Store WebAuthn/FIDO2 Credentials in Bitwarden (Passkey support)

Just to add another data point. I tried to install the Bitwarden Chrome extension on my new MacBook Pro and it asked me to authenticate. The only options were NFC YubiKey (which I don’t have), a TOTP (which I did have), and an Apple Passkey.

Since there is no Passkey for bitwarden.com I couldn’t use that one, but it would have been very handy. Actually, I was kinda (pleasantly) surprised that the Passkey option showed up. But disappointed that I couldn’t actually use it. :frowning_face:

Hey @RNHurt, this request is about storing passkeys into the Bitwarden Vault for use with logging in to services similar to how Bitwarden can be used to store and login with passwords.

You may possibly be referring to using a separate passkey, i.e. currently with Google or Apple’s Keychain, for use with login to Bitwarden and access your vault.
There is a current feature request to allow for Login with a passkey if you’d like to support this.

Though at the moment what you experienced would be using a passkey as a 2FA method, which you can currently set up and create as a FIDO2 compatible method of 2FA login for your vault.
You would just need to create this first in the web-vault as described in Two-step Login via FIDO2 WebAuthn | Bitwarden Help Center

I don’t know how widely seen this video is.
Date is Summer 2023.

4 Likes

Awesome! Can’t wait for this!

Here’s a blog post from today.

3 Likes

Looks exciting. Looking forward to saving passkeys in Bitwarden.

I have a question regarding signing in and unlocking Bitwarden itself with passkeys:

From the blog post and the demo video I can see that there are two steps involved:

Does this mean the encryption key (Symmetric Key) will not only be encrypted using the Stretched Master Key derived from the Master Password, but additionally it will be encrypted using a per-credential secret key requested via the WebAuthn PRF extension?

Apparently, as seen in the demo video, a YubiKey (and probably other security keys with hardware bound passkeys) supports the necessary WebAuthn PRF extension. Will other authenticators that use copyable passkeys (Bitwarden, other password manager, Google Password Manager, iCloud Keychain etc.) also support this feature?
This makes me wonder, see W3C GitHub page (link above):

Since this extension can be implemented by using the CTAP2 hmac-secret extension, and because many security keys support that, it should immediately have quite wide support. (At least in the subset of users who use security keys.)

In the demo video the YubiKey is called “YubiKey with encryption” and after registering the YubiKey there is a small lock icon with the info text “Used for encryption” next to it. I assume the encryption here refers to the mentioned WebAuthn PRF extension to receive a secret key. But to me it sounds like it’s optional. What happens if I create a passkey without the additional “encryption” feature? Will I be able to log into my account (authentication still possible using the passkey) but unable to decrypt any vault data?
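
As an added illustration of the PRF question in the post above (not part of the thread and not Bitwarden's code): a Python model of how a WebAuthn PRF input becomes a CTAP2 hmac-secret salt and yields a per-credential key, and what a passkey without that capability returns. `ToyAuthenticator`, `kek_from_passkey` and the `vault-key-wrap` label are hypothetical, and the encrypted salt transport between client and authenticator is omitted.

```python
import hashlib
import hmac
import os

def prf_salt(prf_input: bytes) -> bytes:
    # WebAuthn hashes the site-supplied PRF input with a fixed prefix
    # before handing it to the authenticator as the hmac-secret salt.
    return hashlib.sha256(b"WebAuthn PRF" + b"\x00" + prf_input).digest()

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    # HKDF (RFC 5869) with an all-zero salt: extract, then expand.
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class ToyAuthenticator:
    """Constructed stand-in for a security key; not a real CTAP2 stack."""

    def __init__(self, supports_hmac_secret: bool):
        self.supports_hmac_secret = supports_hmac_secret
        self._creds = {}  # credential id -> per-credential secret or None

    def make_credential(self) -> bytes:
        cred_id = os.urandom(16)
        secret = os.urandom(32) if self.supports_hmac_secret else None
        self._creds[cred_id] = secret
        return cred_id

    def get_assertion(self, cred_id: bytes, salt=None):
        """Return (authenticated, prf_output_or_None)."""
        if cred_id not in self._creds:
            return False, None
        secret = self._creds[cred_id]
        if secret is None or salt is None:
            return True, None  # login succeeds, but no key material
        return True, hmac.new(secret, salt, hashlib.sha256).digest()

def kek_from_passkey(auth, cred_id: bytes, prf_input: bytes):
    # Assumed design: the PRF output is stretched into a key-encryption
    # key that could wrap a vault key. None means "authenticate only".
    ok, prf_out = auth.get_assertion(cred_id, prf_salt(prf_input))
    if not ok or prf_out is None:
        return None
    return hkdf_sha256(prf_out, b"vault-key-wrap")  # hypothetical label
```
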

Not sure if you can answer this yet, but will Bitwarden be able to import existing passkeys from Windows Hello or will it just be able to save new ones?

Hey @Jccg, as the passkey lead here at Bitwarden I can answer this!

It depends on the passkey. Currently - passkeys created in Windows Hello are bound to the device. That means that by design, they will never be syncable or exportable.

However, for all platforms/ecosystems that do allow exports - we will support imports. We’re actively working together with all other platforms to create a safe and encrypted format that will allow you to safely and easily export your passkeys from one provider to another.

For all of those (me included) who are already using passkeys with Hello/MacOS - We’re working on some features that might make transitioning from Windows Hello to Bitwarden easier, but can’t drop any further details at this point :slight_smile:

10 Likes

I’m looking forward to passkeys in Bitwarden too much, I’m following the subject since WebAuthn was created in 2018 and I made a 1Password account in the meantime just to stop the waiting frustration.
Please add this as soon as you can :slight_smile:
And let’s hope it will be as seamless as 1Password and support account choosing on login in case of multiple accounts for one site :crossed_fingers:
Thanks in advance for the great work :slight_smile:

The Bitwarden passkeys page says “coming this summer,” so is this feature planned to release in later August or is there another, more specific estimated release period?

1 Like

In this blog entry it says: Bitwarden to launch passkey management | Bitwarden Blog

Editor’s note August 22, 2023: Passkey storage in Bitwarden Password Manager will be released in September. Sign in with passkey will come shortly after.

5 Likes

@bw-admin @kspearrin

Passkeys “are meant” to be stored in a TPM of a device which is the strongest way to be stored available for end users.
Your approach is to store the passkeys in Bitwarden? Will something be improved in the vault encryption?

Any thoughts to apply quantum encryption?

You could be the first quantum resistant password manager… that is good and free publicity on internet blogs, news sites, social, forums, etc.

@l0rdraiden
For the most part, Bitwarden uses AES-CBC-256 for encryption, which is already quantum-resistant. Unless you store passkeys in an Org vault, you won’t have to worry about real or imagined threats from quantum computing. Please refer to this thread and the discussions linked therein.

At the same time, TPM is not invincible either (see here and here).

Encryption of secrets is literally Bitwarden bread-and-butter and raison d’être, so there is no reason to believe that they are not already on top of the latest developments in cryptography and will make adjustments to the codebase as needed to counter any nascent threats.

New update from the same blog post:
Editor’s note September 5, 2023: Passkey storage in Bitwarden Password Manager will be released in October. Sign in with passkey will come shortly after.

3 Likes

Great, it’s October.
Is it up and running or is there a date or standard, the last day?

Bitwarden issues new releases on a monthly schedule. The initial September release (v2023.9.0) came out on September 19. The October release is not yet out.

A search on GitHub reveals that 26 pull requests mentioning the word “passkey” have already been merged:

https://github.com/bitwarden/clients/pulls?page=1&q=is%3Apr+is%3Amerged+passkey

If you’re interested in the status of this feature, the main PRs to keep track of seem to be these two:

2 Likes

So the October update will be in 9 days?

Nobody has said that. The 2023.8 release was on August 15, the 2023.7 release was on July 11, the 2023.6 release was skipped, the 2023.5 release was May 30, the 2023.4 release was April 26, etc. There is no regularly scheduled release date.

Both of the above PRs have been merged, so passkey support will be appearing as soon as the next release is published.

3 Likes

@andersaberg Can you tell if there is still work left regarding Passkey support for Bitwarden? If there is, how much?