Thanks, but when I try to set up WebAuthn on my Mac in Safari, and press the Read Key buttom, it gives me a choice of the Safari Passwords page or a Hardware key - no mention of BitWarden Vault. Am I doing something wrong?
Really nice video. I just had a couple of questions. Which authenticator app would you recommend? I am currently using Authy. Secondly, how safe are passkeys? If they are device-bound, wouldn't it be possible for someone to gain access if the device gets compromised?. Also is it safe to use it in iphone ? Again, this might be a really dumb questions, but I just wanted to know.
Thank you for the info. Do you have two Yubikeys, one as primary and one as a back up when login into sites that don't support passkeys but do support Yubikeys?
This is quite frustrating. I've tried to add passkeys managed by my Google account, as well as Hello Windows, and when it asks for my device PIN it always rejects it.
Great tutorial, I just subscribed but I am very puzzled by this. It sounds great but when I try to do it on my Win11 PC it seems the Bitwarden setup requires me to use a security key such as Yubikey which I don't have and which doesn't appear to have happened for you.
Excellent, thanks. Is it possible to use a Yubikey on one device (e.g. on my iMac which doesn't have biometrics) and a passkey on another (e.g. on my tablet)?
The passkey in this example is associated with Chrome and no other device, right? Only from that device can I use it until I add another one. So it doesn't support multi device passkey? If I saved that passkey to a password manager like 1password I wouldn't be able to use it from all the devices that have the 1 password vault synced. There is a bit of confusion about these new passkeys and they seem promising but they should become the only way to log in because if they are an alternative the risks are the same. Sorry for the novel 😆
Watching your latest video, "Hackers targeting your vault", you created a passkey for your Bitwarden vault, was that a password or phrase or something else that you input as your passkey? I'm new to this, so I don't completely understand some of it.
Ah okay! The passkey is different from a password or passphrase. It's a more secure way to log into applications. It uses cryptography to do this (check out my video on passkeys that goes deeper into what that is). For Bitwarden, you will first need to create a master password (this will be a password or passphrase, just make sure it's long and complex!). After that, you can create a passkey which you can then use to login.
Already have bitwarden installed and master password created, just trying to understand this additional security. So Is the passkey something I can see and do I need to remember it, or will Bitwarden remember it automatically? thanks for the patience.
You can't see the passkey nor do you need to! It all happens behind the scene. When you go to log into Bitwarden and get prompted for your fingerprint, it unlocks the passkey and does all the work for you. Nothing for your to remember or type it. That's what makes it so fast!
If a passkey is linked to a specific domain, won't that cause a lot of hassle in setting up new passkeys whenever a site decides to change their domain? I've had it happen rarely, but every time it happens, it's a pain in the backside. Also, device-bound passkeys are a pain when you get a new phone and have to set up new keys for all the sites that had a key linked to your old phone...
I would say the domain change is so rare that it's almost not a concern. For device bound Passkeys, it will be a pain when you get a new device. It's the more secure way. There are synced passkeys that can alleviate this but a trade off of security
Hello. You could make a short explainer video on how to store passkeys in Bitwarden (if this option is already enabled); something similar to the video from a few days ago where you explained how to do it with 1Password. Greetings and blessings from Cuba, learning many from your videos 🙏🏼 Hola. Puede hacer un breve video explicativo sobre cómo almacenar claves de acceso en Bitwarden (si esta opción ya está habilitada); algo similar al vídeo de hace unos días donde explicabas cómo hacerlo con 1Password. Saludos y bendiciones desde Cuba, aprendiendo muchas de sus videos 🙏🏼
I have several gmail accounts for personnel, business and two organizations. I use MacBook (10 years old, iPad Pro (4 years old) desktop PC (1 year) and android phone (less than 6 months). Do I need separate accounts for each gmail account?
You can use a single Bitwarden account and just create different vaults for each use case (e.g. one for personal, business, and for each of your organizations). It's an easier way to logically separate them out.
Thanks for the great video. I have Bitwarden Premium. I have two YubiKeys. A master key and a backup key. Is the premium version worth it if Fido is also available in the free version?
Currently the hardware keys are still a premium feature. This update is for FIDO2 WebAuthN, which is passkeys. Given your current configuration, you'll want to keep the paid version.
if you did have 3 mfa pathways setup for backup, then what happens if you do lose your mfa on a lost or stolen phone? wouldn't that defeat your stronger mfa when the hacker now has your phone? Would it be better not to have mfa on your phone now?
My desktop has no Bio-metric capabilities. The WebAuthN is asking for a USB to continue. Is a Yubi Key required to setup? I don't see an option to just enter a password to authorize the public key.
You are going to have to have a device that can securely store your passkey. Are you using a Windows system? If it supports Windows Hello, you should be able to use a PIN or even face recognition for it to work.
Hello Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How to get Bitwarden to recognize this situation? It works ok if the page asks for both the username and password.
but what if your email was already has malwer and that email has already the bait of phishing and you go get passkeys and the person or owner dosent know anthing that the email has virus,hacker,scammers...got all info that will be game over to the owner of the gadgets? like me i dont know if my email has virus and my facebook got hacked...
The passkey is still tied to the bitwarden and the device you own. Even if an attacker had access to your email, it wouldn't degrade the security of this.
The Passkeys are stored on your device, so even if you delete the browser you'll still be able to use the passkeys (assuming your browser supports it).
It's still okay to use with the PIN, though even better if you use something like a finger print or face ID to unlock (depends on what your system supports)
In other words, they implemented a feature that does NOTHING to improve passwords. They abandoned their actual functionality in favor of supporting some new type of malware instead. It's time to abandon Bitwarden and choose a capable password manager instead, although I suspect there are very few of them left. Unfortunately, they are not the only one to promote nonsensical "passkey technology".
Bitwarden still stores password as before. Passkeys are an added feature if you want to use them. They are a type of public/private keys that have been used for almost 30 years. I've found no information that passkeys are malware, I don't know where you got that from.
@@teachmecyber... and you should write down your "2FA recovery code", so even losing "the one specific device" wouldn't be a disaster. You still can use the 2FA recovery code to log in - and set up 2FA again / new.