Storing Passkeys

Passkeys can be stored and used by Bitwarden Password Manager. Using browser extensions and mobile apps, users can log in to their favorite apps and websites that have passkey login capability. Passkeys are a safe, passwordless alternative for users to log into services across their devices.

Developed with the standards set by the FIDO Alliance, passkeys allow a user to secure their accounts and bypass the vulnerabilities that come with standard password authentication, such as phishing. Stored passkeys are protected with Bitwarden's trusted end-to-end encryption.

Passkeys are a replacement for passwords that provide fast, easy, and secure sign-ins to websites and apps across a user's devices. More precisely, "passkey" is a consumer-friendly term for a discoverable FIDO credential that can be synced to allow secure passwordless sign-ins across devices, or dedicated to a single piece of hardware as a device-bound passkey.

Apps and services can request that passkeys created with them are verified with a PIN, password, pattern, or biometric factor when you save or access them. For more general information about passkeys, see Passkey FAQs.

Passkeys are stored and invoked via Bitwarden browser extensions and mobile apps. This means that both discoverable passkeys and non-discoverable FIDO2 credentials can be stored in Bitwarden and used to log in to websites with passkey capabilities.

• Browser extensions
• iOS
• Android

note

When a domain is in the Excluded Domains list, Bitwarden browser extensions won't issue passkey prompts.

Ask to save and use passkeys

To use the functionality described below, make sure that the Ask to save and use passkeys option, located in the browser extensions Settings → Notifications menu, is toggled on.

You can set excluded domains if there are specific sites you do not wish to use Bitwarden for passkeys with.

Create a passkey

When creating a new passkey on a website or app, the browser extension will prompt you to store the passkey:

note

Select Use your device or hardware key if you do not wish to store the passkey in Bitwarden.

If a passkey already exists for this service, Bitwarden will allow you to save a new passkey by selecting the  icon to create a new item, or by overwriting an existing passkey:

note

Only one passkey can be saved per login item. If a credential is saved in multiple places, for instance as two separate login items in the individual vault and organization vault respectively, a different passkey can be be stored with each login item.

Sign in using a passkey stored in Bitwarden

To use a passkey stored in Bitwarden, initiate the passkey login on the website. When the Ask to save and use passkeys option is on, the browser extension will provide an option to login using the passkey stored in your Bitwarden vault:

tip

The inline autofill menu can also be used to easily authenticate with passkeys.

Select the passkey you would like to use and press Confirm.

note

Select Use your device or hardware key if you do not wish to store the passkey in Bitwarden, or to use an existing passkey that is not stored in Bitwarden.

Setup Bitwarden for use with passkeys

To use the functionality described below, open your iOS Settings app and navigate to Passwords → Password Options. Toggle the following options on:

• Toggle AutoFill Passwords and Passkeys on.

• Toggle Bitwarden on in the Use passwords and passkeys from: list.

Create a passkey

When creating a new passkey on a website or app, the iOS application will prompt you to store the passkey:

Select Continue.

note

Select Other Options if you do not wish to store the passkey in Bitwarden or Other Sign In Options to sign in with a passkey not stored in Bitwarden.

If a passkey already exists for this service, Bitwarden will allow you to save a new passkey by selecting the  icon to create a new item, or by overwriting an existing passkey:

note

Only one passkey can be saved per login item. If a credential is saved in multiple places, for instance as two separate login items in the individual vault and organization vault respectively, a different passkey can be be stored with each login item.

Sign in using a passkey stored in Bitwarden

To use a passkey stored in Bitwarden, initiate the passkey login on the website. The mobile app will provide an option to login using the passkey stored in your Bitwarden vault:

Select Continue.

note

Select Other Options if you do not wish to store the passkey in Bitwarden or Other Sign In Options to sign in with a passkey not stored in Bitwarden.

Setup Bitwarden for use with passkeys

Once the Bitwarden application is updated to the latest version, go to Settings → Auto-fill and tap Passkey management to access the Android settings to configure Bitwarden as your passkey provider.

warning

In order to activate Bitwarden as your preferred passkey provider it may be necessary to:

• For Chrome users:

  • Navigate to chrome://flags and select Enabled for 3rd party passkey providers under Android Credential Management for passkeys. If this option is not shown, your browser may need to be updated.

• Disable and re-enable Bitwarden as your autofill provider once updated to the latest version.

• Reboot your phone after changing the above settings.

• Remove any passkeys stored in Google Password Manager, as Android will preference this provider (be sure not to delete any important passkeys that will result in lockout from an account).

Please also note that Android does not allow 3rd party passkey providers like Bitwarden to support passkey-based 2FA (a.k.a. "non-discoverable credentials"); Bitwarden-stored passkeys can only be used as a primary login credential.

Additionally, while passkeys for web browsers are supported, support for apps is coming soon in a future build.

Create a passkey

When creating a new passkey on a website or app, the Android application will prompt you to store the passkey:

Select Create.

note

Select Save another way if you do not wish to store the passkey in Bitwarden or More saved sign-ins to sign in with a passkey not stored in Bitwarden.

If a passkey already exists for this service, Bitwarden will allow you to save a new passkey by selecting the  icon to create a new item, or by overwriting an existing passkey:

note

Only one passkey can be saved per login item. If a credential is saved in multiple places, for instance as two separate login items in the individual vault and organization vault respectively, a different passkey can be be stored with each login item.

Sign in using a passkey stored in Bitwarden

To use a passkey stored in Bitwarden, initiate the passkey login on the website. The mobile app will provide an option to login using the passkey stored in your Bitwarden vault:

Select Sign in to use your passkey.

note

Select Save another way if you do not wish to store the passkey in Bitwarden or More saved sign-ins to sign in with a passkey not stored in Bitwarden.

Once a passkey has been saved, it can be viewed from any Bitwarden app and is located in the Passkey field:

To delete a passkey from a vault item:

1. Open the item Edit screen from the Password Manager web app, browser extension or desktop app.

2. Select the  delete icon for the Passkey field.
   

   

The following FAQ items are in reference to Bitwarden passkey storage. For general passkey information, see Passkey FAQs.

Q: Will passkeys be included if you clone a vault item?

A: Bitwarden will not copy a passkey when completing a clone action.

Q: Are stored passkeys included in Bitwarden imports and exports?

A: Passkeys are included in .json exports from Bitwarden. The ability to transfer your passkeys to or from another passkey provider is planned for a future release.

Q: Can I store passkeys in the mobile app?

A: Passkeys support for mobile applications is available for iOS (learn more) and for Android (learn more).