My wife is a non computer person and she was watching this with me and was asking how passkeys work. After a few minutes of her listening to me and not understanding what I was talking about she finally came up with an analogy that I think actually describes past keys very well.
She said it's kind of like a lock and a key.
And I think that's a very good analogy. In this case Bitwarden creates both the lock and key which is unique in the whole universe and it gives the lock to the web site. Bitwarden keeps the only key available to that lock.
Great analogy!
A passKEY is like a lock and key!? Wow thanks genius 😱
I really hope that, over time, more webpages use Passkey as a sign-in method and not as MFA.
You and me both! There are some already but still a very long way to go.
Another excellent tutorial, thanks for staying on top of this tech, I have learned a great deal from your videos. Could you make a bitwarden tutorial for mobile use.
I'll look into it! I had some challenges on a prior video with recording due to privacy features (which is great) on some password managers. Let me see what I can do!
Thanks Jason that would be awesome 👍
Wish it would at least have some indicator that a passkey is associated with a login. Great feature regardless.
How do you get Bitwarden to take over using passkeys in Windows 10? Whenever I attempt to do anything with passkeys, whether logging in or creating one, Windows prompts me to insert a security key.
Thanks for the video - very useful!
On a sidenote - what is your Chrome theme called? Love that dark blue gradient!
I'm not sure what the theme is. It's one of the default ones that is available.
Sorry, but saving the passkeys in Bitwarden is, in my opinion, less secure than saving them on your device. Correct me if I'm wrong, but by saving them in Bitwarden, if someone ever enters my vault, with the passkeys they could access the sites they want, whereas if they are saved on the device (like a phone), then to use a passkey you also need biometric authentication, so it's an additional security check on top. Don't you think?
Yes, you're correct. It's the trade-off between security and convenience, but it's the same risk of using a password manager with just passwords. You can still take steps to secure access to the vault to minimize the likelihood of someone gaining access.
Great video, thank you! I've decided to give passkeys a try after being nagged a few times and now seeing your video... So I've done 2 of them and it seems seamless as you show. BUT how do I list my user accounts in Bitwarden where I've enabled a passkey? I don't want to lose track of which ones I've enabled it on. Also, if a website allows BOTH passwords and passkeys, isn't that less secure? Thanks!
This is the one downside with Bitwarden right now, it requires a separate entry. Given your username would be stored with the password entry, it's not a big issue.
Every website now will have both. You just want to default to passkeys as it is phishing resistant.
@teachmecyber Hi, I don't really understand your answer, as I see the passkey in the same entry. Still, I don't know how to search for entries where a passkey was set. Also, I don't understand how passkeys as you describe are 'phishing resistant' if passwords are also allowed. Maybe another video? 🙂
Thank you for this explanation, Jason. Is this something you can do only for new accounts?
For example, if I wanted to use passkeys on an existing social media account, is it a similar process? Sorry if I missed something in the video :)
Yes, you can do this for existing accounts as long as they support it. You should see it under security settings in the particular app
I tried this on Windows, with both Bitwarden and Windows Hello.
The latter does not sync to other devices, but it could use other devices (Android) to store the Passkey. Assuming Bitwarden allows syncing across devices (did not try, but this is the point, otherwise, it's next to useless).
Thanks quickest explanation I've seen.
Yesterday I installed Bitwarden on my Android phone and my Windows computer, added the extension to Firefox and even downloaded the desktop application. I watched your video and some more, tried to do something, and can say: I don't understand anything 😭, or why I need it and how to use it.
Great video. Remember one thing: until we get rid of less secure password recovery processes like email recovery etc., or we eliminate the password on the site (options that sites need to start providing), this will not be more secure.
Yes, it will still be a fall back. But the more you use passkeys and stay consistent the better off you will be.
Will passkeys replace hardware authentication like Yubikey? what are the advantages of each?
Passkeys are the same technology as Yubikey. The main difference is that instead of the private key being stored on the Yubikey, it's securely stored on your laptop or mobile device. This implementation with Bitwarden (synchronized passkeys) allows for more flexibility to log in from different devices. A Yubikey is a device-bound passkey that you can only log in with the Yubikey, so you have to have it with you. It's more secure but less flexible.
