Why can my YubiKey log me in ("passwordlessly") to Microsoft, but not to Bitwarden?

Hi - not even sure what to search for to find an answer to this so I thought I’d just post.

So there are known issues with Windows 10 as well as browsers when trying to make use of YubiKey's "Log in with passkey" for passwordless login without needing your master password, by ticking "use for vault encryption."

So how come I can register my YubiKey 5 with Microsoft as a security key, and the hand-off offers up the same Windows Security dialog boxes, and yet it fails?

Just trying to understand the underlying workings.

Thanks :slight_smile:

You mean without needing your master, right? Because when it is with encryption, then you don’t need to enter the master password.

I'm not sure I understand the question itself, but I think the answer lies in "PRF" (pseudo-random function)… and that is described well enough here, and you may also want to read this blog post about PRF.

My summary: for “login-with-passkeys” with encryption, you need three things to be PRF-capable:

  • the OS
  • the browser
  • the “authenticator” = the “wallet”, i.e. where the passkey is stored on your end

The browser is probably a lesser problem now (with a few exceptions still). – If you are on a current OS, then that's also a minor problem. Problem here: Windows 10 is not a current system, and it doesn't work. – The authenticator: it depends. YubiKey 5s are working fine. Last time I checked, Windows Hello on my current Windows 11 was also not capable of storing BW login passkeys with encryption…

PS: If you search e.g. for "PRF" on the forum (and/or "login with passkeys") then you might find some threads where this was also discussed.

@Nail1684 - thank you so much for your reply.

Yes, I meant without needing your master password - sorry about that :slight_smile:

Yes, I think PRF is the important bit here and I think I may know my next question.

What is the standard used/called behind Microsoft's authentication flow if I am using my YubiKey as a FIDO2/WebAuthn security key that allows me to successfully sign in without having to enter any information?

I think I do need to try and take some time to read your links and do some research; it's all quite interesting but a little in depth.

Thanks again for your fantastic reply.

Ha, yeah, I kind of forgot that part - and I would explain it like this:

“Normal” passkeys (i.e. without making use of PRF) can authenticate you / log you in - basically to any service, that allows setting up and using passkeys.

In the case of Bitwarden, logging in / authenticating you isn’t enough. The Bitwarden vault is encrypted. So, to fully access your vault, you 1. have to log in / authenticate and 2. decrypt the vault.

And here PRF comes into play. Don't ask me for any technical details :sweat_smile: but PRF allows decrypting the encrypted vault. (And that's what's meant when we talk of BW's "login-with-passkeys" passkeys with encryption → it means only those can decrypt the vault. – PS: as "login-with-passkeys" passkeys without encryption can't decrypt the vault, typing in the master password is still needed, as the master password decrypts the vault.)

And if you think back to your example with Microsoft (or other services): you only have to log in / authenticate there → nothing to “decrypt” → no PRF needed.

@Nail1684 - that's awesome! You've answered exactly the bit I was confused by and couldn't articulate :slight_smile:

Really appreciate you taking the time to send a detailed response!

Before this thread is closed, could you please clarify whether the word “Firefox” in your topic title is meant to be “Yubikey”? If not, perhaps you can clarify how “Firefox works with Microsoft” in the context of your question.

@TechyTim Ha, I was pondering over the title in a similar way as @grb just articulated :sweat_smile:. – I just changed the title (before, it was “Firefox works with Microsoft but not Bitwarden”) and please give some feedback if that matches with your original question – or if it is “way off” and then feel free to suggest a better title. :man_raising_hand: