Can you turn this off for sites where I don’t want to have to enter my master password for secondary verification (in the browser extension) when logging into sites with a passkey stored in my BW vault?
Some sites ask for this (such as this forum) but others do not.
So, to your question: no, I don’t think it is meant by the FIDO alliance and others, that users can deactivate user verification as they wish…
But it is not set, that you have to use your master password for user verification. As Bitwarden has implemented it for now, more or less your method of login/unlock determines, what is used as passkey-user verification. If you used, e.g., a non-biometric PIN and unlock your vault, you would be asked that PIN for user verification (same goes for biometric unlock etc.).
Well, understood. However, I’ve already unlocked anyway (to gain access to the vault). Also, you can fill passwords all day long without having to reenter your master password (as long as you don’t let the browser extension lock), so why should passkeys be any different? I can see, for some highly sensitive or risky accounts, having it set to require a master password reentry, but not on everything.
And, @Nail1684, I did read through that thread you linked to. I understand that this isn’t a BW thing, that it’s driven by the passkey alliance (or whatever it’s called). I tend to agree with some of the sentiments in that other thread that this will discourage passkey adoption. I’ll probably still keep migrating to passkeys as sites allow for them, mainly to alleviate the risk from phishing, but this usability thing really stings. Hopefully the feedback on this is getting communicated loudly to the passkey rulemakers. I mean, for sure make a 2nd verification the default, but allow users to turn it off if they’ve already authenticated, which is what happens automatically when using a password manager.
@bwuser10000 It is up to the Relying Party (the website that you are logging in to) to specify that User Verification for passkeys should be either required, preferred, or discouraged. In a Reddit thread on the topic of the onerous master password requirement, Bitwarden employee /u/bwmicah (@Micah_Edelblut ??) seemed to pass the blame to the Relying Parties — which I feel is a bit of a cop-out, frankly. While the FIDO standards absolutely mandate that an Authenticator (like Bitwarden) perform “some form of user verification” when the Relying Party has specified that User Verification is required, there is nothing in the FIDO or CTAP specs that requires the User Verification to be in the form of a master password (or that it must match the vault unlock method).
In fact, it seems that using the master password or vault unlock PIN for User Verification can lead to noncompliance with the FIDO/CTAP specifications, as explained in Points #3 and #4 of this GitHub Issue:
If you have a Yubikey, I think that is a good model for how the User Verification works when compliant with the standards: each time that you need to authenticate using a passkey stored on the Yubikey, you will need to input your Yubikey PIN (if the Relying Party is requiring User Verification) — and if you enter the wrong PIN too many times (>8), then the PIN will stop working. If Bitwarden wants to be compliant with the standards, they will ultimately have to implement something analogous. However, as I’ve explained in the Feature Request thread, I don’t think they will be able to get there as long as they use the paradigm of making the User Verification method match the vault unlock method.
Anybody reading this who is bothered by the new User Verification requirement — if you have any votes left to give, please vote in this Feature Request thread:
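To make the Relying Party side of the above concrete, here is an added example (not Bitwarden's code and not any site's code) of how an RP requests User Verification with the `userVerification` option and then checks, from the flags byte of the returned authenticatorData, whether the authenticator actually performed it. The `rpId`, credential bytes and authenticatorData bytes are constructed for illustration.

```javascript
// Added example: RP requests User Verification and then verifies the UV flag.
// rpId, credential ID and authenticatorData bytes below are constructed samples.

// Client side: the RP chooses "required", "preferred" or "discouraged".
function buildRequestOptions(challenge, credentialId, uvPolicy) {
  return {
    publicKey: {
      challenge,                    // server-issued random bytes
      rpId: "example.com",          // assumed RP identifier
      allowCredentials: [{ type: "public-key", id: credentialId }],
      userVerification: uvPolicy,   // "required" | "preferred" | "discouraged"
      timeout: 60000,
    },
  };
}

// Server side: authenticatorData layout (WebAuthn section 6.1):
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
// flags bit 0 = UP (user present), bit 2 = UV (user verified).
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    signCount: new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0, false),
  };
}

// Policy check: if the RP asked for "required" and UV is not set, the
// assertion must be rejected; "preferred"/"discouraged" accept UP alone.
function checkUserVerification(authData, uvPolicy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "UP flag not set" };
  if (uvPolicy === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV required but UV flag not set" };
  }
  return { ok: true, reason: parsed.userVerified ? "UV performed" : "UV not performed" };
}

// Constructed sample: 32-byte rpIdHash, then flags, then signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  buf.set([0, 0, 0, 7], 33);
  return buf;
}
```

The point for this thread: the RP only learns that UV happened from this one bit; how the authenticator obtained it (PIN, biometric, or a master password) is not visible to the site.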
I am using the browser extension on Firefox and Windows. Recently when I tried to sign in with a Passkey that I had created a while back, BW now asks me for verification by signing in with my Master PW -- even though I am already signed in to the BW browser extension. Previously when I tried to sign in with a PK to the same website, a box would come up and I would only have to click CONFIRM and I was in.
Not sure why all of a sudden it asks me to reenter my master PW when I am already signed in on the browser extension!
I moved your post into a thread on the same topic. As noted by @Nail1684, there are also other related threads on the forum. It’s a hot topic right now!
BitWarden passkey support seems to be regressing. Not only is it not easier to use passkeys, but now I’m required to type in my (very, very long) master password every time I want to use a passkey.
If I have to type in a long, secure master password every time, I’m either going to stop using passkeys, or switch to a shorter passcode. Please don’t go the Apple way of thinking you know about my security needs better than me, I get that sane defaults are good, but there’s no option for me to change these behaviors at all.
So, when using a passkey and BW browser extension, BW asks for master password every time. This is not very handy. This only happens on one of my PCs. Tried comparing settings between the two, but haven’t been able to find the difference.
Thank you but I don’t think this is the subject I’m asking about.
I’ve two different PCs that respond differently using the (Brave) browser BW extension. On the first, when I log into, for example, Google, it asks me for a passkey, and I click the screen button Confirm and it logs me in. On the second PC, when I log into Google, clicking on the screen button Confirm then asks me to put in the Master password (again). IDK what setting is different between the browser BW extensions on these two PCs??
Maybe the answer to the other posts lies with the setting differences between my two PCs?
Yeah, and that’s why you are in the right thread now. Welcome to (the current implementation of) User Verification, introduced with 2024.6.0 (–> your Laptop 2!):
OK, got it. W3 and FIDO might be right, but going to a passkey is now really hard for the 10 or so websites I log in to do work each day. I could see people just giving up on it. Hopefully someone will come up with a non-arduous process.
In the meantime, if you start unlocking your vault with a PIN (go to Settings > Account Security and enable “Unlock with PIN”), then you’ll only need to enter the vault PIN when doing user verification of passkeys.
I came here hoping to find a solution to this nonsense but obviously this crap isn’t fixed.
It’s making passkeys pointless and useless… if I wanted to be typing a password why would I bother with passkeys… (and yes I’m highly aware of the actual reasons… I don’t need a best practices lecture).
Now when I get asked to re-enter my master pass I click log in another way and skip passkeys altogether, which again makes them useless. I’m at the point where I’m seriously thinking of dumping the whole process.
This isn’t making my life smoother, simpler or more secure, it’s just annoying and a time suck. AND I’m still entering passwords.
My data security is at a level I’m very comfortable with, and if I don’t want to re-verify who I am 30 times a day that is my choice.
So let’s add a “don’t ask me again” checkbox and move on, can we please???