Having seen the blog entry suggesting the use of passkeys to access Bitwarden instead of the master password, I set up a passkey in the Bitwarden web vault, but when I use the passkey, after I’ve entered the biometric or PIN credential, it takes me to the master password entry dialog anyway.
To log into Bitwarden with a passkey without a password successfully:
The passkey authenticator (security key, password manager) must support PRF extensions.
The browser must support the PRF extension (Chrome, Edge, and Firefox do).
Bitwarden currently doesn’t support the PRF extension as a passkey authenticator, so you can’t use it to log in without a password.
You can vote for the feature here:
PS:
Storing a passkey for logging into your Bitwarden account in Bitwarden could create a circular dependency. It should probably be used for convenience only, even if PRF support is added in the future.
Passkey authenticators that support the PRF extension currently include FIDO2 security keys and Google Password Manager.
OK, thanks for the response - I followed the instructions given in the blog post Login with passkeys, using the MS Edge browser on a Surface Pro Windows 11 laptop. The only options in that procedure were to use face recognition or PIN, I chose PIN.
There wasn’t anything about PRF when setting up the passkey, and I was hoping the blog instructions would apply to such a widely-used hardware & software setup… I’m not familiar with the technical details such as the PRF extension, and how to enable or install it.
So do I take it that my setup can’t actually use a passkey to log in to Bitwarden web vault after all?
Well, that already is the deciding question here: where did you store that login-passkey? From what you wrote, it sounds like Windows Hello. And it seems Windows Hello supports storing PRF-capable passkeys now, but so far we have no report that it worked successfully. (I know, that sounds complicated – here is the whole discussion: Encryption (PRF) via Windows Hello passkey?)
First, there is no “PRF-setting” – it either works with PRF, or it doesn’t work with PRF (when not all requirements are met). And the “blog instructions” cover all possibilities, as far as I see – but they can’t predict where you try to store the login-passkey or what OS and browser you are using… (PS: with up-to-date (!) browsers and OS, PRF should be supported on that front…)
I’m also not familiar with the technical details… But as written before: you neither need nor can enable it. If all conditions are met, it works. (OS, browser, and the “authenticator” must all support PRF – BTW, the “authenticator” here is just the name for the location where you store the passkey – and from where you use it then subsequently…)
I don’t think so. There are actually two BW-login-passkeys:
with encryption = need PRF → make it possible to log in with that passkey without the master password and without 2FA
without encryption = work also when PRF is not supported → make it possible to log in with that passkey without 2FA, but still needs that you enter the master password (–> without encryption means, that passkey can’t decrypt your vault, therefore the master password is still needed)
So, it’s possible to log in to the web vault and the Chromium browser extensions with both kinds of login-passkeys – but only those with encryption/PRF work without entering the master password.
In the web vault you can see if a passkey is created with encryption, or if encryption is supported (and you can upgrade to it) or not supported:
And conversely: If even one prerequisite condition is not met, then it will not work. And a corollary relevant to @Dave: if “Login with Passkey” doesn’t work, that means that at least one prerequisite condition has not been met.
OK, thanks - the passkey setup gave me three choices for where to store the passkey:
‘This Windows device’
‘iPhone, iPad, or Android device’
‘Security key’
I chose the default, ‘This Windows device’.
The newly-created passkey entry in the Bitwarden web vault says, “Encryption not supported”.
So, judging from what you guys have said, it looks like passkey access to Bitwarden isn’t yet ready for a bog-standard Windows 11 system - and still has a way to go before it’s ready for the average (i.e. non-technical) user without good technical support.
Thanks again for taking the time to explain the technicalities.
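The prerequisite chain discussed in this thread, as an added example that is not part of any post and is not Bitwarden's code: a sketch of how a site can read the WebAuthn `prf` client extension results to tell whether a passkey can be used for encryption and which login path follows. The function names, the returned labels and the sample objects are assumptions made for illustration.

```javascript
// Added example: reading WebAuthn PRF extension results on the site side.
// Function names and returned labels are hypothetical, not Bitwarden's code.

// Extension input: an empty prf object at create() asks whether PRF is
// available; at get(), eval.first is the salt the authenticator evaluates.
function prfExtensionInput(salt) {
  return salt ? { prf: { eval: { first: salt } } } : { prf: {} };
}

// Interpret credential.getClientExtensionResults() after create().
function diagnoseRegistration(ext) {
  if (!ext || ext.prf === undefined) {
    // No prf entry at all: the browser/OS most likely ignored the extension.
    return { encryption: false, failed: 'client' };
  }
  if (ext.prf.enabled !== true) {
    // The client understood prf, but the passkey store did not enable it.
    return { encryption: false, failed: 'authenticator' };
  }
  return { encryption: true, failed: null };
}

// Interpret getClientExtensionResults() after get() and pick the login path.
function loginPath(ext) {
  const out = ext && ext.prf && ext.prf.results && ext.prf.results.first;
  // A PRF evaluation yields 32 bytes; without it no vault key can be derived,
  // so the master password is still needed after the passkey check.
  if (out && out.byteLength === 32) return 'passkey-only';
  return 'passkey-then-master-password';
}

// Constructed sample results (not captured from a real authenticator).
const registrationSamples = {
  clientWithoutPrf: {},
  authenticatorWithoutPrf: { prf: { enabled: false } },
  prfCapable: { prf: { enabled: true } },
};
const assertionSamples = {
  noPrfOutput: {},
  prfOutput: { prf: { results: { first: new Uint8Array(32).buffer } } },
};

for (const [name, ext] of Object.entries(registrationSamples)) {
  console.log('create:', name, diagnoseRegistration(ext));
}
for (const [name, ext] of Object.entries(assertionSamples)) {
  console.log('get:', name, loginPath(ext));
}
```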