It seems to me that this is not really a re-authentication for the purpose of authorizing the protected action (vault exports, viewing master password protected items, etc.), but simply a side-effect of the current requirement to use the master password for all such authorizations — thus, the server is contacted only for the purpose of being able to validate the user-entered master password (in cases such as login with device or login with passkey, in which the client does not have access to master password hash).
So, if the authorization of protected actions is done using another way, then there would be no need to re-authenticate with the server, right?
And this is true of all protected actions, including, say, rotating the account encryption key, or changing the KDF settings?
Asked on today’s “Go Passwordless with Bitwarden” webinar:
Some things rely on the master password or email verification codes (like adding a new login passkey etc.). Verifying everything with login-passkeys would reduce the dependence on the master password. Any plans?
Dan, I believe the user in the webinar was asking about performing verification for sensitive actions such as changing your account email address or setting up 2FA. This is the type of user verification I was referring to wanting to support with login passkey, not user verification of passkey authentication ceremonies.
It may have been less confusing if I had used the term “confirming” instead of “verifying” in my question… unfortunately, most of the time, you only realize something like that after the event…