Talking about the implementation of Passkeys where the Bitwarden Extension/App acts as the A in CTAP. (Authenticator)
PRF support → For one of my accounts, I have Bitwarden master password in Bitwarden. I was planning on adding my Bitwarden as a “Login with Passkeys” for Bitwarden, but noticed Bitwarden didn’t support encryption for login with passkeys. I would love to see support.
Bitwarden does support PRF. In order for it to work, though, the passkey must be registered in an authenticator that supports PRF, and using a browser that supports PRF. If you are seeing “Encryption not supported” then I would suggest trying with a different browser or authenticator.
I apologize if my post was poorly worded; I was able to set up PRF based “Login with Passkey” for the web vault with my Yubikey… so I know that the browser I am using supports PRF.
The thing that does not work is registering my Bitwarden extension as a “Login with Passkey” passkey with encryption (PRF) on the web vault.
To make it a little easier, I’ll explain the steps and expected/actual results:
Reproduction steps:
1. Create a Bitwarden account and buy a Yubikey (or another PRF-enabled device).
2. Install the Bitwarden extension on a PRF-enabled browser.
3. Log into Bitwarden on the extension.
4. Enter your Bitwarden master password and email as an entry in your own Bitwarden (so the vault holds its own master password).
5. Activate Login with Passkey for the Yubikey, check “use encryption” and confirm that PRF works.
6. Add another passkey for “Login with Passkey” beta, but this time use the Bitwarden extension itself and select the Bitwarden entry item inside the Bitwarden extension.
Expected: You should be able to check “use encryption” and log in without the master password.
Actual: You cannot check “use encryption”, and continuing with the process will add a “Login with Passkey” key that says “Encryption not supported”. Logging in with the Bitwarden Extension’s Vault Item’s Passkey will present you with a lock screen asking for the master password (showing that PRF was not successful, and that the Bitwarden Extension being used as a Passkey Authenticator does not support PRF).
This thread is asking for supporting PRF in that instance.
My understanding is that this use-case (storing a Bitwarden “login with passkey” key inside the same vault that the passkey is meant to be used for) is not supported, to prevent circular dependence and account lock-out.
Regardless, there are other use-cases for storing PRF-enabled passkeys in the Bitwarden vault, so it would be helpful if this were supported. My understanding is that there were plans to implement such functionality, so I’m hoping for a status update from @Micah_Edelblut.
@dabura667 FYI, feature request topics should only contain a single topic. I would suggest that you remove your proposal about the PIN from this thread (there is already a feature request on plausible deniability, or you can start a separate feature request), and that we change the title of your topic to be more precisely worded. For now, I have changed the title to “Support for Storing PRF-Capable Passkeys in Bitwarden Vault” (old title was “PRF and additional PIN support for Passkeys”).
I would always add to this that the OS also plays a role in it…
You can have a Chromium-based browser and e.g. a YubiKey 5, so both the browser and the “authenticator” support PRF. On Windows 11, I can create login-passkeys for Bitwarden “with encryption” – but on Windows 10, it produces an error message and doesn’t work.
(Not even Bitwarden login passkeys with encryption that were properly created on Windows 11 can be used successfully on Windows 10, as that also produces an error when you try to log in… at least, as of my last test a few months ago…)
Besides, it would be very useful to store Bitwarden account passkeys that serve as login credentials (and decryption keys) for other Bitwarden accounts (not your own).
+1 from me.
We developers should all work towards a passwordless future where E2EE is the norm and not the exception.
I am currently working on a project where we are deriving client E2EE keys from given passwords and starting to implement WebAuthn/Passkey support, for which we would need the PRF extension. I was happy to see that Bitwarden itself is doing the same (I have been a satisfied customer of Bitwarden for many years myself). See the link posted by micah_edelblut, and thanks for the detailed explanation of and motivation for why the PRF extension is such an important thing!
Surprisingly, when experimenting with PRF and several test pages (see e.g. Manual test suite) I had to realize that although Bitwarden relies on authenticators supporting PRF passkeys for login, when Bitwarden itself acts as an authenticator (for other applications relying on PRF), Bitwarden seems to NOT support PRF. That is quite disappointing and should be fixed.
Allowing Bitwarden Passkeys that use PRF to sign into Bitwarden Vaults is a pretty obvious use case. I’m hoping the team not including PRF support is more of a time limitation than a design choice.
Is this on the roadmap? This is one of the blockers to us adopting Bitwarden Enterprise for our organization.
I am developing an application that performs encryption using the PRF extension. During testing I noticed that Bitwarden does not support PRF. It is very important that Bitwarden users have a seamless experience.
I also hope that Bitwarden will play a role as a workaround for Windows Hello and other cases where PRF support is lagging.