PRF support for passkeys stored in Vaultwarden?

[glowingkitty]

Hello everyone,

since Bitwarden even wrote a blog post in February this year about PRF support, I strongly assume that they do support it since around that time. However, existing PRF testing sites show that using Bitwarden via my Vaultwarden server doesn't support PRF (tested on both MacOS 15.1 and iOS 18.5 (both should support PRF since a while). Vaultwarden (web) version is 2025.7.0 by the way.
So, whats the current state of PRF support in Vaultwarden?

Would love of implement Passkey and PRF support into my web app, but don't want to switch to a hosted password manager for that reason and would prefer to stay with my Vaultwarden instance.

[Axelwickm]

If I run the test suite, Create with PRF, against bitwarden.com (through chome extension), I get "No PRF".

My understanding is that “Bitwarden does support PRF. In order for it to work, though, the passkey must be registered in an authenticator that supports PRF, and using a browser that supports PRF,” but that it does not support PRF fully standalone, since needs to emulate a full CTAP2 (with hmac-secret support) stack.

That might be on their long-term roadmap, but as far as I can tell, it’s not implemented yet.

I don’t have a PRF-capable setup (macOS/iOS with supported browser or a YubiKey) to test against vaultwarden directly, but if Vaultwarden isn’t currently storing or returning PRF-enabled credentials, I completely agree this would be an important feature to add.

[huwd]

Bitwarden are now blogging about PRF Passkeys

At a casual scan I'm finding it difficult to work out what the state of implementation is, but feels like something has shifted.

I suspect we'll see an uptick in demand here, the creator of Signal has just launched a new AI chat agent that keeps correspondence private by leveraging these keys.

Would have thought the constituency overlap for self hosting your password manager and privacy preserving tools is pretty high.

[BJReplay]

I have a bitwarden.eu account that I have set up to log in with a Yubikey into the Web vault - it is part of my recovery strategy if things go pear shaped with my self-hosted vaultwarden.

I haven't yet tested the browser based PRF flow, but the Web vault flow works - provided you set it up correctly.

From what I understand from the blog, the Web front end now allows you to upgrade a Yubikey from 2FA only to also allowing you to use it for login.

Previously, you had to enrol it for login right from the start, which is an improvement.

To the extent that the Vaultwarden Web vault is a port / patch of the Bitwarden Web vault, I can see that there is a path to enabling this, but it will require work on the Web vault port, and possibly the database.

From what I have seen of the Vaultwarden support of features like this, they do tend to support them - often in the testing builds first - but this one might require more work than many.

Watching with interest.