Question about saving a device-bound passkey on ChromeOS

I would like to create a device-bound passkey on ChromeOS to log into the Bitwarden website from the browser. I set the password manager to not allow passkeys so it doesn't save to the cloud. I then select the device option to save the passkey to the device. However, when I tried this, Bitwarden gave me a message that saving to the device is not supported.
I read through the Bitwarden documentation Log In With Passkeys | Bitwarden and it seems to imply I need to have both a PRF-capable browser and a PRF-capable authenticator. Chrome is a PRF-capable browser, so is ChromeOS not a PRF-capable authenticator?

ps: edited by @neuron5569 to remove extraneous templated text.

According to this official source (last edited only a few weeks ago), ChromeOS doesn't support device-bound passkeys (creation and storage):

If you had a physical security key (i.e. an “external authenticator”) then that would be possible on ChromeOS.


As an operating system, ChromeOS does have the necessary support for PRF-capable passkeys (e.g., you can use a Yubikey login passkey for your Bitwarden account when using a PRF-compatible browser in ChromeOS).

However, as noted by @Nail1684 above, the passkey authenticator available in ChromeOS is evidently not able to create and store passkeys.


I'd like to add to that that you don't necessarily need PRF support to create a "login with passkeys" passkey for the Bitwarden account/vault, though such a passkey would then be without encryption and you would still have to type in the master password when you log in with it (see also this tab in the Help Site: Log In With Passkeys | Bitwarden).
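The two replies above turn on one mechanism: at registration the relying party asks for the WebAuthn PRF extension and the authenticator reports whether it can honour it; at login the PRF output (never the same across authenticators or salts) is turned into a key that can decrypt the vault, and without PRF the site has to fall back to the master password. The block below is an added illustration of that flow, written for this page and not taken from the thread or from Bitwarden's client code. The salt `PRF_SALT`, the function names and the HKDF `info` label are assumptions for the example; Bitwarden's real key-wrapping scheme is not shown. The `navigator.credentials` calls only work in a browser; the pure helpers also run in Node, which is where the check below exercises them.

```javascript
// Added example: detecting a PRF-capable authenticator and deriving a
// vault key from the PRF output. Not Bitwarden's code; names are assumed.

// Constructed 32-byte salt the relying party would store per credential.
// In practice this is random and persisted server-side.
const PRF_SALT = new Uint8Array(32).fill(0x5a);

// True only if the authenticator honoured the PRF extension at registration
// (reported as clientExtensionResults.prf.enabled on the new credential).
function prfEnabled(clientExtensionResults) {
  const prf = clientExtensionResults && clientExtensionResults.prf;
  return Boolean(prf && prf.enabled === true);
}

// The 32-byte PRF output from an assertion, or null when the authenticator
// (e.g. one without PRF support) returned nothing we can derive a key from.
function prfOutput(clientExtensionResults) {
  const prf = clientExtensionResults && clientExtensionResults.prf;
  const results = prf && prf.results;
  if (!results || !results.first) return null;
  return new Uint8Array(results.first);
}

// Stretch the PRF output into a 256-bit key with HKDF-SHA-256. The "info"
// label is an assumed domain-separation string for this example.
async function deriveVaultKey(prfBytes, info = 'example-vault-key') {
  const subtle = globalThis.crypto
    ? globalThis.crypto.subtle
    : (await import('node:crypto')).webcrypto.subtle; // older Node
  const ikm = await subtle.importKey('raw', prfBytes, 'HKDF', false, ['deriveBits']);
  const bits = await subtle.deriveBits(
    { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: new TextEncoder().encode(info) },
    ikm,
    256,
  );
  return new Uint8Array(bits);
}

// Registration (browser only): request PRF and record whether the
// authenticator can do it. A ChromeOS external key or Windows Hello would
// answer differently here, which is the distinction the thread is about.
async function registerPasskey(publicKeyOptions) {
  const cred = await navigator.credentials.create({
    publicKey: { ...publicKeyOptions, extensions: { prf: {} } },
  });
  return { credential: cred, prfCapable: prfEnabled(cred.getClientExtensionResults()) };
}

// Login (browser only): evaluate the PRF with our salt. If no output comes
// back, the caller must prompt for the master password instead.
async function loginWithPasskey(publicKeyOptions) {
  const assertion = await navigator.credentials.get({
    publicKey: { ...publicKeyOptions, extensions: { prf: { eval: { first: PRF_SALT } } } },
  });
  const out = prfOutput(assertion.getClientExtensionResults());
  if (out === null) return { assertion, vaultKey: null }; // fall back to master password
  return { assertion, vaultKey: await deriveVaultKey(out) };
}
```

The important caveat for the thread: `prf.enabled` is decided by the authenticator, not the browser, so a PRF-capable Chrome on ChromeOS still returns `false` for an authenticator that cannot evaluate the PRF, and `loginWithPasskey` then has no key to hand back.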

Thanks for the link. Can someone explain what a local authenticator is and what its role is?

So from what I can determine, you can either save the passkey to an external device like a Yubikey or an external mobile device, or into Google Password Manager. I have tested all three and they all work properly. The problem is that the family member I am supporting is tech-challenged and can't use a Yubikey. I do not like the idea of storing the Bitwarden passkey in Google Password Manager, where a hack of the Google account will expose the vault. This is why I was trying to go for device-bound, to avoid this issue.

The chief reason I am doing this is that the family member has trouble typing in the master password whenever an update forces them to re-enter it. They can't seem to type in the master password without a lot of retries. I suspect it's because they have arthritis and are super impatient. I can usually get them to retype the password by repeating that they need to type it in slowly.

I am going to have them log in using the device option for now. It has the same issue as using the phone as the authenticator: they can't seem to understand the concept of using another device to authenticate, but at least it's easier to walk them through it. I can also set up another Bitwarden mobile client to approve them from my end.

In short, and in your case, ChromeOS itself (maybe in combination with hardware it could potentially use, like a TPM if there is one?!) is or would be the local FIDO authenticator. I think you could say it would be the OS's / "device's" "wallet" and "app" for storing and using passkeys.

I guess on a mobile device this would be the secure enclave, while on Windows that would be the TPM. In the case of Windows, the passkey dev site claims that it doesn't work in Windows either. This is confusing, since I managed to save some passkeys to Windows Hello.

I am surprised that ChromeOS has no local authenticator mechanism.

If the phone has that. That is a complicated topic in itself... I think e.g. many Android phones don't have such a secure enclave / hardware security module (HSM), and Google Password Manager then "only" stores passkeys in one's Google account, instead of on the device.

(On my Fairphone 5, I can’t store device-bound passkeys because of exactly that…)

Where does it say that? Do you have a link and/or screenshot?

I suspect most Android phones probably have a secure enclave. My parents have a Samsung A14, probably one of the cheaper phones, and it has one.

As for Windows, here’s the link:

The claim is that you can create device-bound passkeys, but I don't know the difference between a green checkmark and a yellow one. I have successfully saved a Bitwarden passkey to Windows Hello, but it doesn't work as expected. Encryption is not possible, so you get prompted for the master password.

I think it works as expected, given that Windows Hello can’t store passkeys with PRF… (see e.g.: Passkeys & WebAuthn PRF for End-to-End Encryption (2025))

Why can’t they use a Yubikey, if you help them with the initial configuration of the PIN? Get them a Yubikey Nano and just leave it plugged in to their computer. To log in, they just type the PIN, and touch the Nano.

Because it's too many steps.

  1. They are too afraid to plug something in. You may be able to mitigate that by using a Nano.
  2. You have to click on "Log in with passkey". It's hard to get them to understand the difference between a passkey and a password. Let's say I get them to press the button, probably using a picture with a circle around the control to press.
  3. The next step is to select the Yubikey. Now they are really confused; shouldn't this be selected automatically, they think. This may be the hardest part for them.
  4. Touch the Yubikey.
  5. Enter a PIN; they are bad at typing and impatient. If they were at my workplace, they probably would have burned the key from too many retries, but the default is 8 attempts, so it's unlikely they will fail 8 times, though I wouldn't put it past them. They also forget that you have to have the cursor in the input box to enter something.
  6. Press the button again; they might say "Wait, I did that already, it must not be working, must call son for help".

In the past, they didn't get it. They don't get TOTP either. Looking up an entry and typing in a number is too difficult. SMS codes are equally difficult because they can't figure out how to get the notification back. This is why the paste-TOTP-code feature in Bitwarden is valuable, since it allows them to use TOTP.

Steps 2, 3, and 4 or 5 would also need to be done if you were successfully able to create a device bounded passkey in ChromeOS for logging in to Bitwarden (which was your original quest in this thread) — so I don’t think that using a Yubikey Nano would be much more difficult than what you were trying to do.

Also, for the record, there is only a single Yubikey touch during the login process (at least when using a Chrome browser in Windows). After letting the OS/browser know that the passkey is on a hardware security key, the user should be prompted for a PIN (with the cursor key automatically placed in the PIN input field) — enter the PIN, press Enter, and touch the Yubikey when prompted.

For your family member, their vault security will be tied primarily to the physical security of their computer, so they could use a simple PIN (e.g., 0000). If the Yubikey always stays with the computer, and if the computer always stays at home, and if no malicious actors have access to the home, then the PIN security is not so important.

Finally:

It is a rare occurrence that a Bitwarden update will result in a forced logout; personally I have experienced this maybe once or twice in 3 years of using Bitwarden. Thus, if I were you, I would keep the family member’s master password stored in your own vault. Then, if they are ever logged out of their account, they contact you for help — you log in to their Bitwarden account and then direct the family member to log in using “Login with Device”, which you will be able to approve remotely.

Yes, after I played around with passkeys, I think they can't figure it out. The passkeys in Bitwarden, in contrast, are fairly streamlined.

It may not happen often, but whenever the master password is required and they fail to enter it, they immediately blame the software, even though every time it's their bad typing. So each time they have to enter the master password it's essentially an hour-long affair. If I were a Best Buy tech support person I would have misplaced their support contract, but I can't escape because of family obligations.

I will try to use "Log in with device" in the future.


Good idea, but what about 2FA? Wouldn’t that be required after 30 days?


Could be an authenticator code (with the key stored on OP’s computer).


I thought the same thing, but having the “too many steps” in mind, I am not sure if opening a separate app is feasible for the vault’s owner.

They wouldn't have to, since OP can read them the code over the phone. If worse comes to worst, they could temporarily disable 2FA, and re-enable it after their family member has been logged back in.


So, the current setup:

  1. On Android, Bitwarden is set up to use biometrics. On the ChromeOS desktop, the extension is set up to use a PIN.
  2. The Bitwarden 2FA is set up to use TOTP in Authy. Based on experience, my mom is able to use TOTP from an app more easily than a Yubikey. I have set up an Authy client on a device at my end, so I can either tell her the code over the phone or walk her through the process of looking up the code in Authy. She can be walked through using Authy, but it would take half an hour. The Yubikey is less flexible since I can't remotely insert the key.
  3. If an update causes the client to require re-entering the password, I can walk her through logging out and then logging in with a device, which I can then authorize using a device at my end. I am not sure if this means I also need to use 2FA if I log in using a device. Login with device would work on her end too, but she can't figure out how to get the notification. She also has the master password, but she is bad at typing and will require repeated prodding to enter the password slowly.

Yes, if your mom uses “Login with Device”, she will still have to complete the 2FA prompt (unless she has enabled “Remember me” within the past 30 days).

Again, a Yubikey Nano could be left permanently inserted (if there is a free USB port).