Free password manager Bitwarden is the latest to add passkey login support


Bitwarden is now letting all its users - even those on a free plan - log in to their password manager without needing a master password, instead allowing them to use passkeys.

Passkeys are the new passwordless technology governed by the FIDO Alliance, which sets the technological standards. To maintain end-to-end encryption, Bitwarden is making use of FIDO's PRF WebAuthn extension, which is still in development. The use of passkeys to lock Bitwarden vaults is currently in beta.

In its blog announcing the news, Bitwarden noted passkeys are safer and more convenient than passwords, as they are resistant to phishing since they require nothing to be remembered or stored on the part of the user - the private cryptographic key that underlies them isn't known to anyone.

Encryption and passkeys

The firm also says that the security offered by passkeys combines with the "zero knowledge, end-to-end encryption protection that Bitwarden delivers for users’ sensitive information and credentials."

Once a user sets up their passkey with Bitwarden, no master password, username, or 2FA is required to log in. All that is required to authenticate the use of the passkey is whatever they use to lock their device, such as their fingerprint, face, or PIN. FIDO2-compliant security keys can also be used.

Bitwarden explains that in order to maintain the end-to-end encryption of users' vaults, an encryption key is needed that must always stay the same. Deriving this key from a master password works since the password never changes. However, with passkeys, different values are generated with each authentication, and the passkey itself cannot be shared with the Bitwarden application. 

This is where the Pseudo Random Function (PRF) WebAuthn extension comes in. It allows an encryption key to be taken from a passkey as it relates to a particular site. So in addition to authenticating the user, the PRF WebAuthn extension also allows the retrieval of the encryption key to decrypt the vault for the user.
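The following Node.js sketch is an added illustration, not code from Bitwarden or the FIDO specifications. It models the authenticator in software to show why a per-login signature cannot serve as an encryption key while a PRF output can. The HMAC-based PRF, the HKDF label, and all function names are assumptions made for the demonstration.

```javascript
// Added illustration: a software model of the PRF idea, not Bitwarden's code.
const crypto = require('node:crypto');

// Model authenticator: a per-credential signing key and a per-credential PRF
// secret. In a real passkey neither value ever leaves the authenticator.
function createPasskey() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKey, prfSecret: crypto.randomBytes(32) };
}

// One authentication: sign the server's fresh challenge (differs every login)
// and evaluate the PRF over the caller-supplied salt (same salt, same output).
function authenticate(passkey, challenge, prfSalt) {
  const signature = crypto.sign('sha256', challenge, passkey.privateKey);
  const prfOutput = crypto.createHmac('sha256', passkey.prfSecret).update(prfSalt).digest();
  return { signature, prfOutput };
}

// Stretch the PRF output into an AES-256 key (the info label is an assumption).
function deriveKey(prfOutput) {
  return Buffer.from(crypto.hkdfSync('sha256', prfOutput, Buffer.alloc(0), 'vault-key-demo', 32));
}

function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function decrypt(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag); // GCM rejects the ciphertext if the key is wrong
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Two logins with the same passkey: signatures differ, the vault key does not.
function demo() {
  const passkey = createPasskey();
  const salt = Buffer.from('constructed-site-salt'); // constructed sample value
  const first = authenticate(passkey, crypto.randomBytes(32), salt);
  const vault = encrypt(deriveKey(first.prfOutput), 'constructed vault contents');
  const second = authenticate(passkey, crypto.randomBytes(32), salt);
  return {
    signaturesDiffer: !first.signature.equals(second.signature),
    prfStable: first.prfOutput.equals(second.prfOutput),
    decrypted: decrypt(deriveKey(second.prfOutput), vault),
  };
}
```
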

Up to five passkeys can be created to secure a vault, and the user can give them a name of their choosing. This is useful if users want to secure one passkey using a security key, and others using biometric data or a PIN, for instance.

Currently, passkeys can only be used to log in to the Bitwarden web app, on Chromium-based browsers such as Google Chrome and Microsoft Edge. Other Bitwarden clients, such as the mobile apps, will get the feature in future releases.

 


Lewis Maddison
Reviews Writer
