PassKey for Bitwarden login is failing in Windows 10. Is anyone else having this issue?

I have enabled PassKeys for Bitwarden login but this is now failing when I enter the Windows Login PIN. This used to work. I am on Windows 10 and on the Web App. I deleted my Passkey entry and tried creating a new one, but the problem still seems to persist. Was there a change implemented that causes this to now fail?

Would appreciate any thoughts on this. Not sure if this is a bug or just my user error. Not sure how to report bugs either, if this is a bug.

Thanks

Update: I have tried Passkeys for Login on 2 other Windows 11 computers and it works just fine. It is only the Windows 10 computer that it is failing on.

@KiwiAnts Your question seems to be about the Bitwarden Password Manager product, and not about the passwordless.dev developer toolkit, so I have moved your post into the appropriate section of the forum. I also modified the title of your post to be more specific (old title was: “PassKey for Bitwarden is failing. Is anyone else having this issue?”).

It may help if you specify your browser and browser version.

Bugs can be reported by opening a “New Issue” on the GitHub repo.

First, I am not using Windows 10.

As far as I know, PRF-required passkey login with encryption for Bitwarden has never worked on Windows 10. It might have worked if you set it up as passkey login without encryption. Here’s from Bitwarden’s documentation:

Additionally, Windows 10 is known to have issues with PRF-capable passkeys.

edited: Never mind. I re-read your post. You are asking why a non-PRF passkey stored on Windows Hello no longer works on Windows 10.

1 Like

Yep, as far as I remember, it did work. Unfortunately, I now have no Windows 10 system to test this again…

Hm. The Windows 10 Login PIN doesn’t work? Maybe sounds a bit silly now, but are you sure the passkey was stored in Windows Hello (and not somewhere else)?

As it works for you on Windows 11 I think you probably did everything right, but maybe check anyway, if you find both passkey parts in the correct place:

  • Windows → Settings → Accounts → Passkeys (or something like that)
  • Bitwarden’s web vault → Settings → Security → Login with passkey

Do both places show the passkey we speak of?

Hi @grb - thanks so much for moving my post. Was not sure what category Passkeys fell into, Passwordless or the main product. Did not realise the Passwordless was a developer toolkit category, so good to know. Still figuring out how to navigate the forum … :slightly_smiling_face:

The reason I did not specify my browser was that I tried it on multiple (Edge, Chrome, Firefox) and the end result was the same, hence this issue seems more related to Windows 10 than to a specific browser. But I am on the latest versions of each browser, at the time of posting e.g. Edge - 138.0.3351.77, Chrome - 139.0.7258.67, if that is of interest.

Thank you for linking the GitHub repo. I found a link to another one as I thought that would be the general way to report a bug, but it did not have Issues enabled. So thought I was either in the wrong repo or there was a different way to report a bug. Turns out it was the former … :wink:

Thanks again for the guidance and help. I will keep plugging away at the issue to see if I can get it resolved. Not sure I want to open a bug yet though until I can ascertain that it is an actual bug and not just me doing something wrong… time will tell.

1 Like

Hi @Nail1684 thanks for your help. So in answer to your questions. Here is a screen scrap of my Bitwarden Passkey setup:

and then in regards to Windows, what you are describing I believe is only available in Windows 11 and not Windows 10. However, I am able to show you this:

Meaning that I do have a Windows Hello PIN set. I am not aware of being able to view your Passkey setting anywhere in Settings in Windows 10, unless you are? I believe you have to go into your NGC folder to see that one has been set, which I am confident that it does exist. Just did not want to take personal ownership of the folder in case it does not like that, so could not view that personally. Hope that helps.

Let me know if you have any more ideas I can follow through on? Thanks again.

@KiwiAnts Could you please try to set up that login-passkey for Bitwarden again with your Windows 10 – and document (here) the steps you get offered by Windows Hello and the steps you choose then?

A screenshot of every dialog popup window from Windows Hello would be great. (shouldn’t be too many?!)

To be honest, I now have a hunch, it might have never worked for Windows 10 for me – and I might have confused it earlier with (only) being able to store “login-with-passkeys”-passkeys without encryption on my YubiKeys 5 via Windows 10 (!)…

PS: So, for the moment, I would like to ask you: Are you really sure, it worked before for you on Windows 10:

? :thinking:

Hi @Nail1684 sorry for the delayed response. Work prevails this week …. :grin: Anyway, in answer to your question, maybe, maybe not …. :man_shrugging: My thinking is that I would not have left it in place if it had not originally worked and I am pretty sure I tested it after I put it in place, but it was a few months ago, so to be honest, I do not remember and it is possible I just imagined it …. :thinking:

Anyway, here is my reproduced path for you to review:

So I deleted my original Passkey entry:

by clicking the “Remove” button. Then I pressed the “New passkey” button shown above to create a new entry:

I got the above dialog to enter in my current Windows Hello PIN. I entered that in and then was asked to give it a Name:

which I then did and clicked “Save”. Here is the outcome:

I then logged out and was presented with the following screen, to log back in again. So I did that:

To test my new Passkey. I clicked on the “Log in with passkey” button and was presented with the following dialog:

I selected the top item in the list, as shown and was presented with the following dialog:

I entered my same PIN that I used previously and got an error message, shown below:

That disappeared after a short time and left me with the following dialog:

And that is where I am at currently ….. :grin:

Hope this helps.

Thanks again for your help.

