Thanks, but when I try to set up WebAuthn on my Mac in Safari and press the Read Key button, it gives me a choice of the Safari Passwords page or a hardware key, with no mention of the Bitwarden vault. Am I doing something wrong?
I understand having a backup method in case you lose your device, or your yubikey. However, couldn't a hacker also say "I lost my device", etc and use the "less secure" MFA?
Really nice video. I just had a couple of questions. Which authenticator app would you recommend? I am currently using Authy. Secondly, how safe are passkeys? If they are device-bound, wouldn't it be possible for someone to gain access if the device gets compromised? Also, is it safe to use on iPhone? Again, these might be really dumb questions, but I just wanted to know.
Can you elaborate on your position that WebAuthn is the most secure solution, and that a hardware token should only be used as a backup?
How do I use my fingerprint? I don't have any way to on my Mac keyboard. I also keep my iMac camera covered. Also, I want to set this up on my iPhone 14 as well.
Thank you for the info. Do you have two YubiKeys, one as primary and one as a backup, when logging into sites that don't support passkeys but do support YubiKeys?
Excellent, thanks. Is it possible to use a YubiKey on one device (e.g. on my iMac, which doesn't have biometrics) and a passkey on another (e.g. on my tablet)?
Yes, you can set up multiple methods! What you outlined will work for you
Great advice, thanks.
Hello. You could make a short explainer video on how to store passkeys in Bitwarden (if this option is already enabled); something similar to the video from a few days ago where you explained how to do it with 1Password.
Greetings and blessings from Cuba, learning a lot from your videos 🙏🏼
Bitwarden hasn't released this functionality yet, but once they do I'll release a video for it! Thanks for following!
This is awesome!
Glad you like it!
Thanks for sharing!
Thanks for watching!
Great tutorial, I just subscribed, but I am very puzzled by this. It sounds great, but when I try to do it on my Win11 PC it seems the Bitwarden setup requires me to use a security key such as a YubiKey, which I don't have and which doesn't appear to have happened for you.
Do you have any hints why I can't get the key on Linux (Ubuntu)? Firefox forces me to touch my security key, which I don't have, and Chromium wants me to use my Android phone's key or another mobile device. Windows and my Android phone worked flawlessly, and I don't know how to overcome this obstacle under Linux... :(
This is quite frustrating. I've tried to add passkeys managed by my Google account, as well as Windows Hello, and when it asks for my device PIN it always rejects it.
The GOAT
💪💪💪
Can you make a how-to on changing all your passwords using Bitwarden?
If a passkey is linked to a specific domain, won't that cause a lot of hassle in setting up new passkeys whenever a site decides to change their domain? I've had it happen rarely, but every time it happens, it's a pain in the backside.
Also, device-bound passkeys are a pain when you get a new phone and have to set up new keys for all the sites that had a key linked to your old phone...
I would say the domain change is so rare that it's almost not a concern. For device-bound passkeys, it will be a pain when you get a new device. It's the more secure way. There are synced passkeys that can alleviate this, but at a trade-off in security.
The passkey in this example is associated with Chrome and no other device, right? Only from that device can I use it until I add another one. So it doesn't support multi-device passkeys? If I saved that passkey to a password manager like 1Password, I wouldn't be able to use it from all the devices that have the 1Password vault synced. There is a bit of confusion about these new passkeys, and they seem promising, but they should become the only way to log in, because if they are an alternative the risks are the same. Sorry for the novel 😆
Jason what is the naming convention of the passkey for the vault? Is it a password or phrase? Enjoy your videos, thanks
Can you expand on what you mean by naming convention? I'm not clear on what you're asking.
Watching your latest video, "Hackers targeting your vault", you created a passkey for your Bitwarden vault, was that a password or phrase or something else that you input as your passkey? I'm new to this, so I don't completely understand some of it.
Ah okay! The passkey is different from a password or passphrase. It's a more secure way to log into applications. It uses cryptography to do this (check out my video on passkeys that goes deeper into what that is).
For Bitwarden, you will first need to create a master password (this will be a password or passphrase, just make sure it's long and complex!). After that, you can create a passkey which you can then use to login.
I already have Bitwarden installed and a master password created; I'm just trying to understand this additional security. So is the passkey something I can see, and do I need to remember it, or will Bitwarden remember it automatically? Thanks for the patience.
