Native FIDO Hybrid Protocol (Passkey) Support & QR Code Login for Untrusted Environments

I recommend the native implementation of the FIDO CTAP 2.2 Hybrid Transport protocol directly at the mobile application layer. This will address two core pain points:

  1. Legacy Android Compatibility: It allows devices running Android versions earlier than 14 or non-GMS (Google Mobile Services) devices to function as a “Roaming Authenticator” via a native protocol stack, bypassing the limitations caused by a missing system-level WebAuthn framework.
  2. Secure Login on Public Terminals: Users can log in to browser extensions in untrusted environments via the FIDO Hybrid channel (“QR Code Login”). This completely bypasses keyboard input (no email or Master Password required), fundamentally preventing hardware-level keylogging attacks.

A. In-App FIDO Hybrid Protocol (Software Authenticator)

  • Concept: Encapsulate the full CTAP 2.2 Hybrid flow (the evolved version of caBLE) within the Bitwarden app, enabling it to act as a standardized software-based roaming authenticator.

  • Benefit: Decouples the feature from OS update cycles, providing a consistent cross-device Passkey roaming experience across all Android versions.


B. “QR Code Login” for Browser Extensions

  • Concept: Leverage the FIDO Hybrid channel to securely transmit authentication credentials.

  • Workflow:

      ◦ Direct Path: The extension login page directly displays a QR code based on the Hybrid specification (containing a Session ID and ephemeral public key). No initial email entry is required.

      ◦ Scan & Authenticate: The mobile app scans the code, completes the handshake via the Hybrid channel, and sends the signed authentication result directly to the extension.

  • Comparison with Current Flow:
    The existing solution relies on OS mediation (Trigger FIDO2 → System Popup → Select Mobile Device → Windows Saving Path → Scan System QR Code), resulting in a convoluted path. By supporting Hybrid natively, we can achieve a streamlined, closed-loop “Scan-to-Login” experience.

Reference: fido-client-to-authenticator-protocol-v2.2-ps-20250714, §11.5 Hybrid transports
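As an added illustration (my own code, not Bitwarden's and not taken from the spec text), this builds the payload behind the "QR code based on the Hybrid specification" in the Direct Path step, following the CTAP 2.2 §11.5 QR layout as I understand it: a CBOR map holding the client's compressed ephemeral P-256 key (key 0), a 16-byte QR secret (key 1, the per-session value that binds the phone to this particular client), the count of tunnel-server domains (key 2) and an operation hint (key 5), serialised as decimal digits behind a FIDO:/ prefix. The optional timestamp and state-assisted keys (3 and 4) are omitted, the CBOR encoder is deliberately minimal, and the sample key and secret in the test are constructed, not real.

```python
# Digits per chunk length: a full 7-byte chunk prints as 17 digits, a trailing
# 1..6-byte chunk as 3/5/8/10/13/15 digits.
_CHUNK_DIGITS = {1: 3, 2: 5, 3: 8, 4: 10, 5: 13, 6: 15, 7: 17}
_DIGITS_CHUNK = {d: n for n, d in _CHUNK_DIGITS.items()}

def _cbor_head(major: int, n: int) -> bytes:
    """CBOR initial byte(s): major type in the top 3 bits, argument below (n < 256 suffices here)."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    raise ValueError("argument too large for this minimal encoder")

def cbor_encode(value) -> bytes:
    """Minimal CBOR encoder covering only the types the hybrid QR map uses."""
    if isinstance(value, int):
        return _cbor_head(0, value)
    if isinstance(value, bytes):
        return _cbor_head(2, len(value)) + value
    if isinstance(value, str):
        return _cbor_head(3, len(value.encode())) + value.encode()
    if isinstance(value, dict):  # canonical order: integer keys ascending
        return _cbor_head(5, len(value)) + b"".join(
            cbor_encode(k) + cbor_encode(value[k]) for k in sorted(value))
    raise TypeError(f"unsupported CBOR type {type(value).__name__}")

def bytes_to_digits(data: bytes) -> str:
    """Each 7-byte chunk becomes a little-endian integer printed as zero-padded digits."""
    chunks = [data[i:i + 7] for i in range(0, len(data), 7)]
    return "".join(str(int.from_bytes(c, "little")).zfill(_CHUNK_DIGITS[len(c)]) for c in chunks)

def digits_to_bytes(digits: str) -> bytes:
    """Inverse of bytes_to_digits; a digit run matching no chunk length is rejected."""
    out = bytearray()
    for i in range(0, len(digits), 17):
        part = digits[i:i + 17]
        if len(part) not in _DIGITS_CHUNK:
            raise ValueError(f"malformed digit run at offset {i}")
        out += int(part).to_bytes(_DIGITS_CHUNK[len(part)], "little")
    return bytes(out)

def hybrid_qr_uri(pub_key: bytes, qr_secret: bytes, num_domains: int, hint: str) -> str:
    """Build the FIDO:/ URI the client displays (CBOR map keys 0, 1, 2 and 5)."""
    if len(pub_key) != 33 or pub_key[0] not in (2, 3):
        raise ValueError("public key must be a 33-byte compressed P-256 point")
    if len(qr_secret) != 16:  # fresh CSPRNG output per session: it binds the phone to this client
        raise ValueError("QR secret must be exactly 16 bytes")
    if hint not in ("ga", "mc"):
        raise ValueError("operation hint must be 'ga' (assertion) or 'mc' (registration)")
    return "FIDO:/" + bytes_to_digits(cbor_encode({0: pub_key, 1: qr_secret, 2: num_domains, 5: hint}))
```

The phone side decodes the digits back to CBOR with digits_to_bytes and then uses key 0 and key 1 to derive the handshake keys for the tunnel; nothing in the QR is secret-by-obscurity, which is why the QR secret must be unpredictable and single-use.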

@embellish9575 Welcome to the forum!

And do you have a source (or several sources) for this?

Hello, thank you for your response.
These are the materials that might be needed for now. I’m just an average user, so I don’t have much expertise in browsers or Bluetooth.

If browser extension functionality is restricted by platform or browser limitations, the focus could be on implementing the mobile app side. For instance, on Windows 10/11, it could still leverage the system’s native Hybrid support.

@embellish9575, welcome to the community!

Please include only one idea per feature request. If multiple ideas are included in one FR, it becomes impossible for others to vote for just one of the ideas. Also, please focus on what you want to accomplish, rather than AI’s idea on how it could be solved.

Bitwarden already supports passkeys in Android 14 and later. Versions earlier than 14 are no longer supported by Google/Android. Feel free to open a feature request asking to support login with passkeys on unsupported Android operating systems.

There is already a feature request for “Sign in using QR code (scan it with the mobile app) -- master-password-less”. If it is close enough to what you are suggesting, please add your vote to it. If your idea differs, please be sure to mention how it differs from the existing FR when you create your own.

I am scheduling this FR for closure in a week. In the meantime, please either add your vote to existing feature requests, or create new ones that request just a single thing.


In untrusted environments, logging in to the Bitwarden browser extension itself is not a good idea…

Well, almost… it seems Google drops support for the respective “next” Android version in February/March, so indeed, Android 13 is in its final days.