Today, all users can start logging into their Bitwarden web vaults with a passkey, without typing in a username or password. This beta implementation uses the emerging PRF WebAuthn extension for passkeys, which lets a passkey take part in the vault's encryption process as well as in authentication, so the login is both convenient and end-to-end encrypted.
More security for everyone
Passkeys are stronger than passwords: they are random key pairs that cannot be guessed or reused, and because a passkey is bound to the site it was registered on, it resists phishing. Using a passkey to log into a Bitwarden account combines that security with the zero-knowledge, end-to-end encryption that Bitwarden applies to users' sensitive information and credentials. Following the Bitwarden vision of bringing security to everyone, logging in with a passkey is included in every Bitwarden plan, including free.
Log in with a single step
This passkey technology lets Bitwarden users authenticate and decrypt their vault in a single step, without their Bitwarden password, two-factor authentication (2FA) code, or even login email address. Present a PRF-compatible passkey, complete its user verification (a PIN or biometric), and the user is signed into their Bitwarden account. This streamlines login while also adding security: the passkey cannot be guessed, and because it is bound to the domain of the official Bitwarden web app it will not respond to a lookalike site, which protects against phishing attempts.
Watch how it works with this short demo:
Bitwarden utilizes a new passkey technology to implement the passkey login feature, putting Bitwarden at the forefront of innovation with passkey authentication and encryption. This provides a proof-of-concept and an example for other end-to-end encrypted applications to follow.
End-to-end encrypted applications such as Bitwarden must do two things: authenticate the user, and encrypt and decrypt the user's data. Encryption needs a high-entropy key that comes out the same every time it is derived, which is what a password run through a key derivation function provides. A passkey cannot supply that key on its own. By design, each WebAuthn login signs a fresh challenge from the server, so the values the application receives differ on every authentication, and the passkey's private key never leaves the authenticator, so the application cannot use it directly.
Enter the PRF WebAuthn extension, an emerging method for deriving a stable secret from a passkey. Given a salt chosen by the application, the authenticator returns a pseudorandom value that is fixed for that passkey, that salt and that site. That value can be turned into an encryption key, which can then be used to reliably encrypt and decrypt data.
The PRF WebAuthn extension lets the Bitwarden client use one passkey for two purposes: to authenticate the user, and to obtain the encryption key that decrypts the vault data, granting access to the user's Bitwarden account. The result is a fast, convenient and secure login that keeps zero-knowledge, end-to-end encryption intact and distinguishes Bitwarden as a passwordless security leader.
In this beta release, users on any Bitwarden plan with compatible passkeys and browsers can register up to five passkeys for logging into the Bitwarden web app. Currently, Chromium-based browsers such as Google Chrome and Microsoft Edge support the PRF WebAuthn extension; the passkey itself (the platform authenticator or security key holding it) must support it as well. This functionality will come to other Bitwarden clients in future releases.
Passkeys that do not support the PRF WebAuthn extension, such as those created in other passkey providers, can still authenticate the user without the email address and 2FA, but the Bitwarden password is then still required to decrypt the vault.
If you are interested in learning more, visit the Passkeys and Passwordless page on the Bitwarden website or read the blogs: How do passkeys work? and What are passkeys? Two webcasts, Bitwarden and Passkeys and Passkeys & You, tackle the most common questions.
Ready to begin your passwordless journey with Bitwarden? Get started with a free personal account or a 7-day business trial and discover how easy it is to use passkeys for logging into Bitwarden, manage passkeys for other sites, and protect your digital life.