[HN Gopher] Bitwarden adds support for passkeys
___________________________________________________________________
Bitwarden adds support for passkeys
Author : edsimpson
Score  : 146 points
Date   : 2023-11-01 17:51 UTC (5 hours ago)
(HTM) web link (bitwarden.com)
(TXT) w3m dump (bitwarden.com)

| traviswt wrote:
| Bitwarden is underrated. Passwords run everything in our digital life. I will gladly take a UI compromise here and there for more trustworthiness.

| corytheboyd wrote:
| I don't even mind the UI honestly. It works. Some annoying UX here and there, but I can live with that. I happily pay for a subscription to support them.

| ramenmeal wrote:
| I moved over from Lastpass, I find the experience of filling in a password in Bitwarden more jarring/slow than in Lastpass. I'm not sure what it is, maybe Lastpass had longer timeouts to require FaceID when filling a password? Bitwarden requires it every time.

| barbazoo wrote:
| Can you compare to 1Password?

| ramenmeal wrote:
| sorry, no experience with 1password

| lucideer wrote:
| > _Bitwarden requires it every time._
|
| This is configurable - not sure what the default is but every time does sound annoying.

| gregschlom wrote:
| This is configurable in the settings. The default timeout is indeed too low and very annoying, but you can set it up to 4h I believe.

| giarc wrote:
| My biggest peeve is that if you search for a password and you happen to be in the "Card" category for example, it will return 0 results. A good alternative would be to show No Results for the category you are in, but then provide results for other categories below.

| corytheboyd wrote:
| Yeah that gets me somewhat frequently too, and second the request you have.
|
| Another silly one is adding custom fields, you can't change the type between visible/hidden once it's created, so if you mess up, you have to delete the custom field and add it with the desired visibility.
| Ughhh

| kwanbix wrote:
| I pay for family, and I like it. The only thing I don't like is that 50% of the time it would not recognize that I created a new user/pass combination.

| lucideer wrote:
| Bitwarden's UI is far from perfect but I find it better than any competitors I've tried (LP & 1Pass).
|
| 1Password _feels_ cleaner, more integrated & polished but in practice the UX is inferior to BW - most regular actions take more clicks & discoverability is lower. And the password generator is even worse than LP's.
|
| Lastpass UI is well known to be poor - Bitwarden's is far less worse by every metric.
|
| Bitwarden's not perfect but what's significantly better UI-wise?

| throwaway447 wrote:
| Nothing beats www.enpass.io but they charge now. I still ran the free version (free version not available for download anymore).

| tssva wrote:
| I find Enpass to be great for personal use at least. I've never tried it for business use. Luckily I paid for it when the Android app was $6.95 and got you lifetime usage on all platforms. They recently added passkey support.

| throwaway447 wrote:
| I never installed it on Android. I use it only on my computer. But I use it also a lot as an organizer since it is so flexible. Has also my ID scans, Degree scans etc.

| bmurphy1976 wrote:
| I can't speak for the other password managers, but I find Bitwarden's organization management to be pretty terrible. As a personal password manager it's pretty good, but as an organization password manager, not so much.

| mey wrote:
| Having to manually type a folder path to create nested folders is horribly archaic.
|
| / Paying Bitwarden user

| RamRodification wrote:
| I think they fixed that. Can't verify at the moment.

| sph wrote:
| And with the Premium upgrade at only $10 a _year_, it's outstanding. I wouldn't mind paying 10x that.
|
| I introduced it at work to manage all our company credentials, and loved the fact that all users also get free premium for their personal account.

| razemio wrote:
| Why is it underrated? In my personal bubble everyone is using it. Most of them self-hosted. My whole family and some friends use my instance. Besides pass (low non-tech approval factor) there is nothing that comes close.

| breakfastduck wrote:
| Tends to be used by a tech audience, it's nowhere near as widely adopted as e.g. last pass for normal consumers.

| carstenhag wrote:
| I have to use bitwarden at my company laptop and don't enjoy it at all. Weird UX with unlocking the vault via touch id on a Mac (this is literally the most common UI interaction, please make it nice). On top of that, weird rare syncs/bugs, but this could also be coming from my employer.

| treve wrote:
| I feel I may have made a mistake going all in on keepasscx. Been looking for something without a subscription and ideally open source. Keepassxc looks like it has a much nicer UI.

| mksybr wrote:
| KeepassXC will have passkey support soon: https://github.com/keepassxreboot/keepassxc/issues/1870
|
| Don't get FOMO; both seem to support export and import, and they seem to be compatible formats, but you may need to lightly modify the CSV from Bitwarden.

