This has been a great year for Bitwarden in terms of new features for both their commercial and self-hosted customers. While the need for a password manager has never been greater, the competition in this niche is tough.
Some major players in this field have suffered data breaches this past year, and many users have moved to alternative solutions such as Bitwarden, with good reason.
For anyone not familiar with the platform, BW is a commercial platform that also offers a free tier as well as a self-hosted solution for anyone not willing to keep their data in a public cloud.
Personally, I have been using this solution in a self-hosted scenario for the past five years with zero issues.
While the official self-hosted version of Bitwarden is a complex one (with 11 containers), a two-container version is on the way. Under the name of Bitwarden Unified, it should provide a simple setup with all the features that this platform offers. Currently in beta, the Unified version should arrive soon.
Passwordless - the future login method
With the increased threat level nowadays, staying safe on the web can be a challenge. Using a password manager is a way forward: it allows a unique, complex password for each service, with the added protection of multi-factor authentication (MFA).
Bitwarden Inc. is pushing its platform to provide the best possible security for its customers, and with the recent acquisition of Passwordless.dev we got a better product with much stronger protection and ease of use.
Passwordless is more than just a buzzword. Many major companies are working towards the implementation of this type of authentication, as password management is becoming an issue while the threat level keeps rising. Using anything other than lengthy, highly complex passwords exposes the user to brute-force attacks and eventual compromise.
This is where new methods such as passkeys and biometric security can help by elevating security and lowering complexity for the end user.
One feature that Bitwarden implemented a while back was to allow the usage of trusted devices to log into the application without a master password.
This method allows login with no need to type in the password, which greatly reduces exposure to brute-force attacks, password theft, and other attacks that target a password as it is typed. The Log in with device feature also streamlines the user experience, because it allows the use of the biometrics that most modern mobile and desktop devices have. Fingerprint or face identification has almost become a standard, and not just on high-end models, so using such options not only protects the individual but also speeds up authentication when accessing sensitive data inside Bitwarden.
On top of these methods that improve the login process, we can still use MFA options to protect the contents of the vault even further. This step is still not replaced by the use of passwordless options, but then again, security vs. convenience is always a trade-off that the individual must choose.
This is why passkeys have become so popular, and why they have now been implemented in Bitwarden as well. Username/password login has been the standard for decades, but even with 2FA it is still open to various attacks (although much harder ones), and above all it is a multi-step process.
So what are passkeys?
Passkeys allow you to quickly create and sign into accounts – with no password needed. This single-step, secure login method replaces traditional authentication (typically, weak or reused usernames and passwords) as well as the cumbersome 2FA process. With passkeys, you’ll never create a weak password again, because you’ll never need to create a password again.
This means that we will use a single strong login that will replace the username, password, and 2FA while elevating security and making the login process faster and less complex.
Since November 7th, 2023, Bitwarden has rolled out support for passkeys for all clients, both free and commercial.
At the moment, passkeys are only implemented in the Bitwarden browser extension with mobile and desktop app support coming in the near future. What will also be possible is to log inside Bitwarden itself using this method. This will also significantly increase security while accessing Bitwarden Vault on less secure or foreign devices.
Why is passkey support in Bitwarden a big deal? The major companies behind the main mobile and desktop operating systems, like Apple, Google, or Microsoft, are rolling out their own passkey support, but those implementations are not as cross-platform as keys saved in a cross-platform password manager such as Bitwarden.
As a result, we have our private keys with us all the time on any BW-compatible OS or device, with no worry about accessing them. Getting to them will also be possible soon using passkeys, or any existing method, like login with device, biometrics, and so forth.
Using mobile or desktop biometrics
Now that we have seen what Bitwarden can do in terms of ease of use as well as security, let's see it in action.
Let's start with the biometric options inside the desktop app. We first need to activate the available option on the computer in question. For this demonstration, it will be a Mac computer with Touch ID.
In Bitwarden's preferences, under the security section, we will find the Unlock with Touch ID check box that needs to be activated. Once the computer password has been entered and confirmed, the functionality is in place.
Testing this is as simple as opening the app again, which will in this case present us with an unlock screen offering the option to enter the master password or to unlock with Touch ID.
Once the fingerprint scanner or the button is used, the app will invoke a security popup asking us to either place a finger on the Touch ID sensor or, in case the user has an Apple Watch configured and ready, authenticate with it instead.
So what is the actual process here? Click once on Unlock with Touch ID in the Bitwarden app, then double-click the Apple Watch button to approve, and that's it. No typing, no passwords, and we have unlocked the vault.
Now that example was unlocking the vault with an already logged-in user. Let's see now how we can actually log into Bitwarden's extension (the same goes for the desktop app) to get access to the vault.
Unlike the unlock process, the login process using biometrics will only save us from entering our master password. We will still have to enter the username (email) and optional 2FA challenge.
Opening the browser extension will ask us to enter our email address, followed by the master password screen. On that same screen, the Log in with device option is visible; it will send a challenge with a one-time phrase to a verified device (computer or mobile).
The identical phrase will then show up in the Bitwarden app on the desktop or mobile device (or both, if we have configured multiple devices), which asks us to confirm the login. After that, the vault will either open up or prompt us with an optional MFA method, if one is configured for that particular account.
Again, a few clicks and we have access to our vault without typing the master password manually. Both are fast and secure ways of getting access to our data, using verified devices and biometrics that provide a significant level of security.
The new passkeys feature goes one step further.
"...As a cryptographic method to verify your identity, passkeys are naturally significantly stronger than passwords. Comprising both a public and private component, passkeys leverage WebAuthn cryptographic protocols developed by the FIDO Alliance..."
As mentioned before, passkeys eliminate the need to enter a username, password, and 2FA. Some might challenge this and say, isn't having a complex password and 2FA on a separate device/app more secure than having a passkey?
Before we see passkeys in action, let's see the main benefits:
Impossible to guess - passkeys are much longer than passwords and machine-generated. Trying to guess a passkey would literally take eons.
Resistant to phishing - they can only be used on the website that they’re made for, so a fake website can’t try to trick a user into giving it away.
Immune to data breaches - passkeys are made up of a public key and a private key that work together to log you in. If the public key that a website stores is leaked, your account is still safe because the private key is secure on your device.
Bitwarden now offers the option to save passkeys (the private keys) as entries in the vault, so you can access them from anywhere.
Using the passkey feature is very easy.
In most cases, registering on a site that supports passkey authentication will require entering a username or an email. This is just the usual initial registration process. Following that, we can complete the process by using a passkey. At that moment the Bitwarden extension will pop up with a prompt.
Now, in case we do not want to use Bitwarden as our passkey destination, but rather macOS Keychain for example, we can use the Use browser option in the lower left corner.
In case we do want Bitwarden to be our host for the passkey, we can choose Save passkey as new login and that is it. The new passkey is now part of the vault.
With the passkey safely inside the vault, visiting the website that the passkey was created for will invoke a Bitwarden extension prompt once we want to log in.
There we have it. Passkeys are a new, more secure, and more streamlined method of authentication. Again, this feature is available to any free or paid customer of Bitwarden, and, as of version 1.30, in the Vaultwarden self-hosted fork. Be sure to give it a go, and further elevate your security, as well as the security of your most sensitive data.