This is an important issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.

There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.

It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.

This is another step in the wrong direction for a company that proudly uses the opensource slogan.

Great news!

I think its a recent addition (08/2024) on Linux.

Add support for biometric unlock on Linux

According to the device support page i should be ok, but yeah there might be something weird going on.

You could use your

• fingerprint
• a pin

to unlock the app instead of the password

I hope I am not misunderstanding you. What you are worried about is passkeys in the password manager not syncing to new devices? They are though, with password managers that support passkeys like Bitwarden, ProtonPass, 1Password etc…

Currently using it on Bitwarden, if I log in to a new device, the passkeys are there.

Could you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.

I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?

The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.

Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.

If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager

Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.

The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though.

The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.

Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.

If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager

Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.

The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).

I think it‘s fair to remain skeptical but the big organizations were part of the development, so there seems to be some interest. And it‘s not always in their interest to lock users in, when it also prevents users from switching to their platform.

Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity providers Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.

The author of your blog post comes to this conclusion:

So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.

The protocol (CXP) which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So i would imagine the author being in favor of the protocol.

The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.

The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeyPassXC

The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].

Thank you for the detailed response! Yes, the what data and how to not create conflicts has been troubling me the most.

I think I might first narrow it down with test VMs first, to skip the transfer part, before I actually use it “in production“.

It has been asked on the forum. Idk if they will consider implementing some type of notification for critical issues on the OS itself. Edit: they are working on a solution

If you dont want to miss future announcements:

• With an Account on the forums you can get notifications if you turn them on for the “Announcement“ tag
• You can add https://universal-blue.discourse.group/tag/announcements.rss to your RSS reader

Saying that I dont trust a homophobe is not “sharing my political opinions”. The lives of gay people may be affected by politics (just as we all are), but that doesn’t mean homophobia (or being against homophobia) is a political opinion.

I couldn’t agree more with you👍🏼

I find it rather repulsive, that people would label “being against gay marriage” as “only holding an opinion”. It makes it seem so harmless. It is depriving people of the same rights that heterosexuals have. And that is why it might matter to people. It’s not just “any” opinion, like a view on how the economy should be regulated, where one could definitely argue about. But a view, which would deprive people of the same rights that others have, is not a valid opinion to have. There is no way that it can be respected. It’s the paradox of tolerance

In a comment further down you write the following: (Edit: the comment has since been removed by a mod)

You have the right to have a liberal opinion so why not let people have their own? It’s like discrimination of black people at this point.

Which is quite ironic. You try to defend holding an opinion, which would discriminate against a certain group by not giving them the same rights. You argue that it’s discrimination to not respect their discrimination. In essence you ask the tolerant to respect the views of intolerant.

The setup process isn’t really much different from other distros, quite easy. It’s documented here. If it’s still too intimidating for you, you could always do a test run in a virtual machine first, there is even an image that you can select at the bottom of the download menu on the website for virtual machines.

The nice thing is that, if you have some kind of special hardware (e.g. certain laptops, nvidia gpu…) you only need to select it the downloading menu and then you are all set with the special tweaks that the hardware requires provided by the community.

After the initial installation it’s an even better experience than other distros I have used. It gives you a first time portal, where you can choose additional applications that you would like installed. If you get your application via flatpak then you are all setup. If you need other applications not available in flathub, you will have to do some further reading in the documentation, it’s all explained there.