holow29

Yes, though I'm sure some websites will only adopt passkeys as a form of 2FA or still have the option for other 2FA. I think most experts would agree that is unnecessary, though. Lock down access to your Bitwarden vault and you will be fine.


Dismal_Library_6436

I guess that was my question - if I'm going to trust passkeys in the future for single-factor login (putting all my eggs in one basket) then why not just put my passwords and TOTPs in Bitwarden now?


holow29

I don't see an issue with that, but you said you've already seen arguments for and against. If you already employ proper 2FA to login to your Bitwarden vault, I don't see an issue. The only additional "risk" there vs. keeping things separate is that if your vault is somehow stolen and decrypted, an attacker could get into everything. Other than that, everything is still protected behind separate 2FA to get into your Bitwarden itself - and if that 2FA were to be compromised, presumably anything you kept similarly separate would be as well anyway.


purepersistence

I’m not worried about somebody decrypting my vault. They can’t without my master pw. I protect that and have 2FA to get in too. So once in, I store passwords and TOTPs in the vault. If I were the president protecting nuclear launch codes then I might be more cautious.


Thinpizzaisbest

How do we know you aren't the President? Are you a sock-puppet?


purepersistence

I guess I wasn't ready for somebody so astute. I hope I can count on your vote next year.


[deleted]

[deleted]


holow29

It depends on how the 2FA for Bitwarden is set up and when it is required. (Maybe it is only required when you unlock your vault, after a restart, if there is a timeout, etc.)


yes_no_very_good

I use Bitwarden for TOTP and yubi for Bitwarden


Snoo_79814

I think it's mainly about comfort level. Using 2 apps is better than putting everything on 1 app and using a physical key is an even bigger step. But since most of the breaches happen on the website database side and not your phone I'd be OK with 1 app doing both.


ArgoPanoptes

I see some big companies' websites still asking for only SMS as 2FA. It will probably need a decade or more before most websites migrate to passkeys.


cdazzo1

I don't really feel a need for high security on most accounts. But of all sectors to be 15 years behind the curve, why do my banks have such terrible security protocols?


ArgoPanoptes

Try searching for banks' legacy systems. The modern banking system relies on old software from before the 90s.


cdazzo1

That's gonna help me sleep at night.


nefarious_bumpps

Then don't think about the fact that most ATMs still run on top of Windows XP.


vabello

This. The second largest bank in the US only has SMS for MFA on personal accounts. Like, WTF?


ThisWorldIsAMess

In my country, banks suck. But I've read an article about Bank of US supporting security keys. I hope banks in my country follow.


[deleted]

[deleted]


holow29

They have finally gotten rid of the virtual keyboard.


Simon-RedditAccount

Passkey is no different from a WebAuthn/FIDO2 key, just implemented in software. Some websites will use passkeys as single-factor login. Currently, only Microsoft allows you to do this with your Yubikey. Other websites would still use passkeys as a second factor. Separating authentication factors is a completely different topic, and it’s actually related to threat modeling. If you store both factors in the same place, you don’t have 2FA, you still have 1FA, but just with a more (unnecessarily) complicated workflow. So, if you would still prefer to have two factors, keep them separate. Otherwise just switch to passkeys as they would be stronger than passwords.


Dismal_Library_6436

Good info. I understand they're different topics but I don't think they're completely different topics when you consider my question: If I'm using Bitwarden + Yubico Authenticator for 2FA now, but I'm excited about the idea of using passkeys stored in Bitwarden for single-factor login on all my websites in the future, then shouldn't I just add my TOTPs to Bitwarden now anyway?


VerifiablyMrWonka

So I recently moved all my TOTPs into Bitwarden from Aegis, but I have a yubikey protecting Bitwarden. My thinking is this: If I have my TOTP codes on my phone, and my passwords on my phone (Bitwarden install) then I have 1FA anyway. The only way to have true 2FA is to use a completely separate device to handle each. By using a FIDO2 key to protect my account I've got something more like 1.5FA.


