You can now unlock your vault with a passkey

Could also be faulty memory on my part… :sweat_smile:


So if I am correct, this unlock with passkey only works if you have PRF.

And as far as I understand, Windows 11 (with PIN / Fingerprint / Facelock) does not have PRF, so for most Windows users this does not work.

Yes. (I also tested it now to be sure)

Windows 11 itself is perfectly capable of processing PRF. But Windows Hello doesn’t support storing passkeys with PRF (yet); that’s the issue here for Windows 11 users. (But you’re not restricted to using only Windows Hello as a possible PRF passkey storage.)

Ah, just to clarify: Passkey login is also possible without PRF. (Though that then still requires entering the master password during login.)

@Preet It works beautifully on Windows 11 using Yubikeys.

Although Microsoft does whatever Microsoft does (and with no public announcement on PRF support), it does seem like a wasted opportunity not to implement something that seems “easy” and fundamental for any app that stores encrypted data. With Google Password Manager (and 1Password) already providing such a service, it’s hard to see how this wouldn’t put pressure on Microsoft in the long run. :crossed_fingers:


The log in with passkey feature has been available in Bitwarden since earlier versions (initially as beta). It is now officially available and no longer considered beta. Some localized documentation (e.g., German) may still contain older beta wording, while the English documentation already reflects the current stable status.

So the correct title would be: “Log in and unlock with passkeys in the web app and browser extension is no longer in beta.”

Hey there and thanks for the feedback! Login with passkey exited beta prior to the launch of unlock with passkey.


I think the note in the following link from the documentation leads to confusion.

Great job and thanks for the clarification.

Yeah, I can confirm that this German version of that Help Site is outdated.

This is an enhancement we have in mind for the future, but not currently possible.

@Micah_Edelblut

This would be a huge improvement. Personally, as much as I’d like to, I probably won’t use Unlock with Passkey unless it is possible to disable Login with Passkey (ideally, on a per-key basis).

If your passkey is stolen, then the only thing protecting a vault that has Login with Passkey enabled is the passkey’s UV (e.g., a PIN). In contrast, for Unlock with Passkey, there is additional protection inherent in the fact that to get access to the vault data using a stolen passkey, the attacker would also need to steal or otherwise access a device that has a logged-in Bitwarden client, and that device would need to be unlocked as well (e.g., using an operating system password).

For these reasons, the UV PIN required for Unlock with Passkey can be significantly weaker than the Passkey PIN required for Login with Passkey (see this discussion of YubiKey PIN strength requirements) — i.e., for a passkey used for both login and unlock, the unlock PIN is going to be unnecessarily complex. In other words, until Login with Passkey can be disabled, there is no real benefit of Unlock with Passkey, because the passkey PIN would have to be more complex than a PIN used for Bitwarden’s Unlock with PIN option.


Unlock can be done offline. Login can not.

Yes, but I meant that if one wants to ensure that Passkey Login/Unlock is secure (i.e., protected by a sufficiently strong UV PIN), then the “Unlock with Passkey” feature has no real benefit over the garden-variety “Unlock with PIN” option.

Hm. At least “Unlock with passkey” doesn’t weaken the encryption of the local vault copy like “Unlock with PIN” can. – And when you used “Unlock with PIN” with “Require master password…” before, you don’t need to enter the master password that often now. (connected to that: overall less regret closing the browser…)

Personally, for now I can live with a relatively strong PIN for my YubiKeys.

And there might be a practical problem: I think multiple “full” passkeys (FIDO2 discoverable credentials) for the same relying party / site with the same “username”/ID might be a problem for security keys. – I don’t know for sure, but it could be that you would need two different sets of security keys then for Bitwarden (if you couldn’t store them in parallel / they would only overwrite each other): one set for “login” and one set for “unlock”. (If those passkey functions – login and unlock – were “split” into two different working credentials.)

I think that those who want the ability to disable Login with Passkey (while still allowing Unlock with Passkey) would not need two sets of keys: they would just use their keys for Unlock only.

While I understand the argument to split “passkey unlock” and “passkey login” to be able to not have a “less secure” FIDO PIN making a login also possible – I would doubt that those using passkeys would not want to use passkey login at all…

I think we are starting to debate the number of angels that can dance on the head of a pin now, but assuming similar probabilities of theft of your computer/device (with a logged-in but locked Bitwarden session) vs. theft of your YubiKey, then the YubiKey PIN entropy (for “Login with Passkey”) should be similar to the entropy of the “Unlock with PIN” PIN — i.e., only slightly lower than your master password entropy. So from a convenience perspective, there is not much benefit to using “Login with Passkey” (as compared to just typing in your full master password).

Yes, there are definitely users who want to use “Login with Passkey”, many of whom feel comfortable (or don’t understand the repercussions of) using a reduced-entropy PIN. My perspective is from the point of view of a user who understands the risks associated with a login-YubiKey falling into the wrong hands.

I am sort of in the same shoes as @grb from the standpoint of my hardware key protection being too cumbersome to be used for unlocking. All in all, though, I am happy about this feature for being a good potential enhancement for a substantial portion, if not the majority, of hardware key users, i.e., those with a PIN convenient enough to be used frequently. It doesn’t improve the protection of their passkeys at all, but it does enhance the cryptographic protection of their locked vault in a major way, especially for those who use a PIN and don’t require a master password on restart. It’s this particular group of people (and those who never lock their vault) that I suspect the infostealers (without keyloggers) would target to exfiltrate Bitwarden’s encrypted vault.

I can personally imagine using one key for passkey login and another for unlocking, but this would just be a nice feature for me, which I might not use for some time.

… but maybe it should be compared to typing in the full master password and 2FA. (Even if one uses passkey-2FA instead, login with passkey saves a few clicks.) (And not to mention the added benefit of phishing resistance when using login with passkey.)