The open-source Bitwarden password manager has announced that all users can now log into their web vaults using a passkey instead of the standard username and password pairs.
Passkeys are the more secure alternative to the passwords that most people set up, and they are phishing resistant. In the case of Bitwarden, they let users decrypt their vault without needing the master password, an email address, or two-factor authentication (2FA).
PRF implementation
Bitwarden’s implementation of passkeys is currently in beta and relies on the PRF WebAuthn extension both to authenticate users and to derive the encryption key that decrypts data in the vault.
Ryan Luibrand, senior product marketing manager at Bitwarden, explains that end-to-end encrypted applications, such as Bitwarden, need to authenticate users as well as to securely encrypt and decrypt data.
The encryption process requires a static key, which can be derived from a password. A passkey, whose private key is never shared with the application, would instead produce a different value for each authentication.
To make accessing the vault more convenient without sacrificing security, Bitwarden used the PRF WebAuthn extension, which is a method that allows "deriving a unique, fixed value from a passkey."
The extension is an emerging standard that enables the creation of symmetric encryption keys from an authenticator, like a security key, when used with a compatible browser.
"This technology sources an encryption key from a passkey in relation to a particular site, which can then be used to reliably encrypt and decrypt data" - Bitwarden
When a user registers a passkey using a hardware security key, they enable Bitwarden to encrypt that user’s vault data using the associated encryption key.
Unlike hardware security modules (HSMs), the PRF extension does not store keys on the hardware; instead it generates keys from input data (a salt) supplied by the relying party (the website).
Because the key generation is deterministic, the same input always produces the same output, so a passkey can be reliably used to unlock the same online platform or service.
In a post published last summer, Bitwarden provides more details on its implementation of the PRF extension and how it works.
Setting up the passkeys
The Bitwarden team has created the following video to showcase how the new feature works on the platform and how users can create passkeys from the account settings menu.
During the beta phase, Bitwarden will allow users of all plans to set up a maximum of five passkeys for the web app.
The feature is currently available in Chromium-based browsers that support PRF WebAuthn, but there are plans to extend it to more clients in the future.
With passkeys that do not support the PRF WebAuthn extension, users can still authenticate without an email address or 2FA, but the Bitwarden master password is still needed for decryption.
Comments
h_b_s - 1 year ago
"Passkeys are the more secure alternative to the passwords"
Not if they're poorly implemented. It's a guarantee that if it can be screwed up, many deployments are going to do so. So far, if anyone gains access to the main account (Google, Apple, Microsoft) hosting the passkey, ALL of a user's passkeys are compromised with no recourse. If the host's authentication implementation is flawed, which, given today's manifest incompetence in web design and deployments across the board, is likely, that site's access tokens are also compromised regardless of whether they use passwords or passkeys. Randomized passwords for each website + MFA stored locally is practically more secure than any cloud-based, eggs-in-one-basket authentication approach. I don't buy that Google, MS, or Apple does not have access to those cloud stores any longer. Especially not after the Kaspersky Operation Triangulation revelation of a hardware backdoor in Apple products, which still exists and always will no matter what software bugs are closed that allowed some unauthorized TLA access.