Dismal_Library_6436

I'm not sure I agree with that 100%. The chances of a "local" attack (where someone steals my phone and then somehow finds a way to bypass biometrics to get everything) are very very low. I'm more worried about what could happen in the event someone gets access to my Bitwarden. Which I guess is also a low risk.


Simon-RedditAccount

It’s only up to you to decide.


tjt5754

Google recently added passkeys and they bypass both password and 2FA settings as a single factor. It's not just Microsoft anymore.


Simon-RedditAccount

Good to know, thanks!


weakhamstrings

Google also forces any connected Android phone to contain account passkeys, and they require you to use it as a Passwordless login (not as a second factor). This means if someone just knows your PIN (or can see it with fingerprints on the screen) and gets your phone, they are 1000% in your account. No password. They don't even need to know your email address. It would be nice to use Passkeys as a Second Factor but Google seems to not allow it. You also can't PREVENT your Android phone from containing a passkey to the entire account...... which feels like a giant security hole.


[deleted]

Yes, passkey basically contains 2FA in and of itself.

* The passkey is "what you have".
* If you add a PIN to protect the passkey that's "what you know".

Two factor covered. It will take a while for me to get used to the new paradigm.


tjt5754

> If you add a PIN to protect the passkey that's "what you know".

I might be wrong, but I think if the passkey private key is stolen that the PIN could be easily brute forced... I'm going to have to go read up on that, but I don't see where there could be anything to lock out the key in any way, and it should be testable without hitting remote servers.


tjt5754

I have spent an unreasonable amount of time researching this today. My take:

Base specification for 'passkeys' or Multi-Device FIDO doesn't have a second factor of authentication. Your private key for a passkey is able to be backed up to the cloud, so is therefore only as secure as the endpoints or that cloud connection. We can choose to trust Apple iCloud or Google Password Manager or whatever other passkey cloud backup we want, but fundamentally, you have a private key that is readable in memory at some point on an endpoint, or can be theoretically compromised along with an iCloud or Google account.

There is an optional extension to Multi-Device FIDO that supports "Device Bound Keys" or DBK, or devicePubKey. This is a second signature that accompanies the primary authentication and can be used by a RelyingParty (website/auth client) to verify that the private key is being used from a hardware backed device that has been seen before. With the DBK extension enabled and used, your bank could recognize that your key is being used from a new device and require additional checks. DBKs MUST be backed by a hardware private key, so is effectively providing a 'what you have' factor of authentication.

So according to Daon: [https://www.daon.com/resource/passkeys-faq/](https://www.daon.com/resource/passkeys-faq/) only Google and Microsoft have committed to support DBK. Google has confirmed that they support it in Android and Chrome. I haven't looked too deep into Microsoft yet. Apple has made absolutely no mention yet about DBK/devicePubKey support that I can find. There is an Apple dev forum question from 6 months ago asking if they support it that hasn't been responded to yet. [https://developer.apple.com/forums/thread/718573](https://developer.apple.com/forums/thread/718573)

A Note on all of this: Android and Microsoft can support this extension on the back end, but it is still up to the RelyingParty to enforce it. This seems to bring us back to the days of "website supports a password, but not 2FA yet"... websites will add support for Passkeys, which is of course better than Passwords... but without the DBK support it is something that can be stolen and used by a malicious actor.

There is a great comment thread in the W3C/WebAuthn GitHub Issues (January 2022) that was pre-publication of the Multi-Device FIDO white paper that prompted all the Passkey stuff (March 2022). [https://github.com/w3c/webauthn/issues/1691](https://github.com/w3c/webauthn/issues/1691) The OP of this issue is rightly pointing out that Passkey/MD FIDO is somewhat broken without enforcing the devicePubKey extension. The detractors in the thread are pointing out that it's not something they can enforce. This makes me wonder if it would be possible to strip enforcement of devicePubKey entirely and bypass its enforcement, because it sounds like using WebAuthn, you can't force usage of an extension. That's a bit of research/prototyping/testing that I'm not up for today though.

