Passkey feature in Bitwarden not working with Bank of America?

Hello,

I am a long-time user of KeePassXC and moving towards Bitwarden. I am familiar with passkeys as I use them with KeePassXC. I also have several YubiKey 5 series keys that I use to open the KeePassXC database. In the process of registering new passkeys with Bitwarden I have noticed that on Bank of America it’s telling me that it doesn’t support it.

This is the error I get:

Your security key registration was not successful

  • Make sure your key is FIDO-1 or FIDO-2 certified and is a physical/removable key (passkeys are not supported at this time).
  • Tap the button on your key when you see the prompt to avoid timing out.
  • Verify your key is functioning correctly by using it on other security-enabled websites
  • Use one of these supported browsers: Chrome, Safari, Edge, or Firefox

I’ve tried this with Firefox, Brave, Chrome and Chromium on Linux. Is there a setting I should be looking at? Bitwarden passkeys work fine on other websites I’ve tried, including my own self-hosted Nextcloud.

I am using version 2025.1.0.

@NoahD Welcome to the forum!

The answer is in the error message:

Bank of America evidently only supports hardware keys.

I guess Bitwarden can’t emulate FIDO-2 keys?

No offence, but since Bitwarden supports passkeys - and passkeys are “FIDO2-keys” - I’m not sure what you mean here?

According to https://www.bankofamerica.com/security-center/online-mobile-banking-privacy/usb-security-key/ I would say they only allow the creation of a so-called “non-discoverable credential”, and only a “hardware-bound” one, so to say. If I remember correctly from some discussions here, Bitwarden should be able to store those (@kpiris could know this), but BoA seems to restrict it to certain conditions - and that might be something Bitwarden neither “matches” nor is able to “emulate”.

If by “emulate”, you are suggesting that Bitwarden attempt to spoof the AAGUID of a hardware key authenticator, this is not possible due to the practice of validating AAGUIDs using attestation statements and signed certificates.

No emulation about it. A passkey is a FIDO authenticator. However, not all FIDO-2 authenticators are passkeys, just as not all animals are dogs.

The fact that they support FIDO-1 indicates they are using an older FIDO standard, U2F (Universal Second Factor), which is an “uncle” to passkeys. The distinguishing characteristics that make a FIDO credential a passkey are:

  • Passkeys do not require entering a username/password (in geek terms, “discoverable” or “resident”).
  • Passkeys can be synced and backed up, although the website is still free to require that its passkey be locked to a specific piece of hardware (“device-bound”, e.g. a YubiKey).

Because BoA requires that its credential be device-bound, and Bitwarden only implements syncable credentials, you are out of luck “at this time” (as BoA says).
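To make the distinction in the post above concrete (an added illustration, not code from this thread or from Bitwarden): a relying party asks for a non-discoverable, hardware-bound credential through `authenticatorSelection`, and at registration it can reject a synced passkey by checking the backup-eligible flag and the AAGUID in the authenticator data. The allow-listed AAGUID, hash, counter and credential id bytes are constructed placeholders, and the attestation-signature verification that makes the AAGUID trustworthy is omitted.

```javascript
// Added example, not from the thread or from Bitwarden: a relying party that accepts only hardware keys
// asks for a non-discoverable, device-bound credential and checks what comes back. Runs offline in Node.js.
// Options a hardware-only RP passes to navigator.credentials.create() (real WebAuthn option names).
function hardwareOnlyCreationOptions(challenge, rpId, userId, userName) {
  return { publicKey: {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],   // ES256
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform",            // roaming key, not a platform or sync authenticator
      residentKey: "discouraged",                           // non-discoverable: username is still entered first
      userVerification: "preferred",
    },
    attestation: "direct",                                  // RP wants the attestation statement back
  } };
}

// Authenticator data layout: rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | credIdLen(2) | credId (last three only when AT is set).
function parseAuthData(authData) {
  const flags = authData[32];
  const attested = (flags & 0x40) !== 0;             // AT: attested credential data present
  return {
    userPresent: (flags & 0x01) !== 0,               // UP
    backupEligible: (flags & 0x08) !== 0,            // BE: credential can be synced/backed up
    backedUp: (flags & 0x10) !== 0,                  // BS: currently backed up
    aaguid: attested ? Buffer.from(authData.subarray(37, 53)).toString("hex") : null,
  };
}

// Policy for a device-bound-only RP: reject backup-eligible (synced) credentials and require an allow-listed
// AAGUID. The AAGUID is only trustworthy after the attestation statement's signature chain has been verified
// against the vendor's attestation certificate (omitted here).
function hardwareBoundPolicy(authData, allowedAaguids) {
  const d = parseAuthData(authData);
  if (!d.userPresent) return { ok: false, reason: "user presence flag not set" };
  if (d.backupEligible) return { ok: false, reason: "backup-eligible credential (synced passkey)" };
  if (!d.aaguid || !allowedAaguids.includes(d.aaguid)) return { ok: false, reason: "AAGUID not allow-listed" };
  return { ok: true, reason: "device-bound credential from an allowed authenticator" };
}

// Constructed sample authenticator data: placeholder rpIdHash, counter, AAGUID and credential id, not real device values.
function sampleAuthData(flags, aaguidHex) {
  return Buffer.concat([Buffer.alloc(32, 0xaa), Buffer.from([flags]), Buffer.from([0, 0, 0, 1]),
    Buffer.from(aaguidHex, "hex"), Buffer.from([0, 2]), Buffer.from([7, 7])]);
}
const ALLOWED_AAGUIDS = ["00000000000000000000000000000001"];                      // placeholder allow-list
const hardwareKeyResult = hardwareBoundPolicy(sampleAuthData(0x41, ALLOWED_AAGUIDS[0]), ALLOWED_AAGUIDS);          // UP+AT
const syncedPasskeyResult = hardwareBoundPolicy(sampleAuthData(0x41 | 0x08 | 0x10, ALLOWED_AAGUIDS[0]), ALLOWED_AAGUIDS); // +BE+BS
```

A synced passkey registered this way is refused on the BE flag alone, which is the same outcome the thread describes for Bitwarden credentials at BoA.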

I use Yubis all the time with B of A for my authentication. Using the FF extension, if that makes any difference. Unless I don’t understand what you are looking to do.

OP wants to use a passkey stored in Bitwarden as the 2FA for their BoA account. BoA does not allow this.

Yep. I’ve successfully created all new passkeys with Bitwarden except for Bank of America. I’m OK with it as I am using Yubico keys for that. Eventually BofA will add passkey support.