228
Bitwarden begins adding passkey support to its password manager - The Verge
(www.theverge.com)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 02 Nov 2023
228 points (99.1% liked)
Android
17180 readers
305 users here now
The new home of /r/Android on Lemmy and the Fediverse!
Android news, reviews, tips, and discussions about rooting, tutorials, and apps.
🔗Universal Link: !android@lemdro.id
💡Content Philosophy:
Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.
Support, technical, or app related questions belong in: !askandroid@lemdro.id
For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id
📰Our communities below
Rules
-
Stay on topic: All posts should be related to the Android OS or ecosystem.
-
No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.
-
Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.
-
No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.
-
No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.
-
No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.
-
No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.
-
No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.
-
No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!
-
No affiliate links: Posting affiliate links is not allowed.
Quick Links
Our Communities
- !askandroid@lemdro.id
- !androidmemes@lemdro.id
- !techkit@lemdro.id
- !google@lemdro.id
- !nothing@lemdro.id
- !googlepixel@lemdro.id
- !xiaomi@lemdro.id
- !sony@lemdro.id
- !samsung@lemdro.id
- !galaxywatch@lemdro.id
- !oneplus@lemdro.id
- !motorola@lemdro.id
- !meta@lemdro.id
- !apple@lemdro.id
- !microsoft@lemdro.id
- !chatgpt@lemdro.id
- !bing@lemdro.id
- !reddit@lemdro.id
Lemmy App List
Chat and More
founded 1 year ago
MODERATORS
I am still a little unclear on what this means. Isn't the idea of passkeys that they're stored on your PC's TPM? What does Bitwarden "supporting passkeys" mean in that case? Are they not stored on the device if you use Bitwarden?
You're thinking about "device-bound passkeys". Bitwarden and any other third-party credential manager leverages "synced passkeys" because they don't control the hardware.
Synced passkeys are actually called out in the FIDO Alliance's FAQs as preferred since they more closely align with the desired replacement of traditional passwords.
So it's just one half of a key pair stored in Bitwarden, then? And you authenticate to Bitwarden as usual?
Well, it's a full keypair being stored: Authenticators like Bitwarden need to first provide the public key to the relying party (RP) so the RP can issue the encrypted auth challenge. The challenge then is handed back to the authenticator, user verification happens, then the challenge is signed by the private key and sent back to the RP for verification to complete the auth ceremony.
They'll probably interface the key exchange from TPM, pulling and storing keys as needed from the TPM to applications you use BW with.
No, TPM isn't involved here. There's a few kinds of passkeys.
Hardware bound keys are locked up in a physical device like a TPM or a YubiKey. That physical device has its own security to unlock it- TPMs often work with fingerprints, or a YubiKey usually has a PIN (aka password).
A passkey can also be done in software, and that's what's happening here. BitWarden stores the encryption key within the BitWarden vault, so it can (eventually) be accessed by any device signed into your BitWarden account. Thus the same passkey works on your computer, laptop, phone, tablet, etc.
It's worth noting that Google and Apple both do it this way- the passkey is stored in their password manager, and you use Face ID or fingerprint ID to unlock that.
THat would make sense given that you'd want to be able to use it across other logged in devices.
Appreciate the explanation.
Most welcome :)
I like to think of it this way in my little bubble. :) I have a Yubkey 5 with NFC. I use passkeylogin into Authentik so all I have to do is plug in my key, unlock it with my master password for the key and touch the disk and I'm logged into my site. If I view the contents of my key with the ykman software, then I can see that I have two logins, one for mobile and one for my site. Each has is different so it knows which one is mobile and which is desktop.
The same principle may apply with the PC's TPM. Your credentials may apply the same way there. I'm not 100% familiar with the TPM process but think as long as it works with Fido2 , you should be fine.