Bitwarden adds support for passkeys (opens in new tab)

I hope they get over that. It's a blob of data. It's no more special than a TOTP secret or a conventional password, and I am completely uninterested in pretending otherwise because of a slick marketing campaign. It's a "thing I know" whether anybody likes it or not and you can't turn it into a "thing I have" just because you won't let me export it from this particular software. (Proof that it is a "thing I know": It fits into Bitwarden, which is a "thing I know" storage mechanism. Anything that can be stored by BitWarden is a thing-I-know.) As long as it's a thing I know you might as well give me the benefits of being a thing I know, since I'm paying the costs of it anyhow.

I back up at the Vaultwarden backend store level anyhow. Probably shouldn't give me that sort of advantage over the commercial option.

You're not really vulnerable to phishing if you use a password manager with a browser extension.

Cross-platform import/export for passkeys is considered a "nice-to-have" because you can always just add a new device via other established factors (email/SMS).

So, what's the point, then? Why can't passkeys just be strings that I can extract via biometric authentication?

The answer: everyone pushing this has a significant interest in making it harder to migrate between operating systems and password managers.

It's a land grab.

Maybe the authors saw this comment because the page you link to says, "A: Passkeys imports and exports will be included in a future release."

That's really a shame, I know keepassxc has (recently) added support for passkeys, but does it also support import/exporting them? I only found this comment[0] in the github issue.

EDIT: According to the pr[1] it does support import/export

---

0: https://github.com/keepassxreboot/keepassxc/issues/1870#issu...

1: https://github.com/keepassxreboot/keepassxc/pull/8825

> But essentially it's a certificate...

I'll put upfront that I'm no expert in any of this, but ... unlike passwords and certificates, attestation is a thing for passkeys. The thing being attested to is "the private key of this cert is being secured by X". X might be YubiKey in the case of a FIDO2 key, or Google or Apple in the case of passkeys.

This aspect of passkeys made me uncomfortable with them. If Google is going to attest they manage your passkey, then it follows the aren't giving a copy to anybody, including you. That means if you lose your Google account you've lost control of your ID. But note: that's control, not the keys themselves. You probably will have a copy of them on a phone, so you can still use them until that phone dies. But when it does you've in a world of pain because you can't backup / transfer / copy them - only Google can do that. In effect you don't own your Google passkey - Google does.

I don't know if Bitwarden does attestation now, or if the are planning to implement it in the future. But if either of those things are true they can't give you a copy of the key, ever.

This still makes me uncomfortable. But I can see why it is so. You and I may be capable of protecting a private key, but my mother and 99% of the rest of the planet aren't. Your bank or whoever trusting me on my say so isn't going to work, so the end result of us never being able to manage our own keys is inevitable. We have to put them in the hands of a 3rd party the bank or whoever can trust.

And it is ameliorated by another aspect of FIDO2 / passkeys: unlike passwords where you can only have one per site, sites are expected to support many FIDO2 keys for the same person. And, you are expected to keep several of them and authenticate each of them at every site you use. So you might have a Google one, and a Bitwarden one, and maybe even a Keypass one. If you did you solve the "Google owns my ID" problem, but it's such a pain in the arse to do I don't see it happening.

We've seen several iterations of this concept: FIDO, WebAuthn/FIDO2, and now passkeys. I'd like to see one more: some way of bundling up a whole pile of passkeys from different providers, so when I establish a new account on a web site, I register all of them. That would make maintaining a bunch of PassKeys trackable. Right now, the reality is bugger all people are going to do it. And as a consequence, a good chunk of the planet is going to end up with Apple / Google / whoever owning their identities. And of course some of them are going to lose their relationship they had with there ID manager, and wake up one day to discover themselves wiped from the digital planet.

> But essentially it's a certificate... so I wonder why no private key export? Maybe because current implementation uses some CA that binds you to the issuer?

It's a private key, not a certificate (at least not without using attestation).

But there is currently no portable specification of WebAuthN credentials; each authenticator is free to implement its own storage backend, and in fact some hardware authenticators deterministically re-derive the private key from an internal secret and the key handle before each signature.

Others store a randomly generated key in local storage, indexed by the key handle; yet others encrypt a randomly generated key and make that encrypted key part of the key handle.

The point being: Not all implementations can even support key imports, and there's no standardized serialization format for key exports yet.

It does seem like a real "lock-in" move.

But. If you run your own vaultwarden there must be a way to export it.

It's just a false issue. You generate more key pairs when you have more devices. You get a new pw manager? Revoke the old ones and generate new ones. You get a new device? Revoke the old ones and generate new ones. Passkeys are a commodity.

It was a benefit that keys were device locked until the brain trust told you it was user hostile.

+1. Lastpass was the love child until they got sold and sold out. I switched over to bitwarden but after being burned, keeping it basic with no lock in for now.

Is this true for all of the incumbent password managers? If so, it seems like the worst of software lock-in.

what's the phishing risk if bitwarden autofills only on the correct domains stored in the vault?

What stops anyone from forking their client and adding an "Export" button?

I don’t even mind the UI honestly. It works. Some annoying UX here and there, but I can live with that. I happily pay for a subscription to support them.

Bitwarden's UI is far from perfect but I find it better than any competitors I've tried (LP & 1Pass).

1Password feels cleaner, more integrated & polished but in practice the UX is inferior to BW - most regular actions take more clicks & discoverability is lower. And the password generator is even worse than LP's.

