Make Login Passkeys Identifiably Distinct from 2FA Passkeys on End Device

I just now tested something on a whim and I found something very interesting.

On this website, I have a passkey, and this passkey is on my iCloud Keychain. When I have just a Passkey, I’m able to log in through the passwordless Login With Passkey flow, but not through the username/password/2FA flow.

When I set up a Security Key on my iCloud Keychain (without deleting the passkey), there’s still only one entry, but now both login flows work. I can log in now through both the passwordless and 2FA flows.

What makes it work on this site but not work with a Bitwarden vault?

Sorry for the delay… But thanks for asking again. I now tested it (but it may not be representative for all Android devices - as written before, I suspect my phone doesn’t have a “secure enclave” and therefore stores passkeys only in my Google account!)

So, for the Bitwarden web vault, I could create a 2FA “passkey” with my phone. Okay, it’s a “non-discoverable” credential, and I really don’t see it anywhere (I suspect it’s “stored on”, or rather associated with, my phone/device itself).

Then, I could also create a “login-with-passkeys”-passkey with my phone. As just written above, this, as a real passkey, I can only store in my Google account (Google password manager handles this on Android phones - but I don’t get offered any possibility to store it on my device directly - restriction of my phone, I guess).

And now, I can log in using both types of credentials. So they don’t get overwritten.

I think I just answered this. – Would be interesting to know, though, how it would be handled by an Android device, where you can store the “login-with-passkeys”-passkey on the phone (device) itself.

With “I setup a Security Key” you mean, you set up a “Security Key” on their site and stored that on your iCloud KeyChain as well? (I ask, because “Security Key” usually also can mean a hardware security key, like a YubiKey)

Yeah. If you go into your account settings > security > 2FA, then set up a “Security Key”, iOS allows you to save it to the Keychain instead of a hardware key.


And this does work with Encryption enabled?

Yep, the “login-with-passkeys”-passkey was with encryption. Actually interesting that you can store passkeys using PRF in the Google account, while you can’t store the same in the Bitwarden vault. (Feature Request: Support for Storing PRF-Capable Passkeys in Bitwarden Vault)

Hmm… I’m gonna go test one more thing with iOS. I’m gonna see if creating a Login Passkey without Encryption enabled, and a 2fa Passkey, will allow both to work on the vault.

Nope… still the same issue. If I create the Login Passkey first and then the 2FA Passkey second, then trying to Login with Passkey results in Bitwarden showing an error “Invalid passkey. Please try again.” If I create the 2FA Passkey first and then the Login Passkey second, then trying to log in through password+2FA results in iOS acting like it doesn’t have a passkey saved.

Same issue as before, and encryption is disabled.

Bitwarden Vault has something funky going on with how it’s set up. Other sites work with such a setup with iOS, including Bitwarden Community, but not Bitwarden Vault.
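The thread contrasts two WebAuthn registrations for the same site: a discoverable "login-with-passkeys" credential that requests the PRF extension, and a non-discoverable "Security Key" second factor. The example below, added here and not code from Bitwarden or any poster, shows how a relying party would build those two creation requests and how it can read `credProps.rk` and `prf.enabled` from the authenticator's response to tell which kind it actually got; `rpId`, `userId`, `userName` and `challenge` are constructed placeholder inputs.

```javascript
// Added example (not Bitwarden's code). Builds the two kinds of WebAuthn
// registration request the thread contrasts, then classifies what the
// authenticator reported back. All identifiers below are placeholders.

function buildCreationOptions(kind, { rpId, userId, userName, challenge }) {
  const base = {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    // credProps asks the authenticator to report whether the credential
    // became discoverable (the "rk" flag in the extension results).
    extensions: { credProps: true },
  };
  if (kind === "login") {
    // Passwordless "Login with Passkey": the credential must be discoverable
    // so the authenticator can offer it before any username is typed, and the
    // PRF extension is requested so an encryption key can be derived from it.
    return {
      ...base,
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
      extensions: { ...base.extensions, prf: {} },
    };
  }
  if (kind === "2fa") {
    // Second-factor "Security Key": non-discoverable is acceptable because the
    // server already knows the user and will send allowCredentials at login.
    return {
      ...base,
      authenticatorSelection: { residentKey: "discouraged", userVerification: "preferred" },
    };
  }
  throw new Error(`unknown kind: ${kind}`);
}

// Interpret credential.getClientExtensionResults() after registration.
// A credential with rk !== true cannot serve the passwordless flow; one
// without prf.enabled cannot unlock an encrypted vault, only act as 2FA.
function classifyRegistration(extensionResults) {
  const rk = extensionResults?.credProps?.rk;
  const prfEnabled = extensionResults?.prf?.enabled === true;
  const discoverable = rk === true ? "yes" : rk === false ? "no" : "unknown";
  let role = "second-factor-only";
  if (rk === true) role = prfEnabled ? "login-with-encryption" : "login-without-encryption";
  return { discoverable, prfEnabled, role };
}
```

Recording the classification at registration time lets the server label each stored credential by role, rather than discovering the mismatch only when a login attempt fails.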