Login with Passkey, "Use for vault encryption"

Yep! That should be all that’s needed.

Alright! I did remove and re-add the yubikey. Here are the steps taken and the results:

1. Removed the passkey from my bitwarden personal account.
2. Removed the corresponding resident key from the yubikey.
3. I was still able to log in with passkey on my bitwarden work account (and the vault was correctly decrypted).
4. Added the passkey again on my personal account.
5. Then I was able to log in with it on my personal account (and the vault was decrypted OK).
6. But now, when I log in with passkey to my work account, the vault is locked (does not decrypt).

Very interesting! The next debugging step would be to delete both of the passkeys, then add a passkey unrelated to Bitwarden as your first passkey, and lastly re-register your two Bitwarden login passkeys (with encryption).

I can’t test that.

I have other resident credentials on that yubikey: two google accounts, work and personal; both work correctly for login.

But I do not know of another site that uses PRF.

This is helpful info! We’ll try to replicate with these steps.

Edit: success, I can replicate the issue. Thanks for your help @kpiris

@kpiris, how do you remove a resident key from a Yubikey?

You need to install Yubikey Manager, then use an elevated command prompt to run ykman fido credentials delete (see documentation).

Besides what @grb points out, you can do it also from google chrome; just search for security keys in the chrome settings page (on a chromebook that’s the only way that I know of for a yubikey bio).

Why are some passkeys not compatible for use with encryption?

Thank you both! I was able to use the ykman fido credentials delete [credential id] @grb mentioned! Google Chrome (on Windows 10) didn’t seem to have that option for me. Maybe it’s a Chromebook setting?

Sadly I’m still not getting it to set up encryption with my YubiKeys.

I am also unable to set up a Yubikey 5 NFC with encryption. Firmware 5.1.2.
Same error as in the screenshot in the first post.

Are you on Windows?

PS: some will tell you that firmware 5.2 is needed, but I can assure you firmware 5.1.2 will support encryption when everything is working in harmony.

My experience: I have now used 3 devices

  • Yubikey 5A NFC - firmware 5.1.2
  • Yubikey 5C NFC - firmware 5.4.3
  • Nitrokey 3A NFC

They all work fine (including encryption) on my Mac and Google Chrome. Both passkey creation and login.
None of them support encryption on Windows.

To me it is something about Windows that is preventing encryption from working, I am using the same USB key on both platforms.
More than likely related to support of hmac-secret/PRF.

Hi,
I can confirm 2x Yubikey 5 NFC with FW 5.4.3 working perfectly (with encryption) on Windows 11.
I set up the first key with latest Brave stable browser, the 2nd with latest Chrome stable.
As intended I can login to the BW web vault with both keys on both Browsers w/o requiring a Master Password.

Yes, Windows.
I have no Macs to try it.

What about Yubikey 5 USB on Android?
I can successfully use my Yubikey for passwordless login to the Web vault on Windows.
However, on Android during login, after I enter my Yubikey PIN I end up with a locked vault and have to enter my master PW for decryption. Tested with latest Brave and Chrome on Android 12 and 13. Do the Android browsers not yet support the “enhanced” Webauthn protocol, whereas the Windows browsers do?
Any ideas? Thanks

This does sound like perhaps an issue with Windows, although we aren’t able to replicate the behavior (Windows 11 + Edge is working for me with the exact same Yubikey model).

The feature is still in beta, and we expect that support for encryption will get better with time as more platforms implement the PRF extension.

It’s not so much that passkeys aren’t compatible, it’s that the browser you are using to set up the passkey (and login with the passkey), as well as the authenticator in which you store the passkey, need to have implemented the relatively new PRF extension to the WebAuthn spec in order to support encryption.
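As an added illustration (not code from this thread or from Bitwarden) of what the reply above means by "implemented the PRF extension": a relying party asks for the WebAuthn PRF extension (backed by CTAP2 hmac-secret on the authenticator) when registering and when asserting a passkey, then inspects the client extension results. If the browser/authenticator pair did not return PRF output, the site can still authenticate you but has nothing to derive a vault key from, which is exactly the "logged in but vault locked" symptom reported earlier. The rpId, the salt value and the HKDF key-stretching step are assumptions for the example.

```javascript
// Added example: requesting and checking the WebAuthn PRF extension.
// Not Bitwarden's code; rpId, salt and the HKDF step are assumptions.

const RP_ID = "example.com"; // placeholder relying-party id

// A fixed per-RP salt is what makes the PRF output stable across logins.
// Constructed placeholder value; a real deployment stores its own salt.
const PRF_SALT = new Uint8Array(32).fill(0x42);

// navigator.credentials.create() options: ask whether PRF is available at all.
function registrationOptions(challenge, userId, userName) {
  return {
    publicKey: {
      rp: { id: RP_ID, name: "Example Vault" },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
      extensions: { prf: {} },
    },
  };
}

// navigator.credentials.get() options: evaluate the PRF with our salt.
function assertionOptions(challenge, credentialId) {
  return {
    publicKey: {
      rpId: RP_ID,
      challenge,
      allowCredentials: [{ type: "public-key", id: credentialId }],
      userVerification: "required",
      extensions: { prf: { eval: { first: PRF_SALT } } },
    },
  };
}

// After create(): did this browser + authenticator honour the PRF request?
function prfSupportedAtRegistration(clientExtensionResults) {
  const prf = clientExtensionResults && clientExtensionResults.prf;
  return Boolean(prf && prf.enabled === true);
}

// After get(): the 32-byte PRF output, or null when the platform returned none.
function prfOutputFromAssertion(clientExtensionResults) {
  const prf = clientExtensionResults && clientExtensionResults.prf;
  if (!prf || !prf.results || !prf.results.first) return null;
  const out = new Uint8Array(prf.results.first);
  return out.length === 32 ? out : null;
}

// What the login flow can do with the assertion result.
function loginOutcome(clientExtensionResults) {
  return prfOutputFromAssertion(clientExtensionResults)
    ? "decrypt-vault"
    : "login-only-need-master-password";
}

// Browser-only glue; guarded so the module also loads outside a browser.
async function loginWithPasskey(challenge, credentialId) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("WebAuthn is only available in a browser");
  }
  const cred = await navigator.credentials.get(assertionOptions(challenge, credentialId));
  const ext = cred.getClientExtensionResults();
  const prfOut = prfOutputFromAssertion(ext);
  if (!prfOut) return { outcome: loginOutcome(ext), key: null };
  // Assumption: stretch the PRF output into an AES-GCM key with HKDF (WebCrypto).
  const ikm = await crypto.subtle.importKey("raw", prfOut, "HKDF", false, ["deriveKey"]);
  const key = await crypto.subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(0),
      info: new TextEncoder().encode("vault-key") },
    ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
  return { outcome: "decrypt-vault", key };
}
```

The two checks are deliberately separate: `prf.enabled` only appears in the registration result, so a site that wants "use for vault encryption" should refuse to enable that option when it is false, instead of discovering at login time that `prf.results` is absent and silently falling back to the master password.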

@Micah_Edelblut Not sure if this is a bug, or just incomplete functionality:

I was able to register a passkey (with encryption) on a YubiKey Security Key, and successfully use it to log in to the Web Vault on a Chrome browser in Windows 11 (version 22H2).

The problem is that when I lock the vault, the unlock screen provides no option to use the passkey for unlocking:

[screenshot of the unlock screen]

Is this expected behavior, or should I be seeing an option to unlock with the passkey? It seems kind of pointless to have passwordless login if you still need to know the password for purposes of unlocking.

This is expected for now, but we have it on our roadmap to add unlocking with passkeys!
