
Safari extension fails bitwarden_biometric keychain login

Open hkluis opened this issue 6 months ago • 4 comments

Steps To Reproduce

  1. Ensure you can use Touch ID to login to MacOS
  2. Ensure Bitwarden desktop app and Safari's Bitwarden extension are configured to use biometric login
  3. Quit any instance of Bitwarden Desktop app and Safari
  4. Open 'Keychain Access.app'
  5. Select 'login' keychain
  6. Delete the 'bitwarden_biometric' entry
  7. Open Bitwarden desktop app and use Touch ID to login
  8. Open Safari
  9. Click Bitwarden extension icon
  10. macOS should prompt: "Bitwarden wants to use your confidential information stored in "Bitwarden_biometric" in your keychain"
  11. Enter password and click "Allow"
  12. The MacOS Touch ID prompt pops up
  13. Touch the computer's fingerprint sensor.
  14. Bitwarden extension should login successfully.
  15. Quit Safari
  16. Repeat steps 9 to 15

Expected Result

Step 14 should be successful on each try.

Actual Result

Step 12 does not pop up the Touch ID prompt. Instead, the MacOS keychain password prompt dialog box pops up again. The Bitwarden extension is not logged in successfully.

Screenshots or Videos

No response

Additional Context

The above test steps work with Brave and Chrome browsers repetitively.

Operating System

macOS

Operating System Version

Sequoia 15.5 (MacBook Air M3)

Web Browser

Safari

Browser Version

18.5 (20621.2.5.11.8)

Environment Versions

Version 2025.5.1 SDK 'main (c6835e5)' Shell 34.0.0 Renderer 132.0.6834.83 Node 20.18.1 Architecture arm64

Issue Tracking Info

  • [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

hkluis avatar Jun 10 '25 03:06 hkluis

Thank you for reporting this issue! We've added this to our internal tracking system. ID: PM-22555

bitwarden-bot avatar Jun 10 '25 03:06 bitwarden-bot

They don't fix the Safari Biometric login. I switched in the start of this year to Bitwarden, I'm totally happy with their product but they don't fix the Safari Extension's Biometric login.

See: https://github.com/bitwarden/clients/issues/12822

They closed it immediately and I have been writing with Support and telling them what's wrong, they mentioned it's a sync bug in Apple's way of handling the biometric keychain login, and that they are in contact with Apple for that.

But see, after almost 5 months of waiting and several App Store updates, it still isn't working.

I just can't understand how it works in Desktop app installed by App Store, but they can't fix it in the browser extension. It just does the same thing, prompts for fingerprint and should unlock the list of passwords, just as in the desktop app. I wonder what's the problem that they cannot fix it in 5 months...

Zurichified avatar Jun 11 '25 12:06 Zurichified

This has worked before, and seems to be broken in the last week or two.

hkluis avatar Jun 14 '25 01:06 hkluis

This has worked before, and seems to be broken in the last week or two.

I use Bitwarden since beginning of 2025. This never worked for me from day 1. It worked on Brave Browser for example, given Bitwarden MacOS App from App Store is running.

However, in Safari, neither with App in the background nor without the app, and even with the given commands from Bitwarden Support Team to reset my Bitwarden keychain token, it never worked. I tried it in multiple Macbooks already, even on a brand new set-up Macbook it didn't work.

In my opinion the steps to make it work shouldn't be so complicated anyways. It should work once it's installed. This is Mac, not Linux or Windows. It's designed to work out of box.

But since Bitwarden's Safari Extension users are not many, they don't prioritise this issue...

Zurichified avatar Jun 18 '25 08:06 Zurichified

Hi there,

I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

rmcdowell-bitwarden avatar Jun 24 '25 07:06 rmcdowell-bitwarden

When I have time, I’ll produce a video screenshot.

hkluis avatar Jun 24 '25 08:06 hkluis

Any news? This is a wider spread problem than a few individuals. See another complaint on https://www.reddit.com/r/Bitwarden/comments/1l7x96x/problem_with_bitwarden_extension_for_safari_on_mac/. If you can't reproduce it, please try it on some other machines. My system is always updated to the latest everything already.

