With iOS 15.4 it appears there is support for the new “passwordless” spec that Apple, Google and Microsoft are promoting. When I try WebAuthn from Mac Safari, one of the options is “iPhone, iPad or Android Device (Use passkey from a device with a camera)”. This would be a fantastic replacement for physical Yubico keys I think.
When I follow the process, it shows me a QR Code which I scan from my phone, which then leads to a popup that says that there are no passkeys for vault.bitwarden.com in my iCloud Keychain.
This is getting more important now that Apple has shown it again during this year’s WWDC and more companies are really putting their weight behind it. I will have to look into account recovery for this feature some more, because I don’t want my iPhone to be a single point of failure, potentially locking me out of all accounts. But I’m generally wondering how Bitwarden’s role might evolve in a passwordless future. It would be interesting to get your thoughts on it @kspearrin
+1, using Bitwarden with bitwarden_rs makes my password manager ecosystem free of centralized cloud solutions, and I’d like to keep it that way.
What’d be interesting is how open Google and Microsoft will be with this implementation, and whether it means that Bitwarden needs to position itself more at a system level rather than an extension level, or (like Enpass) link the two together.
Thanks for the feedback everyone! Here is a recent post from the Bitwarden team:
Rest assured that Bitwarden is firmly committed to the FIDO Alliance (going on our 3rd year as a member) and to developing FIDO2/WebAuthn functionality beyond the use cases in place now. The ideas and suggestions are welcome, Bitwarden remains active in this area, and we look forward to more ahead!
I’ve been really happy with the WebAuthn option in Bitwarden. Unfortunately, the description is not as user-friendly as it could be. The ability to use any of the Windows Hello options is not clearly explained to users. When setting up a new WebAuthn key, Bitwarden asks the user for a “security key,” which usually indicates a hardware token.
I believe that a choice may have been made here in an attempt to save users from themselves by preventing them from setting up a WebAuthn key that’s not portable like a YubiKey. In order to change the language here, Bitwarden needs to expand support for the “Log in with device” option to include any device where the user has signed into their Bitwarden account, including desktop and web vaults.
Will this be part of the plan in Bitwarden’s implementation of Passkey support?
Could you confirm the request here a bit?
As far as I understand, you are requesting to log in to your account with the use of a passkey (which, as discussed, is just WebAuthn under the hood, so adding this would also allow logging in with a YubiKey or the like), which would allow for a seamless and passwordless login experience similar to the current Log in with Device feature.
Otherwise, as mentioned, current Apple, Google, and Microsoft passkeys would be supported as a premium 2FA method that can be used with your master password on login in place of a YubiKey, or in conjunction with one, as you can have up to 5 associated with your account.
I would really love to have passwordless login to my Bitwarden vault using passkeys, and for it to be available across all Bitwarden apps/extensions.
Bitwarden has been very inconsistent in how it allows me to unlock each of these recently.
I use the iPhone app, macOS desktop application, and extensions for Safari, Chrome and Firefox on Mac. Face ID configured on the phone, Touch ID on the Mac. (Also the Firefox extension on Linux.)
Just this morning, the extensions had locked in Safari and Firefox even though the browsers had not been restarted. Firefox worked with Touch ID (via the desktop application). Safari did not. It gave me the option to “log in with device”, so I used that (with my phone). It was anything but a passwordless login experience. Instead of allowing me to unlock Bitwarden using Face ID to approve the login, I had to type in my password. I could have just done that in the extension on my Mac with a real keyboard.
A few days ago, I completely wiped Firefox and its profile data from my laptop and reinstalled it. Logging back into the Bitwarden extension, it did not give me the “log in with device” option, and I had to log in before I could configure it to connect to the desktop app to unlock with Touch ID.
So for Touch ID on Mac with Safari and other browsers, currently I think you have to be logged in. So you can have the extension lock after some time period, but it should remain logged in. At least that’s how it is for me. I am not sure why the log in with device didn’t work with Face ID on iPhone, as I don’t have an iPhone.
I think here it might be useful to see how the log in with device works under the hood. I am not sure exactly how it works, but based on the Help Center documentation and some educated guesses my theory is the following.
When you log in to a Bitwarden extension for the first time, I suspect that it creates an access code that is stored in the extension storage as well as in Bitwarden’s database. Now say that after the first time you log in, you want to use log in with device. The documentation says the access code is used to authenticate the initiating client (i.e. the browser extension) with Bitwarden. So based on that we can reasonably guess that if you wipe your Firefox profile, it won’t be able to authenticate you, because you don’t have an access code that matches the code on Bitwarden’s server.
A small update. Lately, the browser extensions have more consistently worked well on my Mac to unlock using Touch ID via the standalone app.
On my phone, though, several times recently I’ve been asked to use my password to unlock my vault (unlock, not log in) when opening the app, when it should be using Face ID. The crazy thing is that at the same time, I can use the iOS autofill password mechanism to fill in a password on that form from Bitwarden itself, and that mechanism uses Face ID to unlock the vault.
Really, this is a bug, and adding the feature to both log into and unlock a vault using a passkey won’t mean there won’t be bugs with login and unlock in the future, but it would help a lot with the consistency of the experience. If the regular “unlock with Face ID” fails, then maybe at least I’d be able to unlock via passkey, which is a similar mechanic and almost as easy.