Just to add another data point. I tried to install the Bitwarden Chrome extension on my new MacBook Pro and it asked me to authenticate. The only options were NFC YubiKey (which I don’t have), a TOTP (which I did have), and an Apple Passkey.
Since there is no Passkey for bitwarden.com I couldn’t use that one, but it would have been very handy. Actually, I was kinda (pleasantly) surprised that the Passkey option showed up. But disappointed that I couldn’t actually use it.
Hey @RNHurt, this request is about storing passkeys into the Bitwarden Vault for use with logging in to services similar to how Bitwarden can be used to store and login with passwords.
You may possibly be referring to using a separate passkey, i.e. currently with Google or Apple’s Keychain, for use with login to Bitwarden and access to your vault.
There is a current feature request to allow for Login with a passkey if you’d like to support this.
Though at the moment what you experienced would be using a passkey as a 2FA method, which you can currently set up and create as a FIDO2 compatible method of 2FA login for your vault.
You would just need to create this first in the web-vault as described in Two-step Login via FIDO2 WebAuthn | Bitwarden Help Center
Does this mean the encryption key (Symmetric Key) will not only be encrypted using the Stretched Master Key derived from the Master Password, but additionally it will be encrypted using a per-credential secret key requested via the WebAuthn PRF extension?
Apparently, as seen in the demo video, a YubiKey (and probably other security keys with hardware bound passkeys) supports the necessary WebAuthn PRF extension. Will other authenticators that use copyable passkeys (Bitwarden, other password manager, Google Password Manager, iCloud Keychain etc.) also support this feature?
This makes me wonder; see the W3C GitHub page (link above):
Since this extension can be implemented by using the CTAP2 hmac-secret extension, and because many security keys support that, it should immediately have quite wide support. (At least in the subset of users who use security keys.)
In the demo video the YubiKey is called “YubiKey with encryption” and after registering the YubiKey there is a small lock icon with the info text “Used for encryption” next to it. I assume the encryption here refers to the mentioned WebAuthn PRF extension to receive a secret key. But to me it sounds like it’s optional. What happens if I create a passkey without the additional “encryption” feature? Will I be able to log into my account (authentication still possible using the passkey) but unable to decrypt any vault data?
Hey @Jccg, as the passkey lead here at bitwarden I can answer this!
It depends on the passkey. Currently - passkeys created in Windows Hello are bound to the device. That means that by design, they will never be syncable or exportable.
However, for all platforms/ecosystems that do allow exports, we will support imports. We’re actively working together with all other platforms to create a safe and encrypted format that will allow you to safely and easily export your passkeys from one provider to another.
For all of those (me included) who are already using passkeys with Hello/MacOS: we’re working on some features that might make transitioning from Windows Hello to Bitwarden easier, but can’t drop any further details at this point.
I’m looking forward to passkeys in Bitwarden very much. I’ve been following the subject since WebAuthn was created in 2018, and I made a 1Password account in the meantime just to stop the waiting frustration.
Please add this as soon as you can
And let’s hope it will be as seamless as 1Password and support account choosing on login in case of multiple accounts for one site
Thanks in advance for the great work
Passkeys “are meant” to be stored in a TPM of a device which is the strongest way to be stored available for end users.
Your approach is to store the passkeys in Bitwarden? Will something be improved in the vault encryption?
Any thoughts on applying quantum encryption?
You could be the first quantum resistant password manager… that is good and free publicity on internet blogs, news sites, social, forums, etc.
For the most part, Bitwarden uses AES-CBC-256 for encryption, which is already quantum-resistant. Unless you store passkeys in an Org vault, you won’t have to worry about real or imagined threats from quantum computing. Please refer to this thread and the discussions linked therein.
At the same time, TPM is not invincible either (see here and here).
Encryption of secrets is literally Bitwarden bread-and-butter and raison d’être, so there is no reason to believe that they are not already on top of the latest developments in cryptography and will make adjustments to the codebase as needed to counter any nascent threats.
Nobody has said that. The 2023.8 release was on August 15, the 2023.7 release was on July 11, the 2023.6 release was skipped, the 2023.5 release was May 30, the 2023.4 release was April 26, etc. There is no regularly scheduled release date.