Passkey User Verification Independent of Vault Unlock Method

Thank you so much for allowing us users to play a part in the design.

I believe the portion of the spec under debate is:

The Relying Party requires user verification for the operation and will fail the overall ceremony if the response does not have the UV flag set.

My take on this is that:

  1. The RP has the responsibility to declare the ceremony failed. To do this, the authenticator needs to report its findings to the RP, rather than declare failure itself.
  2. Since the RP declares failure, they hold the burden of notifying the user.
  3. The spec anticipates/permits “uv=false” as a response to “required”, given that the spec describes the response the RP should take.

The client MUST return an error if user verification cannot be performed.

ā€œReturn an errorā€ is the notable bit. My view is that responding ā€œUV=falseā€ is precisely how an authenticator would report the error. In other words, this sentence of the spec obliges the authenticator to be truthful when setting/clearing the UV flag.

Even though I have “stated my case”, I do understand that it is Bitwarden, not me, that will be the defendant during certification. Therefore, Bitwarden’s interpretation is much more important than mine.

That said, there is a fundamental ambiguity in the spec that results in this conversation even occurring. I would greatly appreciate you requesting that they disambiguate the (draft) spec, perhaps by changing it to “… MUST clear the UV flag if …”

Incidentally, §1.3.3 #8 also covers this, but with no more clarity.

FYI, it is the WebAuthn client (e.g., the browser) that must return an error, not the authenticator (i.e., Bitwarden). Not “setting” the “UV flag” means that the authenticator returns a response in which the value of the flags field has its Bit #2 set to 0; when this happens, the client must return an error if the RP has specified that UV is required.
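For readers who want to see what the two posts above are arguing about in concrete terms (the authenticator reporting UV truthfully in the flags byte, and the RP failing the ceremony when `userVerification: "required"` is not satisfied), here is an added example of the Relying Party side of that check. It is not code from this thread, from Bitwarden, or from the WebAuthn spec; it only relies on the documented `authenticatorData` layout (32-byte rpIdHash, 1-byte flags, 4-byte big-endian signCount) and constructs its own sample byte strings.

```javascript
// Added example (not from the forum thread, Bitwarden, or the WebAuthn spec):
// how a Relying Party reads the flags byte of WebAuthn authenticatorData and
// enforces its userVerification policy. Layout per WebAuthn: rpIdHash (32 bytes),
// flags (1 byte), signCount (4 bytes, big-endian), then optional data.
const FLAG_UP = 1 << 0; // user present
const FLAG_UV = 1 << 2; // user verified (the "Bit #2" discussed in the thread)
const FLAG_BE = 1 << 3; // backup eligible
const FLAG_BS = 1 << 4; // backup state
const FLAG_AT = 1 << 6; // attested credential data included
const FLAG_ED = 1 << 7; // extension data included

// Parse the fixed 37-byte prefix of authenticatorData into named fields.
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error('authenticatorData must be at least 37 bytes');
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset + 33, 4);
  return {
    rpIdHash: bytes.slice(0, 32),
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backupState: (flags & FLAG_BS) !== 0,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    hasExtensionData: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(0, false),
  };
}

// The RP decides pass/fail from what the authenticator reported.
// policy is the RP's userVerification requirement: "required",
// "preferred" or "discouraged". UP is always mandatory for an assertion.
function checkUserVerification(authData, policy) {
  if (!authData.userPresent) {
    return { ok: false, reason: 'UP flag not set: no user presence test' };
  }
  if (policy === 'required' && !authData.userVerified) {
    // This is the case under discussion: the authenticator truthfully
    // cleared UV, so the RP (not the authenticator) fails the ceremony.
    return { ok: false, reason: 'userVerification=required but UV flag is 0' };
  }
  return {
    ok: true,
    reason: authData.userVerified ? 'UV performed' : 'UV not performed (allowed by policy)',
  };
}

// Build a constructed 37-byte authenticatorData for demonstration. The rpIdHash
// is a dummy constant here; a real RP compares it to SHA-256 of its RP ID.
function makeSampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out.fill(0xab, 0, 32); // constructed placeholder rpIdHash
  out[32] = flags & 0xff;
  new DataView(out.buffer, 33, 4).setUint32(0, signCount, false);
  return out;
}

// Demonstration: an assertion with only UP set fails a "required" policy.
const demo = parseAuthenticatorData(makeSampleAuthData(FLAG_UP, 7));
console.log(checkUserVerification(demo, 'required'));
```

In a real verification routine this check sits alongside the other assertion checks (rpIdHash match, challenge match in clientDataJSON, signature over authenticatorData || SHA-256(clientDataJSON), and a monotonically increasing signCount); the point here is only that the UV decision belongs to the RP, based on the bit the authenticator reported.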

I would like to throw my 2 cents in here.

I think it would be cool if the “log in with device” flow could be re-purposed for Passkey UV.

I know Chrome has a QR code + Bluetooth thing that allows you to verify for your PC using your phone’s passkeys, but if Bitwarden also had a setting to where it required you to open your Bitwarden on your smartphone and do biometrics for passkeys that would be super cool.

From the browser perspective it would just be local passkey. The QR code BLE verification can be flaky sometimes, so having an alternative via Bitwarden would be awesome… and help people without biometrics on their PC.

Really no updates on this? Pushing passkeys forward but not having such a needed security feature?

@Roki Welcome to the forum!

I’m not sure for other platforms, but for Windows 11 there seems to be a different implementation coming:

(as the FIDO Alliance and some “password managers” like Bitwarden, 1Password and others… and OS vendors like Microsoft… seem to collaborate here, I guess something similar could be in the works for Apple and Linux?!?)

2 posts were merged into an existing topic: Options to allow Passkeys to authorize actions and account/security changes protected by Master Password