Passkeys interfering with simplicity of hardware keys

I use the Bitwarden extension on Firefox (on Linux). I have Bitwarden Premium.

I also have a YubiKey 5C NFC that I use to authenticate into multiple websites, and that I use as 2FA on certain sites.

Previously, when I went to websites, I would get a browser popup saying to touch my YubiKey. I would do so, and it’d work.

Now, I get this:

Bitwarden appears to “intercept” the webauthn request, and see that I don’t have a passkey on the site.

Clicking on “use browser” will forward it back to Firefox, where I can tap on the key again and it will proceed as normal.

While I think that passkeys are very cool, and I’m certainly going to be playing around with them, I don’t appreciate that I cannot turn them off per-site, or at all, even per the extension settings. That means I will always have to make an extra click, or add the passkey to bitwarden as a 2FA method (which may very well be viable, though I haven’t personally done much research into it).

Upgrade to version 2023.10.2, and this issue should be fixed (as long as your vault is unlocked). Also, you should be able to disable the pop-up per site, using the “Excluded Domains” list (under “Settings”).*

*Edit: After additional testing, it appears that the “Excluded Domains” method only works when the vault is unlocked. Update: Nevermind, it does work, but it is poorly documented: for the “Excluded Domains” list to work, it is necessary to specify the full host name (including the subdomain), not just the base domain.

Thanks for the tip! I’m getting “no updates found” in Firefox, but I’ll check later for sure!

The thing is, I don’t want to exclude the entire domain, as I do still need to be able to auto-fill my username/password.

For domains in which you are autofilling your username & password, the pop-up is automatically suppressed as long as you don’t have a passkey stored in the same entry.

That’s an issue for sites where autofill with Bitwarden has never been working. Notably AWS SSO. I always have to press Shift+Ctrl+L on the password input site.

Bitwarden does not detect that it’s a 2-step-login where you put in the username, press enter and get redirected to a second page where you put in your password. Passkey is a third step.

AWS SSO is very cheap, it’s branded as “AWS IAM Identity Center” and can be tested for cents or probably for free for a few users. Would be nice if Bitwarden properly supported such a common provider.

I would suggest creating two separate login items, one that has your username and password (but no passkey), and a different login item that has the passkey. For both items, set the URI Match Detection method to Exact or Starts With and make the stored URI match the specific URL of the username/password input pages and the passkey input page; choose the Starts With option if the last part of the URL includes codes that change each time you log in (in which case you should delete the part of the URL that is not constant from what is stored in the URI1 field).

@grb Is that new feature working for you? I’ve updated all my browser extensions to 2023.10.2 but so far I’m still getting a popup saying there are no passkeys.

EDIT: Nevermind, I tried to reproduce, and it seems to be skipping the popup properly.

Click the “Use browser” text in the bottom left of the Bitwarden popup or close the Bitwarden popup window and the browser should fall back to prompting you to use a hardware key. I think Bitwarden could improve the design to make this more obvious. Assuming that your browser extension is up-to-date (2023.12.1), there is no longer a need to go through these steps (manually dismissing the Bitwarden pop-up) if you don’t have a passkey stored in Bitwarden for a particular site (or if you don’t have any passkeys stored in Bitwarden and don’t plan to).

If you don’t wish to use Bitwarden for storing passkeys at all, you can go to Settings > Options and disable the option “Ask to save and use passkeys”.

If you do store passkeys in Bitwarden for some sites, but have passkeys outside Bitwarden (e.g., on a security key) for other sites, then Bitwarden will automatically detect that you don’t have a passkey stored, and automatically suppress the Bitwarden pop-up for such sites. However, for this detection to work, Bitwarden must be unlocked.

If you want to selectively use non-Bitwarden passkeys on some websites while your Bitwarden browser extension is locked, then you can block the Bitwarden passkey pop-up for specific websites by adding their domain (full domain name, including base domain and subdomain) to the exclusion list under Settings > Excluded domains.
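The suppression rules described in this thread (the “Ask to save and use passkeys” option, the Excluded Domains list needing the full host name, and the unlocked-vault check for a stored passkey), written out as an added example so the order in which they apply is clear. This is not Bitwarden’s own code; the function names, the item fields and the sample URLs are constructed assumptions.

```javascript
// Constructed sample vault items (not real credentials): one username/password
// item using "Starts With" matching, one passkey item using "Exact" matching.
const SAMPLE_ITEMS = [
  { name: "SSO portal (password)", uri: "https://sso.example-corp.com/start/", match: "startsWith", hasPasskey: false },
  { name: "Example (passkey)", uri: "https://login.example.com/webauthn", match: "exact", hasPasskey: true },
];

// URI Match Detection: "exact" compares the whole URL, "startsWith" compares the
// constant prefix that remains after the per-login codes have been trimmed off.
function itemMatchesUrl(item, url) {
  return item.match === "exact" ? url === item.uri : url.startsWith(item.uri);
}

// Excluded Domains compares the full host name, subdomain included. This is the
// caveat from the thread: "example.com" alone does not cover "login.example.com".
function isExcludedHost(url, excludedDomains) {
  const host = new URL(url).hostname.toLowerCase();
  return excludedDomains.some((d) => d.toLowerCase() === host);
}

// Returns "passkey-prompt" when the manager would show its own passkey pop-up and
// "browser" when the WebAuthn request should go straight to the browser (hardware key).
function decidePasskeyPrompt({ url, askToUsePasskeys, vaultUnlocked, excludedDomains, items }) {
  if (!askToUsePasskeys) return "browser";                     // Settings > Options switched off
  if (isExcludedHost(url, excludedDomains)) return "browser";  // works even while locked
  if (!vaultUnlocked) return "passkey-prompt";                 // vault cannot be inspected
  const matching = items.filter((i) => itemMatchesUrl(i, url));
  return matching.some((i) => i.hasPasskey) ? "passkey-prompt" : "browser";
}
```

With the sample items, a locked vault and only the base domain excluded, the passkey site still gets the pop-up; excluding the full host, or unlocking the vault on a site whose matching item has no passkey, routes the request to the browser.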
