Login with Passkey, "Use for vault encryption"

Hey @kpiris
We were able to confirm with Google that this is an issue with Chrome. You can track the resolution here: 1520646 - chromium - An open-source project to help move the web forward. - Monorail

You’re telling me that both iOS and Windows-based passkeys don’t support PRF?

PRF is very new, and as far as I am aware, the use-case was only theoretical until Bitwarden launched our login with passkey feature. I’m sure that Apple and Windows will eventually support PRF, but it’s not surprising to me that they don’t yet.

There is some chatter here, but not much evidence of action:

https://forums.developer.apple.com/forums/thread/733413

As a workaround for now, we could simply press logout and then use the “login with passkey” option again to log in without entering the master password.

I am a little confused about this, as some users in this forum reported that passkeys encryption worked on Windows 11, macOS and Linux using the existing version of Chrome. Only Windows 10 didn’t seem to work. So I am not sure if it’s a problem with the Chrome version of Windows 10 or it’s the problem with the Windows 10 OS itself.
I hope it works on Windows 10 in the near future.
Btw that bug tracker has been marked as solved now.

From what I’ve read you have to be using Windows Hello, on the Windows PC you want passkeys to log you in on. I tried this 2 days ago- set up a passkey on my Android (technically, I used the one automatically created by Google on my phone which it does when your phone logs into your Google account) and was able to log into Gmail using the passkey on the phone over Bluetooth to my Linux PC.

The next day I tried doing the same thing on my Windows PC and the phone received the authorization popup, but it failed with a “Cannot connect” error even though the phone was already connected to the PC. However, I do not use Windows Hello and just log in locally so that jives with what I read online.

So then I tried again on the first PC and it now too consistently reports “Could not connect” even though I’ve verified that it was definitely connected over Bluetooth.

So I created a Passkey using the Bitwarden browser extension and that seems to work fine.

Too much infighting between the phone and the browser extension. I’m a pretty tech-savvy guy but this whole passkey environment is so squirrely it makes my head ache.

BTW both PCs use Brave.

Edit: I unpaired and then repaired my phone to the Linux PC, then was able to use the passkey on the phone to authenticate to Gmail. I had to close the Bitwarden browser drop-down which initially appeared, then selected my phone from the browser’s dropdown list of authentication devices. So at least I got it to work again.

I upgraded my laptop to Win 11, and was able to set up the passkeys (Yubikeys) for encryption!

I haven’t tried using them to decrypt on Windows 10 yet, but I was unable to set the keys up for encryption on my laptop until I upgraded from Windows 10 to Windows 11.

I am trying to set up a passkey to login AND unlock Bitwarden using my Mac’s Touch ID. However, I cannot seem to be able to unlock my vault using this passkey. I think, based on what I’ve read here, that it needs to be encrypted to do so?

Can anyone suggest why I am not seeing the option to encrypt this passkey? Or an alternative way to create a biometric-based passkey to log in and unlock Bitwarden? (Using Mac Touch ID)

This is going to involve a passkey stored in Apple’s iCloud keychain and so you will not be able to do this (as of Feb 2024). The issue is iCloud keychain will store a passkey but will not support PRF so no encryption.
A BW login passkey without encryption is almost pointless.

Do you have a Yubikey? (or similar)

1 Like

Thanks very much for the clarification. No, I do not have a Yubikey. It seems that all the language around “Passkeys work with Chromium browsers” is just referring to the ability to use a Yubikey anyway?

Basically, what I am getting here is that there is no way to set up a passkey that can unlock my vault without a Yubikey? Pretty lame that Apple biometrics can’t be used.

I don’t disagree, but you would have to take it up with Apple.

If you have an OS that supports it, you should be able to save a passkey on your phone and have that transmitted to the PC for authentication. I am able to do that on Ubuntu.

But the user (Teghan) requires a passkey with encryption. Does your method include encryption?
e.g. iPhone (iCloud keychain) passkeys do not.

I believe, for people using Windows 10, this is purely a Windows 10 issue preventing the use of Yubikeys for encryption, even though the option is shown as available.

Windows 10 with Brave, Chrome, Edge gives the option to use for encryption but when you actually try to enable it, it fails (Error Reading Passkey if you try to enable it during adding the key or Invalid Credential if you attempt to enable it after adding the passkey for login only).

All of the above browsers work flawlessly, for me, to add/enable/encrypt on Windows 11. However, when attempting to encrypt a vault on Windows 10 using a key added via Windows 11, it prompts for the password.

I am unable to find any information related to FIDO2/WebAuthn + PRF on Windows 10, so I am hoping someone else can provide any kind of definitive answer or workaround to enable PRF on Windows 10.

Edit: changed decryption to encryption to match the language used in the web vault.

1 Like

Yes. Passkeys stored on Android phones are stored in the Google Password Manager, which is encrypted.

Any news on that? I have Windows 10 and it looks like we still can’t use Yubikey to encrypt the vault.

1 Like

@marcu-735 Welcome to the forum!

Only Microsoft can add Yubikey decryption (PRF) support to Windows 10. You can ask for such a feature update using the Microsoft Feedback Hub app.

Yes, I was also wondering about the same. But Microsoft may not ever release an update supporting this feature, since Windows 10 is supposed to have end-of-life support by 2025. So the chances of this being supported feel a lot less. They have already stopped adding new quality features in Windows 10 (which is unironically good for the most part) and are only releasing security-related and minor upgrades.

1 Like

Thanks, I just did it. I guess they’ll ignore me, but at least I tried it.

If more people can do the same, it’d be great.

1 Like

Safari 18 beta adds support for the WebAuthn prf extension:
News from WWDC24: WebKit in Safari 18 beta | WebKit

I wonder if iOS 18 will make it possible to bring ‘login with Passkey’ support to Bitwarden app on iDevices.

2 Likes
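
Several posts above turn on whether the authenticator and platform support the WebAuthn prf extension. As an added example (not from the thread and not Bitwarden's code), this sketch shows how a relying party can request PRF and tell a login-only passkey from one usable for encryption by reading `getClientExtensionResults()`; the function names, the sample values and the 32-byte length check are assumptions.

```javascript
// Added example, not Bitwarden code. withPrf and classifyPrf are hypothetical names.

// Add the WebAuthn "prf" extension input to the publicKey options passed to
// navigator.credentials.create() or navigator.credentials.get().
function withPrf(publicKeyOptions, salt) {
  const extensions = { ...(publicKeyOptions.extensions || {}) };
  extensions.prf = { eval: { first: salt } };
  return { ...publicKeyOptions, extensions };
}

// Interpret credential.getClientExtensionResults() for phase "create" or "get".
function classifyPrf(phase, extResults) {
  const prf = extResults && extResults.prf;
  if (!prf) return "login-only"; // extension ignored by client or authenticator
  const out = prf.results && prf.results.first;
  if (out !== undefined && out !== null) {
    // Assumption: 32-byte output, as produced by CTAP2 hmac-secret.
    return out.byteLength === 32 ? "key-available" : "invalid-output";
  }
  // At registration a client may report support without returning an output;
  // the secret then has to be fetched with a later get() call.
  if (phase === "create" && prf.enabled === true) return "needs-followup-get";
  return "login-only";
}

// Constructed extension results (not captured from any real authenticator).
const SAMPLES = [
  ["create", {}],
  ["create", { prf: { enabled: false } }],
  ["create", { prf: { enabled: true } }],
  ["get", { prf: { results: { first: new ArrayBuffer(32) } } }],
  ["get", { prf: { results: { first: new ArrayBuffer(16) } } }],
];

function classifyAll(samples) {
  return samples.map(([phase, ext]) => classifyPrf(phase, ext));
}

console.log(classifyAll(SAMPLES).join(", "));
```

A "login-only" result corresponds to the case described in the thread where a passkey can authenticate but cannot be used for vault encryption.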