You can't see the passkey, nor do you need to! It all happens behind the scenes. When you go to log into Bitwarden and get prompted for your fingerprint, it unlocks the passkey and does all the work for you. Nothing for you to remember or type.
That's what makes it so fast!
I have several Gmail accounts for personal, business and two organizations. I use a MacBook (10 years old), iPad Pro (4 years old), desktop PC (1 year) and Android phone (less than 6 months). Do I need separate accounts for each Gmail account?
You can use a single Bitwarden account and just create different vaults for each use case (e.g. one for personal, business, and for each of your organizations). It's an easier way to logically separate them out.
No. Just one Bitwarden account.
What if I leave the Bitwarden extension off, and then activate the extension when I need it?
If you did have 3 MFA pathways set up for backup, then what happens if you lose your MFA on a lost or stolen phone? Wouldn't that defeat your stronger MFA when the hacker now has your phone? Would it be better not to have MFA on your phone now?
If you're putting a password on your phone or using biometrics, that will help in this scenario.
My desktop has no biometric capabilities. WebAuthn is asking for a USB key to continue. Is a YubiKey required to set up? I don't see an option to just enter a password to authorize the public key.
You are going to have to have a device that can securely store your passkey. Are you using a Windows system? If it supports Windows Hello, you should be able to use a PIN or even face recognition for it to work.
I'm on Windows 11 Pro for my desktop. I'll have to do some more research on setting this up. Thanks, @teachmecyber
What is the downside?
Bitwarden Firefox WebAuthn???
Hello. Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How do I get Bitwarden to recognize this situation? It works OK if the page asks for both the username and password.
Make sure the URL for the website is present in Bitwarden
@teachmecyber Thanks for the reply. What if it's not a website but an Android app?
If I delete the browser, what will happen, since the browser has the MFA?
The Passkeys are stored on your device, so even if you delete the browser you'll still be able to use the passkeys (assuming your browser supports it).
@teachmecyber Thanks, sir 🙏
And where is it stored? Or is it a hash algorithm that Bitwarden does with my computer info? @teachmecyber
I don't have a security USB key; it asks me to enter my Windows PIN, which is 4 digits. Is it OK to use it?
It's still okay to use with the PIN, though even better if you use something like a fingerprint or Face ID to unlock (depends on what your system supports).
Why did you not show how to set your phone as a second webauth passkey?
Just because of challenges with recording on a mobile device.
But what if your email already has malware, and that email already has the phishing bait, and you go get passkeys, and the person or owner doesn't know anything about the email having a virus, hackers, scammers... they got all the info, so that will be game over for the owner of the gadgets? Like me, I don't know if my email has a virus, and my Facebook got hacked...
The passkey is still tied to Bitwarden and the device you own. Even if an attacker had access to your email, it wouldn't degrade the security of this.
@teachmecyber What if email is used as one of the backup methods? Could a hacker say "I lost my device, YubiKey, authenticator app, etc." and get a code via email?
Thanks for the great video. I have Bitwarden Premium. I have two YubiKeys: a master key and a backup key. Is the Premium version worth it if FIDO is also available in the free version?
Currently the hardware keys are still a Premium feature. This update is for FIDO2 WebAuthn, which is passkeys.
Given your current configuration, you'll want to keep the paid version.
Too much Magic.
Locking a login to a specific device is horrifying. No thanks.
You can set up multiple devices so you have backups. It's the most secure way to protect your bitwarden vault.
@teachmecyber ... and you should write down your "2FA recovery code", so even losing "the one specific device" wouldn't be a disaster. You can still use the 2FA recovery code to log in and set up 2FA again from scratch.
In other words, they implemented a feature that does NOTHING to improve passwords.
They abandoned their actual functionality in favor of supporting some new type of malware instead.
It's time to abandon Bitwarden and choose a capable password manager instead, although I suspect there are very few of them left.
Unfortunately, they are not the only one to promote nonsensical "passkey technology".
Passkeys are more secure and provide an easier login experience.
@teachmecyber But they're not passwords and thus not relevant to a password manager.
Bitwarden still stores passwords as before. Passkeys are an added feature if you want to use them. They are a type of public/private key pair that has been used for almost 30 years. I've found no information that passkeys are malware; I don't know where you got that from.
What are you on about?
How do I not lose the Yubico physical key..? 🤔 What if I do?