Passkey User Verification - Maximum Retries

Background:
Bitwarden currently requires User Verification each time a passkey is used, and does this by utilizing the configured vault unlock method (see PR 8746). This change will however be rolled back in favour of a not yet released “User Verification system” (see FR Passkey User Verification Independent of Vault Unlock Method).

Since we don’t know what the new User Verification system will look like, and how it will work, this feature request might potentially be unnecessary, but I figured I’d raise it just in case. This request will sort of build on the aforementioned FR, but will deal with a specific aspect not included/touch upon in said FR.

Proposal:
In order to increase the viability of Bitwarden as a vault for passkeys, Bitwarden could offer a setting where the user could specify a set number of verification retries before either locking the vault, or logging off the user. Similar to the current “Vault timeout” setting. This would increase the security since X number of failed authentications would force the user to reauthenticate with master password, and any configured 2FA. This would mimic the functionality of for example a YubiKey where 8 failed PIN entries will result in a locked hardware token. It’s also similar to how Bitwarden allows the user to require master password after 5 failed PIN entries.

@WhoIsThis Welcome to the forum!

Also relevant is the GitHub thread linked below:

Thank you!

Thanks for that link, I had not seen that bug report.

Given the information @Andreas_Coroiu provided in the reports comment section, CTAP2 compatibility will eventually be implemented both on the mobile side, and the web clients. That would most likely mean that my requested solution, or something similar, will be implemented as part of the CTAP2 compatibility.

1 Like

could you make whatever you chose to be optional? and / or make the current unlock optional ?

I believe this will most likely depend on how you read the WebAUthn standard.

It’s possible that such an implementation, where you’d be able to control the frequency of the User Verification based on your preferences could be possible. But there’s also a case where that’s not possible because it would make Bitwardens passkey implementation non FIDO2 compliant.

There’s a discussion about this specific thing in this thread.