Have you recently replaced a traditional TOTP code with a Passkey? How was your experience?
Yes
No
I’m not sure
For those new to passkeys, they are phishing-resistant, meaning they only work on the originating service. This adds an extra layer of security by ensuring that passkeys can’t be used on fake websites.
I have added some passkeys, but I do not yet trust them enough, especially with respect to recovery, that I am willing to remove legacy authentication methods. Part of this may be me. I love having a Plan-B and maybe a Plan-C.
With a Bitwarden-stored passkey or any passkey? I certainly use Yubikey passkeys as 2FA on sensitive accounts (e.g., bank accounts, Bitwarden account, etc.) whenever possible.
Conversely, I use Bitwarden-stored 2FA passkeys for convenience on accounts that are less sensitive, especially when there are also alternative (but less convenient) methods of 2FA enabled for those accounts.
I use passkeys everywhere I can, but I don’t store them in Bitwarden. I love it; it’s fast and convenient, but just like others, I don’t trust the recovery (or sometimes even deletion) processes. I have had my Microsoft account’s passkey just stop working. Passkeys do have some fundamental quirks:
Deleting from the relying-party account doesn’t delete the credential from the authenticator either automatically or via a warning.
There’s no way to verify if the passkey set up in your account matches the one you have. The names can be changed. A verification hash would have been better for verification.
I hadn’t focused my attention on passkeys until today. Just to check out this concept, I tried setting a passkey on my Android (v16) phone for the Bitwarden Password Manager Web site.
Perhaps I’m missing something but when using the saved passkey, login proceeds to requesting my master password. What’s up with that?
BTW, the saved passkey status claims it is unable to encrypt. Dunno if that is to be expected. Anyway, as I say, perhaps I’m missing something but if so, perhaps the process needs some further human factor design.
Yes, it’s somewhat lost in the technical jargon that not all passkey authenticators are the same, and not all browsers are the same. See doc here:
The summary: both your browser (e.g. Google Chrome) and authenticator (e.g. YubiKey 5) must be PRF-capable in order to support using the passkey for vault encryption and decryption.
Either cross-device passkey authenticators are not PRF capable, or Android is not a PRF-capable cross-device authenticator yet.
What browser are you using to access the Web Vault? According to this table, even Google Password Manager does not support PRF passkeys in Firefox on Android. However, for third-party password managers (like Bitwarden), the availability of PRF support is not well documented.
I use my passkey wherever possible, but I don’t store them in Bitwarden. In my opinion, Bitwarden is missing something, some additional security measure to store my passkey there. If I store my regular password in Bitwarden and my 2FA codes in another app, even if Bitwarden is hacked, access to other services will still be very difficult, if not impossible. If I had my passkey in Bitwarden, hacking Bitwarden would mean hacking all my other accounts. That’s why I have a separate app for my 2FA codes, and I store my passkey in two places.
1. In Google. I have the Advanced Protection Program active + a sync passphrase set. This makes hacking into my Google account very difficult. Even if someone were to hack into my Google account, they wouldn’t have access to the passkey without the sync passphrase.
2. The second place is the Apple Keychain, also secured with YubiKey keys + Advanced Data Protection active, so hacking into an Apple account is similarly difficult. Even in the event of a successful hack, without confirming access from another Apple device, access to the passkey is impossible.
Bitwarden lacks this additional protection, so hacking into Bitwarden doesn’t automatically mean access to the passkey.
PS: As an emergency, there’s also the passkey on physical YubiKey keys; this requires stealing the key itself + entering the correct PIN for the key. If Bitwarden improved the security of the passkey, I’d gladly store it in Bitwarden as well. As it stands, I only use the passkey to log in to Bitwarden as a backup option in case I forget my master password. Sorry for the language, I’m using a translator.
I think if you trust Google, using Google Password Manager with the Google Advanced Protection Program seems like a decent idea. I may use a similar arrangement (with an account dedicated solely to the password manager) in the future. Thanks for the idea.
AFAIK, the device encryption applies to the secret info only (passwords, passkey private keys); the rest Google can see. You also have to trust that the anti-brute-forcing of the device PIN (with hardware control, etc.) is really in place and effective.
So, for security, it’s probably okay for some people, but maybe not enough for others. Privacy, not so much. For most, a FIDO2 hardware key may still reign supreme.
A hardware key is obviously more secure than anything stored in the cloud.
For example, I don’t always carry a physical security key with me, so I find it useful to have a passkey stored in my Google account (that way, I can use it through my phone and confirm logins on other devices via Bluetooth), or on my MacBook where I use the Keychain.
This way, I always have access to my passkeys, it’s convenient to use, and at the same time still very secure (let’s be honest — most people only use simple login passwords, usually without 2FA…).
Just remember — if you create a separate Google account with the Advanced Protection Program, it’s still best to also set a custom sync passphrase.
If you don’t, Google will be able to see your passkeys and other data, and in the event of a Google account compromise, someone would immediately gain access to your passkeys.
A custom sync passphrase adds end-to-end encryption — without that passphrase, even Google cannot see your passkeys or saved passwords.
(You can easily notice this by the fact that when you go to the password manager via the web, no passwords or passkeys will be displayed.)
No. What I would really like is to replace the username/password combination with a phishing-resistant Passkey and add 2FA TOTP as extra security. However, nearly everywhere I try to add a Passkey, 2FA is then completely disabled. Right now Amazon is the only exception.
Since I currently only use device-bound passkeys, I actually hope for the reverse: no forced 2FA for passkey logins. Amazon (and Adobe, and maybe still others) annoy me.
I wish they would make such things configurable, but given how things are, there seems to be little chance in the short run.