YubiKey, PRF for vault encryption

I’m really interested in the feature to use a YubiKey to encrypt the vault. As described here and here (can’t post more than two links in one topic, "PRF WebAuthn and its role in passkeys").

I have a few questions I haven’t been able to find the answer to.

  • Is this feature ready for prime time? Meaning, are there any known bugs or limitations?
  • I want to rotate the encryption keys on my vault. I know for a fact I’ve had malware on one of my devices, so I must assume my master password is compromised. I guess I’ll try to follow the steps in this guide, although some parts of this guide are a bit confusing.
  • Can I use two separate YubiKeys for this? Meaning, can both individually decrypt my vault, without me ever typing my master password (if I would even still need a master password).

@Protegee4619 Welcome to the forum!

This feature is officially in a “beta” release, and I would characterize the status as “experimental”. In part, this is because the FIDO Alliance has not even finished developing a complete set of standards for how passkey functionality should be implemented, and because even major players (including Mozilla, and Bitwarden itself) have not yet fully implemented existing standards for passkeys.

Currently, if you wish to use passwordless login, you can only do so when logging in to the Web Vault (e.g., https://vault.bitwarden.com), and only on a Chromium-based browser, and only on some operating systems (I don’t have a comprehensive list of compatible operating systems, but it is known to work on Windows 11 and it is known to not work on Windows 10).

If you do so, any passkeys for which you have enabled encryption (i.e., fully passwordless login into Bitwarden) will no longer be able to encrypt/decrypt your vault (meaning you can authenticate, but you will need to supply the master password before your vault is unlocked/decrypted). Thus, you would most likely need to re-register the passkeys in order to enable encryption again.

Yes, you can register up to 5 passkeys for passwordless login with encryption.


I currently have a setup where I am required to input my master password on first login to my PC (Linux) and after that I just use my YubiKey Bio with PAM to authorize unlocking every time.

If PRF inside the BIO could be used to remove the initial master password entry that would make things so much simpler.

I guess technically it would be “PRF for unlock decryption” instead of “Login with PRF decryption” since I want to be able to access the logged in locally saved passwords in the event that Bitwarden is down etc.

It’s possible for the Web Vault (at least on PRF-compatible browsers in PRF-compatible operating systems), but not in other Bitwarden clients.