When LastPass got hacked I switched to bitwarden and never looked back. Simple and effective interface, works on all platforms, I love it!
It's awesome. After using it free for years, I recently became a paid subscriber as a show of support.
$10/yr is not a big price for what you get. I don't think I even use the extra features you get with the subscription, but supporting the maintenance and development of a product I would like to use for years to come is important.
Agreed. I like that the free version works well. The lack of pressure or nagging toward paying is what gets me to want to pay. I usually avoid subscriptions.
I usually self host but the fact that the option is there and I can use it any time in the future is the main reason i use BW and kick them a bit of money. And not bring nagged or forced to subscribe is a major factor for me as well.
I'm a paying user of Proton "unlimited" and they still shove ads down my throat.
Protonmail? Never seen an ad even on the free plan. Of course, I have UBO so I don't see ads anywhere.
There's an ad at the upper right of my inbox right now. And UBO won't block it because it's from Proton. I also have to go and disable the "sent from Proton" ad every time I log in with a new device.
10 bucks per year is a small price to pay to support good business
Honestly, I have been thinking of doing the same.
I really don't require any of their premium features and am getting it to show my support.
$10/yr is dirt cheap for something so important in our online life.
I switched to bitwarden when last pass announced they were changing there free model so you can only use your passwords on browser or mobile but not both. Liked bitwarden way better and immediately did the yearly sub to support them.
Same after dashlane just announced they're limiting the number of passwords you can use on the free account, migrating was painless
Their desktop app isn’t as nice as LastPass, but I’ll put up with a minor inconvenience to keep my passwords secure.
Same here. Bitwarden has been good to me so far!
That's pretty good, I still wonder how long will it take for companies to actually implement them in practice though. Steam still uses its frustrating steamguard instead of just letting us use any generic 2FA provider like aegis for example, I doubt they'll implement this any time soon.
Same about Aegis, it supports Steam's proprietary format.
I am not that desperate to get it working there, it was just an example, but still good to know thanks! Hopefully they add proper psaswordless support eventually.
I am still a little unclear on what this means. Isn't the idea of passkeys that they're stored on your PC's TPM? What does Bitwarden "supporting passkeys" mean in that case? Are they not stored on the device if you use Bitwarden?
You're thinking about "device-bound passkeys". Bitwarden and any other third-party credential manager leverages "synced passkeys" because they don't control the hardware.
Synced passkeys are actually called out in the FIDO Alliance's FAQs as preferred since they more closely align with the desired replacement of traditional passwords.
So it's just one half of a key pair stored in Bitwarden, then? And you authenticate to Bitwarden as usual?
Well, it's a full keypair being stored: Authenticators like Bitwarden need to first provide the public key to the relying party (RP) so the RP can issue the encrypted auth challenge. The challenge then is handed back to the authenticator, user verification happens, then the challenge is signed by the private key and sent back to the RP for verification to complete the auth ceremony.
They'll probably interface the key exchange from TPM, pulling and storing keys as needed from the TPM to applications you use BW with.
No, TPM isn't involved here. There's a few kinds of passkeys.
Hardware bound keys are locked up in a physical device like a TPM or a YubiKey. That physical device has its own security to unlock it- TPMs often work with fingerprints, or a YubiKey usually has a PIN (aka password).
A passkey can also be done in software, and that's what's happening here. BitWarden stores the encryption key within the BitWarden vault, so it can (eventually) be accessed by any device signed into your BitWarden account. Thus the same passkey works on your computer, laptop, phone, tablet, etc.
It's worth noting that Google and Apple both do it this way- the passkey is stored in their password manager, and you use Face ID or fingerprint ID to unlock that.
THat would make sense given that you'd want to be able to use it across other logged in devices.
Appreciate the explanation.
Most welcome :)
I like to think of it this way in my little bubble. :) I have a Yubkey 5 with NFC. I use passkeylogin into Authentik so all I have to do is plug in my key, unlock it with my master password for the key and touch the disk and I'm logged into my site. If I view the contents of my key with the ykman software, then I can see that I have two logins, one for mobile and one for my site. Each has is different so it knows which one is mobile and which is desktop.
The same principle may apply with the PC's TPM. Your credentials may apply the same way there. I'm not 100% familiar with the TPM process but think as long as it works with Fido2 , you should be fine.
Hopefully more services support this soon - any idea of sites/apps that support this now?
Just hoping Vaultwarden will get an update soon to also support this
Anyone seen any commits to suggest when it's coming to Android?
Have been looking forward to seeing your they implement this. Once it gels a bit I'll likely dive in.
Is this “webauthn” that Proxmox recently added support for?
Am I missing something? Bitwarden already has support for authentication via biometrics or Windows Hello. How is this different from that?
My naive understanding would be: a passkey replaces a password for an individual login; a biometric authentication replaces a password for the vault that stores individual login passwords.
so basically: right now, I have a master password, and I can set up Bitwarden to bypass the master password with biometrics. With passkey set up, I will no longer have a master password, and biometric will be the only login method?
How does this work when I want to log in from a device that doesn't have bitwarden, for example my android phone (for now at least) or my TV or otherwise? Can you manually type in a passkey?
When LastPass got hacked I switched to bitwarden and never looked back. Simple and effective interface, works on all platforms, I love it!
