Support for Windows 11 Hello as a Passkey

Is there a status on using Windows 11 Hello as a passkey service for the Bitwarden browser extension?

Currently you must decrypt with a master password anytime authentication is required (login or unlock), which defeats the whole purpose of password-less authentication.

I realize this may be a compatibility issue and may actually fall more on Microsoft but a status from Bitwarden of what the problem is and when/what is required to enable functionality would help.

As an FYI, the issue is not in setting up a passkey, because that can be done without error. When set up, Bitwarden says the passkey has “Encryption not supported”.

The behaviour on login is that the passkey is accepted but immediately asks for the master password, presumably because the passkey cannot decrypt the vault.

Please advise

Thanks

AFAIK, logging in to the browser extension with a passkey is not possible on any platform. It’s something on the roadmap, but not available ATM.

Right now, it’s only possible to log in with a passkey to the web vault.

That’s exactly true.

In order to log in to the web vault with a passkey that is able to decrypt it:

1.- The browser must support the PRF WebAuthn extension.

2.- And the authenticator (the security key) has to support the HMAC-SECRET CTAP2 optional extension.

[1] IINM, only Chrome and Edge (both Chromium-based) support PRF today.

[2] If you want to use Windows 11 Hello as an authenticator, then it would need to support HMAC-SECRET. I think it does not.

In any case, Bitwarden has done their part of the work; it would be Microsoft that would need to update Windows Hello.

I don’t see the point in a feature request to Bitwarden.

2 Likes
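The two requirements listed in the post above show up in the WebAuthn client extension results, so a web client can tell whether a passkey will be able to decrypt anything. The following is an added example, not part of the original thread and not Bitwarden's code: the function names and sample objects are constructed for illustration, and only the `prf` extension fields come from the WebAuthn specification.

```javascript
// Added illustration; hypothetical helper names, not Bitwarden's implementation.

// Extension fragment a relying party adds to navigator.credentials.create() options.
function registrationExtensions() {
  return { prf: {} };
}

// Extension fragment for navigator.credentials.get(): evaluate the PRF on a salt.
function loginExtensions(salt) {
  return { prf: { eval: { first: salt } } };
}

// Classify credential.getClientExtensionResults() after registration.
function classifyRegistration(ext) {
  const prf = ext && ext.prf;
  // No prf member: the browser did not process the PRF extension.
  if (!prf) return "Encryption not supported";
  // enabled !== true: the authenticator did not enable PRF (hmac-secret) for this credential.
  if (prf.enabled !== true) return "Encryption not supported";
  return "Encryption supported";
}

// Decide the next login step from getClientExtensionResults() after get().
function nextLoginStep(ext) {
  const first = ext && ext.prf && ext.prf.results && ext.prf.results.first;
  // A usable PRF output is a 32-byte buffer that can seed a vault key.
  if (first instanceof ArrayBuffer && first.byteLength === 32) {
    return "unlock-with-prf-key";
  }
  // The passkey authenticated the user, but there is no secret to decrypt with.
  return "ask-master-password";
}

// Constructed sample results (not captured from real devices).
const samples = {
  prfCapableKey: { create: { prf: { enabled: true } },
                   get: { prf: { results: { first: new ArrayBuffer(32) } } } },
  noHmacSecret:  { create: { prf: { enabled: false } }, get: {} },
  browserNoPrf:  { create: {}, get: {} },
};

for (const [name, s] of Object.entries(samples)) {
  console.log(name, "|", classifyRegistration(s.create), "|", nextLoginStep(s.get));
}
```

The second and third samples reproduce the behaviour described in the opening post: the passkey is accepted, and the master password is still requested.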

Why does Bitwarden allow a user to go through the process of setting up a passkey when they know it doesn’t work, then? Why would they not detect a user is on a platform they do not support and warn them that this option is not supported, or just trim that option from an unsupported platform? With respect, there are millions of Windows users and probably 0.0000001% of them would understand anything you just said.

Depends on what you consider as “doesn’t work”. You can set up login-passkeys either with or without encryption. That is described in detail here: Log in with Passkeys | Bitwarden Help Center

The login-passkeys without encryption are also functional - they only can’t decrypt the vault and therefore the master password is still needed.

That may be true. As it is described in the help sites, I guess the easier kind of “explanation” to remember is that every part of that passkey creation process and the later usage (1. the OS, 2. the browser and 3. the “authenticator” = the “wallet” where the passkey gets stored) has to support PRF (pseudo-random function).

Thank you. That help article helps, and it looks like I missed it or didn’t understand it. You have cleared that up, and indeed it would appear that MSFT would need to advance in this area. I will keep an eye out for their roadmap. I do know that Windows 11 24H2 has updates to Hello but a bit short on details. I have not updated to 24H2 yet.

Best Regards and Thanks