One other thing I do know, is that for Windows 10, the “Encryption not supported” is standard since WebAuthn is not fully supported in Windows 10, I believe, and while Passkeys are supported you still need to enter your Master Password to get into Bitwarden. So this is not an issue. My understanding is that Windows 10 Passkeys should work in Bitwarden and you should just need to enter your Master Password once you enter your biometric login requirement. So this is where I am confused and stuck, right now …. :man_shrugging:

@KiwiAnts Hm! Thanks for the detailed response! So far, it looks all correct to me. – And I think I have no good idea now… And it’s so unfortunate, that I don’t have a Windows 10 machine at hand to try to reproduce…

You could try to contact Bitwarden support - maybe they have an idea, we don’t see.

You could also think of filing it as a bug report on GitHub (“New issue”), as @grb suggested before. That way, it would probably get “investigated” if it could be a Bitwarden bug - or if it is on Microsoft/Windows. But first, they’ll try to reproduce it…

PS: Ah, one question though: Some posts earlier, I mentioned the path to the passkey storage / list in Windows 11… after you created the passkey that way – can you see it anywhere in Windows / Windows Hello / Windows Security ??

On Windows 11, the “location” looks like this (BTW, don’t ask me why MS translated passkeys to “Hauptschlüssel” in German… it’s like “main keys” in re-translation…):

 

If they are not listed anywhere in Windows 10, that would be odd… Wild speculation: maybe Windows is trying to create just a “2FA-passkey” (a.k.a. non-discoverable credential), instead of a passkey (a.k.a. discoverable credential) ?! :thinking:

PPS: I think, better forget my last speculation:

(–> passkeys.dev - Windows)

And I think “device-bound” would probably mean here: TPM… :thinking:

Side discussion: I think passkeys stored in Windows Hello (and perhaps similarly Google Password Manager on Android) can be described as “protected by TPM,” but maybe not “stored in TPM.” Hardware is limited, but there appears to be no limitation on how many passkeys can be stored in Windows, unlike YubiKey, etc. It’s unclear if the plaintext private key is ever put into the OS memory or not; if it is, one day we might hear about exploits that can grab these keys.

edited: Passkeys on Android managed by Google Password Manager are forcibly synced to a Google account, with the private keys encrypted by the PIN; the emails/usernames and the URLs probably are not. You can’t make device-bound passkeys on Android using the Google password manager.

2 Likes

@Nail1684 yes, I had already checked on the Passkey’s visibility in Windows 10 and they do not have that option\UI available in Windows 10. What you can do is to look in your NGC folder within the Windows 10 folder structure to see if one has been set, but of course it is encrypted, so all you would be doing is to see that it exists. I did do that and yes, it does exist.

So this was my thinking, which ironically I have already done, as per your instructions also, I did open a Support ticket with Bitwarden and they did confirm that this is supposed to work in Windows 10. The Support Engineer said he is doing some more research on this, as a result. So I am waiting to see where this discussion goes. If need be, based on the outcome of that, I will then follow @grb’s guidance and submit a bug “Issue” if it does indeed warrant one.

It is surprising to me though that I would be the first to find this issue, given how many Windows 10 users are out there still ….. :man_shrugging:

@Neuron5569 and of course ironically, the reason I have not gone to Windows 11 is because I do not have TPM thus therein lies my problem ….. an old computer ….. :cry:

Well, it may be just time to figure out a new machine ….. ugh …. just not ready to do that yet … :thinking:

I am not sure why you want to use a non-encrypting passkey for login with Bitwarden, but you can try logging in with the password and use the “Passkey” 2FA. These seem to be more or less equivalent.

You can set this up in the web vault (to see if Windows Hello would work in this configuration): Settings > Security > Two-step login > Passkey (Manage).

It seems, that is no longer necessary, as @rmcdowell from Bitwarden now posted a corresponding bug:

Short side-discussion:

I’m not completely sure about your last sentence here. I always wondered whether phones with an HSM (hardware security module) might be able to store device-bound passkeys in there. (I’m pretty sure my own phone, now on Android 15, doesn’t have an HSM, so indeed I can’t store device-bound passkeys on my phone, but Google Password Manager “draws” them into the Google account – without making that really transparent.)

Me neither. It would be nice to get an example of someone who can use a cross-device passkey with a password manager as the authenticator other than Google Password Manager, to see if it’s possible beyond the Google app. I previously believed that you could unsync the Google Password Manager from a Google account, but it’s not possible (on my phone, another’s, and probably yours), which would have made it possible to have a device-bound passkey (not leaving the device), “stored” in the HSM or not, managed by Google Password Manager on Android.

Even without the HSM, because Google locks it down with needing to authenticate before using it and has a stronger sandboxing model, it seems as safe as Windows 11 without the TPM (not supported officially, but possible), and maybe even with TPM (if its “unlimited” passkey implementation isn’t so safe).

Thanks for the connection to the bug @Nail1684 . Yes, Support notified me that they had opened a bug on my behalf and gave me the link to it (that you posted above). They did verify what I had found as being an issue. So I guess at this point it is now a waiting game to see when they are able to fix it. Thanks all for your time and help with my issue. Much appreciated.

1 Like

Hey @Neuron5569 - yes, I will no longer be using Passkey, obviously, since a. it does not work and b. as you pointed out, it is non-encrypting.

At this point, my using a password with 2FA is going to be my best option for now. Unfortunately I cannot use the Passkey 2FA since I do not have a hardware key. So for now, until I get to Windows 11, this will have to do for me …. :thinking:

1 Like

I don’t want to open the next can of worms, but Windows 10 (Hello) could be able to provide that. (alternatively I remember wrong again and that is only possible on Windows 11 :sweat_smile:)