by itake 561 days ago
I'm confused how this works. I tried the demo and Bitwarden asked me if I wanted to save the passkey. From a UX experience, this felt weird... Why do I need to create an account, and save that account? Why does passkey storage prevent bots? Just that bots haven't added that automation yet?

Passkey can be thought of as software emulation of a smartcard (aka hard token aka Yubikey). When it asks you to save it, that's when it creates the virtual smartcard in some reasonably secure local storage (possibly TPM-secured or at least kernel-secured).

The benefit of this approach is that a bot doesn't have the private key.

Of course you want to be sure that webauthn onboarding can't be botted.

I'm still confused... Why can't headless Chrome with Bitwarden easily bypass this? What private key?
Totally agree with this - when it popped up asking me if I wanted to use my fingerprint to do ..._something_... I felt like I was at risk and noped out.