With iOS 15.4 it appears there is support for the new “passwordless” spec that Apple, Google and Microsoft are promoting. When I try WebAuthn from Mac Safari, one of the options is “iPhone, iPad or Android Device (Use passkey from a device with a camera)”. This would be a fantastic replacement for physical Yubico keys I think.
When I follow the process, it shows me a QR Code which I scan from my phone, which then leads to a popup that says that there are no passkeys for vault.bitwarden.com in my iCloud Keychain.
This is getting more important now that Apple has shown it again during this year’s WWDC and more companies really putting their weight behind it. I will have to look into account recovery of this feature some more, because I don’t want my iPhone to be a single point of failure, potentially locking me out of all accounts. But I’m generally wondering how Bitwarden’s role might evolve in a passwordless future. Would be interesting to get your thoughts on it @kspearrin.
+1, using Bitwarden with bitwarden_rs makes my password manager ecosystem free of centralized cloud solutions, and I’d like to keep it that way.
What’d be interesting is how open Google and Microsoft will be with this implementation, and if it means that bitwarden needs to position itself more to a system level, rather than an extension level, or (like enpass) link the two together.
Thanks for the feedback everyone! Here is a recent post from the Bitwarden team:
Rest assured that Bitwarden is firmly committed to the FIDO Alliance (going on our 3rd year as a member) and developing FIDO2/WebAuthn functionality beyond the use cases in place now. The ideas and suggestions are welcome, Bitwarden remains active in this area, and we look forward to more ahead!
I’ve been really happy with the WebAuthn option in Bitwarden. Unfortunately, the description is not as user-friendly as it could be. The ability to use any of the Windows Hello options is not clearly explained to users. When setting up a new WebAuthn key, Bitwarden asks the user for a “security key,” which usually indicates a hardware token.
I believe that a choice may have been made here in an attempt to save users from themselves from setting up a WebAuthn key that’s not portable like a Yubikey. In order to change the language here, Bitwarden needs to expand support for the “Log in with device” option to include any device where the user has signed into their Bitwarden account including desktop and web vaults.
Will this be part of the plan in Bitwarden’s implementation of Passkey support?
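Two concerns in this thread, a synced passkey in iCloud Keychain becoming a single point of failure and a platform credential (Windows Hello) not being portable like a YubiKey, come down to the same thing on the relying-party side: the flags byte in the WebAuthn authenticatorData. The following is an added example, not code from this thread and not Bitwarden's own implementation. It decodes that structure and shows how a site can tell a synced, backed-up passkey from a device-bound credential and decide whether a signature-counter check applies. The sample authenticatorData bytes, the rpIdHash filler, and the function names are constructed for illustration.

```javascript
// Added example (not Bitwarden's code): decode the authenticatorData a relying party
// receives in a WebAuthn assertion and use its flags to tell a synced passkey (for
// example one stored in iCloud Keychain) from a device-bound credential such as a
// hardware security key. Layout per the WebAuthn spec:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | optional data

const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified
const FLAG_BE = 0x08; // bit 3: backup eligible (credential can be synced)
const FLAG_BS = 0x10; // bit 4: backup state (credential is currently backed up)
const FLAG_AT = 0x40; // bit 6: attested credential data follows
const FLAG_ED = 0x80; // bit 7: extension data follows

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  const backupEligible = (flags & FLAG_BE) !== 0;
  const backedUp = (flags & FLAG_BS) !== 0;
  // BS without BE is not a valid combination; reject rather than guess.
  if (backedUp && !backupEligible) throw new Error("invalid flags: BS set without BE");
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible,
    backedUp,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Classify the credential the way a relying party might when deciding whether the
// account has a recovery path beyond this one authenticator.
function classifyCredential(parsed) {
  if (!parsed.userPresent) return "rejected: user presence not asserted";
  if (parsed.backupEligible) {
    return parsed.backedUp ? "synced passkey (backed up)" : "synced-capable passkey (not backed up)";
  }
  return "device-bound credential";
}

// Signature-counter check for device-bound credentials: a counter that does not advance
// past the stored value can indicate a cloned authenticator. Synced passkeys commonly
// report 0, so the check is skipped for them rather than producing false alarms.
function checkSignCount(parsed, storedCount) {
  if (parsed.backupEligible) return "skipped (synced passkey)";
  if (parsed.signCount === 0 && storedCount === 0) return "ok (counter unsupported)";
  return parsed.signCount > storedCount ? "ok" : "suspicious: counter did not advance";
}

// Constructed sample data: the rpIdHash is filler, not the real SHA-256 of an RP ID.
function buildSample(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes.fill(0xaa, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const SYNCED_PASSKEY = buildSample(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0);
const HARDWARE_KEY = buildSample(FLAG_UP | FLAG_UV, 42);

console.log(classifyCredential(parseAuthenticatorData(SYNCED_PASSKEY)));
console.log(classifyCredential(parseAuthenticatorData(HARDWARE_KEY)));
```

A relying party that records `backupEligible` and `backedUp` per credential can warn an account holder who has only a single device-bound credential and no backed-up one, which is the recovery question raised above; the same flags are what let it present a passkey as "synced" rather than as a generic "security key".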