You can now unlock your vault with a passkey

What’s new?

By community request, passkeys can now handle both log in and unlock for Bitwarden, on the web app (available now) and Chromium-based browser extensions (rolling out this week).

Why log into Bitwarden with a passkey?

Faster than entering your master password. Plus, passkeys only work on the originating website, preventing you from entering your Bitwarden credentials into a phishing site.

How to enable unlock with passkey

Passkey log in and unlock requires a compatible PRF-capable setup (compatible browser and authenticator). Learn how to set up encryption for unlock.


Windows 10 is known to have issues with PRF-capable passkeys.

2 Likes

… and OS!

(PRF won’t work with e.g. Windows 10)

1 Like

Thanks @Nail1684, I added the line from the requirements article to the bottom of the post above.

1 Like

@dwbit, does this authentication (unlocking) use userVerification: 'preferred'?

From what I understand, Windows Hello (any version of Windows) is NOT PRF capable. I tried to set up a passkey in Windows 11 but was unable to set up encryption. :frowning:

Hi there, are you using a PRF-capable hardware key? More detail on requirements here: Log In With Passkeys | Bitwarden

No, I was not using a hardware key. I created a passkey in Windows 11 native. It was not valid for encryption.

Is it possible to restrict a key so that unlock is possible but not login?

@AllisonR Currently you would need something other than Windows Hello such as a PRF-capable hardware key.

@marlin Not that I’m aware of, but you can protect a YubiKey with a PIN for extra protection as an example, which wipes after X failed attempts.

Thank you @dwbit. I am now using open with biometrics and it is working great. Fingers crossed that Microsoft adds the PRF extension to Windows Hello at some point or I get PRF-capable hardware keys.

1 Like

@grb, would you discuss briefly why setting userVerification: 'preferred' would be desirable? At least enough to go search some more? Thanks.

1 Like

Since there is a documented distinction regarding “Log in” and “Unlock”, perhaps that could be more specific in the new documentation.

2 Likes

Otherwise, someone with access to your passkey authenticator (e.g., a YubiKey) could unlock your vault with no additional verification.

1 Like

That possibility would cause me to abort using a passkey on my end.

1 Like

I note that currently, whenever I try logging in or unlocking with my hardware key on a Windows 11 system, it always prompts for a FIDO PIN and another touch.

Likely because Entra mandates it. Just as Bitwarden should.

Not answering the question (not knowing all the possible conditionals that would get you there), but I note that in this client’s code:

the userVerification is hardcoded to be “preferred”; as this code seems to be used for unlock, there’s a good chance what you think is good might be true, or at least some of the time.

3 Likes

If someone doesn’t see the new “Unlock with passkey” option on the browser extension after the update to 2026.1.0: on two browsers, I had to log out and log back in on the extension to see that new option.

1 Like

I had the same experience, but I don’t believe that I logged out to fix the problem. It was either locking/unlocking a second time, or closing/re-opening the browser extension.


And to close the loop on this:

Unlock with passkey does require CTAP2 user verification when a PIN has been set, so presumably, the implementation does in fact use userVerification: "preferred" (as also suggested by the source code posted by @Neuron5569 above).

1 Like
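What the userVerification setting discussed in this thread means for a WebAuthn relying party, as an added example that is not part of any post here and is not Bitwarden's code: with "preferred", an assertion made by touch alone is still accepted, so a caller that wants PIN or biometric has to check the UV flag in the authenticator data itself. The function names, the policy argument and the sample bytes are assumptions constructed for this illustration.

```javascript
// Added example, not Bitwarden's code. Layout per the WebAuthn spec:
// authenticator data = 32-byte rpIdHash | 1-byte flags | 4-byte big-endian signCount.
const FLAG_UP = 0x01; // user present (touch)
const FLAG_UV = 0x04; // user verified (PIN or biometric)

// Options for navigator.credentials.get() that also evaluate the PRF extension.
// `challenge` and `prfSalt` are hypothetical inputs supplied by the caller.
function buildUnlockRequest(challenge, prfSalt, userVerification) {
  return {
    publicKey: {
      challenge,
      userVerification, // "preferred" or "required"
      extensions: { prf: { eval: { first: prfSalt } } },
    },
  };
}

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticator data too short");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Relying-party decision: "preferred" does not fail when UV is absent,
// "required" does. Presence (touch) is needed in both cases.
function acceptAssertion(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "user not present" };
  if (userVerification === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV flag not set" };
  }
  return { ok: true, reason: parsed.userVerified ? "verified" : "presence only" };
}

// Constructed sample: zeroed rpIdHash, caller-chosen flags, signCount = 7.
function sampleAuthData(flags) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  bytes[36] = 7;
  return bytes;
}
```

`acceptAssertion(sampleAuthData(0x01), "preferred")` is the case raised earlier in the thread: a key with no PIN set, used by touch alone.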

Interesting. I can’t say if I locked/unlocked twice (before it worked), but I even closed/reopened the browser, restarted the PC, until it worked with a log out/log in. :man_shrugging: