Feature: Store WebAuthn/FIDO2 Credentials in Bitwarden
- What will this feature do differently?
Allow Bitwarden to be used as a WebAuthn authenticator (and synchronize WebAuthn soft tokens between devices)
- What benefits will this feature bring?
WebAuthn soft tokens can be synchronized in a cross-platform way between devices
Related topics + references
NOTE: This is NOT a request to be able to log in to Bitwarden with FIDO2/WebAuthn I am aware that functionality already exists. Instead, the idea is to be able to securely generate/store WebAuthn credentials used to log in to various websites in a way easily portable across platforms/devices.
This was discussed on Security Now! shows #870 874, 875
1Password has stated they will be doing this: We’ve joined the FIDO Alliance to build a better future for authentication | 1Password
LastPass may be doing this but their press release is a mess and unclear on exactly what they are doing: LastPass is First Password Manager Committed to a FIDO-Supported Passwordless Future - The LastPass Blog
I think this is a great idea, Ben. I currently use an app called IDmelon that turns my phone into a WebAuthn authentication device, and it works very well. Embedding that same functionality within Bitwarden would be a fabulous feature, and it would put Bitwarden ‘ahead of the technology curve’ of their competitors.
I’m a bit frightened to see how hard it was for me to find that feature request and how little interest it seems to have raised…
For me it seems obvious that storing the private key for passwordless webauthn in bitwarden is an obvious next step, as simple in the beginning as just storing another type of credentials, with the extra complexity on all client apps to integrate the proper APIs to actually get the opportunity to answer the challenge using that private key…
No denying there is a ton of work behind that, just astonished that it hasn’t already made its way into the very top of the roadmap…
thanks @ToXiC @dh024 @bfranske! As @ToXiC indicated there is a lot behind the discussions here but rest assured that Bitwarden is firmly committed to the FIDO Alliance (going on our 3rd year as a member) and developing FIDO2/WebAuthn functionality beyond the use cases in place now. the ideas and suggestions are welcome, Bitwarden remains active in this area, and we look forward to more ahead!
This is suddenly quite important since Google and Apple do something like this with their passkeys implementation of the fido standard in the coming year.
up. Bitwarden please go ahead of the curve and make this feature happen as the first in the market. It sure will gain adoption in the coming years as webauth and Fido becoming more supported by websites
Sad to see there doesn’t seem to be much to say as to using our bitwarden vault to store fido2 secrets and use our bitwarden clients to perform webauthn …
Exactly my thoughts. I just came to check for any news, after reading more announcements around Apple’s Sep event.
I would like to be able to store my FIDO credential in Bitwarden’s vault and then use it from there on any platform and its respective devices.
Hey everyone! Rest assured we’re keeping our eyes on this space as standards solidify! For more information check out Yubico’s A Yubico FAQ about passkeys - Yubico article.
Work is still ongoing on different platforms and browser combinations to complete robust passwordless experiences with both internal and external authenticators. Platform vendors have started publicly signaling their intent to complete that work, and have reaffirmed their ongoing commitment to standards bodies such as the W3C and FIDO.
Seems like Dashlane is releasing this feature “in the coming weeks”: Ushering in the Passwordless Future at Dashlane
The Verge also wrote about it, with a demo screenshot: Dashlane is ready to replace all your passwords with passkeys
Literally what I came to post about!
Good catch + links.
Hey folks, thanks for sharing! We are big supporters of FIDO2 developments and the emergence of passkeys. there are a number of ways you can take advantage of FIDO2 today in Bitwarden, and there are more passwordless options coming. stay tuned!
More from one of the Google blogs on this topic a couple of days ago too -
Although the QR code scanning answers one of my questions about cross platform work I’d prefer to store these logins in Bitwarden rather than Google Cloud so really looking forward to seeing what solution you come up with.
It feels like the wait-and-see approach is perhaps misguided now with Apple promoting Passkeys (WebAuthn) heavily with the launch of macOS Ventura. Does the Bitwarden team have anything concrete to share in response?
Hey @Yeroc the team is already working on passkey support
Thank you for the update. Is there any place this has been noted in the roadmaps or other publicly available documentation to refer to or only your comment at this time? I know that getting ahead of the curve on this (I.e. before everyone sets up Apple’s or Google’s passkey system which would make migrating to using Bitwarden even more difficult and a large hurdle) is important (in my personal opinion anyways) since once my friends and family start setting up passkey with their phones, getting them to switch to Bitwarden will be even harder and make the other, really powerful features of Bitwarden harder to leverage with them (like a shared Vault, file attachments, one-stop MFA via TOTP, customization and adding of custom fields, etc). While I know it’s sudden, I think this feature should really have a very high priority for the devs since being late here will probably affect bitwarden’s long-term popularity, especially as things keep moving forward towards passkeys.
Hey @DannekRose we update the roadmap quarterly, but rest assured the team is already working on passkey support Bitwarden is part of the Fido Alliance and will continue to follow and develop emerging standards.
Good to hear @bw-admin - the roadmap currently says ‘passwordless login’ for 2022H2, but it’s not clear to me if this means using Bitwarden as the ‘Authenticator’ for passkey login to third parties, or merely using a (third-party-authenticated) passkey to unlock the Bitwarden vault? Thanks.
I think it just means that you use one authorized device (i.e., a device already logged in to Bitwarden) to authorize logins to Bitwarden on another device.
Passwordless logins on the current roadmap refers to using a verified mobile device (as an example) to authenticate into other clients, which is slated to be included in November release.