Support "Device-Bound" Passkeys

Support the creation and storage of device bound passkeys on mobile devices.

Passkeys that are device bound are only stored on a single device.

This would be ideal for Enterprise use cases like Microsoft Entra ID where “synced” passkeys may not be allowed by policy.

Workaround for:

I doubt this will be implemented. I certainly would not want it to be.

Passkeys stored in Bitwarden are, by definition, syncable (i.e. not device bound).

Perhaps it could be technically implemented by the authenticator (Bitwarden) lying to the relying party (the website, Microsoft Entra ID, in your case).

But that would mean that Bitwarden deliberately chose not to respect the FIDO standards. And that would be bad (for Bitwarden).

The only valid solution (IMO) would be to ask Microsoft (or whoever set that requirement policy) to remove it.

2 Likes

To be clear, this is not asking for all passkeys to be device bound, but to offer the option to users who want to use passkeys in certain environments that require them to be device bound.

This request is also not asking the Bitwarden application to lie or misrepresent or go against the FIDO standards. The intent is that the device bound passkey created would ONLY be available on the mobile device it is created on.

As it stands today, one CANNOT leverage Bitwarden for device bound passkeys and is forced to use another passkey app. This is a GAP in Bitwarden’s feature set.

I agree that where possible synced keys should be used and supported, but in the real world we have to understand that will not always be possible.

Thank you for your thoughtful consideration.

No password manager can create device bound passkeys.

Passkeys stored in a password manager are syncable by definition (that is what a password manager does with passkeys: let you use them in all the devices where you are logged in).

Device bound passkeys, as its name implies, have to be bound to a hardware device.

2 Likes

I see what you mean - but I agree with @kpiris: This request can probably never (at least in the foreseeable future) be implemented.

As I understand it, so-called…

platform authenticators (“A FIDO authenticator that is built-in to a user’s device.”)

/ first-party passkey providers (“A Passkey Provider that is provided by the OS platform vendor and is often enabled by default. Examples include “Windows Hello” on Windows, “Apple iCloud Keychain” on macOS and iOS, and “Google Password Manager” on most Android devices.”)

… have “supremacy” over the device’s hardware regarding e.g. creation/storage/usage of device-bound passkeys, so they manage/administer device-bound passkeys.

I don’t see how another (third-party) software could “take over” here… and even if it were to be implemented somehow, it would have to be able to do that on all existing and not-yet existing different iPhone/iPad models, on all the different Android devices, on different TPM modules, on all different hardware security keys (and their vendors would have to “allow” that)…

So I don’t think it is a gap / missing feature – just as it is no gap or missing feature for hardware security keys not being able to store syncable/software-bound passkeys (which would be equally impossible in their current implementations), but it is simply not what it was designed for / not within their “domain”.

I really tend toward closing this feature request as “practically impossible” / “not implementable”.

So I would like to “ping” @Micah_Edelblut @dwbit @RyanL for their assessment as well. (because I would like to prevent counting votes for something that may be technically “out of reach”)

Although I agree that this feature request may be a far reach, I don’t think it rises to the level of impossible.

Bitwarden can already recognize specific devices that were previously logged in, or that have the 2FA “remember me” flag enabled. Thus, in my estimation, it should in principle be possible to implement a feature that identifies a specific device as being the only one authorized to use an associated “device bound” passkey, and blocks the passkey authentication ceremony from proceeding unless the device used matches the authorized device on record.

1 Like

I hate to use this specific example here as I’m worried it takes away from the request and could lead us down a rabbit hole, but…

Microsoft Authenticator does this today. So it IS possible. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/public-preview-expanding-passkey-support-in-microsoft-entra-id/4062702

I recognize that these feature requests take time to build steam and then time for them to be added to the roadmap, but if Microsoft is doing this with their native Authenticator, then Bitwarden should be considering the capability so that as IdP providers open up to using third party apps for software device bound passkeys, Bitwarden is ready to go.

I know for a fact that many organizations and enterprises are only going to enable device bound passkeys for their users going forward. It’s too great a risk to sync their keys to non-managed devices.

2 Likes

On the contrary, it demonstrates that the proposed feature is feasible. According to the documentation linked below, it seems that the mechanism used for implementing device-bound passkeys in Microsoft Authenticator is an attestation process that relies on communication with Apple and Google servers.


I think that this implies that device-bound passkeys would only be available in the mobile apps, if Bitwarden follows Microsoft’s approach to implementation of such functionality.

2 Likes
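The distinction the thread keeps coming back to (a relying party wanting only device-bound credentials versus a password manager whose credentials are syncable) is visible to the relying party in the WebAuthn authenticator data itself: the flags byte carries a Backup Eligible (BE) bit and a Backup State (BS) bit, and a synced passkey sets BE. The following is an added example, not code from the thread, from Bitwarden or from Microsoft; it parses the authenticator data of a registration response and applies a "device-bound only" policy on the relying-party side. The relying-party id `login.example`, the credential ids and the all-zero AAGUID are constructed sample values, and the COSE public key is replaced by a placeholder byte rather than decoded.

```python
import hashlib
import struct

# Flag bits of the WebAuthn authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible: a multi-device (syncable) credential
FLAG_BS = 0x10  # Backup State: the credential is currently backed up
FLAG_AT = 0x40  # Attested credential data follows (set on registration)
FLAG_ED = 0x80  # Extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte header and, if present, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
        end = 55 + cred_id_len
        if len(auth_data) < end:
            raise ValueError("credential id truncated")
        parsed["aaguid"] = auth_data[37:53]
        parsed["credential_id"] = auth_data[55:end]
        # The CBOR-encoded COSE public key follows; this example keeps it as raw bytes.
        parsed["credential_public_key"] = auth_data[end:]
    return parsed


def credential_kind(flags: int) -> str:
    """Classify the credential from its BE/BS bits."""
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    if bs and not be:
        raise ValueError("BS set without BE is not a valid flag combination")
    if not be:
        return "device-bound"
    return "synced" if bs else "syncable-not-yet-backed-up"


def registration_allowed(auth_data: bytes, rp_id: str, require_device_bound: bool) -> tuple:
    """Relying-party policy check on a registration response's authenticator data."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence not asserted"
    if not parsed["flags"] & FLAG_AT:
        return False, "registration response carries no attested credential data"
    kind = credential_kind(parsed["flags"])
    if require_device_bound and kind != "device-bound":
        return False, f"policy requires device-bound credentials, got {kind}"
    return True, kind


def make_sample_auth_data(rp_id: str, flags: int, credential_id: bytes) -> bytes:
    """Constructed sample (not captured from a real authenticator): header plus attested
    credential data with an all-zero AAGUID and a CBOR empty map in place of a COSE key."""
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([flags | FLAG_AT]) + struct.pack(">I", 0)
    attested = bytes(16) + struct.pack(">H", len(credential_id)) + credential_id + b"\xa0"
    return header + attested


# Constructed inputs: one credential with BE/BS clear, one with both set.
RP_ID = "login.example"
DEVICE_BOUND = make_sample_auth_data(RP_ID, FLAG_UP | FLAG_UV, b"cred-1")
SYNCED = make_sample_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, b"cred-2")

if __name__ == "__main__":
    for name, data in (("device-bound sample", DEVICE_BOUND), ("synced sample", SYNCED)):
        print(name, registration_allowed(data, RP_ID, require_device_bound=True))
```

The BE/BS bits are set by the authenticator, so this check only tells a relying party what the credential provider reports about itself; a provider that wanted stronger evidence would have to pair it with an attestation statement, which is the part of the Microsoft approach the post above points at.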

Yeah, that is indeed interesting!

Are we talking about “passkey attestation” here then? – Okay, those services that require only device-bound passkeys would be already “not many”, but “requiring attestation” would probably reduce the possible services that do that even more…

In the article you linked, there are requirements for “cross-device registration/authentication” mentioned… So, that would be QR code based then? (and maybe related feature request then: Support for passkey QR codes / CDA (Cross-Device Authentication)) PS: Just found that Note below there: “Users can’t use cross-device registration if you enable attestation.”… :man_facepalming:

That was @rengle’s original request…

Hm, I think it’s not surprising that Microsoft does this… With their own services like Entra etc. they apply such strict passkey usage… they offer passkey “management” via their OS (Windows) and Windows Hello… :thinking:

Bitwarden likely would need/want to follow the NIST 800-63B standard, which states (pp. 25–26):

…if the key is to be non-exportable, it SHALL be stored in an isolated execution environment protected by hardware or in a separate processor with a controlled interface to the central processing unit of the user endpoint.

In other words, the private key needs to be stored in the device’s trusted platform module. And, since device manufacturers pretty much all already offer device-bound passkeys, I see little benefit to Bitwarden doing much more than recognizing a passkey as device-bound and deferring to the First-Party Passkey Provider.

Syncable Passkeys, on the other hand, are completely within Bitwarden’s wheelhouse – making one’s vault usable “everywhere”.
Entra ID, which started this conversation, has syncable passkeys on their radar. So, syncable is where I anticipate Bitwarden and Entra ID will meet.

TL;DR: I don’t think device-bound is “impossible”, but rather would “never be prioritized”.