[HN Gopher] Bitwarden adds support for passkeys
___________________________________________________________________
Bitwarden adds support for passkeys
Author : edsimpson
Score : 146 points
Date : 2023-11-01 17:51 UTC (5 hours ago)
| traviswt wrote:
| Bitwarden is underrated. Passwords run everything in our digital
| life. I will gladly take a UI compromise here and there for more
| trustworthiness.
| corytheboyd wrote:
| I don't even mind the UI honestly. It works. Some annoying UX
| here and there, but I can live with that. I happily pay for a
| subscription to support them.
| ramenmeal wrote:
| I moved over from Lastpass, I find the experience of filling
| in a password in Bitwarden more jarring/slow than in
| Lastpass. I'm not sure what it is, maybe Lastpass had longer
| timeouts to require FaceID when filling a password? Bitwarden
| requires it every time.
| barbazoo wrote:
| Can you compare to 1Password?
| ramenmeal wrote:
| sorry, no experience with 1password
| lucideer wrote:
| > _Bitwarden requires it every time._
|
| This is configurable - not sure what the default is but
| every time does sound annoying.
| gregschlom wrote:
| This is configurable in the settings. The default timeout
| is indeed too low and very annoying, but you can set it up
| to 4h I believe.
| giarc wrote:
| My biggest peeve is that if you search for a password and you
| happen to be in the "Card" category for example, it will
| return 0 results. A good alternative would be to show No
| Results for the category you are in, but then provide results
| for other categories below.
| corytheboyd wrote:
| Yeah that gets me somewhat frequently too, and second the
| request you have.
|
| Another silly one is adding custom fields, you can't change
| the type between visible/hidden once it's created, so if
| you mess up, you have to delete the custom field and add it
| with the desired visibility. Ughhh
| kwanbix wrote:
| I pay for family, and I like it. The only thing I don't like is
| that 50% of the time it would not recognize that I created a
| new user/pass combination.
| lucideer wrote:
| Bitwarden's UI is far from perfect but I find it better than
| any competitors I've tried (LP & 1Pass).
|
| 1Password _feels_ cleaner, more integrated & polished but in
| practice the UX is inferior to BW - most regular actions take
| more clicks & discoverability is lower. And the password
| generator is even worse than LP's.
|
| Lastpass UI is well known to be poor - Bitwarden's is far less
| bad by every metric.
|
| Bitwarden's not perfect but what's significantly better UI-
| wise?
| throwaway447 wrote:
| Nothing beats www.enpass.io but they charge now. I still ran
| the free version (free version not available for download
| anymore).
| tssva wrote:
| I find Enpass to be great for personal use at least. I've
| never tried it for business use. Luckily I paid for it when
| the Android app was $6.95 and got you lifetime usage on all
| platforms. They recently added passkey support.
| throwaway447 wrote:
| I never installed it on Android. I use it only on my
| computer. But I use it also a lot as an organizer since
| it is so flexible. Has also my ID scans, Degree scans
| etc.
| bmurphy1976 wrote:
| I can't speak for the other password managers, but I find
| Bitwarden's organization management to be pretty terrible. As
| a personal password manager it's pretty good, but as an
| organization password manager, not so much.
| mey wrote:
| Having to manually type a folder path to create nested
| folders is horribly archaic.
|
| / Paying Bitwarden user
| RamRodification wrote:
| I think they fixed that. Can't verify at the moment.
| sph wrote:
| And with the Premium upgrade at only $10 a _year_ , it's
| outstanding. I wouldn't mind paying 10x that.
|
| I introduced it at work to manage all our company credentials,
| and loved the fact that all users also get free premium for
| their personal account.
| razemio wrote:
| Why is it underrated? In my personal bubble everyone is using
| it. Most of them self-hosted. My whole family and some friends
| use my instance. Besides pass (low non tech approval factor)
| there is nothing that comes close.
| breakfastduck wrote:
| Tends to be used by a tech audience, it's nowhere near as
| widely adopted as e.g. last pass for normal consumers.
| carstenhag wrote:
| I have to use bitwarden at my company laptop and don't enjoy it
| at all. Weird UX with unlocking the vault via touch id on a Mac
| (this is literally the most common UI interaction, please make
| it nice). On top of that, weird rare syncs/bugs, but this could
| also be coming from my employer.
| treve wrote:
| I feel I may have made a mistake going all in on keepassxc. Been
| looking for something without a subscription and ideally open
| source. Keepassxc looks like it has a much nicer UI.
| mksybr wrote:
| KeepassXC will have passkey support soon:
| https://github.com/keepassxreboot/keepassxc/issues/1870
|
| Don't get FOMO; both seem to support export and import, and
| they seem to be compatible formats, but you may need to lightly
| modify the CSV from Bitwarden.
| TheChaplain wrote:
| Very cool, thanks for the tip. I use KeePassXC together with
| Syncthing, so now I just need a compatible android client.
| mksybr wrote:
| I recommend KeepassDX.
|
| https://f-droid.org/en/packages/com.kunzisoft.keepass.libre/
| renewiltord wrote:
| Great news. This is my favourite (and now only) password manager.
| sigio wrote:
| Looks like the new version isn't approved for the firefox addons
| repository just yet... So haven't been able to try it out, but
| very happy with bitwarden (self-hosting a server using
| vaultwarden)
| dhd415 wrote:
| Doesn't appear to be available yet for Chrome in the Chrome Web
| Store or for Android in the Google Play Store, either. :(
| andix wrote:
| Looks like it's not really released yet. I still have 2023.9.x
| everywhere, and 2023.10 is the version with passkey support.
| gingerlime wrote:
| perhaps a better link? https://bitwarden.com/help/storing-passkeys/
|
| Not sure if passkeys are supported on iOS or Android (only the
| browser extension is explicitly mentioned) and also they cannot
| be imported or exported according to the page.
| josteink wrote:
| I may be stupid, but I just can't get this to work. I've tried in
| both Safari and Chrome.
|
| Anyone have any luck so far?
| andix wrote:
| No, I didn't get the update yet (Firefox, Chrome, iOS).
| Everything is still at 2023.9 and 2023.10 is the version with
| passkey support.
| Spunkie wrote:
| One of the benefits we saw moving from lastpass to bitwarden is
| it allows us to much more easily reduce duplicate entries for the
| same site/account.
|
| So it's pretty annoying to see in the docs for this passkey
| feature that they just expect you to make a duplicate bitwarden
| entry for every additional passkey you need to add to an account.
| Especially when it's standard to register a backup key for any
| service that uses passkeys.
| Ajedi32 wrote:
| What would be the purpose of having multiple passkeys for the
| same account stored in the same BitWarden vault? You're going
| to have a backup key and store it in the exact same place as
| the primary key?
| wkat4242 wrote:
| The idea of passkeys is that they can be synced so you don't
| lose them when you lose a device. So there's a lot less need
| to have two
| artdigital wrote:
| > Especially when it's standard to register a backup key for
| any service that uses passkeys.
|
| I've never heard of this for Passkeys, only for hardware keys.
|
| Passkeys are meant to be something "that you have", similar to
| one hardware key, why would you want to store 2 within the same
| password manager? What would that give you?
| deutschepost wrote:
| One of the nicest things about bitwarden is the ability to
| selfhost it. I don't think there is anything like it.
|
| 1password seems to have the best UX in the field. But you always
| have to trust some company with the keys to your digital life.
|
| Self hosting password managers is not as big of a deal as it
| should be.
| Axsuul wrote:
| Do you get the same features self-hosting as you do paying for
| their cloud offering?
| robertjglick wrote:
| Some features require paying. For example: TOTP. But if you
| want just for passwords it is free.
| ghosty141 wrote:
| You can use vaultwarden and get everything for free
| artdigital wrote:
| You're not really "trusting a company with the keys to your
| digital life".
|
| The vault is encrypted with a password that never gets
| transmitted, and even if your password and vault gets stolen,
| without the additional "secret key" that also never leaves your
| device (and you should probably print and store somewhere
| safe), an attacker won't be able to do much with it.
|
| The inclusion of an additional secret key makes a huge
| difference in this setup. But yes, it would be much nicer if I
| could use my own sync store like in the past... (looking at
| EnPass currently which also has a secret key setup and own sync
| store)
| noname120 wrote:
| You realize that trust is not just about privacy the day your
| vault disappears from all your devices with no option
| whatsoever for recovery[1].
|
| [1] https://1password.community/discussion/120403/delete-family-...
| quaffapint wrote:
| So it's browser extension only? I can't use the android app to
| login with a passkey I stored from my desktop browser? Hopefully
| they'll add that support soon enough, because password access on
| my mobile is a big pain point.
| aborsy wrote:
| Does the code in Vaultwarden mimic the code in the self hosted
| version of Bitwarden?
|
| Or a code audit in Bitwarden has no bearing on vaultwarden?
| figmert wrote:
| Vaultwarden is unaffiliated with Bitwarden. Vaultwarden is a
| hobbyist re-implementation of the Bitwarden server API.
| Anything the frontends (extensions, web ui, apps, etc) need to
| function properly, would need to be re-implemented in
| Vaultwarden.
| andix wrote:
| In theory the Bitwarden server (and Vaultwarden) shouldn't have
| any access to the passwords, so a data breach of the server
| should never disclose any contents of the vault. Vaultwarden
| "feels" safe to me, but I would also be interested if there is
| some possibility it could introduce some degraded security
| compared to the official Bitwarden server.
|
| My Vaultwarden instance is "hidden" on a subdomain that
| probably nobody would ever guess (or scan for), so at least
| there is some added security by obscurity. If someone would
| know my credentials and master password, they probably won't
| find where to use them. In this case the reverse proxy in front
| of it also serves other content, just by hitting the IP nobody
| would ever know there is a Vaultwarden running on this server.
|
| Edit: the subdomain is behind a wildcard DNS, so it's also not
| listed in the zone file. Although it will show in DNS logs of
| the ISP when I'm using it.
| aborsy wrote:
| Good point actually, the passwords are encrypted with
| official Bitwarden client apps.
| BOOSTERHIDROGEN wrote:
| How do you hide a subdomain?
| mnahkies wrote:
| What's the story with passkeys and broken/lost devices?
|
| I'm a bit out of touch here, and I assume adding support to
| password managers like Bitwarden mitigates this risk similar to
| using them to store MFA seeds, or apps like authy over Google
| authenticator
| Mandatum wrote:
| You can still have a password, but think of it as a backup. Or
| you rely solely on the lost password process to reaccess your
| account.
| yonixw wrote:
| From the FAQ [1]:
|
| > Q: Are stored passkeys included in Bitwarden imports and
| exports?
|
| > A: Passkeys are not included in imports and exports.
|
| I think it's the same for iCloud [2]. That is why I don't love
| it. I prefer a very long password, and Bitwarden "Device login"
| that will prompt in my iPhone that will require FaceID (So
| essentially I have bio login). And 2FA to lower hacking chances.
| I'm aware I'm still vulnerable to phishing but because there is
| no export, this is a marriage to Bitwarden. And as much as I love
| them... I'm not ready yet.
|
| But essentially it's a certificate... so I wonder why no private
| key export? Maybe because current implementation uses some CA
| that binds you to the issuer?
|
| [1] https://bitwarden.com/help/storing-passkeys/
|
| [2] https://redd.it/143acl5
| emptysongglass wrote:
| Is this true for all of the incumbent password managers? If so,
| it seems like the worst of software lock-in.
| camkego wrote:
| It does seem like a real "lock-in" move.
| eviks wrote:
| what's the phishing risk if bitwarden autofills only on the
| correct domains stored in the vault?
| vorpalhex wrote:
| Mobile apps, slightly tweaky domain names (which happens
| normally), much less fancy xss type attacks, plus general
| data exfil.
| eviks wrote:
| Mobile BW app also wouldn't fill a password for a different
| domain
| josteink wrote:
| > what's the phishing risk if bitwarden autofills only on the
| correct domains stored in the vault?
|
| The whole point of passkeys is that they should be tied to a
| specific domain, and thus be non-phishable.
|
| If Bitwarden allows reuse for different domains, that would
| be (as I understand it) a violation of the spec and a bug in
| their implementation.
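As an added illustration (not code from the thread, Bitwarden or the WebAuthn spec), a compact model of the domain binding discussed above: the passkey provider signs over a hash of the relying party ID and a clientDataJSON carrying the origin it actually saw, and the site rejects any assertion whose RP ID hash, origin or challenge is not its own. Domain names and the challenge string are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Assertion struct {
	AuthenticatorData []byte // SHA-256(rpId) || flags || counter, as WebAuthn lays it out
	ClientDataJSON    []byte // carries the origin the browser actually saw
	Signature         []byte // ECDSA P-256 over authenticatorData || SHA-256(clientDataJSON)
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// newPasskey creates the per-site key pair that a provider such as a vault stores.
func newPasskey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign plays the passkey provider: rpID and origin come from the page that asks, not from the user.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256([]byte(rpID))
	ad := append(append(h[:], 0x05), 0, 0, 0, 1) // flags UP|UV, then signature counter 1 (big-endian)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...)) // what WebAuthn signs
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{AuthenticatorData: ad, ClientDataJSON: cd, Signature: sig}, err
}

// verify plays the relying party: challenge, origin and RP ID hash are checked before the signature.
func verify(pub *ecdsa.PublicKey, a Assertion, rpID, origin, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return fmt.Errorf("clientData mismatch: type=%q challenge=%q origin=%q", cd.Type, cd.Challenge, cd.Origin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(want[:]) {
		return fmt.Errorf("assertion was made for a different RP ID, not %q", rpID)
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	priv, _ := newPasskey()
	// Constructed look-alike domain: the assertion carries examp1e.com, so example.com rejects it.
	a, _ := sign(priv, "examp1e.com", "https://examp1e.com", "c0nstructed-challenge")
	fmt.Println(verify(&priv.PublicKey, a, "example.com", "https://example.com", "c0nstructed-challenge"))
}
```

A real provider would not even offer this credential on another RP ID; the relying-party check is the second layer, and it is why syncing the private key between devices does not weaken the domain binding.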
| eviks wrote:
| The question was about the password alternative the op was
| describing
| imran-iq wrote:
| That's really a shame, I know keepassxc has (recently) added
| support for passkeys, but does it also support import/exporting
| them? I only found this comment[0] in the github issue.
|
| EDIT: According to the pr[1] it does support import/export
|
| ---
|
| 0:
| https://github.com/keepassxreboot/keepassxc/issues/1870#issu...
|
| 1: https://github.com/keepassxreboot/keepassxc/pull/8825
| jerf wrote:
| I hope they get over that. It's a blob of data. It's no more
| special than a TOTP secret or a conventional password, and I am
| completely uninterested in pretending otherwise because of a
| slick marketing campaign. It's a "thing I know" whether anybody
| likes it or not and you can't turn it into a "thing I have"
| just because you won't let me export it from this particular
| software. (Proof that it is a "thing I know": It fits into
| Bitwarden, which is a "thing I know" storage mechanism.
| Anything that can be stored by BitWarden is a thing-I-know.) As
| long as it's a thing I know you might as well give me the
| benefits of being a thing I know, since I'm paying the costs of
| it anyhow.
|
| I back up at the Vaultwarden backend store level anyhow.
| Probably shouldn't give me that sort of advantage over the
| commercial option.
| SheinhardtWigCo wrote:
| It is special - it should be a reference to an asymmetric key
| stored in hardware. But it's not clear whether they are
| actually doing this.
| SV_BubbleTime wrote:
| If it is just a pointer a hardware, even more reason to let
| you export it.
| ryan29 wrote:
| Some snippets from the FAQ [1].
|
| > The public key is stored on the website and the private
| key is stored on your device or in your passkey provider,
| e.g. your Bitwarden Vault.
|
| > Passkeys are often able to sync across your devices,
| however not all platforms support this yet.
|
| So it sounds like it's not stored in hardware. It'll be
| interesting to see how it works if solutions that use a TPM
| or similar start to emerge. I have nearly 1000 passwords
| and many of them are shared with colleagues, parents,
| siblings, etc.. I can't even imagine a way you could make
| that work if the private key is owned by a TPM (aka a
| hardware bound key) and needs to be enrolled somehow prior
| to becoming usable.
|
| What happens if I have 500 passkeys backed by keys in a TPM
| and I get a new computer?
|
| 1. https://bitwarden.com/resources/passkeys-faq/
| tw04 wrote:
| > What happens if I have 500 passkeys backed by keys in a
| TPM and I get a new computer?
|
| In theory the same thing that happens today with a
| yubikey - you have multiple devices with valid keys.
| Racing0461 wrote:
| Agreed. Unless it's stored in a TPM module or on an actual
| piece of hardware like a yubikey, no amount of software
| (especially a browser plugin written in javascript let alone
| low level drivers for an OS) can turn a "thing i know" into a
| "thing i have".
| SheinhardtWigCo wrote:
| You're not really vulnerable to phishing if you use a password
| manager with a browser extension.
|
| Cross-platform import/export for passkeys is considered a
| "nice-to-have" because you can always just add a new device via
| other established factors (email/SMS).
|
| So, what's the point, then? Why can't passkeys just be strings
| that I can extract via biometric authentication?
|
| The answer: everyone pushing this has a significant interest in
| making it harder to migrate between operating systems and
| password managers.
|
| It's a land grab.
| jiveturkey wrote:
| https://matduggan.com/passkeys-as-a-tool-for-user-retention/
|
| > It is also, as currently implemented, one of the most
| effective platform lock-ins I've ever seen.
| Racing0461 wrote:
| +1. Lastpass was the love child until they got sold and sold
| out. I switched over to bitwarden but after being burned,
| keeping it basic with no lock in for now.
| noname120 wrote:
| In which way did you get burned while using Bitwarden?
| rstuart4133 wrote:
| > But essentially it's a certificate...
|
| I'll put upfront that I'm no expert in any of this, but ...
| unlike passwords and certificates, attestation is a thing for
| passkeys. The thing being attested to is "the private key of
| this cert is being secured by X". X might be YubiKey in the
| case of a FIDO2 key, or Google or Apple in the case of
| passkeys.
|
| This aspect of passkeys made me uncomfortable with them. If
| Google is going to attest they manage your passkey, then it
| follows they aren't giving a copy to anybody, including you.
| That means if you lose your Google account you've lost control
| of your ID. But note: that's control, not the keys themselves.
| You probably will have a copy of them on a phone, so you can
| still use them until that phone dies. But when it does you're
| in a world of pain because you can't backup / transfer / copy
| them - only Google can do that. In effect you don't own your
| Google passkey - Google does.
|
| I don't know if Bitwarden does attestation now, or if they are
| planning to implement it in the future. But if either of those
| things are true they can't give you a copy of the key, ever.
|
| This still makes me uncomfortable. But I can see why it is so.
| You and I may be capable of protecting a private key, but my
| mother and 99% of the rest of the planet aren't. Your bank or
| whoever trusting me on my say so isn't going to work, so the
| end result of us never being able to manage our own keys is
| inevitable. We have to put them in the hands of a 3rd party the
| bank or whoever can trust.
|
| And it is ameliorated by another aspect of FIDO2 / passkeys:
| unlike passwords where you can only have one per site, sites
| are expected to support many FIDO2 keys for the same person.
| And, you are expected to keep several of them and authenticate
| each of them at every site you use. So you might have a Google
| one, and a Bitwarden one, and maybe even a Keypass one. If you
| did, you'd solve the "Google owns my ID" problem, but it's such a
| pain in the arse to do I don't see it happening.
|
| We've seen several iterations of this concept: FIDO,
| WebAuthn/FIDO2, and now passkeys. I'd like to see one more:
| some way of bundling up a whole pile of passkeys from different
| providers, so when I establish a new account on a web site, I
| register all of them. That would make maintaining a bunch of
| PassKeys trackable. Right now, the reality is bugger all people
| are going to do it. And as a consequence, a good chunk of the
| planet is going to end up with Apple / Google / whoever owning
| their identities. And of course some of them are going to lose
| their relationship they had with their ID manager, and wake up
| one day to discover themselves wiped from the digital planet.
| wkat4242 wrote:
| I hate attestation with a passion. But luckily Apple has not
| implemented it and nobody wants to lock all Apple users out.
| So at least right now it's not a thing in practice.
| wkat4242 wrote:
| But. If you run your own vaultwarden there must be a way to
| export it.
___________________________________________________________________