Bitwarden adds passkey support to log into web password vaults

The open-source Bitwarden password manager has announced that all users can now log into their web vaults using a passkey instead of the standard username and password pairs.

Passkeys are a more secure, phishing-resistant alternative to the passwords most people rely on. In Bitwarden's case, a passkey lets users authenticate and decrypt their vault without entering the master password, an email address, or a two-factor authentication (2FA) code.

PRF implementation

Bitwarden's implementation of passkeys is currently in beta and relies on the PRF WebAuthn extension both to authenticate users and to obtain the encryption key needed to decrypt data in the vault.

Ryan Luibrand, senior product marketing manager at Bitwarden, explains that end-to-end encrypted applications such as Bitwarden must not only authenticate users but also securely encrypt and decrypt their data.

Encryption needs a stable key, which a password can provide through key derivation. A passkey's private key never leaves the authenticator and is never shared with the application, and each authentication produces a different signature, so a plain passkey cannot directly serve as an encryption key.

To make accessing the vault more convenient without sacrificing security, Bitwarden used the PRF WebAuthn extension, which is a method that allows “deriving a unique, fixed value from a passkey.”

The extension is an emerging standard that enables the creation of symmetric encryption keys from an authenticator, like a security key, when used with a compatible browser.

“This technology sources an encryption key from a passkey in relation to a particular site, which can then be used to reliably encrypt and decrypt data” – Bitwarden

When a user registers a passkey with a PRF-capable authenticator, such as a hardware security key, Bitwarden can use the value derived from that passkey to protect the encryption of that user's vault data.

Unlike a hardware security module (HSM), which stores a key and performs operations with it on request, the PRF extension never hands out a stored key. The authenticator instead computes the output from a per-credential secret it holds together with input data (a salt) supplied by the relying party (the website).

Because this computation is deterministic, the same passkey and the same salt always produce the same output, so a passkey can be reliably reused to unlock data for the same online platform or service.

“Using a passkey to log into Bitwarden accounts combines the passkey security with the zero knowledge, end-to-end encryption protection that Bitwarden delivers for users’ sensitive information and credentials.” – Bitwarden

In a post published last summer, Bitwarden provides more details on its implementation of the PRF extension and how it works.

Setting up the passkeys

The Bitwarden team has published a video showing how the new feature works on the platform and how users can create passkeys from the account settings menu.

During the beta phase, Bitwarden will allow users of all plans to set up a maximum of five passkeys for the web app.

The feature is currently available in Chromium-based browsers that support the PRF WebAuthn extension, and it also needs an authenticator that implements PRF; there are plans to extend it to more clients in the future.

With a passkey that does not support the PRF WebAuthn extension, users can still log in without an email or 2FA code, but the Bitwarden master password is still required to decrypt the vault.

Source: www.bleepingcomputer.com