Passkeys: hardware or software-bound? Share your feedback!

Hi Bitwarden community! What’s your take on hardware-bound and software-bound passkeys? Please share your experiences!

The Bitwarden team is seeking general user experiences around passkeys, not necessarily specific to Bitwarden Password Manager (though your thoughts are appreciated there, too)

Are you leaning more towards software-bound passkeys, or do you still prefer traditional hardware keys? Is one better suited over the other for those who are new to passkeys? What about for companies - if you’re an IT security admin, what would be your preference? Please explain.

I will use hardware bound passkeys for the small number of accounts that are super crtical to me. These are the same accounts that I avoided using BW for TOTP.
I will use BW to store passkeys for all other accounts.

The basis is that I believe a passkey in a hardware key is more secure (yubikey, nitrokey are the brands I have) because any attacker will need the key as well as access to my BW vault.

This is a difficult question to answer without having a clear picture of what the final form of software-bound (syncable) passkeys will look like. Will we ultimately be able to export and import these in a secure way? Will a second factor like a PIN be available as an option for securing software-bound passkeys, and if so, will the passkey self-destruct if the PIN is entered incorrectly too many times (like the Yubikey FIDO2 PIN)?

Until the functionality of software-bound passkeys reaches (or exceeds) parity with hardware-bound keys, I will continue to prefer the latter.

And of course, for logging in to my Bitwarden account, I will only trust hardware key based FIDO2.

One more note: I know that Bitwarden is a “sponsor-level” member of the FIDO2 Alliance. If you or your colleagues have any opportunity to hob-nob with representatives of Microsoft and/or hardware kay manufacturers (Yubico, Feitian), I would appreciate if you could convey this user’s frustration that the current Windows implementation of passkey support creates an undue barrier to the use of hardware security keys, by forcing users of FIDO2 hardware keys to make multiple clicks in the now-ubiquitous Windows “Sign-in with your passkey” prompt before being able to use a hardware key for anything (even as 2FA). This design is definitely going to squeeze hardware key manufacturers out of the passkey market, at the detriment of users.

I am in the group of users that don’t put TOTP secrets into the PWM, because we hope that splitting the secrets will give us more protection or more time to react if there is a PWM breach. Using syncable passkeys, with the current BW implementation, makes this feel less safe because 2FA is usually not required for passkey accounts.

I will not store passkeys in a PWM until there is an acceptable level of additional protection to authenticate with passkey.

I most likely wouldn’t use platform-based passkeys (Android, Windows) to get access to BW for the same reason. Putting in a password, or Login with Device, and using the platform as a FIDO2 2FA device, to access BW, still feels safer.

I would consider using a dedicated hardware key, with an additional PIN-based protection, as an acceptable way to access BW, although I see little advantage over using the Login with Device / platform FIDO2 2FA key combination above, except when it can be used cross-platformed. I would consider hardware key with its own biometric authentication much stronger, and more attractive security-wise, to be used for BW access.

Background - software developer (including encryption / security features), dev manager, software architect.

Before passkeys, I used a combination of hardware security keys (Yubikey) for 2FA and TOTP for the most important accounts, password managers with syncing for lower-value accounts. For the occasionally high-value account that did not offer 2FA, those passwords were only stored on pin-protected hardware keys and never in the password manager. It is complicated and not for everyone, but fits my threat model and my tolerance for the complexity. I don’t recommend this model to my non-technical friends and relatives, because they just can’t make it work.

When passkeys became available, I treat them mentally in my threat model as basically equivalent to a username + password. Slightly more convenient, slightly more secure, but the security advantages all disappear the moment they are stored in a syncable software-based password manager. A secure password manager with 2FA certainly reduces the risk considerably, but still represents a single source of failure for all the high-value targets it contains whether they are passwords or passkeys. This is the same principle that precludes ever storing TOTP seeds in software-based password manager. So if the account being protected by passkeys is “low value” in my model, or if it is additionally protected by hardware-based 2FA, then I put the passkey in BW vault for convenience. I didn’t add a new column to mental matrix for passkeys - I treat them as equivalent to a password that depending on value might require a second factor on a different platform. This is commonly understood and practiced in my experience with software development teams, but not for the average computer user in the rest of the company.