@teachmecyber Thanks a lot for your answer! :)
But sites that also allow user/password authentication negate the security that passkeys offer, unless you can delete these credentials once you have a passkey set up for the site.
Potentially. But if you don't use them after setting them up and only use passkeys, it is still more secure, especially against phishing attacks, as long as you default to using passkeys.
Ok, but if you generate a passkey for a Google account -> it can set passkeys on all of your devices with one click.
The question is who you trust more to store your passkeys ....
So, if I had to login on a computer where Bitwarden isn't installed, the passkey stored in Bitwarden cannot be used, right?
Correct, in the current implementation. Future iterations with mobile support may change this if it allows you to point to your mobile app.
@teachmecyber Wow. This, and the frankly amateurish UI for desktop, was enough to make me switch to 1P.
Is the passkey device specific? Or if I have a computer and phone, will it merge across devices? Also, does the passkey eliminate or delete my PASSWORD? AND what if you have 2-3 Google accounts like I do? I have a job Gmail, a Google Gmail, and another Google Gmail.
You can set it up for multiple accounts, no issues there! You can have both the password and the passkey at the same time. You can set it up just for a specific device or use a password manager like 1Password and it will work across devices.
I created Bitwarden access using a passkey, but it still prompts me to key in a password. Not sure why; probably this is still in beta.
what does Bitwarden save to manage the passkey? The private key or what?
That's right, Bitwarden is saving and securely storing the private key.
Does the private passkey have to be remembered, or is it encrypted on the device? Does anything have to be remembered? It seems that if it's stored on the device, the weak link is the device login... not the website login.
You don't have to remember anything new! The passkey is stored encrypted in the vault. The only thing you need to do is unlock Bitwarden to securely access the private key. You should set up Bitwarden to require strong MFA (you can also set this up with passkeys to your local device).
If a passkey is stored on the device, e.g., my laptop, and I get a new laptop, how does it migrate to the new device? I'm sure it's really simple, but I am not sure. Thanks.
Wouldn't you want the username to be stored if you've got multiple accounts on a site? How are you going to login to a site if you can't remember what username you used when you registered?
For passkeys in Bitwarden, you will need a new entry for each unique account on a website. The passkey stores the username in it, so you'll just have to manage the item in Bitwarden accordingly (e.g. just put it in the name of the item).
Q: so If I have a password previously set in a website and later I set a passkey, I'll be able to use both or just the passkey ? and don't forget Nordpass tutorial for future videos
Websites usually let you choose your preferred way of signing in
It depends on the website. Some websites will let you sign in with a password or a passkey, which means you can lose your passkey but still sign in with your password, or lose your password and still sign in with your passkey. Others will use your passkey as a form of 2-factor authentication, meaning you'll need your password and your passkey to log in. Others will replace your password with the new passkey, meaning you can only sign in with your passkey. I don't know if I've covered every scenario, but I hope passkeys become the thing that replaces passwords.
@bigjoegamer covered most of the scenarios you'll run into! The website may autodetect it (e.g. Gmail does this), others may ask you which method you want to sign in with (passwordless or password).
Here is the scenario - passwords no longer used and a person now has 200 device-bound passkeys on a Windows laptop or Android (Apple may vary I don't know). You now get a new laptop - how do all these passkeys get reset on the new laptop? Cannot be manually.
I guess the same question applies to a password manager - how to link a new device to use existing passkeys.
This is the key difference between device-bound and synced passkeys. Device-bound passkeys are stuck to that device. With Bitwarden's synced passkey solution (similar to what 1Password does), you can access it from any device as long as you have Bitwarden installed.
When I create a passkey like you do in your video, the public key will be saved in Bitwarden.
What about the private key, which usually is saved on the local authenticator?
What does sync of a passkey mean?
Sync the private key from one device to another? How will they be stored there? Does this happen automatically?
When you create a passkey with Bitwarden, the private key is saved into your Bitwarden vault. The websites you configure passkeys with will get a copy of your public key.
With Bitwarden's passkey implementation, the passkey stays in your vault which you can access from different devices.
