Please make Bitwarden compliant. Notably, when the Relying Party requests:
- UV=Required: prompt for verification, proceeding only when successful,
- UV=Preferred: prompt for verification, with the option to “skip” and reply with UV=true or UV=false as appropriate,
- UV=Discouraged: proceed without prompting for verification.
This differs from a similar FR in that this proposes strict compliance, whereas the other proposes always requiring UV, apparently even when UV=Discouraged.
Bitwarden previously indicated they will be adding support for this (thanks, @Nail1684 for the screenshot), but has now removed that commitment from the help document.
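The three policies above, modelled on both sides as an added example (this is not Bitwarden's code, and every function name here is hypothetical): the authenticator decides whether to prompt and what UV flag to report, and the relying party checks the UV bit in `authenticatorData` against the policy it asked for.

```javascript
// Added example, not Bitwarden's implementation. Helper names are hypothetical.

// Bit positions in the WebAuthn authenticatorData flags byte.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified

// Authenticator side. `policy` is the RP's userVerification value.
// `promptUser` runs a fresh PIN/password/biometric check and returns
// true (passed), false (failed) or null (user chose to skip).
// Returns { proceed, uv }: whether to emit an assertion and which UV flag to set.
// A previously unlocked vault is deliberately NOT treated as verification.
function decideUserVerification(policy, promptUser) {
  switch (policy) {
    case "required": {
      const ok = promptUser();
      return { proceed: ok === true, uv: ok === true }; // stop unless verified
    }
    case "preferred": {
      const ok = promptUser();                   // prompt, but skipping is allowed
      return { proceed: true, uv: ok === true }; // report the real outcome
    }
    case "discouraged":
      return { proceed: true, uv: false };       // no prompt, no UV claim
    default:
      throw new Error("unknown userVerification policy: " + policy);
  }
}

// Builds a flags byte the way an authenticator would.
function buildFlags({ userPresent, userVerified }) {
  return (userPresent ? FLAG_UP : 0) | (userVerified ? FLAG_UV : 0);
}

// Constructed sample authenticatorData: rpIdHash (32 bytes, zeroed here as a
// placeholder), flags (1 byte), signCount (4 bytes). Real data carries a SHA-256
// of the RP ID and a counter, but only the flags byte matters for this check.
function makeAuthData(flags) {
  const authData = new Uint8Array(37);
  authData[32] = flags;
  return authData;
}

// Relying-party side: accept the assertion only if the reported flags
// satisfy the policy the RP requested. UP must always be set; UV must be
// set when the RP asked for "required".
function rpAcceptsAssertion(authData, policy) {
  if (authData.length < 37) return false;
  const flags = authData[32];
  if (!(flags & FLAG_UP)) return false;
  if (policy === "required" && !(flags & FLAG_UV)) return false;
  return true;
}
```

An authenticator that sets UV while skipping the prompt passes `rpAcceptsAssertion` for "required", which is exactly the false claim the request above describes; the RP cannot detect it from the flags alone.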
So, even though I’ve unlocked the vault with a PIN, password, pattern, or biometric factor, I would be required to do so AGAIN each time I access a site/service that has a passkey?
Yes, if the site/service specifies UV=required. Bitwarden would prompt you for a PIN, password, pattern, or biometric factor at the time that you use the passkey, even if you are already logged into the vault.
No, if the site specifies UV=discouraged, then a logged-in vault would be sufficient.
In other words, to remain (become) Standards-Compliant, Bitwarden needs to comply with the site’s requirements. The current state is that Bitwarden claims it verified the user when it did not.
Lying is a really good way to get blackballed, and my suspicion is that the only reason we have not seen much of it is because so many passkey providers are non-compliant.
I was motivated to create this FR after seeing the first sign of trouble. While enabling passkeys within my employer’s SSO, I had to manually whitelist Bitwarden, whereas YubiKey, Apple and others were on there by default. Hoping that if Bitwarden plays by the rules, they can work their way onto vendors’ default whitelists, leading to much wider usability.