The password manager Bitwarden, which is open source, announced that all users can now log in to their online repositories using passkeys instead of the usual credentials username and password.
See also: Bitwarden: Serious vulnerability allows password theft via iframes
Passkeys are the most secure alternative to the passwords most people use and are resistant to attacks phishing. In the case of Bitwarden, they allow users to decrypt their repository without the need for the master password, an email address or double verification (2FA). Bitwarden's implementation of passkeys is currently in beta and relies on the PRF WebAuthn extension to authenticate users and receive an encryption key and decrypt data.
Ο Ryan Luibrand, senior product manager at Bitwarden, explains that end-to-end encryption applications, such as Bitwarden, need to authenticate users and encrypt and decrypt data with Security.
The encryption process requires a static key, which can be derived from a password. A passkey, which is not shared with the application, will produce a different value for each authentication.
To make it more convenient the Accessed at without sacrificing security, Bitwarden used the extension PRF WebAuthn, η οποία είναι μια μέθοδος που επιτρέπει “generating a unique, fixed value from a passkey.“
The extension is an emerging standard that allows symmetric encryption keys to be generated by an authenticator, such as a security key, when used with a compatible browser.
See also: Google ads phishing attack targets Bitwarden users
When a User εγγράφεται με ένα passkey χρησιμοποιώντας ένα κλειδί ασφαλείας υλικού, επιτρέπει στο Bitwarden να κρυπτογραφήσει τα δεδομένα αποθήκης του χρήστη χρησιμοποιώντας τον συναφή κλειδί κρυπτογράφησης. Αντίθετα με τον τρόπο λειτουργίας των Hardware Security Modules – HSMs, η επέκταση PRF δεν αποθηκεύει κλειδιά στο υλικό, αλλά δημιουργεί κλειδιά χρησιμοποιώντας εισροή δεδομένων από τον εξαρτώμενο φορέα (την ιστοσελίδα).
Because key generation is a predefined process, the same input will always produce the same output, and therefore, access keys can be used reliably for the same online platform ή service.
In an article published last summer, Bitwarden provides more details about the implementation of the PRF extension and how it works.
During the beta phase, Bitwarden will allow users of all packages to create a maximum of five passkeys for the web application. This feature is currently available on browser-based Chromium and support PRF WebAuthn, but there are plans to extend it to more customers in the future.
For passkeys that do not support the PRF WebAuthn extension, users can still authenticate without email or 2FA, using the Bitwarden password for decryption.
See also: ZenRAT malware detected on a fake Bitwarden page
Passkeys are becoming a popular method for securing access to personal and confidential information in computers, smartphone and various internet devices. Using biometric data such as fingerprints, facial recognition or iris scans that create unique passwords for each individual user, passkeys have the potential to replace traditional password-based security.
This method not only provides greater security, but also allows faster and easier access to devices, as you do not have to manually enter passwords.
Source: bleepingcomputer