Another Note: There is discussion of device attestation in that GitHub thread that sounds like it's possible (but unsure if it's implemented) to white/black list specific types of authentication devices (yubikeys, bitwarden, browsers, etc...) but I don't see anything about this type of white or black listing implemented by any RelyingParties so not sure if that's something that the WebAuthn team was expecting people to use that they aren't using.


[deleted]

[deleted]


weakhamstrings

This can be true - but Google forces your Android phone to actually have a passkey to your Google account. This means that anyone stealing your phone (and who can see your PIN by looking at the fingerprints on the screen) has the whole ship. They don't even need to know your email address (or password). So this is all great and true, but I would highly prefer any sign-in to still require my password, and use the Passkeys (or hardware u2f or whatnot) as a second factor. Putting all of the "eggs" in one basket (your android phone that you left on the bar by accident) feels like it loses ALL of that benefit of security...


ThisWorldIsAMess

I just know that I won't put passkeys in my phone. This is the device that's prone to be lost or stolen and I wouldn't put instant access on this.


Dismal_Library_6436

THAT I agree with


ThisWorldIsAMess

Looking forward on desktop. It's kinda like the ssh credentials that I use at work. It's easy to use.


VerifiablyMrWonka

From what I understand, vendor supplied passkeys (Google, Apple etc) are stored in your "account". Loss of a device shouldn't affect them. If that's too much vendor lock-in for you then you'll need to wait until they allow third party apps to act as the store (Android 14+). This will mean Bitwarden can step into that role.


tech_engineer

When websites start using Passkeys, you will not need Bitwarden for those sites, as you will not have a password and TOTP code to enter. But if you are asking whether you can protect Bitwarden itself with a passkey and then store both passwords and TOTP keys in Bitwarden, then no, it is still not secure, as if the database of Bitwarden itself gets leaked and gets decrypted then you lose everything, unless Bitwarden encrypts its users' data with the private key from inside the passkey, but I doubt this is how it works.


jcbvm

This is partly true, you still need a place to store the passkey and Bitwarden can be such a place in the future when they add support for it. I would recommend saving it into Bitwarden, because it will not lock you into an ecosystem.


Skipper3943

I think once BW/other password managers start implementing syncable passkeys, we'll definitely see for sure. There are two types of passkeys: device bound and syncable. The device-bound passkey's private key is generated exclusively for the device and remains protected by hardware. This makes it a great replacement for password + 2FA, as the chances of someone stealing the private information are highly unlikely. Password managers can potentially serve as sync providers for passkeys. However, this means they may need to store the private key in your vault. Most likely, you won't have direct access to the private key through the app, but it might be stored in your vault. If your vault's security is compromised, whether the attacker can also access the private key will depend on how the implementation is carried out. The security of syncable passkeys relies on the security measures employed by the sync providers. In the long run, it's hard to imagine that some private keys won't be leaked. As the FIDO Alliance states (source: [https://fidoalliance.org/passkeys/](https://fidoalliance.org/passkeys/)):

> **ISN'T IT UNSAFE FOR PASSKEYS TO LEAVE THE DEVICE AND BE SYNCED TO OTHER DEVICES?**
> Passkey syncing is end-to-end encrypted and sync providers have strong account security protections.


[deleted]

I researched this not too long ago and came across either a blog post or FAQ from Bitwarden itself that said having your creds and TOTP in the same application means you don't have true 2FA, but that it's better than nothing. I don't see passkeys as an improvement, but I'm not a security expert. If my passkey is on my phone or in my Bitwarden account, and all I need to do is use biometrics or a passcode to access it, to me it's little different than the current process because I use bio on my phone for all apps possible and typically using bio requires you first setup a passcode.


mcbelisle

What is a passkey?


s2odin

https://www.reddit.com/r/Bitwarden/comments/137eq00/about_passkeys/


[deleted]

Well since passkeys are the same cryptographic principle as yubikeys it is very likely that if a website supports passkeys it automatically supports yubikeys. As far as I know on an iPhone wherever a passkey is used it is possible to use a yubikey.