by syncerr 1291 days ago
Passwordless is going to be great. Though, this is just for unlocking your bitwarden account.

Real cross-device passwordless is likely coming in the next year or so. WebAuthn/Passkey is in its 3rd public working draft[1] and once finalized, we'll likely start to see it across sites. Most devices, browsers and managers have added or are adding support for it: Apple, Microsoft, Google, Auth0, Duo, 1Password, etc. If you haven't seen it, Auth0's demo is helpful[2].

[1] https://www.w3.org/TR/webauthn-3/#sctn-api

[2] https://webauthn.me/


Passkeys are definitely the future, and I think will eventually eliminate a lot of phishing attempts and other insecurity caused by passwords. I'm hoping that we will eventually see transferable, secure identities that you can use to log in anywhere, rather than having to constantly create account credentials for everything.

As a side note, if you want to try out passkeys now and don't want to tie it to your device, I would like to plug my solution, Bulwark Passkey (https://bulwark.id). It's open source, allows you to export your credentials if you want, and supports all browsers since it emulates a virtual USB device.

That seems interesting. What's the license? I couldn't see that in the repo [1]

1. https://github.com/bulwarkid/bulwark-passkey

My apologies; I open-sourced VirtualFIDO a while ago but only open-sourced the actual frontend (Bulwark Passkey) about a week ago, and I forgot the license. It should be MIT licensed now.
The actual 'brains' repo is [1], which is MIT licensed.

[1] https://github.com/bulwarkid/virtual-fido

That's only for sites acting as an OAuth2 authorization server, right?
IMO having devices that can be cloned will always be a weakness. Backup devices work fine.
The threat vector for your passkeys being stolen is the same as current passwords, that's true (because they're just in some syncing database), but it solves many issues that are the leading cause of account compromise these days, mainly phishing and reused passwords.
So, for me, there is no real upside, other than not needing to click "generate password" in my password manager.

What downsides are there? E.g., will it work on rooted phones? Will apps start adding mandatory PIN numbers on top (like they do for biometrics), or will Google/Apple's app stores disallow it? How do I "log out" to avoid tracking without being implicitly logged back in? What happens if I routinely wipe my browser settings? Can I use some other person's computer to log in in a pinch? (Such as when my phone is off network?)

In principle, browser and OS vendors could work through all these "niche" use cases, but I'll be pleasantly surprised if they actually do.

Heya! I just tried installing Bulwark on my Windows 10 machine. Install went fine, but when I try to run the app, I get the Admin privilege prompt, and then... nothing. No sign of the program crashing, or any kind of error.

Any ideas? Thanks!

Ah, that is odd. If you don't mind, could you go to %AppData%/Bulwark Passkey and take a look at main.log or device.log and see if you see any errors in there? I would really appreciate it!

Edit: I was able to reproduce the issue; it looks like WebView2 (which Bulwark Passkey relies on) is already installed on Windows 11 but not on Windows 10. I released a new version on https://bulwark.id that has that WebView now embedded in the app itself, would you mind downloading that and seeing if that works? Thank you for the report!

Good on you for offering another passkey solution! I really want more non-Google/Apple options. I'll check it out.
When did you release it and how is it coming along? Is there any resistance from the physical usb crowd for FIDO?
I released it a week ago. It's moving along pretty well! The USB emulation method works well, as it can support any browser. So far, I haven't gotten too much pushback from the more hardcore security crowd, since I'm upfront about the fact that it is a software implementation.

Personally, I think that the main blocker for adoption of passkeys is ease of use, as if you can't transfer your credentials either off of your device or away from your Apple/Google/etc account, then I think it will be a hard sell to users.

Sadly, the demo didn’t seem to work on my devices. Tried it on desktop Chrome and my Android phone (Galaxy S22); Chrome says that a "notification was sent" to the phone, but there’s nothing. Seems like it’s supposed to work wirelessly, but I didn’t have any success via a USB cable either. Android Chrome does react to it, and shows that it’s connected, but desktop Chrome’s dialog keeps just spinning until it times out.
Wireless is over BLE, so your motherboard needs to be recent enough to have it, or if you have one of those Intel PCIe Wi-Fi adapters, the USB2 cable should be plugged into a header on the motherboard (the Wi-Fi functionality is pure PCIe, but for some reason Bluetooth is over USB).
It’s an Intel Wi-Fi 6 AX200, which should have BLE support; I use BLE game controllers with it all the time. But it’s weird that it doesn’t work with a USB cable either, even when using the motherboard headers. I’m on Linux (Fedora), not sure if that matters or not.