| TheChaplain wrote:
| Very cool, thanks for the tip. I use KeePassXC together with Syncthing, so now I just need a compatible android client.

| mksybr wrote:
| I recommend KeepassDX.
|
| https://f-droid.org/en/packages/com.kunzisoft.keepass.libre/

| renewiltord wrote:
| Great news. This is my favourite (and now only) password manager.

| sigio wrote:
| Looks like the new version isn't approved for the firefox addons repository just yet...
| So haven't been able to try it out, but very happy with bitwarden (self-hosting a server using vaultwarden)

| dhd415 wrote:
| Doesn't appear to be available yet for Chrome in the Chrome Web Store or for Android in the Google Play Store, either. :(

| andix wrote:
| Looks like it's not really released yet. I still have 2023.9.x everywhere, and 2023.10 is the version with passkey support.

| gingerlime wrote:
| perhaps a better link? https://bitwarden.com/help/storing-passkeys/
|
| Not sure if passkeys are supported on iOS or Android (only the browser extension is explicitly mentioned) and also they cannot be imported or exported according to the page.

| josteink wrote:
| I may be stupid, but I just can't get this to work. I've tried in both Safari and Chrome.
|
| Anyone have any luck so far?

| andix wrote:
| No, I didn't get the update yet (Firefox, Chrome, iOS). Everything is still at 2023.9 and 2023.10 is the version with passkey support.

| Spunkie wrote:
| One of the benefits we saw moving from lastpass to bitwarden is it allows us to much more easily reduce duplicate entries for the same site/account.
|
| So it's pretty annoying to see in the docs for this passkey feature that they just expect you to make a duplicate bitwarden entry for every additional passkey you need to add to an account. Especially when it's standard to register a backup key for any service that uses passkeys.

| Ajedi32 wrote:
| What would be the purpose of having multiple passkeys for the same account stored in the same BitWarden vault? You're going to have a backup key and store it in the exact same place as the primary key?

| wkat4242 wrote:
| The idea of passkeys is that they can be synced so you don't lose them when you lose a device. So there's a lot less need to have two

| artdigital wrote:
| > Especially when it's standard to register a backup key for any service that uses passkeys.
|
| I've never heard of this for Passkeys, only for hardware keys.
|
| Passkeys are meant to be something "that you have", similar to one hardware key, why would you want to store 2 within the same password manager? What would that give you?

| deutschepost wrote:
| One of the nicest things about bitwarden is the ability to selfhost it. I don't think there is anything like it.
|
| 1password seems to have the best UX in the field. But you always have to trust some company with the keys to your digital life.
|
| Self hosting password managers is not as big of a deal as it should be.

| Axsuul wrote:
| Do you get the same features self-hosting as you do paying for their cloud offering?

| robertjglick wrote:
| Some features require paying. For example: TOTP. But if you want just for passwords it is free.

| ghosty141 wrote:
| You can use vaultwarden and get everything for free

| artdigital wrote:
| You're not really "trusting a company with the keys to your digital life".
|
| The vault is encrypted with a password that never gets transmitted, and even if your password and vault gets stolen, without the additional "secret key" that also never leaves your device (and you should probably print and store somewhere safe), an attacker won't be able to do much with it.
|
| The inclusion of an additional secret key makes a huge difference in this setup. But yes, it would be much nicer if I could use my own sync store like in the past... (looking at EnPass currently which also has a secret key setup and own sync store)

| noname120 wrote:
| You realize that trust is not just about privacy the day your vault disappears from all your devices with no option whatsoever for recovery[1].
|
| [1] https://1password.community/discussion/120403/delete-family-...

| quaffapint wrote:
| So it's browser extension only? I can't use the android app to login with a passkey I stored from my desktop browser?
| Hopefully they'll add that support soon enough, because password access on my mobile is a big pain point.

| aborsy wrote:
| Does the code in Vaultwarden mimic the code in the self hosted version of Bitwarden?
|
| Or a code audit in Bitwarden has no bearing on vaultwarden?

| figmert wrote:
| Vaultwarden is unaffiliated with Bitwarden. Vaultwarden is a hobbyist re-implementation of the Bitwarden server API. Anything the frontends (extensions, web ui, apps, etc) need to function properly would need to be re-implemented in Vaultwarden.