I do like the concept of software-based passkeys instead of passwords, and I strongly prefer having them in a cross-platform synced BW vault instead of being tied to O/S or browser ecosystems. I’m just not going to give up the additional layer of hardware-based, non-syncable MFA for high-value accounts.

Finally, I will offer my opinion that roll-out of passkeys has been a technical communications disaster from everywhere. It’s been sold as “it just works, you don’t have to understand the details” with a lot of hand-waving to ignore the obvious problems. The benefits of passkeys are being extremely over-sold as being more secure and automatically managed. Every tradeoff that makes them more secure makes them less convenient and more likely to be irrecoverably lost. Every tradeoff that makes them more convenient makes them less secure. This is a common principle to anyone with experience in software security. Passkeys are being pushed to the average consumer as a magic solution to this fundamental tradeoff, and they are not.

There has been very little useful information about what is actually being stored, and where, for the O/S implementations, browser implementations, password manager implementations, mobile phone as separate key, hardware keys. There are trade-offs of security vs. convenience for every choice, and even if all the information accurately communicated the average consumer isn’t suited to make the decisions. The simple default could be “if you were using a username and password, use a passkey instead.” That still doesn’t touch the decisions about whether to use O/S, browser, or password manager. My concern is that people will use all these interchangeably without knowing the difference. In a few months when all these inexperienced users start replacing lost mobile phones or switching home computers they will lose access to some portion of their passkeys and not understand why. That’s the importance of at least understanding the choices, and picking only one of them to use exclusively. The current ecosystem of O/S, browers, password managers makes it very hard to do.

@mtaylor Welcome to the forum, and thank you for your valuable post. Many good points — especially in your general comments in the last two paragraphs.

I would like to follow up with one more point about the “irrecoverably lost” problem. From frequently viewing the Community Support boards for several different password managers I see that the vast majority of reported problems are users who are locked out of their account and can’t recover. It’s a much more common problem than unauthorized access.

This matters, because the first round of rolling out passkeys by the leading password manager apps and by many finance-related websites has made it really easy to register a single passkey, and difficult or impossible to register multiple passkeys for the same account. Not so much of a problem if it is a software-based syncable key, but bad practice for the typical usage pattern of hardware-based keys. A related problem is how many providers seem to think that passkeys eliminate the need for 2FA so you can use one or the other, but not both. Faced with that choice I will use a hardware-based passkey, but then the site must let me register 2 or more separate hardware passkeys so I have a backup option.

I’m largely in agreement with the above comments. Software passkeys are fine for low value accounts and it’s great to now be able to create/store them in Bitwarden. However, I was surprised that software passkeys can be used without any sort of second factor beyond clicking “Confirm” in the Bitwarden popup window. Currently an increased level of security can be enforced by requiring a master password reprompt for using that passkey. I presume that when it’s possible to use Bitwarden entirely passwordless, the alternative to the master password reprompt would be requiring reproviding the passkey used to login to Bitwarden. In that case, I’d feel more comfortable using software passkeys for high value accounts if I can require that every use of the software passkey requires confirmation with a hardware passkey.

I bought 4 Yubikeys around 2 years ago. I got 4 because my plan was to give at least two away to trusted friends/family for emergency backups. However, once I received the Yubikeys and started registering them for 2FA with various accounts, I realized that once I sent the Yubikeys to someone else, I wouldn’t be able to use those Yubikeys with any accounts I register in the future. Bitwarden with software passkeys almost solves this problem already; I’m just waiting on using passkeys to log into Bitwarden without the master password to send away my emergency backup Yubikeys. By registering those hardware passkeys to my Bitwarden account, I can use Bitwarden to generate software passkeys for accounts I will create in the future, and still be able to get into those accounts by retrieving an emergency Yubikey that I sent away to a friend in the past. I wouldn’t even need to keep all the hardware keys around for high value accounts if an option is added in Bitwarden to require using a hardware passkey to authorize use of a software passkey.

I agree. It’s awfully confusing how the word “passkey” is being used by different companies with different meanings. To GitHub and Discourse, a “passkey” is always a discoverable FIDO credential, whereas any FIDO credential can be used for 2FA with a password. But Bitwarden can generate what it calls a “passkey” for those same 2FA + password systems, even though that doesn’t create a discoverable credential. And Bitwarden can also generate what GitHub and Discourse call a “passkey”, but in the Bitwarden UI, there’s no distinction between discoverable and nondiscoverable credentials