WSL), you can use this one-liner that unsets all passkeys for an entry by name:
id="$(bw list items | wsl jq -r '.[] | select(.login.fido2Credentials[0]) | select(.name == "Discord") | .id')"; bw get item "$id" | wsl jq '.login.fido2Credentials = []' | bw encode | bw edit item "$id"
If there is no account that has passkeys with that exact name, it will just fail on the second command with “missing id”.
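An added example, not part of the post above or of Bitwarden's tooling: the same edit with the jq steps done in Python, refusing to act unless exactly one item matches and handing back the removed passkeys so they can be saved before `bw edit item` overwrites the entry. The function names and sample items are constructed for illustration; only `name`, `id` and `login.fido2Credentials` are taken from the one-liner.

```python
import base64
import json

# Constructed sample in the shape `bw list items` prints (not real vault data).
SAMPLE_ITEMS = [
    {"id": "item-0001", "name": "Discord",
     "login": {"username": "alice", "password": "pw-placeholder",
               "fido2Credentials": [{"credentialId": "cred-placeholder"}]}},
    {"id": "item-0002", "name": "Roblox",
     "login": {"username": "alice", "fido2Credentials": [{"credentialId": "a"}]}},
    {"id": "item-0003", "name": "Roblox",
     "login": {"username": "bob", "fido2Credentials": [{"credentialId": "b"}]}},
    {"id": "item-0004", "name": "Amazon",
     "login": {"username": "alice", "fido2Credentials": []}},
    {"id": "item-0005", "name": "Wifi note", "login": None},
]

def find_passkey_item(items, name):
    """Return the single item called `name` that holds a passkey, else raise."""
    matches = [it for it in items
               if it.get("name") == name
               and (it.get("login") or {}).get("fido2Credentials")]
    if len(matches) != 1:
        # Zero matches is the "missing id" case; several would edit the wrong entry.
        raise LookupError(f"{len(matches)} items named {name!r} hold passkeys, need exactly 1")
    return matches[0]

def strip_passkeys(item):
    """Return (edited copy without passkeys, removed passkeys); input is untouched."""
    edited = json.loads(json.dumps(item))  # deep copy via JSON round trip
    removed = edited["login"]["fido2Credentials"]
    edited["login"]["fido2Credentials"] = []
    return edited, removed

def encode_for_bw(item):
    """Base64 of the item JSON, the form `bw edit item <id>` reads from stdin."""
    return base64.b64encode(json.dumps(item).encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    item = find_passkey_item(SAMPLE_ITEMS, "Discord")
    edited, removed = strip_passkeys(item)
    print("item id:", item["id"], "| passkeys removed:", len(removed))
    print("payload for bw edit item:", encode_for_bw(edited))
```

Against a real vault, feed the output of `bw list items` to `json.load` in place of `SAMPLE_ITEMS` and keep the `removed` list somewhere safe until the site has been checked.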
A recent reason, for me personally, that having the option to delete passkeys would be useful is Amazon giving passkey support on desktop for some time, and now they don’t give the option at all when logging in.
Yes, I need to delete one as well, passkey authentication keeps failing on Discord, so I logged in using an alternate method and deleted it from my Discord account. I’ll set one up again if they ever get their act together. In the meantime I need to delete it from Bitwarden as well. Guess I’ll use the copy kludge.
Totally understandable. I think, in fairness to Discord, Bitwarden may actually be to blame for that passkey no longer working.
See here: Unable to sign in to Discord with Established Security Key on Edge & Arc browser · Issue #8352 · bitwarden/clients · GitHub
However, you should be able to remove the passkey in Discord and overwrite the one you have saved in Bitwarden with a new one and we expect things to work going forward.
Maybe, although I use Firefox, but I’ll give it another shot.
Oh, and thanks!
As to the thread topic, is there any hope that Bitwarden will implement deletion of passkeys? For now, I have taken to storing all of my passkeys in their own dedicated vault items (separate from the main vault item that stores the username, password, URI, and associated information). That way, I can delete the passkey item without affecting the associated main login item.
And FYI, I recently have come across another use-case for passkey deletion. GoDaddy’s website allows FIDO2 keys to be used as 2FA for logging in. However, it turns out that if one wants to take certain actions (e.g., disable their domain protection feature in preparation for transferring a domain to another registrar) it is necessary to first delete all forms of 2FA associated with the GoDaddy account, including passkeys.
Yes. Expect it in the next release or two.