I'm not going to produce a video after all because I don't know what the point is.

hkluis avatar Jul 23 '25 01:07 hkluis

Still no fix to the Safari Biometric Unlock not working problem. I wrote up there on Jun 18, they don't consider fixing this problem. At some point they will close this issue and tell it's not reproducible and go on.

https://github.com/user-attachments/assets/402e7224-3805-425e-a214-d625ef7a0b44

Zurichified avatar Aug 05 '25 11:08 Zurichified

Same issue here

Workaround

  • Open Keychain
  • choose "Open Keychain Access"
  • Go to Login - Passwords
  • Find Bitwarden_biometric
  • Double click it
  • Access Control
  • Tick Allow all applications, save (confirm with normal os login password)
  • restart Safari

Probably not a great idea, but works

userrand6 avatar Aug 13 '25 08:08 userrand6

Thanks so much for the workarounds. I was debating whether to switch from BitWarden to Apple Password.

hkluis avatar Aug 13 '25 22:08 hkluis

Same issue here

Workaround

  • Open Keychain
  • chose "Open Keychain Access"
  • Go to Login - Passwords
  • Find Bitwarden_biometric
  • Double click it
  • Access Control
  • Tick Allow all applications, save (confirm with normal os login password)
  • restart safari

Probably not a great idea, but works

This still doesn't work on my machine. I did it, restarted Safari completely, even restarted Bitwarden completely, disabled and reenabled the biometric unlock, in Desktop App it works. In Safari it still gives the same "Action was cancelled by the desktop application" error.

Zurichified avatar Aug 14 '25 07:08 Zurichified

I think I also ran into that, but I am not fully certain. I remember playing around with these settings:

Image

As well as trying to set other Bitwarden entries in keychain to Allow all apps. Somewhere along the way that went away IIRC, but the main issue I was trying to solve was that the Password for login keychain prompt wouldn't go away as long as Safari was open.

userrand6 avatar Aug 14 '25 08:08 userrand6

I was able to get rid of that tedious password modal by playing around with Keychain Password Manager.

  • Close Safari
  • Open Keychain Manager
  • Go to login>password>Bitwarden_biometric
  • Access control
  • Tick Ask for Keychain password and remove everything from allowed applications
  • Open Safari again, click on bitwarden icon, unlock it, go to Settings>Account security, tick "unlock with biometrics" and "ask for biometrics on launch" and type the password when asked again and finally press "Always allow"
  • Repeat the process in Chrome or whatever else
  • Your Keychain now should look like this
Image

omsoft avatar Aug 16 '25 08:08 omsoft

It doesn't work for me either.

Image

truresma avatar Sep 20 '25 11:09 truresma

Same for me. For more than 1 year and still not able to use the Safari extension with biometrics. Please do something before Apple comes with a masterkey option for their password app ....

Vercety87 avatar Oct 08 '25 16:10 Vercety87

Running into the same issue. Did some debugging and found out that the error (at least in my case) is caused by crypto.subtle.exportKey("jwk", impPrivateKey) not setting n and e in the result (at least in Safari, because running the same code in Chrome with the same private key does work).

Events leading up to this error are as follows:

  1. trySetupBiometrics() is called when clicking on the button in settings to enable unlocking with biometrics. Key is correctly retrieved from the Keychain, so communication with Swift code works correctly.
  2. unlockWithBiometricsForUser() is called in the background context, caused by a message sent from the popup when it hits this.biometricsService.unlockWithBiometricsForUser.
  3. That function calls validateUserKey, which:
  4. Extracts an encrypted 2048-bit RSA private key from the state (succeeds)
  5. Decrypts the private key with the key it got from the keychain (succeeds)
  6. Tries to derive the public key from the private key using cryptoFunctionService.rsaExtractPublicKey(privateKey). As mentioned earlier, crypto.subtle.exportKey("jwk", impPrivateKey) there then does not set n and e in the result, causing the next importKey to fail with a DataError: Data provided to an operation does not meet requirements error. This error is not logged and silently dropped in try/catch block of the calling validateUserKey function.

When creating another account in the same browser I do not get an error, so I'm guessing it maybe is a WebKit bug where crypto.subtle.exportKey only fails on some private keys? I noticed some code related to rotating the keypair, but it relies on some (server-side?) feature flag, so wasn't able to get it to work.

When skipping the code that validates if the public key can be derived from the private key, both enabling and unlocking with biometrics works fine. Don't know if this will cause issues with another future operation though, because I don't know for what the keypair is used.

Hope this helps in fixing this issue!

bas-d avatar Oct 13 '25 20:10 bas-d

Thank you Bas. I hope this gets the attention of the bitwarden team.

