Could someone please explain WebAuthn AND how to use it in simple terms
I use Bitwarden because I want to manage one easy to access vault without having to remember or dink around with hundreds, no, actually thousands of passwords, and now WebAuthn interferes with that.
I use a Yubico key in extreme cases to prove I am me, and the little documentation I have found IMPLIES a security issue (bypassing 2FA) without explanation of the alleged problem. Nevertheless, I expect never to have to use Yubikey as I know my Bitwarden master password.
WebAuthn asks for things I don't have and in several options, don't understand how to set up. Blocking access to my vault despite having a master password, so also blocking access to thousands of accounts, which is almost as bad, perhaps as bad, as just breaching all my accounts, at least I could change passwords and still access accounts.
WebAuthn offers one particular way to get "authorized" which I find to be a weak form of security, EMAIL. So, now you are asking me to check my email for a code to open my vault? Isn't that why 2FA was supposed to be better? Is this comedy or what?
And as all the Bitwarden doc and posts seem years old, I'm asking the community how SHOULD we be setting up and using or how to avoid WebAuthn, and why I need or want this layer challenging my vault management? "Explain it, as you would [to] a child."
… then that has nothing to do with WebAuthn/FIDO2, but that would be the so-called New Device Login Protection. And you're experiencing it, because you don't have 2FA set up for your Bitwarden account/vault.
Are this dialog and those "email verification codes" you get the thing you're experiencing right now?
Just to get the terminology straight: WebAuthn is a standard or specification and therefore does not ask anything. Are you referring to 2FA setup with a Passkey? What screen did you actually see and when?
Just configure one or more 2FA methods you feel comfortable with. For me this is my (hardware) Passkey and a TOTP app as fallback.
Could you please do us a favor and explain more clearly the problem that you need help with? Specifically, I would like clarification of the following:
WebAuthn should not "interfere" in any way with your use of Bitwarden (or the credentials stored in your vault), unless you have made the choice to deliberately enable WebAuthn-related features that are disabled by default.
This is true – you never have to use a Yubikey to use your Bitwarden Password Manager, unless you have made the choice to deliberately enable WebAuthn-related features that are disabled by default.
Thus, can you please explain which WebAuthn functions you have enabled in your Bitwarden account and why (i.e., what were you trying to accomplish?)? In addition, please describe in detail (with screenshots, if possible) how WebAuthn now "interferes".
If @NeuronsNeeded is being prompted for the NDLP verification code ("We don't recognize this device"), then we can probably rule out #2 and #3.
If I had to guess, it is a website (RP) that is automatically prompting for passkeys during login, and OP is assuming that these prompts are triggered by Bitwarden. For example, if doing a username/password/TOTP login on amazon.com, then a passkey prompt appears after the 2FA has been entered: