Is passkeys support in the roadmap?

Tech companies from the FIDO alliance will deploy passkeys in the following months. Passkeys are a new authentication method that aims to avoid passwords. It is more secure and also easier to use.

I would like to use this new method soon, but I would like to avoid proprietary cloud solutions to manage my future passkeys. Bitwarden committed to supporting this method, but I would like to know if this will be the case for Vaultwarden. I would like to have a self-hosted passkey manager without any call to any external server.

I’m pretty sure under the hood that is just WebAuthn, which we do support: Enabling U2F (and FIDO2 WebAuthn) authentication · dani-garcia/vaultwarden Wiki · GitHub. This was mostly for external USB tokens.

Not sure if the new Passkeys require any changes from our side, but if they aren’t compatible as it is, I’m definitely interested in adding support for them eventually.

2 Likes

Passkeys are multi-device FIDO credentials. For example if I register to a web site from my phone, FIDO credentials are created on this phone.
If later I want to sign in to the same account from my laptop without my phone, I need my FIDO credentials to be synced to my laptop.

From the white paper here page 6: White Paper: Multi-Device FIDO Credentials - FIDO Alliance

Just like password managers do with passwords, the underlying OS platform will “sync”
the cryptographic keys that belong to a FIDO credential from device to device.

So if this is already possible then this is great! In my understanding this syncing of cryptographic keys was the new feature of passkeys and would need some work from existing password managers like Vaultwarden.

Passkeys implementation would require each record to allow a new field, FIDO (similar to TOTP), which, in theory, would allow you to store the required certificates. (Note: when you scan a “Passkey QR code”, it generates a URL in the form of FIDO:0123456789abcdef…)

The current WebAuthn implementation protects the main Vaultwarden account (like the 2nd step after Master password input). Still, Passkeys would allow you to “store the private certificates” for any website instead of a password and use that certificate for the WebAuthn handshake, which is a different kind of feature.

1 Like
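The distinction drawn in the post above, between WebAuthn as a second factor for the vault itself and a vault that stores a per-site private key and uses it in the WebAuthn handshake, is easier to see in code. The following is an added Go example written for this thread; it is not code from the thread, from Bitwarden or from the Vaultwarden project. The `VaultEntry` layout, the `RelyingParty` type and the challenge values are assumptions for illustration, not Vaultwarden's schema: a vault record holds the P-256 private key for one site, the website stores only the public key, a login is a signed challenge, and "sync" (the multi-device behaviour quoted from the white paper earlier in the thread) is simply copying that record to a second device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// VaultEntry is a hypothetical per-site passkey record; its JSON form is what a vault would sync between devices.
type VaultEntry struct {
	RPID          string `json:"rpId"`
	CredentialID  []byte `json:"credentialId"`
	PrivateKeyDER []byte `json:"privateKey"` // SEC 1 DER, P-256; never sent to the site
}

// RelyingParty is the website: it holds only public keys and last-seen sign counters.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]*ecdsa.PublicKey
	signCount  map[string]uint32
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, signCount: map[string]uint32{}}
}

// Assertion mirrors a WebAuthn AuthenticatorAssertionResponse.
type Assertion struct{ CredentialID, ClientDataJSON, AuthenticatorData, Signature []byte }
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Register creates a P-256 key pair in the vault; only the public half goes to the RP.
func Register(rp *RelyingParty) (*VaultEntry, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a freshly generated key
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	rp.pubKeys[b64(id)] = &priv.PublicKey
	return &VaultEntry{RPID: rp.ID, CredentialID: id, PrivateKeyDER: der}, nil
}

// signedMessage is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign is the vault/client side: it answers the challenge with a signature, never a secret.
func Sign(e *VaultEntry, origin string, challenge []byte, count uint32) (*Assertion, error) {
	priv, err := x509.ParseECPrivateKey(e.PrivateKeyDER)
	if err != nil {
		return nil, err
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": b64(challenge), "origin": origin})
	rpHash := sha256.Sum256([]byte(e.RPID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (user present) || signCount
	binary.BigEndian.PutUint32(authData[33:], count)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return &Assertion{e.CredentialID, cd, authData, sig}, err
}

// Verify is the RP side: credential, clientData (challenge and origin), rpIdHash, signature, counter.
func (rp *RelyingParty) Verify(a *Assertion, expectedChallenge []byte) error {
	key := b64(a.CredentialID)
	pub, ok := rp.pubKeys[key]
	if !ok {
		return errors.New("unknown credential")
	}
	var cd map[string]string
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["challenge"] != b64(expectedChallenge) || cd["origin"] != rp.Origin { // browser-set origin: a look-alike site never matches
		return errors.New("clientData mismatch (type, challenge or origin)")
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	// Synced passkeys often report counter 0 (none kept); only a non-zero counter that fails to increase is a clone/replay signal.
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if (count != 0 || rp.signCount[key] != 0) && count <= rp.signCount[key] {
		return errors.New("sign counter did not increase")
	}
	rp.signCount[key] = count
	return nil
}
```

Two points the code makes that the prose only implies: the site never sees the private key, so syncing is purely a vault-to-vault concern (a real vault would encrypt the `VaultEntry` blob end to end, which this example leaves out), and the relying party's origin check is what makes a passkey phishing-resistant, since the browser, not the user, fills in `origin`. The sign-counter branch reflects a caveat specific to synced passkeys: they commonly report a counter of 0, so a relying party that treats every non-increasing counter as a cloned key would lock out legitimate multi-device users.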

The big bosses just announced part of the money of the latest round of funding will go to the development of passkeys.

Dashlane supports it already and 1Password just completed an acquisition and announced support in early 2023. It’s the next big thing because Apple now supports it. In theory, passkeys should be easy to transfer between vendors, but I will just wait until the money has done its work and it is properly implemented in Bitwarden.

1 Like

Just a side note. That doesn’t mean Vaultwarden will or can support this also. Mostly because it’s using their notifications infra, as far as I can tell.