Log in with Passkeys beta

Though, by default, passkeys then get stored in your Google account then, IIRC (and not stored on the device itself)…

Absolutely good intention to prevent “circular dependency” - but the more I think about it, the less I like it, because 1) you then also can’t store passkeys of another Bitwarden account, where no “circular dependency” would happen… and 2) it is somewhat inconsistent, because there is no technical prevention of (also) storing one’s own master password and 2FA for Bitwarden, so it’s kind of arbitrary to do it with passkeys (only) because it’s technically possible to do that

Yes, I’ve changed my thinking on this since we initially developed the login with passkey feature, and I think if/when this comes out of beta, we would probably remove the guardrails we have so far implemented.

2 Likes

Can you say more about that? Okay, you added when - but still, the if part makes me nervous…

1 Like

When we developed this feature, our purpose was to demonstrate a proof of concept for how the PRF extension enabled zero-knowledge products to use the passkey specification for login and decryption.

Since then, we’ve kept an eye on feature adoption among our cloud users, passkey adoption broadly, and PRF adoption by platforms and authenticators.

I expect that eventually login with passkey will be an option across all of our clients, and in many cases the easiest way for a user to get into their vault. After all, when the stars align, it’s a passwordless, phishing resistant login method that even provides a kind of 2FA!

But for the immediate future, especially with the current state of PRF support, expanding this option to additional clients is probably not a feature Bitwarden should focus on to deliver an easier login experience. As we update our public roadmap, you’ll hear more about where specifically our near-term focus is, but that’s the long view.

4 Likes

That’s a disappointing update, since you had indicated 6 months ago that the blocker for implementing passkey login in browser extensions (availability of “PRF extension for related origins”) had finally been removed:

From a personal perspective, getting passkey login support on the browser extension is the one thing that is keeping me from setting up my family with Bitwarden accounts.

3 Likes

And you did that! – But you also gave rise to some expectations :melting_face:

I’m not sure how you mean that, but if you assess current “login with passkey” usage, that may also not be as high as it could be, because you can use that login-passkey only for the web vault, and that may not be the most interesting use case for most people.

The browser extensions and mobile apps – and with the new desktop apps, those probably also – are far more interesting in that regard.

Well, that is good news, that the possibility is there.

I’m not sure I agree.

  1. What are the blockers now with PRF, still? As I understand it, PRF will come in the next months to Firefox on MacOS, and then it should be there for most or all current OS’s and browsers. I’m sure there are some minor exceptions… or what are the major problems with PRF support, still?

  2. I’m really not a kind of “marketing-guy”… but with “login-with-passkeys”-support for all major clients for “daily use of an end-user” (browser extension, mobile app, desktop app) that would really be an outstanding feature.

And I agree with @grb - most of my family already has YubiKeys, and I was really looking forward to showing them how easy it would be to just log in to the apps with their FIDO2 PIN (and make their transition from KeePassXC to Bitwarden).

So, it’s indeed disappointing to read, after your October 2024 update, that it’s only further in the future now…

1 Like

I believe that 1Password already has this for their web app and mobile apps, so I would think there should also be some competitiveness incentive for Bitwarden to keep developing the Login with Passkey functionality…

Bummer. :slightly_frowning_face: My biggest reason for wanting Passkey login to Bitwarden is so that I can get my parents to use a password manager. Since I don’t trust them to manage the master password without screwing up, it’s important to find a solution that supports logging in using a “passwordless” technology (most likely Passkeys).

2 Likes

I’ll add my voice to the pool of people voicing their concern and disappointment over this stance from Bitwarden. It’s personally been one of my most anticipated features, and would, like @grb, @Nail1684 and @lindhe indicate, be of really big help in bringing less tech-savvy people to use Bitwarden. I can’t imagine that we’re the only ones with this opinion. Besides, this feature perfectly aligns with Bitwarden’s mission statement and should therefore, IMO, be of high priority:

The Bitwarden mission is to empower everyone to take control of their digital security.

1 Like

One side note to that: I often find myself still logging in to the web vault not with my passkeys - though I know it’s more “secure” to even use the login-passkeys - because there are some actions I can’t do with the passkey then (not completely logical, I know)… for me, I still use the web vault for exports - and I can’t confirm an export with my login-passkey. (PS: If I used the export of one of the apps, that would be the same… but I wouldn’t even “expect” being able to use a login-passkey there, as they are still only usable for the web vault…)

Recently, I indeed changed my master password… - confirming that is still only possible with the current master password.

For now, I wouldn’t go as far as this feature request: Ditch the master password in favor of passkeys - but “feature parity” for login-passkeys with “master password + 2FA” (i.e. being able to fully control the vault with login-passkeys, which is not possible as of today, because without the master password, there are certain things you can’t do then… BTW, I think even adding new login-passkeys requires the master password…) is also a barrier for an even wider adoption/usage of login-passkey.

So I strongly suggest making it possible to (also) use login-passkeys everywhere the master password is needed (confirming exports, adding new login-passkeys, master password changes etc.).

… also unlock vault, master password reprompt and user verification to use-a-passkey. The last one sounding strangely close to a circular problem :-).

1 Like

… not really, I think, as using a login-passkey (e.g. from your security key) as UV for usage of a passkey of the BW vault (not that I see that coming at the moment) wouldn’t be circular… or did I miss your point? (of course, if we would be able to use PRF for stored passkeys, then especially “full-login-passkeys with encryption” used from the BW vault might introduce some circularity here…)

Using login-with-passkey as the UV for use-a-passkey would not actually be a circular problem; it just sounds like one.

Storing your login-to-vault passkey in Bitwarden is pretty much the equivalent to storing your vault password there. Not a big problem and can be useful for getting into the web-vault (for example). But to prevent circularity a login-to-vault passkey ALSO does need to be stored outside the vault (likely being your 2nd of 5 passkeys that can be registered for this purpose).

I like it, and I can set the option of using a passkey to encrypt data. It works on Debian 13, Firefox.

Just for the record: Firefox on MacOS supports PRF since version 139 now (the latest Firefox version is 140.0.2 right now). Same link as before: 1935280 - MacOS support for WebAuthn PRF extension