Not sure if this is new information or not, but this post mentions that Bitwarden is planning to support passkeys starting in 2023.<p>That's great, since AFAIK all existing passkey implementations are tied to a specific browser or OS, and have no way to export the keys, which isn't great for a program designed to own the keys to your digital life. I'm hopeful Bitwarden will solve that problem, and that their example will encourage other popular password managers to do the same.<p>(...or at least, I <i>think</i> "passkey support" means they plan to support storing passkeys in Bitwarden itself. I hope it doesn't just mean they want to let you use a passkey to log in to Bitwarden. That'd be really disappointing, and probably a poor choice strategically given that passkeys aim to eventually render traditional password managers obsolete.)
I really dislike the idea of giving complete access to my digital life to any company, particularly one that needs to grow quickly.<p>The tech for password vaults is so simple, I use keepass + icloud syncing and get free end-to-end encrypted password syncing, without sharing any data with anyone.<p>Outlined in more detail here: <a href="https://magoop.substack.com/p/how-to-manage-500-passwords-securely" rel="nofollow">https://magoop.substack.com/p/how-to-manage-500-passwords-se...</a>
Slightly off-topic, but I really find the Bitwarden clients to be lacking in the feature department. I switched to Bitwarden a few months ago and the client has evolved (for me) ever since.<p>There are a few basic features missing, such as: if I search for something I wrote in the notes of a password, the client shows the corresponding password. I get that the open-source model implies that everyone can contribute and fix this issue, but if I look at the repo and see 108 open PRs, I don't even bother to check if that's a feature that would be easy to add.
And here is a link to the web site of this startup:<p><a href="https://www.passwordless.dev/" rel="nofollow">https://www.passwordless.dev/</a><p>Anders Åberg (@andersaberg) who is the founder behind this is a really enthusiastic and inspiring coder. I've always enjoyed his mashup hackathon ideas and meetup presentations. :-)
Could someone clarify what the relationship between passkeys and WebAuthn is? Is it that Passkey is the Apple, Google, Microsoft <i>implementation</i> (commercialization?) of WebAuthn? If so, does it add anything on top of WebAuthn that makes it differ in some fundamental way? Also, are passkeys how WebAuthn is most commonly actually used in practice? Apologies for the noob questions.
Would have preferred to see the cash used for this spent on things like app QoL improvements, an actual code audit (not just the basic network security assessments they list), or actual bounties for their bug 'bounty' program.
Wow this is really cool. I just tried the example on the homepage, that's magic! No email, username or password. Can someone explain what is happening?
Anyone know how Bitwarden fits into the "passwordless" equation here? I tried to log in to Dogwarden (shown in the video demo on passwordless.dev), but the Bitwarden extension/app doesn't seem to do anything during sign-up.<p>Also wondering if anyone knows why this device [1] doesn't work during the "passwordless" sign-up/sign-in process on dogwarden1.passwordless.dev. Am I going to have to buy yet another hardware key if I want passwordless logins?<p>1. <a href="https://www.amazon.com/gp/product/B0773YLSY5/" rel="nofollow">https://www.amazon.com/gp/product/B0773YLSY5/</a>
One can easily self-host a Bitwarden server on DigitalOcean.
<a href="https://bitwarden.com/blog/digitalocean-marketplace/" rel="nofollow">https://bitwarden.com/blog/digitalocean-marketplace/</a><p>However, I'm curious what y'all think about the cost. A DigitalOcean droplet for the recommended specs (4 GiB memory) is $24/month. This is hard to stomach when you compare with Bitwarden Premium which is <$1/month. I guess it depends on how much you value your own data.
I’m highly skeptical of Passkeys/Webauthn as it would seem to not have the same legal protections that a password has in the US. Maybe this is me becoming a conspiracy theorist.
I like where passwordless.dev is going. However, I don't think I'd like to build a business on top of that. Is there a similar implementation that's open-source that doesn't depend on a third party?
The idea of FIDO2 with HW tokens is great, but not practical if you don't own at least 2 pieces:
- one constantly inserted into the main working machine
- a second one somewhere with the keys, ready to be used on other devices<p>You should have a third one - a backup token stored securely in a safe or vault. That is a $150 investment just to do it right.<p>And then - not all webapps allow registering more than one FIDO2 device, which totally cancels the above best practices.
Interesting demo. What happens though if the device holding the private key is lost? Or Apple decides to shut down your iCloud? Is there a backup option, similar to backup codes for OTP?
This seems a bit odd to me - is setting up WebAuthn in your main backend so hard that an external service like this for validating credentials is required?
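Two of the points raised above, that many web apps only let you register a single FIDO2 device (so a spare and a backup key are useless) and whether handling WebAuthn credentials in your own backend is hard, come down to the same small piece of server-side state. The sketch below is an added example, not code from Bitwarden, passwordless.dev or anyone in this thread: a relying-party credential registry that accepts several authenticators per user, hands out the `excludeCredentials`/`allowCredentials` lists for the browser ceremonies, and applies the WebAuthn signature-counter check that flags a cloned authenticator. It assumes the assertion signature has already been verified by a WebAuthn library before `record_assertion` is called; the credential IDs, keys and counters used in the demo are constructed values.

```python
"""Server-side credential registry for a WebAuthn relying party (example code).

Constructed illustration, not the code of any product mentioned in the thread.
It covers the bookkeeping a relying party needs so that a user can hold a
daily-use key, a spare and a backup in a safe, and so that a cloned
authenticator is noticed via the signature counter. Signature verification
itself is assumed to be done by a WebAuthn library before record_assertion().
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Credential:
    credential_id: bytes
    public_key: bytes   # COSE-encoded public key as returned at registration
    sign_count: int     # last counter value seen from this authenticator
    label: str          # user-chosen name, e.g. "spare key"


@dataclass
class Account:
    user_handle: bytes                      # opaque, random, never the e-mail
    credentials: dict = field(default_factory=dict)  # credential_id -> Credential


class CredentialRegistry:
    def __init__(self):
        self._accounts = {}   # user_handle -> Account
        self._owner_of = {}   # credential_id -> user_handle (global uniqueness)

    def create_account(self) -> Account:
        acct = Account(user_handle=secrets.token_bytes(32))
        self._accounts[acct.user_handle] = acct
        return acct

    def register(self, account, credential_id, public_key, sign_count, label):
        # The spec requires a credential ID to belong to exactly one user;
        # a duplicate means the same authenticator is being enrolled twice.
        if credential_id in self._owner_of:
            raise ValueError("credential already registered")
        cred = Credential(credential_id, public_key, sign_count, label)
        account.credentials[credential_id] = cred
        self._owner_of[credential_id] = account.user_handle
        return cred

    def exclude_list(self, account):
        # Sent as excludeCredentials in a *new* registration: prevents
        # re-enrolling a key the user already has, while a different physical
        # key is still accepted. This is what "allow more than one device" needs.
        return list(account.credentials)

    def allow_list(self, account):
        # Sent as allowCredentials at sign-in so any of the user's keys works.
        return list(account.credentials)

    def record_assertion(self, credential_id, new_sign_count):
        """Apply the counter check after the signature verified. Returns (ok, reason)."""
        user_handle = self._owner_of.get(credential_id)
        if user_handle is None:
            return False, "unknown credential"
        cred = self._accounts[user_handle].credentials[credential_id]
        # Authenticators without a counter always report 0 on both sides;
        # clone detection is simply unavailable for them.
        if new_sign_count == 0 and cred.sign_count == 0:
            return True, "no counter support"
        # Otherwise the counter must strictly increase. A repeat or a decrease
        # means a second device is signing with the same private key.
        if new_sign_count <= cred.sign_count:
            return False, "possible cloned authenticator"
        cred.sign_count = new_sign_count
        return True, "ok"

    def remove(self, account, credential_id):
        # Refuse to delete the last key: the user would be locked out unless
        # a separate recovery path exists.
        if len(account.credentials) <= 1:
            raise ValueError("cannot remove the last credential")
        del account.credentials[credential_id]
        del self._owner_of[credential_id]


if __name__ == "__main__":
    reg = CredentialRegistry()
    alice = reg.create_account()
    reg.register(alice, b"cred-daily", b"cose-key-1", 0, "daily key")   # constructed
    reg.register(alice, b"cred-spare", b"cose-key-2", 5, "spare key")   # constructed
    print("exclude list size:", len(reg.exclude_list(alice)))
    print(reg.record_assertion(b"cred-spare", 6))
    print(reg.record_assertion(b"cred-spare", 6))   # replayed counter
```

The only state that makes multi-device support work is the per-user dictionary of credentials; a backend that stores one public key per user cannot return a proper `excludeCredentials` list, which is the usual reason a site ends up with the "one key only" limitation complained about above.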
Passwordless as a concept needs to die along with biometric auth.<p>You have really good newer methods of auth. Instead of selling them as good MFA alternatives security vendors decided to replace passwords because that differentiates them more. But in reality, the layer of defense "what you know" should be complemented not replaced. A reduction in security being sold as a feature is dishonest and harmful.
The demo on the homepage is available only on Chrome. I tried both Safari and Firefox on macOS and I can't see the "Experience Passwordless.dev in action" link there.
I still don't understand how it works.
I went into the website under authenticated using my phone's API, where is my account now?
There is nothing in my Bitwarden vault.
I’ve been using the keepass ecosystem for years after switching from 1password. It’s open source, highly portable, and you don’t need a degree to set it up.
Sounds a bit worrisome to me…
Maybe I'm just overly cautious,
but I guess it's time to look around again.
Has anybody checked out APass yet?
<a href="https://github.com/balu-/a-pass">https://github.com/balu-/a-pass</a>
As a recent convert to Bitwarden from LastPass, I start to get a bit nervous when I see acquisitions happening. LastPass getting acquired was the beginning of the end for it, IMO, before stagnating into criminal negligence.<p>Granted this is Bitwarden <i>acquiring</i> rather than being acquired, but I still worry it leads to a trend of building "portfolio value" rather than focusing on the product. I sincerely hope I'm wrong.
Your passwords shouldn't leave your device.<p>Chrome's password manager is pushing it.<p>Everything else should be considered malware.<p>I don't understand how such a 'techy' crowd here on HN can be so belligerent with this security vs convenience trade off.<p>KeePass locally, gmail yourself an encrypted backup. That's it. FFS.