@teachmecyber That also means that my passkey is not stored in a secure enclave (Yubikey, TPM, ...) and is not more secure than just saving a password in the password manager? I'm losing my second factor (password and ownership). Is this correct?
It seems iCloud Keychain offers you the possibility to sync the highly encrypted key and store it in the secure enclave on your device.
Does Bitwarden also provide that?
I'm a newbie. It seems that Firefox does not support passkeys except the hardware ones... what a shame.
Yeah, hopefully they get an update to support it soon!
Thanks for the info. Good video. I'm looking forward to device-bound passkey management on Linux, and the ability to use passkeys to sign in to Linux apps and websites without downloading a password manager or using a browser's built-in password manager.
Also, the ability to import and export passkeys across all of my devices and password managers would be awesome. For example, exporting my Bitwarden passkeys to a file (encrypted or unencrypted) and then importing them into an Android phone or iPhone or Linux/Windows/macOS computer or another password manager. Or just skipping the "file" part and letting me choose from a menu which device or password manager I want to send my exported passkeys to.
The export feature scares me a bit because it will get abused by attackers, so I'm keen to see how they do that securely. Google is lagging behind on support in Android, but is working on APIs that will unlock the ability for Bitwarden to use passkeys on Android. It's slow but progress is being made!
125% faster? What does that even mean? If I normally log in in 100 seconds, using Bitwarden makes me log in in negative 25 seconds?
Okta's analysis showed that logins with a password on average took ~13 seconds. With passkeys, 3 seconds.
@teachmecyber Ok, so faster, but the number 125% makes no sense.
Just me getting my math wrong lol
Nice work Jason. I wish somebody who knows about computer stuff will at some point design an app to get a non computer user to be able to set up and use passkeys and indeed password managers. Nobody seems to understand that what seems like a "simple setup" to a computer user makes no sense at all to a non computer user. Until somebody designs a system to get this done the people who stand to gain the most from passkeys/password managers are the people who will continue to be the ones that are unable to access the service...just saying.
I've been thinking about doing a written tutorial to help in situations like this. While not perfect (e.g. I can't make the program easier), it may help with learning the new tool. Would that be useful?
Real short list of supported browsers and sites, sounds like wait a year then have another look.
There's no reason not to start now. Protect the accounts you can and then revisit it from time to time to see what you can add.
Sir, I am fully new to Bitwarden. Today I am trying to log in to Bitwarden using a passkey on my mobile phone, but it only shows the PIN option, and after that when I go to log in it always shows "wrong key". Please help me with how to use it properly on a mobile phone.
Can you provide more information on what's happening?
It is so quick that I lack the confidence that I did it right... 🙄
Did you try to login with the passkey after you set it up?
You cite Okta, but you fail to mention that they're a biased party...
I can only be thankful that passkeys are still not working on my copy of Bitwarden.
It appears that is by design. Passkeys only work with the online vault, which is a million times less secure than my locally installed vault.
No thanks. Got any alternative password managers I can try that didn't dilute their product security with passkey implementation?
Passkeys are the future. They are more secure than traditional passwords. I imagine most password managers are going to expand support for them as more websites adopt the technology.
If you're an offline password vault person, KeePass, Bitwarden's offline version, or Passbolt are good options.
@teachmecyber "They are more secure than traditional passwords." How so? When biometrics fail, the fallback is a simple PIN. Anyone close to you with bad intentions who has seen you unlock your phone can get access to your accounts as well when passkeys are enabled.
Passkeys are basically 1FA when the bad actor has access to the device.
I'm even more confused about passkeys now than I was before watching.
What can I help clear up? Have you seen the full video I posted on what passkeys are and how they work?
"Can log in 125% faster" - the math does not work out. Negative time?
Heh yeah, I think I got my math wrong. Regardless, it's much faster and more secure!
No Firefox support?
I've heard mixed results with Firefox. Are you having issues with it?
@teachmecyber It works on Chromium-based browsers only, it seems.
Takes 6 seconds to load the add-on on an i7 + SSD + 16 GB RAM, unacceptable.
That's odd, what OS are you using?