Using Bitwarden Passkey functionality with Token2 FIDO2 Security Keys

About Bitwarden
Bitwarden is a password management service that stores sensitive information, such as website credentials, in an encrypted vault. The Bitwarden platform offers a variety of client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a CLI.

Passkeys, an umbrella term for FIDO2 security keys and FIDO2 platform authenticators, serve as an alternative way of logging into Bitwarden that does not require your master password and email. Bitwarden already supported FIDO2 security keys in the previous UI; in a recent upgrade, it expanded this to support any type of passkey, including platform (device-bound) passkeys, alongside standalone (cross-platform) FIDO2 security keys. Using a passkey to log in to Bitwarden requires user verification, such as a biometric factor or a PIN, before access to the passkey is granted.

Note for Windows Users
PRF functionality is available only with the latest Windows 11 version, currently 23H3. This note was added after unsuccessful tests with earlier versions.

Follow the steps below to add a Token2 FIDO2 security key as your passkey.

  • In the web app, select the profile icon and choose Account Settings from the dropdown menu.

  • From the Account Settings menu, select the Security page and the Master Password tab.

  • In the "Log in with passkey" section, select Turn on or, if you've already set up a passkey, New passkey.

    You will be prompted to enter your master password.
  • Follow the prompts from your browser to create a FIDO2 passkey. You can complete user verification using a factor such as a biometric or a PIN.
    During this step you may need to cancel out of the default authenticator your browser offers, for example when you want to use a hardware security key on a macOS device, which prioritizes Touch ID.

    Some browsers ask for the PIN twice.

  • This prompts the browser to start the FIDO2 security key registration process. The dialogs shown below are just an example (Chrome on Windows) and may look different in other browsers and operating systems.

    Note that to use our FIDO2 keys, you must select the "External Security Keys" or "Security Key" option when prompted; this option is not always the default, so check it carefully. Selecting a different option may enrol your built-in authenticator (the TPM on a PC motherboard or Touch ID on a macOS laptop) instead of the standalone security key.
    The system may also ask you to choose the authenticator option more than once (when multiple platform authenticators are present); always select the "Security Key" option. Next, the browser asks you to allow the website to create a new resident credential (passkey) on your FIDO2 key, then to enter your security key's PIN (if no PIN is set on the key, you will be prompted to create one). Finally, it asks you to press the key's button (tap the key for NFC, or swipe a finger on a biometric FIDO2 key) to complete the process.

  • Give your passkey a name. If you don't want to use your passkey for vault encryption and decryption, uncheck the Use for vault encryption checkbox:

  • Select Turn on.

Both your passkey and browser must be PRF-capable to support using the passkey for vault encryption and decryption. Your passkeys list will show whether each passkey is used for encryption, supported but not enabled, or not supported:

All Token2 FIDO2 Keys can be used for the vault encryption and decryption functionality.
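As an added illustration (not Bitwarden's or Token2's own code), the snippet below shows the WebAuthn registration call that the browser dialogs above correspond to: a discoverable credential on an external security key with user verification required and the PRF extension requested, plus a helper that maps the PRF extension result to the three states the passkeys list can show. The relying-party id, user name, challenge and user id are constructed sample values; a real deployment obtains the challenge and user id from its server.

```javascript
// Added example, not Bitwarden's or Token2's code. The pure helpers run anywhere;
// registerSecurityKeyPasskey() needs a browser with WebAuthn support.

// Constructed sample values (a real relying party sends a fresh random challenge
// and its own user id from the server).
const SAMPLE_CHALLENGE = Uint8Array.from([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]);
const SAMPLE_USER_ID = new TextEncoder().encode("user-id-placeholder");

// Registration options for a passkey stored on an external FIDO2 security key.
function buildPasskeyCreateOptions(rpId, userName, challenge, userId) {
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // steer the browser to the security key, not TPM/Touch ID
      residentKey: "required",                   // a passkey is a discoverable (resident) credential
      userVerification: "required",              // PIN or biometric on the key, as Bitwarden requires
    },
    extensions: { prf: {} }, // ask whether the key supports PRF (needed for vault encryption)
  };
}

// Map the client extension results to the three states shown in the passkeys list.
// useForVaultEncryption mirrors the "Use for vault encryption" checkbox.
function classifyPrfSupport(clientExtensionResults, useForVaultEncryption) {
  const prf = clientExtensionResults && clientExtensionResults.prf;
  if (!prf || prf.enabled !== true) return "not supported";
  return useForVaultEncryption ? "used for encryption" : "supported but not enabled";
}

// Browser-only: run the registration ceremony and report the PRF status of the new passkey.
async function registerSecurityKeyPasskey(rpId, userName, useForVaultEncryption) {
  const options = buildPasskeyCreateOptions(rpId, userName, SAMPLE_CHALLENGE, SAMPLE_USER_ID);
  const credential = await navigator.credentials.create({ publicKey: options });
  const status = classifyPrfSupport(credential.getClientExtensionResults(), useForVaultEncryption);
  return { credentialId: credential.id, prfStatus: status };
}
```

If the browser or key does not implement the PRF extension, `prf.enabled` is absent or false, which is exactly the "not supported" state in the passkeys list.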