Bitwarden offers users the ability to log in with passkeys. Password Manager is the next application to ditch passwords.

Bitwarden has been setting up the passkey system for a year. Bitwarden announces the wide availability in a blog. Password manager users no longer need a master password to access their vault, but rather log in with a created password key.

You can register up to five passkeys in Bitwarden. You can create this via the settings. The passkeys themselves are stored on a device or a physical passkey like Yubikey. The company shares a video on Vimeo that explains step by step how to create and use passkeys in the password manager.

PRF

For a password manager like Bitwarden, security is of course the number one priority. The underlying system is the PRF WebAuthn extension. Most FIDO2 implementations generate a random sequence of numbers and characters on each login attempt, which is not shared with the web application. Bitwarden needs to approach this differently as the password vault is end-to-end encrypted.

PRF therefore creates a passkey for two purposes: on the one hand to identify you, on the other hand the key also contains an encryption key to decrypt data. The encryption key consists of a unique, constant value. “This technology derives an encryption key from a passkey associated with a specific site, which can then be used to reliably encrypt and decrypt data,” Bitwarden explains in the blog.

Since Bitwarden is based on PFR, the use of passkeys is currently limited to browsers that support the extension, primarily Chromium-based web browsers. In the future, Bitwarden would like to provide passkeys for all possible browsers. If you don’t yet have access to passkeys, you’ll have to make do with a master password and 2FA for the time being.

What key?

For those who have never heard of the term “passkeys,” this new login method should eventually make passwords obsolete. A passkey can consist of a PIN code, but also your fingerprint or facial recognition. Passkeys are not stored on the web administrators’ servers, but on a physical device. More and more web applications support the system, including Google and WhatsApp.