| andix wrote:
| In theory the Bitwarden server (and Vaultwarden) shouldn't have any access to the passwords, so a data breach of the server should never disclose any contents of the vault. Vaultwarden "feels" safe to me, but I would also be interested if there is some possibility it could introduce some degraded security compared to the official Bitwarden server.
|
| My Vaultwarden instance is "hidden" on a subdomain that probably nobody would ever guess (or scan for), so at least there is some added security by obscurity. If someone would know my credentials and master password, they probably won't find where to use them. In this case the reverse proxy in front of it also serves other content, just by hitting the IP nobody would ever know there is a Vaultwarden running on this server.
|
| Edit: the subdomain is behind a wildcard DNS, so it's also not listed in the zone file. Although it will show in DNS logs of the ISP when I'm using it.

| aborsy wrote:
| Good point actually, the passwords are encrypted with official Bitwarden client apps.

| BOOSTERHIDROGEN wrote:
| How do you hide subdomain?

| mnahkies wrote:
| What's the story with passkeys and broken/lost devices?
|
| I'm a bit out of touch here, and I assume adding support to password managers like bitwarden mitigates this risk similar to using them to store MFA seeds, or apps like authy over Google authenticator

| Mandatum wrote:
| You can still have a password, but think of it as a backup. Or you rely solely on the lost password process to reaccess your account.

| yonixw wrote:
| From the FAQ [1]:
|
| > Q: Are stored passkeys included in Bitwarden imports and exports?
|
| > A: Passkeys are not included in imports and exports.
|
| I think it's the same for iCloud [2]. That is why I don't love it. I prefer a very long password, and Bitwarden "Device login" that will prompt in my iPhone that will require FaceID (So essentially I have bio login). And 2FA to lower hacking chances. I'm aware I'm still vulnerable to phishing but because there is no export, this is a marriage to Bitwarden. And as much as I love them... I'm not ready yet.
|
| But essentially it's a certificate... so I wonder why no private key export? Maybe because current implementation uses some CA that binds you to the issuer?
|
| [1] https://bitwarden.com/help/storing-passkeys/
|
| [2] https://redd.it/143acl5

| emptysongglass wrote:
| Is this true for all of the incumbent password managers? If so, it seems like the worst of software lock-in.

| camkego wrote:
| It does seem like a real "lock-in" move.

| eviks wrote:
| what's the phishing risk if bitwarden autofills only on the correct domains stored in the vault?

| vorpalhex wrote:
| Mobile apps, slightly tweaky domain names (which happens normally), much less fancy xss type attacks, plus general data exfil.

| eviks wrote:
| Mobile BW app also wouldn't fill a password for a different domain

| josteink wrote:
| > what's the phishing risk if bitwarden autofills only on the correct domains stored in the vault?
|
| The whole point of passkeys is that they should be tied to a specific domain, and thus be non-phishable.
|
| If Bitwarden allows reuse for different domains, that would be (as I understand it) a violation of the spec and a bug in their implementation.

| eviks wrote:
| The question was about the password alternative the op was describing

| imran-iq wrote:
| That's really a shame, I know keepassxc has (recently) added support for passkeys, but does it also support import/exporting them? I only found this comment[0] in the github issue.
|
| EDIT: According to the pr[1] it does support import/export
|
| ---
|
| 0: https://github.com/keepassxreboot/keepassxc/issues/1870#issu...
|
| 1: https://github.com/keepassxreboot/keepassxc/pull/8825

| jerf wrote:
| I hope they get over that. It's a blob of data. It's no more special than a TOTP secret or a conventional password, and I am completely uninterested in pretending otherwise because of a slick marketing campaign. It's a "thing I know" whether anybody likes it or not and you can't turn it into a "thing I have" just because you won't let me export it from this particular software. (Proof that it is a "thing I know": It fits into Bitwarden, which is a "thing I know" storage mechanism. Anything that can be stored by BitWarden is a thing-I-know.) As long as it's a thing I know you might as well give me the benefits of being a thing I know, since I'm paying the costs of it anyhow.
|
| I back up at the Vaultwarden backend store level anyhow. Probably shouldn't give me that sort of advantage over the commercial option.

| SheinhardtWigCo wrote:
| It is special - it should be a reference to an asymmetric key stored in hardware. But it's not clear whether they are actually doing this.

| SV_BubbleTime wrote:
| If it is just a pointer to hardware, even more reason to let you export it.

