Log In With Passkeys

Passkeys can be used to log in to Bitwarden as an alternative to using your master password and email. Passkeys used to log in to Bitwarden:

• Can be used on the web app and chromium-based browser extensions. Support for other client apps is planned for a future release.

• Require user verification, meaning you'll need to use something like a biometric factor or security key to successfully establish access to your passkey.

• Can only decrypt your vault if both the authenticator (e.g. YubiKey 5) and browser (e.g. Google Chrome) are PRF-capable. Non-PRF setups will require that you enter your master password to decrypt your vault after logging in.

• Cannot be used by members of an organization that uses the Require SSO policy, SSO with trusted devices, or Key Connector.

• Bypass Bitwarden two-step login.

To learn more about the basics of passkeys, check out this blog from Bitwarden.

You can have up to five passkeys to log in with at any given time. To create a passkey to use to log in to Bitwarden:

1. In the web app, select the Settings → Security from the navigation.

2. Select the Master password tab.

3. Within the Log in with passkey section, select Turn on or, if you've already setup a passkey, New passkey. You will be prompted to enter your master password.

4. Follow prompts from your browser to create a FIDO2 passkey. You can complete user verification using a factor like a biometric or by creating a PIN.

   

   tip

   You may need to cancel out of a default authenticator your browser will want you to use, for example if you want to use a hardware security key on a macOS device that will prioritize Touch ID.

5. Give your passkey a name.

6. If you don't want to use your passkey for vault encryption and decryption, uncheck the Use for vault encryption checkbox:
   

   

   This option will only appear if your browser (e.g. Google Chrome) and authenticator (e.g. YubiKey 5) are PRF-capable.

7. Select Turn on.

Both your browser (e.g. Google Chrome) and authenticator (e.g. YubiKey 5) must be PRF-capable in order to support using the passkey for vault encryption and decryption.

Your passkeys list will show whether each passkey is used for encryption, supported but not active, or not supported:

If you didn't check the Use for vault encryption checkbox when you initially set up the passkey, or if for example the browser you were using at the time was not PRF-capable, navigate to this menu and select the Set up encryption button.

You can remove an existing passkey from Bitwarden using the Remove button on the same screen. Removing a passkey from Bitwarden will not delete the private key stored in your FIDO2 authenticator, but you’ll no longer be able to use it to log into Bitwarden.

Once your passkey is created, you can use it to log in to the Bitwarden web app and chromium-based browser extension:



warning

Due to a known defect, if you're using Linux you will need to pop out your browser extension before attempting to log in with a passkey.

1. On the Bitwarden login screen, select Log in with passkey where you'd usually enter your email address.

2. Follow prompts from your browser to read the passkey, this will authenticate you with Bitwarden.

3. If your passkey is setup for vault encryption, you're done! Otherwise, enter your master password and select Unlock to decrypt your vault data.

The following describes the mechanics of logging in with passkeys. Which tab is relevant to you depends on whether your passkeys was set up with encryption.