Unlock with FIDO2/“passkeys”

Could you elaborate? I was under the impression that it simply hasn’t been implemented yet, not that it’s impossible. It would be awfully disappointing if it isn’t possible. Is this related to why the browser extension opens a browser tab to prompt for WebAuthn when using WebAuthn as a second factor?

I was referring to this:

 

Nonetheless, apparently, some of the technical roadblocks were removed a few months ago, so progress on implementation of passkey login for the browser extensions may be coming in 2025:

3 Likes

Another one of those +1 posts: “just writing a comment to support the addition of this feature”.

This feature would make it more convenient to have the vault set to a very short lock time.

Is this hard to implement? I would like to understand the reluctance to add such a feature.

Chiming in to say that I would very much like this feature. And 1Password is also currently trialling this in their beta: “Unlock 1Password with a passkey (beta)” (1Password Support).

1 Like

Note: The title of this Feature Request (FR) was updated from Unlock Bitwarden with 2FA, e.g. security key / YubiKey (instead of, not in addition to password) to Unlock with FIDO2/“passkeys”.
 
Further info / explanations to that:

This FR proposes the use of FIDO2/“passkeys” (this includes hardware security keys, e.g. YubiKeys) as a new option for unlocking a locked vault – i.e., an alternative to the current unlocking methods (unlocking with master password, PIN, or biometrics).

Though “2FA” was previously mentioned in the title of this FR, to date, the majority of posts in the thread have proposed the use of YubiKeys or similar hardware security keys for unlocking the vault. Furthermore, in the time since this feature request was opened, it has become possible to store FIDO2 credentials not only on hardware security keys but also in TPMs (Trusted Platform Modules), mobile phones, and in “(software) authenticators” (e.g., in the form of syncable passkeys). The scope of the feature request has therefore been broadened to include vault unlocking using any form of “FIDO2” (hardware security keys, passkeys, etc.).

1 Like

I’d like to add that, talking with my buddy who is a lawyer, he has pointed out to me that, at least in the United States, biometrics such as a fingerprint can be something you’re compelled to provide by police if they have a warrant or while in custody, while something you “know”, such as a FIDO2 passkey and an associated PIN unlocking the FIDO2 authenticator, is protected under both the 4th and 5th Amendments, and you wouldn’t be compelled to provide access to law enforcement under the law.

I know someone could use the old “wrench authentication method” (xkcd: Security) to unlock your vault, but a simple FIDO2-based PIN + FIDO2 device provides significantly more legal and real-world protection than a biometric read on a phone or a short, say, 4-digit PIN that could be brute-forced extremely quickly.

I’m not advocating for anyone to break the law, but privacy is important. I know the master password is required to decrypt the vault, but at least Android phones already offer the ability to use your biometrics to unlock the vault, which many users may not understand leaves them vulnerable to losing all their passwords if they are asleep, or, say, sleeping off an innocent night of partying in the police station.

I just had a casual look into GitHub… and (but probably very early!) there is some interesting news 🎊 – at least for the web vault and the browser extensions for now:

 

Dependent on (server) PR:

2 Likes

Glad to see PRF unlock coming down the pipeline.

PRF login for extension works well, but I need to keep the local cache active for when I go offline and access internal LAN sites while not connected to the internet.

1 Like

So I love that login with passkey was added to some browser extensions in 2025.11.0! But why is there not an option to unlock the browser extension with a passkey?

I’d consider just logging out every time, but I can’t tell what settings get deleted on logout, and which ones stay.

I did minimal testing, and saw that the Account Security > “Unlock with PIN” option was removed (unchecked) after logout and login with passkey. However, a change to Autofill > “Copy TOTP Automatically” persisted after logout and login with passkey. Is there any documentation on what settings persist or clear upon logout?

Would it be better to add an option to unlock with passkey or just set the vault to log out every time?

1 Like

@sclark I have moved your comment into the relevant feature request thread.

1 Like