PRF extension support for Bitwarden extension #13838

Mysak0CZ · 2025-03-14T01:49:19Z

Mysak0CZ
Mar 14, 2025

Code Contribution Proposal

PRF extension is currently described in the WebAuthn W3C editor draft and many browsers already support it natively.
The Bitwarden browser extension handles passkeys by replacing native functions, but at the moment it lacks support for the PRF extension.

As Bitwarden's website supports logging in through Passkeys using this extension, this actually means that Bitwarden cannot be used to sign into its own website.

I would like to attempt implementing the PRF extension based on the above-mentioned specification into the Bitwarden browser extension.
The underlying hmac-secret FIDO extension behavior is specified in CTAP specification.

Most of the specified behavior can be done using simple operations and SubtleCrypto's HMAC sign API using SHA-256.

The only problem I foresee with the implementation is, that CTAP specification defines, that the secret value for the HMAC should be CredRandom:

The authenticator generates a random 32-byte value (called CredRandom) and associates it with the credential.

This is currently not part of existing passkey's data.
I believe the cleanest approach to this is generating this value only when the prf extension was requested at credential create time and storing it next to the currently stored secret value.

As far as I am aware, this extension shouldn't affect rest of the response in any way.

MOHAMED9267 · 2025-03-28T22:28:45Z

MOHAMED9267
Mar 28, 2025

#14049

0 replies

MOHAMED9267 · 2025-03-28T22:29:19Z

MOHAMED9267
Mar 28, 2025

#11484

0 replies

elyosemite · 2025-03-30T17:46:09Z

elyosemite
Mar 30, 2025

@Mysak0CZ It's awesome your idea! I'm a new contributor to Bitwarden and still finishing reading the documentation and guidelines. However, I would like to know if this implementation would be done in the server project. Even though it is an extension for browers, would it somehow use the server project or not?

0 replies

Mysak0CZ · 2025-03-30T23:40:50Z

Mysak0CZ
Mar 30, 2025
Author

As I looked into possibilities of implementing this, I stumbled upon the fact that the library https://github.com/1Password/passkey-rs (which is used in Bitwarden's Android client) already added support for PRF. This severely limits freedom in implementing this extension, as implementation needs to exactly match the passkey-rs library.
As Bitwarden has its own fork of the above-mentioned library (https://github.com/bitwarden/passkey-rs), the only reasonable approach I see to this is first updating the fork with the PRF support, then letting that change propagate into the Android app and then test any possible web extension implementation against results from the android application.

CC @coroiu as from what I can see, you are the one maintaining the Bitwarden's passkey-rs fork. Any recommendations on how this could be approached? Thank you in advance for any response.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bitwarden

PRF extension support for Bitwarden extension #13838

{{title}}

Replies: 2 comments

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Bitwarden

PRF extension support for Bitwarden extension #13838

Mysak0CZ Mar 14, 2025

Code Contribution Proposal

Replies: 2 comments

MOHAMED9267 Mar 28, 2025

MOHAMED9267 Mar 28, 2025

elyosemite Mar 30, 2025

Mysak0CZ Mar 30, 2025 Author

Mysak0CZ
Mar 14, 2025

MOHAMED9267
Mar 28, 2025

MOHAMED9267
Mar 28, 2025

elyosemite
Mar 30, 2025

Mysak0CZ
Mar 30, 2025
Author