It's awesome. After using it free for years, I recently became a paid subscriber as a show of support.
$10/yr is not a big price for what you get. I don't think I even use the extra features you get with the subscription, but supporting the maintenance and development of a product I would like to use for years to come is important.
Agreed. I like that the free version works well. The lack of pressure or nagging toward paying is what gets me to want to pay. I usually avoid subscriptions.
I usually self host but the fact that the option is there and I can use it any time in the future is the main reason i use BW and kick them a bit of money. And not bring nagged or forced to subscribe is a major factor for me as well.
I'm a paying user of Proton "unlimited" and they still shove ads down my throat.
Protonmail? Never seen an ad even on the free plan. Of course, I have UBO so I don't see ads anywhere.
There's an ad at the upper right of my inbox right now. And UBO won't block it because it's from Proton. I also have to go and disable the "sent from Proton" ad every time I log in with a new device.
10 bucks per year is a small price to pay to support good business
Honestly, I have been thinking of doing the same. I really don't require any of their premium features and am getting it to show my support.
$10/yr is dirt cheap for something so important in our online life.
I switched to bitwarden when last pass announced they were changing there free model so you can only use your passwords on browser or mobile but not both. Liked bitwarden way better and immediately did the yearly sub to support them.
Same after dashlane just announced they're limiting the number of passwords you can use on the free account, migrating was painless
Their desktop app isn’t as nice as LastPass, but I’ll put up with a minor inconvenience to keep my passwords secure.
Same here. Bitwarden has been good to me so far!
That's pretty good, I still wonder how long will it take for companies to actually implement them in practice though. Steam still uses its frustrating steamguard instead of just letting us use any generic 2FA provider like aegis for example, I doubt they'll implement this any time soon.
FYI: You can use Bitwarden as a 2FA method for Steam if you're willing to put in the work.
Same about Aegis, it supports Steam's proprietary format.
I am not that desperate to get it working there, it was just an example, but still good to know thanks! Hopefully they add proper psaswordless support eventually.
I am still a little unclear on what this means. Isn't the idea of passkeys that they're stored on your PC's TPM? What does Bitwarden "supporting passkeys" mean in that case? Are they not stored on the device if you use Bitwarden?
You're thinking about "device-bound passkeys". Bitwarden and any other third-party credential manager leverages "synced passkeys" because they don't control the hardware.
Synced passkeys are actually called out in the FIDO Alliance's FAQs as preferred since they more closely align with the desired replacement of traditional passwords.
So it's just one half of a key pair stored in Bitwarden, then? And you authenticate to Bitwarden as usual?
Well, it's a full keypair being stored: Authenticators like Bitwarden need to first provide the public key to the relying party (RP) so the RP can issue the encrypted auth challenge. The challenge then is handed back to the authenticator, user verification happens, then the challenge is signed by the private key and sent back to the RP for verification to complete the auth ceremony.
They'll probably interface the key exchange from TPM, pulling and storing keys as needed from the TPM to applications you use BW with.
No, TPM isn't involved here. There's a few kinds of passkeys.
Hardware bound keys are locked up in a physical device like a TPM or a YubiKey. That physical device has its own security to unlock it- TPMs often work with fingerprints, or a YubiKey usually has a PIN (aka password).
A passkey can also be done in software, and that's what's happening here. BitWarden stores the encryption key within the BitWarden vault, so it can (eventually) be accessed by any device signed into your BitWarden account. Thus the same passkey works on your computer, laptop, phone, tablet, etc.
It's worth noting that Google and Apple both do it this way- the passkey is stored in their password manager, and you use Face ID or fingerprint ID to unlock that.
THat would make sense given that you'd want to be able to use it across other logged in devices.
Appreciate the explanation.
Most welcome :)
I like to think of it this way in my little bubble. :) I have a Yubkey 5 with NFC. I use passkeylogin into Authentik so all I have to do is plug in my key, unlock it with my master password for the key and touch the disk and I'm logged into my site. If I view the contents of my key with the ykman software, then I can see that I have two logins, one for mobile and one for my site. Each has is different so it knows which one is mobile and which is desktop.
The same principle may apply with the PC's TPM. Your credentials may apply the same way there. I'm not 100% familiar with the TPM process but think as long as it works with Fido2 , you should be fine.
Hopefully more services support this soon - any idea of sites/apps that support this now?
Article links to 1Password's directory of passkey supported sites/apps.
Just hoping Vaultwarden will get an update soon to also support this
Anyone seen any commits to suggest when it's coming to Android?
Have been looking forward to seeing your they implement this. Once it gels a bit I'll likely dive in.
Is this “webauthn” that Proxmox recently added support for?
Am I missing something? Bitwarden already has support for authentication via biometrics or Windows Hello. How is this different from that?
My naive understanding would be: a passkey replaces a password for an individual login; a biometric authentication replaces a password for the vault that stores individual login passwords.
so basically: right now, I have a master password, and I can set up Bitwarden to bypass the master password with biometrics. With passkey set up, I will no longer have a master password, and biometric will be the only login method?
This may help. https://monero.town/comment/2295151
How does this work when I want to log in from a device that doesn't have bitwarden, for example my android phone (for now at least) or my TV or otherwise? Can you manually type in a passkey?