I use a Yubico key (several actually) to allow a second factor for when I log on to Bitwarden. One of the keys has a firmware which allows me to look at the credentials stored on the key with the command
ykman fido credentials list
and this shows only credentials for my logon to Microsoft (RP ID login.microsoft.com) and nothing for Bitwarden.
Does the method of registering a FIDO2/WebAuthn key in Bitwarden not require a credential to be stored on the key itself?
Apologies if this is a noob question. My understanding of FIDO2 in general isn’t great (other than it’s a good thing).
It is quite possible.
I have 4 Yubikeys, I’m a huge GPG user (yubikeys make an excellent OpenPGP card)
Each of my yubikeys has a different firmware revision.
You’re correct in that the firmware can’t be updated but Yubico are developing it and ship later keys with later firmware revisions.
Earlier firmware didn’t let you see the FIDO credentials. OP must have a newish key.
Thinking aloud, I suppose the credentials I see on the key are for ‘true’ passwordless logon to Microsoft, whereas the logon to Bitwarden isn’t passwordless (still have to provide email and either master password or ‘sign in on device’ and only then does it ask for the key for WebAuthn). Maybe the HWID of the key alone is all BitWarden is after?
That test actually says “You just logged in using Web Authentication. Instead of using a traditional, shared-key password, you used a piece of secure hardware to create a strong, attested, and scoped credential that is virtually unphishable!”
So it mentions a credential.
And unlike BitWarden I can ‘passwordlessly’ logon to that site once registered.
"Credential Management allows the WebAuthn Client to display the credentials that reside on the YubiKey with firmware 5.2.3 and above so that the user can act upon them. The client can display each credential’s relying party information and credential descriptor, as well as the number of discoverable credentials on the authenticator. Credential management does not have the capability to display non-discoverable keys (including U2F based credentials) as that information is not stored on the authenticator in any fashion."
After a bit of digging, I found an article to shine some light.
It is fine to use WebAuthn without storing a credential on the key if you are using it for 2FA and so BitWarden register your key with the requireResidentKey property set to false. This means BW do not store a credential on your key but it is still WebAuthn.
If you want 1FA (just the key with no username) which BW do not support yet then the requireResidentKey property will need to be set to true and then a credential WILL be stored on your yubikey. This must be what Microsoft are doing.
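The difference the last two posts describe lives in the relying party's WebAuthn registration options. The added example below (not code from the thread, from Bitwarden, or from Yubico) builds the PublicKeyCredentialCreationOptions a site would pass to navigator.credentials.create() for the two cases: a second-factor registration that leaves nothing on the key (residentKey "discouraged" / requireResidentKey false) and a passwordless registration that stores a discoverable credential (residentKey "required" / requireResidentKey true). It also requests the standard credProps extension so the server can confirm afterwards whether a discoverable credential was actually created, which is what `ykman fido credentials list` would then show. The function names, the RP IDs and the user record are constructed for the example.

```javascript
// Added example: how the relying party's registration options decide whether a
// discoverable ("resident") credential is written to a FIDO2 authenticator.
// buildRegistrationOptions, willStoreDiscoverableCredential and wasDiscoverable
// are names chosen for this example, not Bitwarden or WebAuthn API names.

const encoder = new TextEncoder();

// mode "second-factor": the key is only checked after username/password, so
//   no credential needs to live on the key (non-discoverable; nothing to list).
// mode "passwordless": the key must present the credential by itself, so a
//   discoverable credential is stored on the key (visible with ykman).
function buildRegistrationOptions(mode, { rpId, rpName, userId, userName, challenge }) {
  if (mode !== "second-factor" && mode !== "passwordless") {
    throw new Error(`unknown registration mode: ${mode}`);
  }
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error("challenge must be at least 16 random bytes from the server");
  }
  const passwordless = mode === "passwordless";
  return {
    rp: { id: rpId, name: rpName },
    // user.id is an opaque byte string; the authenticator stores it only for
    // discoverable credentials, so it must not be personal data.
    user: { id: encoder.encode(userId), name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    timeout: 60000,
    attestation: "none",
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // roaming key such as a YubiKey
      // WebAuthn Level 2 field: "required" makes the key store a credential.
      residentKey: passwordless ? "required" : "discouraged",
      // Level 1 boolean kept for older browsers; must agree with residentKey.
      requireResidentKey: passwordless,
      // A discoverable credential replaces the password, so insist on PIN or
      // biometric; as a plain second factor "preferred" keeps older keys working.
      userVerification: passwordless ? "required" : "preferred",
    },
    // Ask the client to report whether the credential it created is discoverable.
    extensions: { credProps: true },
  };
}

// Predict from the options alone what a credential listing on the key will show.
function willStoreDiscoverableCredential(options) {
  const sel = options.authenticatorSelection || {};
  return sel.residentKey === "required" || sel.requireResidentKey === true;
}

// After navigator.credentials.create({ publicKey: options }) resolves, read the
// credProps result: rk === true means a discoverable credential now sits on the
// key; rk === false or absent means nothing is stored there.
function wasDiscoverable(credential) {
  const props = credential.getClientExtensionResults().credProps;
  return props && props.rk === true ? true : false;
}

// Constructed sample input for offline use; a real server would generate the
// challenge with a CSPRNG and bind it to the session.
const sampleParams = {
  rpId: "vault.example",
  rpName: "Example Vault",
  userId: "user-00123",
  userName: "alice@example.com",
  challenge: new Uint8Array(32),
};
```

In the browser the call is `navigator.credentials.create({ publicKey: buildRegistrationOptions("second-factor", sampleParams) })`; the returned PublicKeyCredential is then sent to the server, which stores the credential ID and public key and can record `wasDiscoverable(credential)` alongside them. With the second-factor options the key returns a credential ID that encodes what it needs to recompute the key, which is why the credential is not visible in any listing; with the passwordless options the key keeps the record itself and the RP can later authenticate without a username by passing an empty allowCredentials list.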