Great to see progress! Why is it behind their official github releases though? Latest version is 2024.10.2 and not 2024.09.0. It is four releases meaning more than a month behind.

This is an important issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.

There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.

It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.

This is another step in the wrong direction for a company that proudly uses the opensource slogan.

Great news!

I think its a recent addition (08/2024) on Linux.

Add support for biometric unlock on Linux

According to the device support page i should be ok, but yeah there might be something weird going on.

You could use your

• fingerprint
• a pin

to unlock the app instead of the password

I hope I am not misunderstanding you. What you are worried about is passkeys in the password manager not syncing to new devices? They are though, with password managers that support passkeys like Bitwarden, ProtonPass, 1Password etc…

Currently using it on Bitwarden, if I log in to a new device, the passkeys are there.

Could you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.

I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?

The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.

Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.

If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager

Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.

The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).

I think it‘s fair to remain skeptical but the big organizations were part of the development, so there seems to be some interest. And it‘s not always in their interest to lock users in, when it also prevents users from switching to their platform.

Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity providers Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.

Thanks for the link! Learned something new today.

deleted by creator

The author of your blog post comes to this conclusion:

So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.

The protocol (CXP) which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So i would imagine the author being in favor of the protocol.

The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.

The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeyPassXC

The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].

I had the same idea a while back and was wondering why no one has implemented something like this yet. This seems like an actual useful application for LLMs.

I am using Zotero (Citation Management Software) to collect scientific Articles I have read. Sometimes I forget in which Article I read about something specific. A search, where you could describe what you are looking for in a sentence, which then returns the Article with the relevant part, would be a gamechanger.

What does Ente mean?

In Malayalam, Vishnu’s native language, “ente” means “mine”. Thus “Ente Photos” has the literal meaning “my photos”.

This was a good name, but still Vishnu looked around for better ones. But one day, he discovered that “ente” means “duck” in German. This unexpected connection sealed the deal. We should ask him why he likes ducks so much, but apparently he does, so this dual meaning (“mine” / “duck”) led him to finalize the name, and also led to the adoption of “Ducky”, Ente’s mascot Source

Sure thing, never claimed to know if it violates the law. Thats for judges to decide.

I will copypaste, because this feature has been discussed a lot already.

The companies will get some general data if their ads work, without a profile about you being created. I am fine with that. Just imagine what a boon it would be for the “normal“ less tech savvy, if advertisers switched to a more privacy respecting technology like this. If more privacy focused people don’t like it, they can simply disable it by ticking one box, without negative consequences (unlike content blockers and similar techniques where a website can penalize you, turned off PPA is not detectable). It has no downsides as far as I am concerned. It doesn’t give advertisers additional data that they wouldn’t already be able to get, it just creates the option of measuring their ads in a privacy respecting way.

Discussion about PPA from some time ago

Thank you for the detailed response! Yes, the what data and how to not create conflicts has been troubling me the most.

I think I might first narrow it down with test VMs first, to skip the transfer part, before I actually use it “in production“.

why would any corporation choose to sideline their current advertisement model by creating an extra solution that doesn’t even tap 3% of the market

In its current form, I concur, you might be correct. But:

The current implementation of PPA in Firefox is a prototype, designed to validate the concept and inform ongoing standards work at the World Wide Web Consortium (W3C).Source

So the point is to create a system that other browsers could adopt. The other thing that could drive this, is the GDPR compliance. PPA is compliant, while a lot of the other technologies aren’t, and businesses are feeling more pressure. There is a reason that Meta participated in parts of the development.

All I can say is: Dont let perfect be the enemy of good. This is so far only a test.

Edit: I found the time to look at your source article, I had actually read it before when it was posted a month back. I will comment on their views, some right, others which can be debated, and on other details were they are just wrong. In general privacyguides is a great resource but I find this particular opinion piece to be lacking.