id.me doesn't seem to play well with Bitwarden, especially the passkey manager

Howdy! Has anyone had any success using Bitwarden at id.me, including a passkey?

I’ve been using Bitwarden for about a month. Recently I started adding passkeys for some of my frequently visited sites, and Bitwarden seems to handle them well… until today, when I added a passkey for id.me. I’m also seeing another odd behavior with that site.

It’s possible this is all id.me’s fault. The developers of that site seem to have implemented weird actions within the browser that cause it not to work in my regular browsers that are set up for security. I’m only able to use Chrome in incognito mode to log in there.

First issue: each time I log into id.me using Bitwarden, after I’ve entered the name and password (using autofill from the browser extension), but before I get to the 2FA challenge, Bitwarden pops up and asks if I want to save the update (similar to what I would get if I’d changed the password). However, I didn’t make any updates, I simply logged in. In one case, I allowed the update and in the other, I clicked the “X” to dismiss the popup. In both cases, nothing seemed to happen, and I can’t see that any update was made to the item other than the “Last edited” timestamp in the item history. Has anyone else experienced this?

Second issue: Bitwarden seems to create a passkey but not respond to the site’s handshake. Note that id.me only uses the passkey as a 2FA method–the regular user ID and password must be entered first. (I would be happy using an authenticator app, but id.me insists on using only their authenticator app. Complaints to their support yielded a flat “none of the others are secure so we no longer permit them,” so I’m stuck with getting a text for 2FA–as if that’s more secure than a standalone app.) When I learned that I can use a passkey as the 2FA, I immediately logged in (seeing the behavior noted for the first issue) and proceeded to set up another 2FA using a passkey. Bitwarden popped up at the expected time and asked if I wanted to save the passkey and suggested the id.me item, which I accepted.

I logged out of id.me and tried to log back in. When I got to the 2FA, the site told me that I needed to authenticate on my device to use the passkey. However, Bitwarden never popped up to ask if I wanted to use the id.me passkey (which is the behavior I get at all other sites where I’ve saved a passkey in Bitwarden). I finally had to back up and revert to SMS for 2FA.

Thinking that the passkey wasn’t saved properly in Bitwarden, I deleted it on the site and created a new one. Bitwarden popped up and asked if the passkey should replace the one it already had, so I accepted.

I signed out and tried to log in again, and saw the same behavior–where I expected Bitwarden to pop up and ask if I wanted to use the id.me passkey, nothing happened, and id.me sat waiting.

If anyone has been able to get Bitwarden to work properly with id.me, how do you have the site and the app/browser extension configured? …thanks!

This is a known bug; work-around is to add id.me to the “Excluded Domains” list (under Settings > Notifications).

I’m not sure exactly what is going on in your setup, but I will note that I can successfully use Yubikeys as 2FA for my id.me account. Under Sign In & Security > Security, note that they offer two distinct options: “Passkey” or “Security Key”. If you previously tried to register a passkey using the “Passkey” option, perhaps you can try it using the “Security Key” option (and see if Bitwarden intercepts that request).

Thanks. Checking that post, I see others are getting it here, too. I just did. I’ve used the alternative workaround of turning off the “Ask to add…/Ask to update…” notifications (less to undo in the future :smiling_face_with_sunglasses: ).

From what I can find on id dot me’s site (sorry; apparently, I can only put one link in a post), it appears that “Security Key” is a USB device, similar to a Yubikey, but with a button to press when requested by the site.

Did you try using the option to add a “Security Key” while the Bitwarden browser extension was unlocked?

I admit that I did not, because the id.me documentation stated it was for a hardware key.

So, I went back and tried, and sure enough, (1) Bitwarden offered to save the passkey (asking if I wanted to overwrite the old one) and (2) after logging out, closing the browser, and logging back in, when I chose “Security key” for 2FA, Bitwarden popped up and offered the id.me passkey, and I was in.

Apologies for my skepticism–I did RTFM and it stated otherwise, which I accepted as gospel, especially since that site seems to be so hostile to third-party authenticators.

1 Like
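For anyone debugging a “the site sits waiting and the password manager never prompts” situation like the one above, the following is an added example (not code from Bitwarden, id.me, or anyone in this thread). A site that uses a passkey only as a second factor calls `navigator.credentials.get({ publicKey, mediation })` after the password step, and which authenticators the browser can offer for that call depends on a few fields in those options: whether `allowCredentials` is empty (discoverable-credential flow) or lists credential ids, the per-credential `transports` hints, the `mediation` mode, and `userVerification`. The `describeAssertionRequest()` helper reads an options object copied from the browser devtools and reports those constraints. The two option sets at the bottom are constructed for illustration and are not id.me’s real requests; the thread does not establish why the “Passkey” option failed where “Security Key” worked, so treat the helper as a way to look at the actual request rather than as an explanation of id.me’s behaviour.

```javascript
// Added example: a diagnostic for WebAuthn assertion requests. Not code from
// Bitwarden, id.me or the forum participants. Runs under Node.js.

const ROAMING_TRANSPORTS = ['usb', 'nfc', 'ble', 'hybrid'];
const ALL_TRANSPORTS = [...ROAMING_TRANSPORTS, 'internal'];

// Takes the argument a site passes to navigator.credentials.get() and returns
// which authenticator classes the browser can offer plus human-readable findings.
function describeAssertionRequest({ publicKey, mediation = 'optional' }) {
  const findings = [];
  const allow = publicKey.allowCredentials || [];

  // Empty allowCredentials = discoverable-credential flow: the authenticator
  // itself must hold a resident key for this rpId. A non-empty list means the
  // site already knows which credential ids it accepts, the usual shape when
  // the passkey is a second factor after a password.
  const discoverable = allow.length === 0;
  findings.push(discoverable
    ? `discoverable flow: only authenticators holding a resident key for "${publicKey.rpId}" qualify`
    : `allow-list flow: the site supplied ${allow.length} credential id(s)`);

  // Per-credential transport hints narrow which authenticator classes the
  // browser tries. No hints at all leaves every class in play.
  const hinted = new Set();
  for (const cred of allow) {
    for (const t of cred.transports || []) hinted.add(t);
  }
  const effectiveTransports = hinted.size ? [...hinted] : [...ALL_TRANSPORTS];
  const allowsRoaming = effectiveTransports.some((t) => ROAMING_TRANSPORTS.includes(t));
  const allowsInternal = effectiveTransports.includes('internal');
  if (!allowsInternal) {
    findings.push('transport hints exclude "internal": a platform-held or manager-held passkey may not be offered');
  }
  if (!allowsRoaming) {
    findings.push('transport hints exclude roaming transports: a USB/NFC security key may not be offered');
  }

  // Conditional mediation asks for autofill-style UI instead of a modal
  // dialog; a client that does not implement conditional UI has nothing to
  // respond to, and the page simply waits.
  const conditional = mediation === 'conditional';
  if (conditional) {
    findings.push('conditional mediation: no modal prompt is shown; only clients that support conditional UI can answer');
  }

  if (publicKey.userVerification === 'required') {
    findings.push("userVerification=required: the authenticator must verify the user (PIN, biometric, or the manager's own unlock)");
  }

  return { discoverable, effectiveTransports, allowsRoaming, allowsInternal, conditional, findings };
}

// Constructed sample requests (placeholder rpId, zeroed challenge and credential
// id). They illustrate two common shapes and are not id.me's actual options.
const ALLOW_LIST_MODAL = {
  publicKey: {
    rpId: 'example.test',
    challenge: new Uint8Array(32),
    allowCredentials: [{ type: 'public-key', id: new Uint8Array(16), transports: ['usb', 'nfc'] }],
    userVerification: 'preferred',
  },
};

const DISCOVERABLE_CONDITIONAL = {
  publicKey: {
    rpId: 'example.test',
    challenge: new Uint8Array(32),
    allowCredentials: [],
    userVerification: 'required',
  },
  mediation: 'conditional',
};

for (const [name, request] of Object.entries({ ALLOW_LIST_MODAL, DISCOVERABLE_CONDITIONAL })) {
  const result = describeAssertionRequest(request);
  console.log(`${name}:\n  ${result.findings.join('\n  ')}`);
}
```

To use it on a live site, break on `navigator.credentials.get` in the devtools, copy the argument object, and pass it to `describeAssertionRequest()`; the findings tell you whether the request could ever reach a manager-held passkey before you start suspecting the extension.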

Glad that we found a solution for you. This being said, I would recommend investing in an actual hardware security key (or multiple, for backups) to use as the 2FA for id.me, since authentication via that site allows access to high-value accounts (Social Security Administration, etc.). In the event that an attacker gains access to your Bitwarden vault (e.g., a momentary lapse of security resulting in your computer getting infected by info-stealing malware), they would be able to immediately take over your id.me account and wreak all sorts of havoc (since they would have your username, password, and 2FA).

For high-value credentials, it is recommended not to keep all authentication factors (i.e., password and 2FA) stored in one location.

Understood and agreed. I used to have my 2FA through Authy, but I switched to a different authenticator a few months ago. id.me changed its policy recently and arrogantly will not allow use of any authenticator app other than its own, claiming that it’s more secure (though API docs on the site claim it’s still supported).

I really don’t want yet another single-purpose app on my phone, nor do I want 2FA to be solely through one device that can get lost, stolen or broken–which is why I’m not enthusiastic about a hardware security key.

I’ll mull on this for a bit and figure out the best way to proceed that doesn’t have excessive friction. …thanks!

You can register multiple hardware keys for redundancy (personally, I have three registered as 2FA on id.me). Then carry one key, and store the others in different locations (e.g., one off-site, one at home, etc.).

Also, when I was testing the id.me login, I noticed that there was a link for resetting your MFA (which basically has you repeat the original ID verification process using a selfie or video call, etc.). So even if you lose access to all of your security keys, you would not be locked out of your id.me account.

If you still don’t feel comfortable with hardware keys, you could create a secondary Bitwarden account, and store the id.me passkey there. This would give you the ability to keep the master password and/or the 2FA for the secondary Bitwarden account separate from the device where you use your primary Bitwarden account (to protect your digital assets in case your device is compromised); for example, you could keep the master password and 2FA recovery key for your secondary account recorded only on your (paper) emergency sheets, or store the master password for your secondary account inside your primary Bitwarden vault, and rely mainly on 2FA to protect your secondary account (and hence the id.me passkey) in case of device compromise.

The optimal solution for you may be to split the difference — i.e., register one or more hardware keys as well as a passkey stored in your secondary Bitwarden account. In that case, the passkey in your secondary Bitwarden account becomes an “emergency use” passkey that you would access only in case you lose all of your hardware keys; thus, it wouldn’t matter so much if logging in to your secondary Bitwarden account was cumbersome (e.g., requiring retrieval of a paper emergency sheet), because it would rarely be necessary.

Thank you for the additional ideas!

1 Like