Bitwarden Moves Into Passwordless Security

Bitwarden, the popular open-source password management program, has launched Bitwarden Passwordless.dev, a developer toolkit for integrating FIDO2 WebAuthn-based passkeys into websites and applications. The New Stack reports: Bitwarden Passwordless.dev uses an easy-to-use application programming interface (API) to provide a simplified approach to implementing passkey-based authentication with your existing code. This enables developers to create seamless authentication experiences swiftly and efficiently. For example, you can use it to integrate with FIDO2 WebAuthn applications such as Face ID, fingerprint, and Windows Hello. Enterprises also face challenges in integrating passkey-based authentication into their existing applications. Another way Bitwarden Passwordless.dev addresses this issue is by including an admin console. This enables programmers to configure applications, manage user attributes, monitor passkey usage, deploy code, and get started instantly.

"Passwordless authentication is rapidly gaining popularity due to its enhanced security and streamlined user login experience," said Michael Crandell, CEO of Bitwarden. "Bitwarden equips developers with the necessary tools and flexibility to implement passkey-based authentication swiftly and effortlessly, thereby improving user experiences while maintaining optimal security levels."

Cause for concern?

[Gavino]

It's not too much trouble to unlock my Bitwarden browser extension, then have it populate user/pass on mouse click. I like to have myself inserted between website and password manager so I know what's going on. Once automation is enabled, I fear that the bad guys might find a way to automate their way into my password manager of choice without my knowledge.

Re: Cause for concern?

[Anonymouse Cowtard]

Don't be too concerned. We'll be using password managers for a few years yet. Maybe Meta/Apple/Google/Amazon (MAGA, get it!?) will produce a universal fob that uses a satellite to generate a passkey every 15 seconds.

Re:

[Gavino]

Poor Microsoft don't even get a guernsey in your MAGA acronym, even though there's an "M" out front just teasing them! What you're describing is even more concerning, but I guess that's sarcasm. I think the "fob" would be some Elon Musk neural implant and the satellite system is StarLink.... and it definitely won't be used by Mugato Inc to program us all to kill the Malaysian Prime Minister (that's a movie reference for those who don't know the classics).

Re:

[divide overflow]

and it definitely won't be used by Mugato Inc to program us all to kill the Malaysian Prime Minister

That's Mugatu, not Mugato.
You betray your respect for the classics.

Re:

[Applehu Akbar]

Fear not. The push for "passwordless authentication" is ultimately coming from advertisers so that they can track you, not just between web sites, but now also web-authenticated applications on the desktop. You've already lost.

Actually the push for better authentication comes from IT people like me, who have so often had to wait an extra two hours on a job while some poor old lady thrashes through every cranny in her house looking for that list of scrawled passwords to recall the vital one she has forgotten.

I have a dream

[Pinky's Brain]

I'd like there to be an open source standard for passkey syncing (or less politically correct, cloning) with a level 2 certified reference implementation (would need a hypervisor on CPU). The Fido Alliance is hands off on the mechanics of syncing because a lot of the old timers are ideologically opposed, W3C is only concerned with the intersection with the web. If there is to be a standard from syncing it will have to come from a different direction.

Microsoft, Google and Apple will have syncing, but only inside their ecosystem. Without syncing passkeys still have the same problem as U2F always had, with the need to register multiple dongles with one website to have a backup, so the end result will be chasing people into ecosystem lock in to avoid that.

Re:

[ctilsie242]

This is what a TPM, Pluton, or other security chip should do. Allow storage of passkeys in some manner, but allow syncing/cloning across devices, perhaps with one device's public key, so the passkey never leaves the device unencrypted. Of course, there is MITM and ensuring machine Bob is known to machine Alice, but that is a solved problem, and comparing passphrase based fingerprints could allow a secure transfer from secure enclave to secure enclave.

Re:

[Pinky's Brain]

TPM doesn't have enough storage for passkeys, also doesn't have enough programmability to communicate with an attested fingerprint sensor, nor to encrypt/decrypt the passkeys so they can be synced.

Pluton can do it, but plebs won't be allowed to program Pluton. It's only useful to the Microsoft ecosystem.

Re:

[ras]

I'd like there to be an open source standard for passkey syncing (or less politically correct, cloning)

This will probably come to pass, sadly. The "sadly" isn't about open source. The sadly is you, the user, can't be trusted to manage a passkey, so opening up the standard so random Joe Citizen can see them and copy them is not a step forward.

A passkey is at it's heart just secret private, managed by a few clever protocols. A private key at it's heart is just a secret string, which when it's all said and

Lamenting passwords

[NotEmmanuelGoldstein]

The bCrypt Retires article lamented the continuing use of passwords. There's a reason passwords still exist: Passwords allow authentication from any device. The alternative is the device as a password: This makes identity theft easier, although it must be a physical theft also. Making authentication dependent on something you have, increases the difficulty of replacing the authentication tokens when that hardware is lost, broken, or stolen.

Law enforcement loves authentication as a device, because seizing your hardware (or just your bio-metrics, such as fingerprint/retinal-print/face image) is seizing your online footprint which is identity theft.

Re:

[Pinky's Brain]

When a website requires user verification you will still have to locally authenticate. Generally with password, pin or biometric.

Also generally people will authenticate on the device to get past the lockscreen. Just don't unlock your phone within 2 meter of the popo.

Gibson solved this already: SQRL

[Plugh]

https://en.m.wikipedia.org/wik... [wikipedia.org]

The Big Lie

[Retired ICS]

I doubt it is passwordless.

That will be buzz-shit just like the kiddies calling shit serverless even though there is obviously a server.

It is like Zero-Trust, which has nothing to do with Zero-Trust. It still requires trust. It is just kiddie shite.

seems to work, with caveats

[ZipNada]

I signed up for their free tier and cloned their node.js example. Appears to work just fine.

What it does require is that you have passkey support installed in your browser or phone or whatever you are using to access the resource. Then to authenticate you use your passkey. On your phone it would be fingerprint, face, or screen lock. On Windows it is your PIN or a USB security device. That's arguably more convenient than a different password for everything, but if you don't have passkey support installed it won't work.

At present many people won't have it installed so you will need a password-based fallback. Their code does let you check to see if passkey is supported so that you could switch to the fallback. I guess the expectation is that eventually everyone will be using passkey.