Lastpass UI is well known to be poor - Bitwarden's is far less worse by every metric.

Bitwarden's not perfect but what's significantly better UI-wise?

I have to use bitwarden at my company laptop and don't enjoy it at all. Weird UX with unlocking the vault via touch id on a Mac (this is literally the most common UI interaction, please make it nice). On top of that, weird rare syncs/bugs, but this could also be coming from my employer.

And with the Premium upgrade at only $10 a year, it's outstanding. I wouldn't mind paying 10x that.

I introduced it at work to manage all our company credentials, and loved the fact that all users also get free premium for their personal account.

Why is it underrated? In my personal bubble everyone is using it. Most of them self-hosted. My hole family and some friends use my instance. Besides pass (low non tech approval factor) there is nothing that comes close.

For hackers there is a CLI and with that also JS libs etc. to get it into anything you might want. For anyone else the UI is already miles ahead of Lastpass so there is no big compromise.

I pay for family, and I like it. The only thing I don't like is that 50% of the time it would not recognize that I created a new user/pass combination.

I am very happy to pay for a family plan. The price of one coffee per month. Thank you Bitwarden.

I've been incredibly happy with https://www.passwordstore.org/ for years. The data store is a file hierarchy, with the files themselves encrypted with GPG. Sync is via git. TOTP support with a plugin.

Do you get the same features self-hosting as you do paying for their cloud offering?

You’re not really “trusting a company with the keys to your digital life”.

The vault is encrypted with a password that never gets transmitted, and even if your password and vault gets stolen, without the additional “secret key” that also never leaves your device (and you should probably print and store somewhere safe), an attacker won’t be able to do much with it.

The inclusion of an additional secret key makes a huge difference in this setup. but yes, it would be much nicer if I could use my own sync store like in the past… (looking at EnPass currently which also has a secret key setup and own sync store)

What would be the purpose of having multiple passkeys for the same account stored in the same BitWarden vault? You're going to have a backup key and store it in the exact same place as the primary key?

I can see the point of having multiple passkeys (e.g. backed by different passkey managers, like 1Password in addition to Bitwarden, or a combination of physical security keys and passkeys), as well as the point of being able to store multiple passkeys for different accounts in a single Bitwarden profile (e.g. for work and personal Google accounts).

But when would anyone need multiple passkeys for the same site account in the same Bitwarden vault?

> Especially when it's standard to register a backup key for any service that uses passkeys.

I’ve never heard of this for Passkeys, only for hardware keys.

Passkeys are meant to be something “that you have”, similar to one hardware key, why would you want to store 2 within the same password manager? What would that give you?

Doesn't appear to be available yet for Chrome in the Chrome Web Store or for Android in the Google Play Store, either. :(

Looks like it not really released yet. I still have 2023.9.x everywhere, and 2023.10 is the version with passkey support.

From the website:

> Passkeys support for mobile applications is planned for a future release.

Given the title of this post being about Bitwarden adding passkeys; I would think linking directly to the specific release note would be the best link.

https://bitwarden.com/help/releasenotes/#2023-10-0

I may be stupid, but I just cant get this to work. Ive tried in both Safari and Chrome.

Anyone have any luck so far?

> Webauthn puts a private key into a firewalled section of hardware

This is not true. In general, Webauthn doesn’t care where and how the keys are stored. There is attestation feature, but AFAIK e.g. Apple intentionally doesn’t implement it for unmanaged devices.

In theory the Bitwarden server (and Vaultwarden) shouldn't have any access to the passwords, so a data breach of the server should never disclose any contents of the vault. Vaultwarden "feels" safe to me, but I would also be interested if there is some possibility it could introduce some degraded security compared to the official Bitwarden server.

My Vaultwarden instance is "hidden" on a subdomain that probably nobody would ever guess (or scan for), so at least there is some added security by obscurity. If someone would know my credentials and master password, they probably won't find where to use them. In this case the reverse proxy in front of it also serves other content, just be hitting the IP nobody would ever know there is a Vaultwarden running on this server.

Edit: the subdomain is behind a wildcard DNS, so it's also not listed in the zone file. Although it will show in DNS logs of the ISP when I'm using it.

Vaultwarden is unaffiliated with Bitwarden. Vaultwarden is a hobbyist re-implementation of the Bitwarden server API. Anything the frontends (extensions, web ui, apps, etc) need to function properly, must would need to be re-implemented in Vaultwarden.

You can still have a password, but think of it as a backup. Or you rely solely on the lost password process to reaccess your account.

KeepassXC will have passkey support soon: https://github.com/keepassxreboot/keepassxc/issues/1870

Don't get FOMO; both seem to support export and import, and they seem to be compatible formats, but you may need to lightly modify the CSV from Bitwarden.

There's no pricing information for mailpass.io. There isn't even a contact email address or form. I'm hesitant to trust services that do not list the pricing (or future plans for pricing) transparently. Same for not having a support contact either. The help page here shows Slack as the only way to connect, but that's not convenient for people who don't use it or don't want to use it.

Third party apps can integrate with iOS’s native password autofill, just like how keychain works. Bitwarden supports this as well. I’ve been using Bitwarden seamlessly on all my devices, iOS included, for a while now. It works in apps other than safari too. Anywhere where the native iOS password manager would appear, my Bitwarden passwords appear as well.

I don’t think apps can turn on autofill automatically, you might have to manually turn it on in Settings->Passwords->Password Options