Understanding the use and security of passkeys

Hi, this is my first post so please be gentle :grinning:
I am very interested in using passkeys over conventional usernames and passwords. I have read about how they work and their implementation but have reservations about their use in practice, which I have tried to outline below.

My current workflow for laptop, ipad or phone

Open the device using fingerprint, face id, password or pin
Sign in to website or account using bitwarden - which is secured by biometric only or by typing in master password
Depending on the website then type in 2FA code generated on the phone or other device, secured by biometric or password.
Only then can I use the website / account

In the above scenario it would mean that even if someone were to obtain my device PIN then they would not be able to go further without biometric, 2FA or password information (which would be different to the device PIN or password), thus adding another layer of security.

From what I have read, using a passkey would be possible by simply being able to open my device without further verification. As a consequence if someone were to obtain my device password / pin by looking over my shoulder then they would be able to access whatever account / website that was on my device.

If this is indeed true then the security of everything (including getting into bitwarden if it’s secured by a passkey) will be entirely dependent on the strength of my device pin or password, which somewhat negates all the cryptography and sophistication that underpins passkeys.

Please tell me that my understanding is wrong.


If somebody has physical access to your device and pin it is a problem, also today. I presume the first thing a bad actor would do is to get access to your email, from here it is possible to change password, disable 2fa etc.
You have to ask yourself where is the largest attack surface, is that on somebody having access to your physical devices or on the public services you consume?

I am writing in regard to Windows and Android here, and am not sure if MacOS and iOS have similar behaviors.

Windows Hello and Android biometrics can be circumvented using a PIN, so it is important to use biometric verification wherever you might be observed, not the PIN. The security of both the device and whatever can be opened using biometrics depends entirely on the device’s security.

We do not yet know the exact implementation of how passkeys will be used to access Bitwarden, or how users will need to interact with Bitwarden to sign into a web service. However, there are demos available.

The demo shows that logging into Bitwarden with a security device requires the security device’s PIN and biometrics. However, unlocking Bitwarden presumably only requires biometric unlock of the login device, which can currently be circumvented by a PIN. Additionally, if you use the login device’s passkey capability, only the login device’s PIN is required to log into Bitwarden.

In an unlocked state, accessing a web service does not require additional authentication, just like it is now. This is because you must unlock Bitwarden before you can do this. At this point, it depends on the web service implementation whether or not to prompt for 2FA. It is possible that, especially in the beginning, some web services may decide that authentication with a passkey means 2FA is not needed. However, I believe that in the long run, they will allow 2FA at this point.

The takeaway is that, disregarding the 2FA prompt from the web service, using a passkey stored in Bitwarden to authenticate for a web service does not reduce the security of your web service login workflow compared to now. The web service’s 2FA implementation will determine whether or not you will be able to use an additional authentication. Your biometric authentication will depend on the device’s security, as it is now, and will not change with passkey implementations.

On the other hand, your login to Bitwarden (not just unlocking) can be configured to use the login device’s passkey functionality. This means that knowing the login device’s PIN will allow the knower to use any Bitwarden functionalities that now require a password, including logging in and most likely vault export. If you cannot tolerate this level of “looseness,” then using the login device’s passkey capability with Bitwarden is not desirable. You will want to use a separate security key.

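The post above notes that it is up to the web service whether to demand anything beyond the passkey. The mechanism a service has for this is the flags byte in the WebAuthn authenticatorData of every assertion: the UV bit says the authenticator verified the user (PIN or biometric) before signing. The following is an added example, not code from this thread or from Bitwarden, of a relying-party check that refuses assertions without user verification and watches the signature counter; the rpId `example.com` and the sample authenticatorData bytes are constructed.

```python
import hashlib
import struct

# Bit positions of the WebAuthn authenticatorData flags byte.
FLAG_UP = 0x01  # user present (touch / click)
FLAG_UV = 0x04  # user verified (PIN or biometric on the authenticator)
FLAG_BE = 0x08  # backup eligible (a synced passkey rather than device-bound)
FLAG_BS = 0x10  # backup state (currently backed up / synced)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion_policy(auth_data: bytes, rp_id: str,
                           require_uv: bool = True,
                           stored_sign_count: int = 0) -> list:
    """Return a list of policy violations; an empty list means the assertion
    passes. Signature verification itself is done separately and is not shown."""
    parsed = parse_authenticator_data(auth_data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match this relying party")
    if not parsed["user_present"]:
        problems.append("UP flag not set")
    if require_uv and not parsed["user_verified"]:
        problems.append("UV flag not set: authenticator did not verify the user")
    # Counter check per the WebAuthn spec: only meaningful when either value is
    # nonzero (synced passkeys commonly report 0); a non-increasing counter is a
    # signal that the private key may have been cloned.
    new_count = parsed["sign_count"]
    if (new_count != 0 or stored_sign_count != 0) and new_count <= stored_sign_count:
        problems.append("signature counter did not increase")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData for testing, not real authenticator output."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

A caveat that matches the thread: UV only tells the service that the authenticator verified the user, not how; an assertion unlocked with a Windows Hello PIN sets the same bit as one unlocked with a fingerprint.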

Thanks for your responses they are both very helpful.

Don’t get me wrong, I like and would favour the idea and concept of passkeys as a replacement for usernames and passwords; indeed they will be so much better when it comes to logging in and authenticating accounts etc., not least of all because they will be so much simpler (once people get the hang of them), and simpler generally means that people are more likely to use them, thus leading to a more secure online life for us all. Which basically addresses 9elsen’s comment about “the online services that you consume”.

My main concern is how the passkeys are implemented in practice and whether they can be user-configured to ensure they can be used to protect a user’s accounts as they wish, i.e. to be able to prompt a biometric-only unlock when logging into specific accounts or websites after the device has been unlocked, which is generally the case in my current workflow and certainly where my Mac / iPad devices are concerned, which seem to require Face or Touch ID very frequently.

I’m one of these odd people who have an Android phone, iPad and MacBook as well as a Windows PC and laptop, although I have not tried any of these personally with passkeys until I am happy that I am using both the passkeys and my devices properly, to ensure as much as I can that my workflow doesn’t leave me open or exposed to problems as a result of me missing something, hence my post here.

I think my biggest concern is when I hear or read that passkeys will be able to unlock sites or accounts without further authentication merely by unlocking the device(s) with a PIN! This for me would be the weakest link and a potential Achilles heel.
I would much prefer to have the option to use a pin or biometric to open my device which would be independent of passkeys and then use, or be prompted to use biometrics every time I want to log in to a website or account, which is pretty much the way I try to work now.

Thinking about all this has at least made me consider how my devices are secured and make sure I lock things down as much as I can, which is no bad thing - without resorting to wearing a foil hat in a lead lined room :grinning:


Passkeys are by definition more secure than passwords, because the server/service does not need to know your secret as is the case with a password. Anyhow, whoever has access to your private key will be able to use it :slight_smile:
If you store passkeys in bitwarden you can configure your vault to ask for a pin or even login each time via the box timeout settings - this might be what you’re looking for.


Thank you for your help and knowledge; your assistance has allowed me to get closer to using passkeys in my life. I think I will await Bitwarden’s solution, which will hopefully allow me to continue within an environment that I am happy with and feel I can trust.
Thanks again

Allow me the following comment here: what I understand, in summary, is that passkeys will shift the burden of security from the sometimes decently secured sites (with many exceptions), to the end user, who typically does not care and has no clue about security.

Docusign asked me to enable passkeys: the private key is kept somewhere in not-to-be-trusted Windows, ‘protected’ by Windows Hello. Hello is very weak, as a simple PIN can bypass all the biometrics etc. My PIN is an alphanumeric password, but for most users it is a simple 4-digit PIN (like 1234?), nothing else. By no means would I trust this as a protection for all sites.

I will consider passkeys if, and only if, the only way a site can be authenticated is by a private key stored in my Bitwarden store, itself duly protected by a strong password.

That is not the majority of people out there, alas! And if I were a hacker, I would already prepare my tools and bots to hack these private keys protected by a Hello pin.

In my view, unless it is used carefully, it does not add a lot of security for the lambda user. But they will rush on it because it is easy.

The passkey is stored in the TPM of your computer (Hardware encryption module) so even if you know the pin you need access to that specific device.
I mean, maybe your wife could try to hack you if she has physical access but that’s it. xD

The TPM is probably the safest encryption method that we as end users have access to, since it is physically linked to a device and the tokens cannot be exported by design.

Anyway, have you checked if you can disable the PIN of windows hello?

@l0rdraiden You have a point concerning the TPM - that is probably the only way to have them stored with the user and still be safe.

As for the PIN of Hello, it can be disabled, but biometric authentication, like face recognition, somehow relies on it or requires it. So unless one sticks to only a password, practically, it cannot be disabled without consequences.

The only option therefore is to use a long alphanumeric PIN, in effect a password - something that most users will not do. But that is a Microsoft problem.