| ryan29 wrote:
| Some snippets from the FAQ [1].
|
| > The public key is stored on the website and the private key is stored on your device or in your passkey provider, e.g. your Bitwarden Vault.
|
| > Passkeys are often able to sync across your devices, however not all platforms support this yet.
|
| So it sounds like it's not stored in hardware. It'll be interesting to see how it works if solutions that use a TPM or similar start to emerge. I have nearly 1000 passwords and many of them are shared with colleagues, parents, siblings, etc.. I can't even imagine a way you could make that work if the private key is owned by a TPM (aka a hardware bound key) and needs to be enrolled somehow prior to becoming usable.
|
| What happens if I have 500 passkeys backed by keys in a TPM and I get a new computer?
|
| 1. https://bitwarden.com/resources/passkeys-faq/

| tw04 wrote:
| > What happens if I have 500 passkeys backed by keys in a TPM and I get a new computer?
|
| In theory the same thing that happens today with a yubikey - you have multiple devices with valid keys.

| Racing0461 wrote:
| Agreed. Unless it's stored in a tpm module or on an actual piece of hardware like a yubikey, no amount of software (especially a browser plugin written in javascript let alone low level drivers for an OS) can turn a "thing i know" into a "thing i have".

| SheinhardtWigCo wrote:
| You're not really vulnerable to phishing if you use a password manager with a browser extension.
|
| Cross-platform import/export for passkeys is considered a "nice-to-have" because you can always just add a new device via other established factors (email/SMS).
|
| So, what's the point, then? Why can't passkeys just be strings that I can extract via biometric authentication?
|
| The answer: everyone pushing this has a significant interest in making it harder to migrate between operating systems and password managers.
|
| It's a land grab.

| jiveturkey wrote:
| https://matduggan.com/passkeys-as-a-tool-for-user-retention/
|
| > It is also, as currently implemented, one of the most effective platform lock-ins I've ever seen.

| Racing0461 wrote:
| +1.
| Lastpass was the love child until they got sold and sold out. I switched over to bitwarden but after being burned, keeping it basic with no lock in for now.

| noname120 wrote:
| In which way did you get burned while using Bitwarden?

| rstuart4133 wrote:
| > But essentially it's a certificate...
|
| I'll put upfront that I'm no expert in any of this, but ... unlike passwords and certificates, attestation is a thing for passkeys. The thing being attested to is "the private key of this cert is being secured by X". X might be YubiKey in the case of a FIDO2 key, or Google or Apple in the case of passkeys.
|
| This aspect of passkeys made me uncomfortable with them. If Google is going to attest they manage your passkey, then it follows they aren't giving a copy to anybody, including you. That means if you lose your Google account you've lost control of your ID. But note: that's control, not the keys themselves. You probably will have a copy of them on a phone, so you can still use them until that phone dies. But when it does you're in a world of pain because you can't backup / transfer / copy them - only Google can do that. In effect you don't own your Google passkey - Google does.
|
| I don't know if Bitwarden does attestation now, or if they are planning to implement it in the future. But if either of those things are true they can't give you a copy of the key, ever.
|
| This still makes me uncomfortable. But I can see why it is so. You and I may be capable of protecting a private key, but my mother and 99% of the rest of the planet aren't. Your bank or whoever trusting me on my say so isn't going to work, so the end result of us never being able to manage our own keys is inevitable. We have to put them in the hands of a 3rd party the bank or whoever can trust.
|
| And it is ameliorated by another aspect of FIDO2 / passkeys: unlike passwords where you can only have one per site, sites are expected to support many FIDO2 keys for the same person. And, you are expected to keep several of them and authenticate each of them at every site you use. So you might have a Google one, and a Bitwarden one, and maybe even a Keypass one. If you did, you'd solve the "Google owns my ID" problem, but it's such a pain in the arse to do I don't see it happening.
|
| We've seen several iterations of this concept: FIDO, WebAuthn/FIDO2, and now passkeys. I'd like to see one more: some way of bundling up a whole pile of passkeys from different providers, so when I establish a new account on a web site, I register all of them. That would make maintaining a bunch of PassKeys trackable. Right now, the reality is bugger all people are going to do it. And as a consequence, a good chunk of the planet is going to end up with Apple / Google / whoever owning their identities. And of course some of them are going to lose the relationship they had with their ID manager, and wake up one day to discover themselves wiped from the digital planet.

| wkat4242 wrote:
| I hate attestation with a passion. But luckily Apple has not implemented it and nobody wants to lock all Apple users out. So at least right now it's not a thing in practice.

| wkat4242 wrote:
| But. If you run your own vaultwarden there must be a way to export it.
___________________________________________________________________
(page generated 2023-11-01 23:00 UTC)