Store WebAuthn/FIDO2 Credentials in Bitwarden (Passkey support)

Just to add another data point. I tried to install the Bitwarden Chrome extension on my new MacBook Pro and it asked me to authenticate. The only options were NFC YubiKey (which I don’t have), a TOTP (which I did have), and an Apple Passkey.

Since there is no Passkey for bitwarden.com I couldn’t use that one, but it would have been very handy. Actually, I was kinda (pleasantly) surprised that the Passkey option showed up. But disappointed that I couldn’t actually use it.

Hey @RNHurt, this request is about storing passkeys into the Bitwarden Vault for use with logging in to services similar to how Bitwarden can be used to store and login with passwords.

You may possibly be referring to using a separate passkey, i.e. currently with Google or Apple’s Keychain, for use with login to Bitwarden and access to your vault.
There is a current feature request to allow for Login with a passkey if you’d like to support this.

Though at the moment what you experienced would be using a passkey as a 2FA method, which you can currently set up and create as a FIDO2 compatible method of 2FA login for your vault.
You would just need to create this first in the web-vault as described in Two-step Login via FIDO2 WebAuthn | Bitwarden Help Center

I don’t know how widely seen this video is.
Date is Summer 2023.


Awesome! Can’t wait for this!

Here's a blog post from today.


Looks exciting. Looking forward to saving passkeys in Bitwarden.

I have a question regarding signing in and unlocking Bitwarden itself with passkeys:

From the blog post and the demo video I can see that there are two steps involved:

Does this mean the encryption key (Symmetric Key) will not only be encrypted using the Stretched Master Key derived from the Master Password, but additionally it will be encrypted using a per-credential secret key requested via the WebAuthn PRF extension?

Apparently, as seen in the demo video, a YubiKey (and probably other security keys with hardware-bound passkeys) supports the necessary WebAuthn PRF extension. Will other authenticators that use copyable passkeys (Bitwarden, other password managers, Google Password Manager, iCloud Keychain etc.) also support this feature?
This makes me wonder; see the W3C GitHub page (link above):

Since this extension can be implemented by using the CTAP2 hmac-secret extension, and because many security keys support that, it should immediately have quite wide support. (At least in the subset of users who use security keys.)

In the demo video the YubiKey is called “YubiKey with encryption” and after registering the YubiKey there is a small lock icon with the info text “Used for encryption” next to it. I assume the encryption here refers to the mentioned WebAuthn PRF extension to receive a secret key. But to me it sounds like it’s optional. What happens if I create a passkey without the additional “encryption” feature? Will I be able to log into my account (authentication still possible using the passkey) but unable to decrypt any vault data?

Not sure if you can answer this yet, but will Bitwarden be able to import existing passkeys from Windows Hello or will it just be able to save new ones?