Also, the workaround provided by userrand6 (to set Keychain Access’s Bitwarden_biometric Access Control to “Allow all applications to access this item”) had worked for me until recently. Then I found that the setting reverted to “Confirm before allowing access.” Switching back to “Allow all…” works again. It’s still a workaround of course.

On Oct 13, 2025, at 1:48 PM, Bas Doorn @.***> wrote:

bas-d left a comment (bitwarden/clients#15129) https://github.com/bitwarden/clients/issues/15129#issuecomment-3399029824 Running into the same issue. Did some debugging and found out that error (at least in my case) is caused by crypto.subtle.exportKey("jwk", impPrivateKey) (https://github.com/bitwarden/clients/blob/8a76b28e08653fbbd366ff2cbf3eacf2cf06a114/libs/common/src/key-management/crypto/services/web-crypto-function.service.ts#L301) does not set n and e in the result (at least in Safari, because running the same code in Chrome with the same private key does work).

Events leading up this error are as follows:

  1. trySetupBiometrics() (https://github.com/bitwarden/clients/blob/8a76b28e08653fbbd366ff2cbf3eacf2cf06a114/apps/browser/src/auth/popup/settings/account-security.component.ts#L553) is called when clicking on the button in settings to enable unlocking with biometrics. Key is correctly retrieved from the Keychain, so communication with Swift code works correctly.
  2. unlockWithBiometricsForUser() (https://github.com/bitwarden/clients/blob/8a76b28e08653fbbd366ff2cbf3eacf2cf06a114/apps/browser/src/key-management/biometrics/background-browser-biometrics.service.ts#L89) is called in the background context, caused by a message sent from the popup when it hits this.biometricsService.unlockWithBiometricsForUser (https://github.com/bitwarden/clients/blob/8a76b28e08653fbbd366ff2cbf3eacf2cf06a114/apps/browser/src/auth/popup/settings/account-security.component.ts#L581).
  3. That function calls validateUserKey (https://github.com/bitwarden/clients/blob/8a76b28e08653fbbd366ff2cbf3eacf2cf06a114/libs/key-management/src/key.service.ts#L589), which:
  4. Extracts an encrypted 2048-bit RSA private key from the state (succeeds)
  5. Decrypts the private key with the key it got from the keychain (succeeds)
  6. Tries to derive the public key from the private key using cryptoFunctionService.rsaExtractPublicKey(privateKey) (https://github.com/bitwarden/clients/blob/8a76b28e08653fbbd366ff2cbf3eacf2cf06a114/libs/common/src/key-management/crypto/services/web-crypto-function.service.ts#L292). As mentioned earlier, crypto.subtle.exportKey("jwk", impPrivateKey) (https://github.com/bitwarden/clients/blob/8a76b28e08653fbbd366ff2cbf3eacf2cf06a114/libs/common/src/key-management/crypto/services/web-crypto-function.service.ts#L301) there then does not set n and e in the result, causing the next importKey (https://github.com/bitwarden/clients/blob/8a76b28e08653fbbd366ff2cbf3eacf2cf06a114/libs/common/src/key-management/crypto/services/web-crypto-function.service.ts#L309) to fail with a DataError: Data provided to an operation does not meet requirements error. This error is not logged and silently dropped in try/catch block of the calling validateUserKey function.

When creating another account in the same browser I do not get an error, so I'm guessing it maybe is a WebKit bug where crypto.subtle.exportKey only fails on some private keys? I noticed some code related to rotating the keypair (https://github.com/bitwarden/clients/blob/main/libs/key-management/src/user-asymmetric-key-regeneration/abstractions/user-asymmetric-key-regeneration.service.ts), but it relies on some (server-side?) feature flag, so wasn't able to get it to work.

When skipping the code that validates if the public key can be derived from the private key, both enabling and unlocking with biometrics works fine. Don't know if this will cause issues with another future operation though, because I don't know for what the keypair is used.

Hope this helps in fixing this issue!


hkluis avatar Oct 14 '25 05:10 hkluis

Hmm, if that workaround helped, I think the root cause in your case might be different than in mine. Since the errors are not really handled or logged, they all lead to the same error message in the UI, so it's definitely possible that there are various different issues causing this behaviour.

bas-d avatar Oct 14 '25 06:10 bas-d

Adding to this...

I was able to make it work with the answer from @userrand6 (Although this is obviously a work-around and not a good long-term solution)

I was not able to replicate the steps from @omsoft

unnerving-sprinkler avatar Dec 13 '25 15:12 unnerving-sprinkler