Store WebAuthn/FIDO2 Credentials in Bitwarden (Passkey support)

How cool is that :slight_smile: works as expected for my gmail account, but not for my workspace account yet.

For me, passkey support is the feature I anticipate the most from Bitwarden. I wonder what is the status of this? Has the work started, any schedule?

1 Like

Passkey support is in development :slight_smile:

4 Likes

No possible release date? 1Password is already showing a June availability:

Hey Michael, there are many different teams working on Passkey support this year with varying timelines, stay tuned!

5 Likes

Since Google just released Passkeys a lot of people will be looking for alternatives to having Google or Apple hold the passkey. It would be great to use Bitwarden to create passkeys and sync them between devices.

5 Likes

Just to add another data point. I tried to install the Bitwarden Chrome extension on my new MacBook Pro and it asked me to authenticate. The only options were NFC YubiKey (which I don’t have), a TOTP (which I did have), and an Apple Passkey.

Since there is no Passkey for bitwarden.com I couldn’t use that one, but it would have been very handy. Actually, I was kinda (pleasantly) surprised that the Passkey option showed up. But disappointed that I couldn’t actually use it. :frowning_face:

Hey @RNHurt, this request is about storing passkeys in the Bitwarden Vault for use with logging in to services, similar to how Bitwarden can be used to store and log in with passwords.

You may possibly be referring to using a separate passkey, i.e. currently with Google or Apple’s Keychain, to log in to Bitwarden and access your vault.
There is a current feature request to allow for Login with a passkey if you’d like to support this.

Though at the moment what you experienced would be using a passkey as a 2FA method, which you can currently set up and create as a FIDO2 compatible method of 2FA login for your vault.
You would just need to create this first in the web-vault as described in Two-step Login via FIDO2 WebAuthn | Bitwarden Help Center

I don’t know how widely seen this video is.
Date is Summer 2023.

4 Likes

Awesome! Can’t wait for this!

Here’s a blog post from today.

3 Likes

Looks exciting. Looking forward to saving passkeys in Bitwarden.

I have a question regarding signing in and unlocking Bitwarden itself with passkeys:

From the blog post and the demo video I can see that there are two steps involved:

Does this mean the encryption key (Symmetric Key) will not only be encrypted using the Stretched Master Key derived from the Master Password, but additionally it will be encrypted using a per-credential secret key requested via the WebAuthn PRF extension?

Apparently, as seen in the demo video, a YubiKey (and probably other security keys with hardware bound passkeys) supports the necessary WebAuthn PRF extension. Will other authenticators that use copyable passkeys (Bitwarden, other password manager, Google Password Manager, iCloud Keychain etc.) also support this feature?
This makes me wonder, see W3C GitHub page (link above):

Since this extension can be implemented by using the CTAP2 hmac-secret extension, and because many security keys support that, it should immediately have quite wide support. (At least in the subset of users who use security keys.)

In the demo video the YubiKey is called “YubiKey with encryption” and after registering the YubiKey there is a small lock icon with the info text “Used for encryption” next to it. I assume the encryption here refers to the mentioned WebAuthn PRF extension to receive a secret key. But to me it sounds like it’s optional. What happens if I create a passkey without the additional “encryption” feature? Will I be able to log into my account (authentication still possible using the passkey) but unable to decrypt any vault data?
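
The scenario the question above describes can be modelled as follows. This is an added example, not code from the thread or from Bitwarden: it assumes one vault key wrapped independently under a master-password-derived key and under a key derived from a credential's PRF output. The PRF output is simulated with random bytes, and every name and parameter is hypothetical.

```javascript
// Added illustration; not Bitwarden's implementation. All names are hypothetical.
const crypto = require('node:crypto');

// Derive a 256-bit key-encryption key (KEK) from secret input with HKDF-SHA256.
function deriveKek(secret, info) {
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), info, 32));
}

// Wrap (encrypt) the vault key under a KEK with AES-256-GCM.
function wrap(kek, vaultKey) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([c.update(vaultKey), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Unwrap; throws if the KEK is wrong or the blob was modified.
function unwrap(kek, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', kek, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Constructed sample data.
const vaultKey = crypto.randomBytes(32);
const masterKey = crypto.pbkdf2Sync('correct horse battery', 'user@example.com', 600000, 32, 'sha256');
const prfOutput = crypto.randomBytes(32); // stands in for the authenticator's PRF result

const account = {
  wrappedByPassword: wrap(deriveKek(masterKey, 'enc'), vaultKey),
  passkeys: {
    'with-prf': { wrappedVaultKey: wrap(deriveKek(prfOutput, 'passkey-enc'), vaultKey) },
    'no-prf': { wrappedVaultKey: null }, // no PRF result was available at registration
  },
};

// Called after a WebAuthn assertion has verified: can this credential also decrypt?
function unlockWithPasskey(credId, prf) {
  const entry = account.passkeys[credId];
  if (!entry) return { authenticated: false, vaultKey: null };
  if (!prf || !entry.wrappedVaultKey) return { authenticated: true, vaultKey: null };
  return { authenticated: true, vaultKey: unwrap(deriveKek(prf, 'passkey-enc'), entry.wrappedVaultKey) };
}
```

In this model a credential without a PRF result proves identity but yields no vault key, so another unlock path (here, the master password copy) is still needed to decrypt.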

Not sure if you can answer this yet, but will Bitwarden be able to import existing passkeys from Windows Hello or will it just be able to save new ones?

Hey @Jccg, as the passkey lead here at Bitwarden I can answer this!

It depends on the passkey. Currently - passkeys created in Windows Hello are bound to the device. That means that by design, they will never be syncable or exportable.

However, for all platforms/ecosystems that do allow exports - we will support imports. We’re actively working together with all other platforms to create a safe and encrypted format that will allow you to safely and easily export your passkeys from one provider to another.

For all of those (me included) who are already using passkeys with Hello/macOS - We’re working on some features that might make transitioning from Windows Hello to Bitwarden easier, but can’t drop any further details at this point :slight_smile:

8 Likes

I’m looking forward to passkeys in Bitwarden so much. I’ve been following the subject since WebAuthn was created in 2018, and I made a 1Password account in the meantime just to stop the waiting frustration.
Please add this as soon as you can :slight_smile:
And let’s hope it will be as seamless as 1Password and support account choosing on login in case of multiple accounts for one site :crossed_fingers:
Thanks in advance for the great work :slight_smile:

The Bitwarden passkeys page says “coming this summer,” so is this feature planned to release in later August or is there another, more specific estimated release period?

1 Like

In this blog entry it says: Bitwarden to launch passkey management | Bitwarden Blog

Editor’s note August 22, 2023: Passkey storage in Bitwarden Password Manager will be released in September. Sign in with passkey will come shortly after.

5 Likes

@bw-admin @kspearrin

Passkeys “are meant” to be stored in a TPM of a device which is the strongest way to be stored available for end users.
Your approach is to store the passkeys in Bitwarden? Will something be improved in the vault encryption?

Any thoughts to apply quantum encryption?

You could be the first quantum resistant password manager… that is good and free publicity on internet blogs, news sites, social, forums, etc.

@l0rdraiden
For the most part, Bitwarden uses AES-CBC-256 for encryption, which is already quantum-resistant. Unless you store passkeys in an Org vault, you won’t have to worry about real or imagined threats from quantum computing. Please refer to this thread and the discussions linked therein.

At the same time, TPM is not invincible either (see here and here).

Encryption of secrets is literally Bitwarden’s bread-and-butter and raison d’être, so there is no reason to believe that they are not already on top of the latest developments in cryptography and will make adjustments to the codebase as needed to counter any nascent threats.

New update from the same blog post:
Editor’s note September 5, 2023: Passkey storage in Bitwarden Password Manager will be released in October. Sign in with passkey will come shortly after.

2 Likes