Log in with Passkeys beta

Passkeys can be used to log in to Bitwarden as an alternative to using your master password and email. Passkeys used to log in to Bitwarden require user verification, meaning you'll need to use something like a biometric factor or security key to successfully establish access to your passkey.

Logging in with a passkey will bypass Bitwarden two-step login, however only PRF-capable browser (e.g. Google Chrome) and authenticator (e.g. YubiKey 5) combinations can be used to setup log in with passkeys for vault decryption. Passkeys that don't use PRF will require that you enter your master password after logging in to decrypt your vault.

Passkeys can currently be used to log in to the Bitwarden web app, and support for other client applications is planned for a future release.

You can have up to 5 passkeys to log in with at any given time. To create a passkey to use to log in to Bitwarden:

1. In the web app, select the Settings → My account from the navigation:

2. From the Settings menu, select the Security page and the Master password tab.

3. In the Log in with passkey section, select Turn on or, if you've already setup a passkey, New passkey. You will be prompted to enter your master password:

   

4. Follow prompts from your browser to create a FIDO2 passkey. You can complete user verification using a factor like a biometric or by creating a PIN.
   
   You may, during this procedure, need to cancel out of a default authenticator your browser will want you to use, for example if you want to use a hardware security key on a macOS device that will prioritize Touch ID.

5. Give your passkey a name.

6. If you don't want to use your passkey for vault encryption and decryption, uncheck the Use for vault encryption checkbox:

   

   This option will only appear if your browser (e.g. Google Chrome) and authenticator (e.g. YubiKey 5) are PRF-capable. Learn more.

7. Select Turn on.

Both your browser (e.g. Google Chrome) and authenticator (e.g. YubiKey 5) must be PRF-capable in order to support using the passkey for vault encryption and decryption.

Your passkeys list will show whether each passkey is used for encryption, supported but not enabled, or not supported:

If you didn't check the Use for vault encryption checkbox when you initially set up the passkey, or if for example the browser you were using at the time was not PRF-capable, navigate to this menu and select the Set up encryption button.

You can remove an existing passkey from Bitwarden using the Remove button on the same screen. Removing a passkey from Bitwarden will not delete the private key stored in your FIDO2 authenticator, but you’ll no longer be able to use it to log into Bitwarden.

Once your passkey is created, you can use it to log in to the Bitwarden web app:

1. On the Bitwarden login screen, select Log in with passkey where you'd usually enter your email address.

2. Follow prompts from your browser to read the passkey, this will authenticate you with Bitwarden.

3. If your passkey is setup for vault encryption, you're done! Otherwise, enter your master password and select Unlock to decrypt your vault data.

The following describes the mechanics of logging in with passkeys. Which tab is relevant to you depends on whether your passkeys was set up with encryption.

Rotating your account encryption key will invalidate the encryption and decryption functionality of any passkey set up to use for vault encryption. The ability for that passkey to be used for authentication when logging in to Bitwarden will not be affected when you rotate your account encryption key.