I currently login to the browser extension and the mobile app with a long master password and a Google Authenticator code.
I have tried using a passkey, but then that passkey just stays on whichever device I set it up on. So if I set up the passkey on the desktop, I then can’t log in with the mobile app. Conversely, if I set up the passkey on Android, I then can’t log in on the Chrome extension.
This is why I use a long password and Google Authenticator.
Typing in a long password is annoying and exposes me to keyloggers, leaving the 2FA protecting everything. But my laptop has no fingerprint reader.
How can I make this more secure? I would like to think that I could have a passkey on my laptop and another passkey from the Android app, but I can’t see a way to do that. What is this called, to help me search for help?
Platforms: MacOS Ventura on 2015 MBP and latest Android.
Hello,
The problem is that passkey login (with encryption) for the Bitwarden app doesn’t work everywhere. It only works on supported platforms and supported browsers, with the web vault only. It doesn’t work with other clients.
If you trust your Android secure enclave implementation (which BW generally does), you can set up your Android BW to unlock on Biometrics. With this, you are never logged out on Android. You can use the phone to approve login on other clients (“Login with device”) after you have logged in with the master password on each client at least once. This way, you won’t have to type the master password in anywhere. Be sure to write down the master password and 2FA recovery code, and set up a repeating reminder to re-memorize your master password.
Besides the convenience, passkey login means not getting phished. OTOH, if you don’t ever add new clients (or get malware), this becomes less of a problem because you are always approving logins for a trusted client. On platforms that support FIDO2 as a 2FA, this is also definitely not a problem. Unfortunately, some BW clients on MacOS still don’t support FIDO2.
If you don’t trust the Android secure enclave implementation, you can set yourself up so that you always have one client (Android, MacOS desktop) logged in, so that you can approve logins on that client. Of course, this requires you to trust BW’s “Login with Device” implementation.
If you use the Google account also as a primary email account, you may want to consider using a different 2FA authenticator with encrypted backups not directly tied to your primary Google account, or at least syncing the Google authenticator to a different Google account. Otherwise, if perchance an attacker can take over your primary Google account, they may have the email to reset your accounts’ passwords, and TOTP codes to get into all your exposed accounts.
1 Like
You should be able to set up a total of five “login-with-passkey” passkeys in the web vault. Did you try to add one passkey with your desktop computer and another passkey on your Android phone, and that didn’t work? Maybe there was a “hiccup” or something (and I hope you didn’t accidentally “overwrite” them with each other on both sides). Probably try it again, because as written above, you can add up to five separate passkeys, so your setup is surely a possible one.
(see here: Log in with Passkeys | Bitwarden Help Center )
1 Like
Disclaimer: I don’t use MacOS myself, so I can’t speak for that… but I think the current roadmap indicates that the desktop app on MacOS will get FIDO2 support:
2 Likes