Passkeys - can you turn off the master password verification for sites?

Can you turn this off for sites where I don’t want to have to enter my master password for secondary verification (in the browser extension) when logging into sites with a passkey stored in my BW vault?

Some sites ask for this (such as this forum) but others do not.


@bwuser10000

First, it’s unfortunate that passkeys were implemented without user verification (by Bitwarden and others), so that we could get used to that…

User verification is part of the passkey specifications / FIDO2 compliance, so it was clear that that part was missing and inevitably coming…

Though, how it is implemented with Bitwarden is already part of a discussion: Passkey User Verification Independent of Vault Unlock Method

So, to your question: no, I don’t think it is intended by the FIDO Alliance and others that users can deactivate user verification as they wish…

But it is not set in stone that you have to use your master password for user verification. As Bitwarden has implemented it for now, your method of login/unlock more or less determines what is used as passkey user verification. If you use, e.g., a non-biometric PIN to unlock your vault, you would be asked for that PIN for user verification (the same goes for biometric unlock etc.).


Well, understood. However, I’ve already unlocked anyway (to gain access to the vault). Also, you can fill passwords all day long without having to reenter your master password (as long as you don’t let the browser extension lock), so why should passkeys be any different? For some highly sensitive or risky accounts, I can see having it set to require a master password reentry, but not on everything.

And, @Nail1684, I did read through that thread you linked to. I understand that this isn’t a BW thing, that it’s driven by the passkey alliance (or whatever it’s called). I tend to agree with some of the sentiments in that other thread that this will discourage passkey adoption. I’ll probably still keep migrating to passkeys as sites allow for them, mainly to alleviate the risk from phishing, but this usability thing really stings. Hopefully the feedback on this is getting communicated loudly to the passkey rulemakers. I mean, for sure make a second verification the default, but allow users to turn it off if they’ve already authenticated, which is what happens automatically when using a password manager.


Well, because they are. It’s part of their security architecture that they have to follow certain rules. Different than with passwords… :man_shrugging:

Having no user verification is seen as a known issue: Known Issues | passkeys.dev

@bwuser10000 It is up to the Relying Party (the website that you are logging in to) to specify that User Verification for passkeys should be either required, preferred, or discouraged. In a Reddit thread on the topic of the onerous master password requirement, Bitwarden employee /u/bwmicah (@Micah_Edelblut ??) seemed to pass the blame to the Relying Parties — which I feel is a bit of a cop-out, frankly. While the FIDO standards absolutely mandate that an Authenticator (like Bitwarden) perform “some form of user verification” when the Relying Party has specified that User Verification is required, there is nothing in the FIDO or CTAP specs that requires the User Verification to be in the form of a master password (or that it must match the vault unlock method).

In fact, it seems that using the master password or vault unlock PIN for User Verification can lead to noncompliance with the FIDO/CTAP specifications, as explained in Points #3 and #4 of this GitHub Issue:


If you have a Yubikey, I think that is a good model for how the User Verification works when compliant with the standards: each time that you need to authenticate using a passkey stored on the Yubikey, you will need to input your Yubikey PIN (if the Relying Party is requiring User Verification) — and if you enter the wrong PIN too many times (>8), then the PIN will stop working. If Bitwarden wants to be compliant with the standards, they will ultimately have to implement something analogous. However, as I’ve explained in the Feature Request thread, I don’t think they will be able to get there as long as they use the paradigm of making the User Verification method match the vault unlock method.

Anybody reading this who is bothered by the new User Verification requirement — if you have any votes left to give, please vote in this Feature Request thread:

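As an added illustration of the Relying Party policy described above (example code written for this page, not code from the thread or from Bitwarden): how a site expresses its `userVerification` choice in WebAuthn, and how its server can check the UV flag in the returned authenticator data. The authenticator data below is constructed sample input, not a real assertion.

```javascript
// Added example (not from the forum thread or from Bitwarden): how a Relying Party
// states its user-verification policy in WebAuthn, and how its server checks that the
// authenticator really performed UV when the policy was "required". Flag bits and the
// authenticatorData layout are taken from the WebAuthn spec.

const UV_POLICIES = new Set(["required", "preferred", "discouraged"]);

// Options a site passes to navigator.credentials.get() (client side).
function buildAssertionOptions(challenge, rpId, userVerification) {
  if (!UV_POLICIES.has(userVerification)) {
    throw new Error(`invalid userVerification policy: ${userVerification}`);
  }
  return { challenge, rpId, userVerification, timeout: 60000 };
}

// authenticatorData: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified (PIN, biometric, ...)

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0, false),
  };
}

// Server-side policy check on an assertion: UP must always be set; UV is enforced only
// when the site asked for "required". "preferred" and "discouraged" accept either way.
function checkVerificationPolicy(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "user presence flag not set" };
  if (userVerification === "required" && !parsed.userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample authenticatorData (all-zero rpIdHash, chosen flags, counter 7).
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}
```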

I am using the browser extension on Firefox and Windows. Recently, when I tried to sign in with a passkey that I had created a while back, BW now asks me for verification by signing in with my master PW, even though I am already signed in to the BW browser extension. Previously, when I tried to sign in with a PK to the same website, a box would come up and I would only have to click CONFIRM and I was in.
Not sure why all of a sudden it asks me to reenter my master PW when I am already signed in on the browser extension!

@Till Please see these discussions / feature requests:


@Till Welcome to the forum!

I moved your post into a thread on the same topic. As noted by @Nail1684, there are also other related threads on the forum. It’s a hot topic right now! :fire:


Bitwarden passkey support seems to be regressing. Not only is it not easier to use passkeys, but now I’m required to type in my (very, very long) master password every time I want to use a passkey.

If I have to type in a long, secure master password every time, I’m either going to stop using passkeys, or switch to a shorter passcode. Please don’t go the Apple way of thinking you know about my security needs better than me, I get that sane defaults are good, but there’s no option for me to change these behaviors at all.


@Stavros I moved your comment into a thread that was more relevant to your complaint. You may want to read through the responses in this thread, as well as the related feature request thread (“Passkey User Verification Independent of Vault Unlock Method”).

FYI, Bitwarden plans to roll back this recent change and redesign the User Verification mechanism. However, when websites ask for it, User Verification in some form is going to be required in order for Bitwarden to be standards-compliant; this is a decision made by the W3 Consortium and the FIDO Alliance, not by Bitwarden.


So, when using a passkey and BW browser extension, BW asks for master password every time. This is not very handy. This only happens on one of my PCs. Tried comparing settings between the two, but haven’t been able to find the difference.

The PCs are Windows 11, Browser is Brave.

Thanks in advance for any advice!

@bigrabbit Welcome to the forum!

I’ve moved your post into an existing thread on the same topic. Please read the comment just above yours.

Thank you but I don’t think this is the subject I’m asking about.

I’ve two different PCs that respond differently using the (Brave) browser BW extension. On the first, when I log into, for example, Google, it asks me for a passkey, and I click the screen button Confirm and it logs me in. On the second PC, when I log into Google, clicking on the screen button Confirm then asks me to put in the Master password (again). IDK what setting is different between the browser BW extensions on these two PCs??

Maybe the answer to the other posts lies with the setting differences between my two PCs?

What are the browser extension versions on the two browsers?

On the browser that does ask for the master password, do you observe any behavior that is different from what is being discussed in this thread?

Ah ha!
Laptop 1: BW 2024.5.2, BW Server 2024.6.2
Laptop 2: BW 2024.6.1, BW Server 2024.6.2

No difference here from the other users. Laptop 2 just asks for the master password every time a passkey is used/requested.

Yeah, and that’s why you are in the right thread now. Welcome to (the current implementation of) User Verification, introduced with 2024.6.0 (→ your Laptop 2!):

And now you know why you should read this post again. :wink:


OK, got it. W3 and FIDO might be right, but going to a passkey is now really hard for the 10 or so websites I log in to do work each day. I could see people just giving up on it. Hopefully someone will come up with a non-arduous process.

Thx!

In the meantime, if you start unlocking your vault with a PIN (go to Settings > Account Security and enable “Unlock with PIN”), then you’ll only need to enter the vault PIN when doing user verification of passkeys.


You would not be the first person to decide to give Passkeys a rest for a few months until usability issues are worked out.

If “the industry” wants passkeys to replace passwords (in the long term), they will not succeed by making passkeys less convenient than passwords.
