The only one I have seen fully work including vault unlock/decryption is creating the Passkey on Safari Technology Preview. Even then after creating the passkey on Safari Technology Preview, that key cannot decrypt the vault on chrome/edge/firefox/safari, only decrypt/unlock on Safari Technology Preview itself.
2 Likes
I have set up a Yubikey 5 to unlock and decrypt my vault without entering my master password or any identifiers except a FIDO pin code. It works very well using Chrome browser on MacOS. However, using Chrome browser on IOS 18.1 the Yubikey will unlock but not decrypt my vault.
iOS/Safari 18 WebKit now supposedly provides PRF support .
I am on iOS 18.1.1 but when I attempt to use NFC to read my Yubikey and enter my Yubikey PIN, I still get redirected to a Bitwarden enter my master password, so I still have no Passkey way of logging in to BitWarden from my Phone. I have been wanting this feature for quite some time.
Is the ball now in Bitwarden’s court to alter the mobile browser based login to support this workflow?
Big caveat for Yubikey. Each time a pin is attempted, the yubikey increments its internal counter. If too many failures, 8, the entire device locks itself and is no longer useful until your clear it, which means all of the keys on it are gone.
They can’t brute force a yubikey. They have 8 attempts. But this is per device. If a person has spare keys with the same pin, each device is another 8 attempts.
Some other security keys may not do this. This is why I use yubikey. They’re designed with the intent of being secure even if a nation-state got a hold of them with unlimited access.
Did you bother reading the link that was posted right after the text that you quoted in your comment?
It is not impossible to brute-force a Yubikey. If your PIN is a randomly generated 4-digit numeric code, then the probability of success of a brute-force attack is close to 1:1000. If your PIN is not random, then the probability of success can be significantly higher (closer to 1:5).
I hate to break it to you, but even Yubikeys have vulnerabilities: