I’ll be the first to admit that I don’t understand passkeys that well. Here’s what I did. I log into my vault using the Chrome browser, I go to the security section and turn on passkeys and it asks where I want to create the passkey and I select my Pixel phone and it says it created it. Later when I want to log on thru Chrome again I select “Log on with passkey” and tell it that it’s on my Pixel phone. I go thru the steps on the Pixel phone but then on the Chrome browser it still wants the master password. Is that normal? I thought I could log on without using the password? What did I do wrong?
Hi Neal, welcome back to the community forum!
When you set up your passkey, did you check the box to use for encryption? You can check by seeing if the passkey shows “used for encryption” in your settings.
It says “Encryption not supported”
To decrypt your vault data and see the contents of your vault, the Bitwarden app (e.g., Web Vault) will need either your master password, or a key that has been generated by your passkey authenticator using the PRF/hmac-secret extension. Unfortunately, support for PRF is spotty, and for this method of decrypting your vault to work, you need PRF-compatibility to be present in your operating system, browser, Bitwarden app (web vault), and in the passkey authenticator (in your case, your Pixel phone).
The Chrome browser is PRF-compatible, as are the Windows 11 operating system and the Bitwarden Web Vault. Thus, the most likely weak link is your Pixel phone, which likely does not have support for the PRF/hmac-secret extension.
It is due to the paucity of available PRF-compatible systems that the “Login with Passkey” feature remains in beta.
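The difference between "passkey accepted" and "vault unlocked" described in the reply above, as an added Node.js sketch that is not part of the thread and not Bitwarden's code. The software authenticator, the HKDF label `example-vault-wrap` and the AES-GCM wrapping are assumptions for illustration; only the salt hashing and the HMAC step follow the WebAuthn PRF and CTAP hmac-secret definitions.

```javascript
const nodeCrypto = require('crypto');

// WebAuthn PRF: the client hashes the site's input with a fixed context
// string; the result is the salt handed to the CTAP hmac-secret extension.
function prfSalt(input) {
  const ctx = Buffer.concat([Buffer.from('WebAuthn PRF'), Buffer.from([0]), input]);
  return nodeCrypto.createHash('sha256').update(ctx).digest();
}

// Constructed software stand-in for a passkey authenticator.
function makeAuthenticator(supportsPrf) {
  const credRandom = nodeCrypto.randomBytes(32); // per-credential secret, stays on the device
  return {
    getAssertion(prfInput) {
      const assertion = { userVerified: true, extensions: {} };
      if (supportsPrf) {
        const first = nodeCrypto.createHmac('sha256', credRandom)
          .update(prfSalt(prfInput)).digest();
        assertion.extensions.prf = { results: { first } };
      }
      return assertion; // without PRF: proof of identity only, no key material
    },
  };
}

// Assumed client-side step: stretch the PRF output into an AES-256 wrapping key.
function wrapKeyFrom(assertion) {
  const prf = assertion.extensions.prf;
  if (!prf) return null;
  return Buffer.from(nodeCrypto.hkdfSync('sha256', prf.results.first,
    Buffer.alloc(0), 'example-vault-wrap', 32));
}

// Done once at passkey setup ("used for encryption"): wrap the vault key.
function wrapVaultKey(wrapKey, vaultKey) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', wrapKey, iv);
  const ct = Buffer.concat([c.update(vaultKey), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// The assertion authenticates either way; unlocking needs the PRF output.
function unlock(assertion, wrapped) {
  const wrapKey = wrapKeyFrom(assertion);
  if (!wrapKey) return { state: 'need-master-password' };
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', wrapKey, wrapped.iv);
  d.setAuthTag(wrapped.tag);
  return { state: 'unlocked', vaultKey: Buffer.concat([d.update(wrapped.ct), d.final()]) };
}
```

An authenticator created with `makeAuthenticator(false)` still returns a valid assertion, but `unlock` has nothing to derive a key from, which matches the "Encryption not supported" behaviour reported in the thread.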
I use Windows 11 (always up to date), Windows Hello and Edge. When I created a passkey it says Encryption Not Supported.
The behaviour is that it accepts the passkey but immediately asks for the password to unlock the vault. This makes it useless and not functional. Did I do something wrong? Edge is a Chromium browser.
According to this whitepaper, Windows Hello does not support PRF: