Login with Passkey, "Use for vault encryption"

Has anyone got the “Use for vault encryption” option to work with the 2024.1.0 web vault?
If so, can you share which browser and OS you used.

PS I tried 2 yubikey 5’s which are PRF enabled.


It worked without a problem for me, including “use for vault encryption”, with my two YubiKeys 5C NFC. Windows 11 and Brave as browser (!). So a long-lasting question finally resolved for me: at this point in time, not only Chrome Canary seems to be providing PRF… :grinning:

PS: But the process is not easy for someone who just “uses his/her computer”… I think, at first, you have to circumvent the Bitwarden browser extension (“use Browser”), and then you have to decline Windows’ offer of creating the Passkey in Windows, but choose “hardware-key”… then it worked fine. :+1: (and I also tested it afterwards: I can log in to the Bitwarden web vault with both Yubikeys, just using my Yubikey-PIN)

Works for me using Yubikey 5C NFC, Windows 11 with Edge, and macOS with Chrome.

I did see that error when setting up on Windows, but I think that’s because I was moving too quickly through the various windows prompts to set the key up.

Working fine here. I’m using Yubikey 5C NFC, latest Chrome (Stable) on Windows 11.

Very cool feature!

I have got passkey with encryption working on Chrome/MacOS, but I have no luck with Windows 10 or 11; I tried a few browsers, but it appears to be just me.

The article below suggests that PRF (and therefore, the ability to register passkeys with encryption) is only available in Google Canary:

I get the same, tried Chrome and Edge with Windows 11. The option to use for vault encryption doesn’t show, so presumably these browsers are not (yet) PRF capable. I note @grb points out that it may only work with Google Canary for now.

That said, I persisted and created a passkey which was stored in Bitwarden Chrome extension. However, I don’t see any advantage in this as I’m still being asked to enter my Master Password even after unlocking with the passkey.

I am having the same issue with Yubikeys that have firmware 5.1.2. I read somewhere that they needed to support HMAC-secret, which according to Yubico’s website came out in 5.2. I don’t have any newer ones, so I cannot test that as of now. Yubikey Manager is what I used to check my FW version.

You are referring to a blog post from last June. Webauthn PRF support was added to Chrome in version 116 which went stable after the article was published.

I was able to enable vault encryption with an old Security Key with firmware version 5.0.2. According to this, hmac-secret extension was indeed introduced in firmware version 5.2 so I’m a bit confused how the encryption key is derived without support for hmac-secret extension. Perhaps someone from Bitwarden could explain this.

Edit: OK, I tested running ‘ykman --diagnose’ command with the Security Key v. 5.0.2 inserted and it listed hmac-secret under extensions. So, the Yubico blog post seems to be misleading.
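The back-and-forth above about Chrome 116 and the hmac-secret extension comes down to one thing a web client can check at registration time: whether the browser/authenticator pair reports the WebAuthn PRF extension (which maps to CTAP2 hmac-secret on the key) as enabled. The following is an added example, not Bitwarden's code and not from any poster in this thread; it shows how a client requests PRF when creating a resident credential, reads the `enabled` flag from `getClientExtensionResults()`, and later pulls the 32-byte PRF output from an assertion. The `rpId`, user name, challenge and salt values are placeholders, and the extension-result objects used to exercise the functions are constructed mocks of the shapes the browser API returns. In a real page the options objects are passed to `navigator.credentials.create()` / `navigator.credentials.get()`.

```javascript
// Added example (not Bitwarden's code): requesting and checking the WebAuthn PRF extension.
// The builders and checks are pure functions so they can be run offline against
// constructed mock results; in a browser the options go to navigator.credentials.*.

const textEncoder = new TextEncoder();

// Registration options that ask the authenticator whether PRF is available.
// rpId / userName / challenge are placeholder values for illustration.
function buildRegistrationOptions({ rpId, userName, challenge }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpId },
      user: { id: textEncoder.encode(userName), name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
      // Empty prf object = "tell me whether this credential can do PRF".
      extensions: { prf: {} },
    },
  };
}

// After create(): the browser reports { prf: { enabled: true } } only when both the
// browser and the authenticator support the extension. A client would hide the
// "use for vault encryption" choice when this returns false.
function prfAvailable(clientExtensionResults) {
  return Boolean(clientExtensionResults && clientExtensionResults.prf && clientExtensionResults.prf.enabled === true);
}

// Assertion options that evaluate the PRF over a fixed salt. The salt is what makes
// the same key + credential return the same 32 bytes on every login.
function buildAssertionOptions({ rpId, challenge, salt }) {
  return {
    publicKey: {
      rpId,
      challenge,
      userVerification: "required",
      extensions: { prf: { eval: { first: salt } } },
    },
  };
}

// After get(): prf.results.first is an ArrayBuffer holding the PRF output.
// Returns a 32-byte Uint8Array, or null if the output is missing or malformed.
function extractPrfSecret(clientExtensionResults) {
  const results = clientExtensionResults && clientExtensionResults.prf && clientExtensionResults.prf.results;
  if (!results || results.first === undefined) return null;
  const raw = results.first;
  const bytes = raw instanceof ArrayBuffer ? new Uint8Array(raw) : new Uint8Array(raw.buffer, raw.byteOffset, raw.byteLength);
  return bytes.length === 32 ? bytes : null;
}

// Decide which unlock path the client can take. Without PRF output the only option
// is the master password, which is exactly the "logged in but vault locked" state
// reported in this thread.
function decideUnlockPath(clientExtensionResults) {
  return extractPrfSecret(clientExtensionResults) ? "prf" : "master-password";
}

module.exports = { buildRegistrationOptions, prfAvailable, buildAssertionOptions, extractPrfSecret, decideUnlockPath };
```

The 32 bytes returned by `extractPrfSecret` are key material, not a key: a client would feed them through a KDF (for example HKDF via WebCrypto) before using them to unwrap anything. Whether PRF output appears at all depends on the browser actually forwarding the extension to the key, which is why the same YubiKey can unlock on one OS/browser combination and fall back to the master password on another.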

Hi,

I was able to set it up with a Yubikey BIO (on ChromeOS):

However, when I login with it, I have to enter my master password because the web tells me that my vault is locked:


What could be the reason for that? (because I don’t see the point in logging in with a passkey if I have to enter my master password anyway).

Thanks

This is interesting. Keys that say “used for encryption” should be able to unlock your vault on compatible browsers without the need for the master password. With that said, I don’t believe we tested ChromeOS specifically, it may behave differently from Chrome on macOS or Windows.

Thank you for clarifying. I did notice the blog date, but that blog article is the source for “PRF-capable browsers” that is linked from the official Bitwarden documentation on the passkey login feature (which was just published now). Perhaps an Editor’s update should be added to the blog article, or the help documentation should link a more definitive source of information on PRF-capable browsers.

Not just you @DoctorB . I too am not having any luck enabling encryption. Windows 10, Brave, Yubi 5C (Firmware 5.4.3).

I’ve added that key (under WebAuthn 2FA) to two Bitwarden accounts (work and personal). I’m not sure if that’s what is causing the issue.

Well I enrolled a 2nd key and they both work correctly on my M1 Mac using Google Chrome.
However, neither will work on Windows and it obviously isn’t the keys. I tried Chrome on Win 11 and I tried many browsers on Windows 10.

@sclark Good point about 2FA because I have also used these keys for WebAuthn 2FA. I should probably remove them and try again (maybe at the weekend).

I can say that when encryption does work then the implementation is very nice and super convenient.


The logging in with passkey to a locked vault also happened to me on Google Chrome on GNU/Linux (with that resident credential stored on my Yubikey BIO which was created from ChromeOS).

I will try to login on my work’s laptop (the only windows 10 that I have available to me right now).

I am happy to do any test you want me to.

Thanks!

EDIT: I just read @sclark and @DoctorB comments after posting mine; and that Yubikey BIO of mine, I have it also as second step myself.

Should it be removed from second step? I really don’t want to, because I want it to be used as a second factor on the other clients that do not support logging in with a passkey.

Should it be removed from second step?

No need to - the same key can be used for both passkey login and 2FA, if you want it to.

I just found out something that might be relevant:

I set up that Yubikey BIO as a passkey with encryption for two accounts (I have one for my personal passwords and another one that I use for work).

I can see the two FIDO resident credentials on the Yubikey.

The first one that I set up (my personal one) logs in with passkey to a locked vault.

The second one (that I set up for my work account after having set it for my personal account) decrypts the vault correctly.

That is interesting - You may want to try removing and re-adding the key from the Bitwarden account where it is not unlocking correctly.

How should I do it?

1. remove from the Bitwarden account settings
2. delete the resident credential

and that’s it?