Free password manager Bitwarden is the latest to add passkey login support

Visual representation of a passkey on a computer chip
(Image credit: Shutterstock/ ArtemisDiana)

Bitwarden is now letting all its users - even those on a free plan - log in to their password manager without needing a master password, instead allowing them to use passkeys.

Passkeys are the new passwordless technology governed by the FIDO Alliance, who sets the technological standards. To maintain end-to-end encryption, Bitwarden is making used of FIDO's PRF WebAuthn extension, which is still in development. The use of passkeys to lock Bitwarden vaults is currently in beta.

In its blog announcing the news, Bitwarden noted passkeys are safer and more convenient than passwords, as they are resistant to phishing since they require nothing to be remembered or stored on the part of the user - the private cryptographic key that underlies them isn't known to anyone.

Encryption and passkeys

The firm also says that the security offered by passkeys combines with the "zero knowledge, end-to-end encryption protection that Bitwarden delivers for users’ sensitive information and credentials."

Once a user sets up their passkey with Bitwarden, no master password, username, or 2FA is required to login. All that is required to authenticate the use of the passkey is whatever they use to lock device, such as their fingerprint, face, or PIN. FIDO2-compliant security keys can also be used.

Bitwarden explains that in order to maintain the end-to-end encryption of users' vaults, an encryption key is needed that must always stay the same. Deriving this key from a master password works since the password never changes. However, with passkeys, different values are generated with each authentication, and the passkey itself cannot be shared with the Bitwarden application. 

This is where the Pseudo Random Function (PRF) WebAuthn extension comes in. It allows an encryption key to be taken from a passkey as it relates to a particular site. So in addition to authenticating the user, the PRF WebAuthn extension also allows the retrieval of the encryption key to decrypt the vault for the user.

Up to five passkeys can be created to secure a vault, and the user can give them a name of their choosing. This is useful if users want to secure one passkey using a security key, and others using biometric data or a PIN, for instance.

Currently, passkeys can only be used to login to the Bitwarden web app, on chromium browsers such as Google Chrome and Microsoft Edge. Other Bitwarden clients, such as the mobile apps, will get the feature in future releases. 



Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.