bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Passkey handling broken when vault is locked (beta extension) #12076

Closed bwbug closed 1 day ago

bwbug commented 1 day ago

Steps To Reproduce

  1. Lock browser extension.
  2. Log in on website that uses passkey for passwordless login or as 2FA.

Expected Result

Actual Result

None of the three expected results occur in version 2024.11.999 of the browser extension:

  1. The extension pop-out does not display any option to Use your device or hardware key.

  2. If the extension is unlocked at the prompt, then no matching passkeys are made available for selection (only a static "Vault" page is displayed).

  3. The floating pop-out window is not closed automatically — the user must manually close it. If the user instead returns to the login form to re-attempt the login (not realizing that the pop-out has not automatically closed as normally expected), then the pop-out window remains open in the background (preventing the extension's vault timeout settings from working).

Screenshots or Videos

Expected behavior:

image

Actual behavior: Note that the bottom of the UI is cut off in the pop-out window, but even if one uses the scroll bar (or resizes the pop-out window) to reveal the full contents of the UI, there is no option to Use your device or hardware key.

image

Actual behavior: After the vault is unlocked, the pop-out only displays the "Vault" page. The pop-out does not automatically close after unlocking has been completed (with no option to use a stored passkey).

image

Actual behavior: Only after the user has manually closed the pop-out window does the operating system have an opportunity to offer the use of passkeys stored outside Bitwarden.

image

Additional Context

The behavior is especially problematic when the site does not have a button or link to manually initiate the passkey ceremony ("Use Passkey", etc.) for authentication or 2FA, as the user now has to repeat the login process from the beginning.

Operating System

Windows

Operating System Version

No response

Web Browser

Chrome

Browser Version

No response

Build Version

Version: 2024.11.999 (beta release)

Issue Tracking Info

bitwarden-bot commented 1 day ago

Thank you for reporting this issue! We've added this to our internal tracking system. ID: PM-15129

daniellbw commented 1 day ago

Hi @bwbug,

Thank you for taking the time to try out the browser client beta!

Bitwarden is collecting feedback directly via the following form. We encourage sharing all feedback there, where our Product and Engineering teams will receive it directly.

Browser Client Beta Feedback Form: https://forms.bitwarden.com/to/HsQ8IHOJ

Please keep in mind that the extension refresh is in beta. If there are behaviors which block regular use of Bitwarden, we recommend sticking with the production version of the browser client while parity is achieved.