Unlock with passkeys / FIDO2

Could you elaborate? I was under the impression that it simply hasn’t been implemented yet, not that it’s impossible. It would be awfully disappointing if it isn’t possible. Is this related to why the browser extension opens a browser tab to prompt for WebAuthn when using WebAuthn as a second factor?

I was referring to this:

 

Nonetheless, apparently, some of the technical roadblocks were removed a few months ago, so progress on implementation of passkey login for the browser extensions may be coming in 2025:

Another one of those +1 posts “just writing a comment to support the addition of this feature”.

This feature would make it more convenient to have the vault use a very short lock time.

Is this hard to implement? I would like to understand the reluctance to add such a feature.

Chiming in to say that I would very much like this feature. And 1Password is also currently trialling this in their beta >> Unlock 1Password with a passkey (beta) | 1Password Support

Note: The title of this Feature Request (FR) was updated from Unlock Bitwarden with 2FA, e.g. security key / YubiKey (instead of, not in addition to password) to Unlock with FIDO2/“passkeys”.
 
Further info / explanations to that:

This FR proposes the use of FIDO2/“passkeys” (this includes hardware security keys, e.g. YubiKeys) as a new option for unlocking a locked vault – i.e., an alternative to the current unlocking methods (unlocking with master password, PIN, or biometrics).

Though “2FA” was previously mentioned in the title of this FR, to date, the majority of posts in the thread have proposed the use of YubiKeys or similar hardware security keys for unlocking the vault. Furthermore, in the time since this feature request was opened, it has become possible to store FIDO2 credentials not only on hardware security keys but also in TPMs (Trusted Platform Modules), mobile phones, and in “(software) authenticators” (e.g., in the form of syncable passkeys). The scope of the feature request has therefore been broadened to include vault unlocking using any form of “FIDO2” (hardware security keys, passkeys, etc.).

I’d like to add that, talking with my buddy who is a lawyer, he has pointed out to me that, at least in the United States, biometrics such as a fingerprint can be something you’re compelled to provide by police if they have a warrant or while in custody, whereas something you “know”, such as a FIDO2 passkey and an associated PIN unlocking the FIDO2 authenticator, is protected under both the 4th and 5th Amendments, and you wouldn’t be compelled to provide access to law enforcement under the law.

I know someone could use the old “wrench authentication method” (xkcd: Security) to unlock your vault, but a simple FIDO2-based PIN + FIDO2 device provides significantly more legal and real-world protection than a biometric read on a phone or a short, say, 4-digit PIN that could be brute-forced extremely quickly.

I’m not advocating for anyone to break the law, but privacy is important. I know the master password is required to decrypt the vault, but at least Android phones already offer the ability to use your biometrics to unlock the vault, which many users may not understand leaves them vulnerable to losing all their passwords if they are asleep, or, say, sleeping off an innocent night of partying in the police station.

I just had a casual look into GitHub… and (but probably very early!) there is some interesting news 🎊 – at least for the web vault and the browser extensions for now:

 

Dependent on (server) PR:

Glad to see PRF unlock coming down the pipeline.

PRF login for extension works well, but I need to keep the local cache active for when I go offline and access internal LAN sites while not connected to the internet.

So I love that login with passkey was added to some browser extensions in 2025.11.0! But why is there not an option to unlock the browser extension with a passkey?

I’d consider just logging out every time, but I can’t tell what settings get deleted on logout, and which ones stay.

I did minimal testing, and saw that the Account Security > “Unlock with PIN” option was removed (unchecked) after logout and login with passkey. However, a change to Autofill > “Copy TOTP Automatically” persisted after logout and login with passkey. Is there any documentation on what settings persist or clear upon logout?

Would it be better to add an option to unlock with passkey or just set the vault to logout every time?

@sclark I have moved your comment into the relevant feature request thread.

Hi everyone, you can now unlock your Bitwarden account with a passkey through the web app (available now), or a Chromium-based browser (rolling out this week), more information here: You can now unlock your vault with a passkey

You can now, for example, use a passkey on a YubiKey protected by a PIN to both log in and unlock.

Bitwarden could further strengthen local security by offering optional support for hardware-backed key protection using platform features such as TPM (Windows/Linux), Secure Enclave / Secure Element (iOS, macOS, Android) and FIDO2 hardware tokens.

These mechanisms allow encryption keys (or key-wrapping keys) to be generated, stored, and used inside secure hardware, making them inaccessible to malware, memory dumps, or disk extraction attacks. Even if a device is compromised at the OS level, the vault key would remain protected.

So I guess the main use case for YubiKey unlock would be if you’re offline and can’t log in and download your vault again? Since passkey login handles 2FA and decrypt, is there another advantage to passkey unlock?

Not besides the obvious: Not having to enter your master password every time you unlock the vault (or reduce your vault data security by unlocking with a simple PIN). Biometric unlock is not an option for everybody.

Edited to Add: And unlock with passkey provides a secure method for avoiding master password entry on browser restart!

Absolutely! I love this feature, it’s 90% of why I choose Bitwarden 🙂 Only downside is it’s harder to remember my master password now!
I was trying to differentiate between the login with passkey and unlock with passkey, so I was using each method optimally 🤓

A general advantage of locking/unlocking is that it retains some settings, like generator settings (including API keys)…

You shouldn’t really need login with passkey, unless you are setting up your account on a new device (or new browser, etc.), or you are forcibly logged out (e.g., due to making changes to account security settings in the Web Vault). Just set your Vault Timeout action to “Lock”, and use unlock with passkey to get back in.

Write it down on your Emergency Sheet.

And if you have set your Timeout Action to “Lock”, then you could develop a habit of manually logging out of your most commonly used Bitwarden client on a regular basis (e.g., at the end of each day, or once a week, etc.), and then refraining from using the passkey option when logging back in.

Thank you! This feature is very much appreciated and the main reason I went with Bitwarden. Looking forward, is there any ongoing or planned work for passkey unlock in the Android app?

If the Yubico Developers Guide to PRF (mentioned by Nail1684 in the related thread about passkey login) is still up to date and I understand it correctly, iOS is problematic, while the latest Android versions support roaming FIDO2 hardware tokens. It also looks like there is some kind of reference implementation for PRF in Android. So adding passkey unlock to the Android app would hopefully be easier than other platforms while at the same time giving at least one “full set” of password-less unlock for both desktop (by browser extension) and mobile.