2FA again (not asking for 2FA)

Hello,

I noticed that my Firefox add-on and my desktop app do not ask for 2FA after a restart of Firefox or of the desktop app.

I have not checked the “remember me” box, and I also tested that if I log out of the Firefox add-on or log out of the desktop app, then BW does ask for the 2FA.

So for some reason, BW considers a Firefox restart or a desktop app restart as “locking” and not as “logging out”.

How can I configure BW to consider me logged out when I close Firefox or when I exit the desktop app?

Many thanks for your help.

Hi Zarzash,

Under Settings → Security → Vault Timeout Action, set to Logout.

That should fix it.

Yes, but I do not want to log out when it times out.
For me, timeout is for inactivity.
In case of inactivity I am happy not to have 2FA. In fact, I use a PIN.

But when I explicitly exit the desktop app or quit Firefox, it should consider this as a logout.
This is not really an inactivity timeout.

The typical scenario is a PC reboot: in that case neither the desktop app nor the plugin asks for 2FA, whereas in my opinion that should be the case.

You can find more info about vault timeout options on the Bitwarden help pages here:
https://bitwarden.com/help/article/vault-timeout/

If you find that the available options don’t suit your needs, feel free to put in a Feature Request or add your vote to an existing request for changes you would like to see in Bitwarden.

I’m having the same issue. The docs say:

Logging Out of your Vault completely removes all Vault data from your device, and will therefore require you to re-authenticate to access your Vault. You will be required to enter your Email Address, Master Password, and any enabled Two-step Login method in order to access your Vault.

I’m using a web browser, manually logging out and deselecting the “remember email” toggle, but when I log in again, even after restarting the browser, I’m not prompted for a 2-step login.

Does 2-step only work on mobile devices (and not Web browsers)?

If you’ve selected the ‘remember me’ feature on the Web Vault, you may need to clear the cache or do a ‘hard refresh’ (SHIFT + Refresh) on the Web Vault in order to be prompted.

Ok, clearing the Bitwarden entry from my browser’s cache worked; I was prompted for a 2FA code after entering the master password.

But that behavior is inconsistent with the documentation that says email address, master password, and two-step will be required after logging out. Is this a bug, or is a new feature request needed?

Thank you @tgreer, I ensured that this box is not checked.

If one has configured locking after timeout (without “remember me”), then on app exit or browser exit BW does not log out, and at the next access it only asks for the master password and no 2FA.

When using the web access, the behavior is more “logical”: if one does not check “remember me”, we are systematically asked for 2FA.

@saieva this workaround is good for the add-on. But the desktop app has the same issue, and there we have no way to clear the cache on W10.

To me there are grounds for a feature request or even a bug report.

We can clarify in the documentation as well, but to clear up this topic:

If you check ‘remember me’ - the client is saved and won’t be prompted for 2FA until:

  1. You reset the client (hard refresh on web, delete/reinstall on other clients)
  2. You Deauthorize Sessions in the web vault

Unchecking the box doesn’t un-remember you after you’re already remembered :wink:

Thank you @tgreer,

In my case it is not because of “remember me”. I did not check it.
And I also “deauthorized all sessions”.

It is really a “feature” in the add-on or the desktop app which is not aligned with the web UI.

I can offer a zoom session for a demonstration of the issue.

I would double-check to ensure that you still have 2FA enabled. If you deauthorized all your trusted devices, there is no reason that you can bypass 2FA when you login.

Of course @dh024. This is not what I tried to explain.

This is the scenario I described with the add-on:

  • I deauthorize all sessions
  • restart Firefox
  • log in to BW: it asks for 2FA and I do not check “remember me”. So far so good.
  • I have timeout configured with a PIN to lock the session
  • I quit Firefox and restart it
  • log in to BW
  • at this stage it does not ask for 2FA, and I believe it should, as this is a completely new session and the Firefox restart should be considered as a logout and not a timeout

The toggle on the login page is labeled “remember email.” Remembering the last email address used for a login in the browser is very different from remembering the last login’s behavior (2FA or not).

In regard to user experience, the two-step login configuration page says:

Secure your account by requiring an additional step when logging in.

Two-step is optional, but when it’s configured by the user the expectation is that the login behavior will always include a secondary verification; that expectation is independent of any other features of the login process (such as remembering an email address, or the influence of cookies, etc).

I guess there could be some bizarre bug that only you have encountered - but that seems unlikely.

My guess is that you are NOT logged out. You are unlocking your vault with your password, which means 2FA will not be encountered. This is expected behaviour for Bitwarden, and the details are in the help link I posted in a previous message.

Why don’t you post a screen capture of what login screen you encounter after restarting Firefox/Bitwarden - that would help tremendously for us to try and diagnose where the problem exists. Cheers!

I think some wires might be crossed here, Sal. This is the “Remember Me” option that we are talking about above:

Ok, that’s different. I’m not using WebAuthn. I’m using Google Authenticator and email verification codes. In those cases the login screen says “remember email.”

Yes @dh024, I will try to share a video, as the process cannot be summarized in a screenshot.
What is the best practice here to share a video?
Can I share a link to dropbox or will external URLs be filtered out?

Sounds good - even better. I believe a link should be fine (you can always PM it to me if it doesn’t work and I can add it to the thread).

I’m definitely logging out by selecting “Log Out” from the user menu in the upper right hand corner of the page.

It had something to do with clearing (i.e., deleting) the Bitwarden cookie from my browser cache, since when I deleted the cookie 2FA started working on login.

But it’s a bit concerning that 2FA behavior would be influenced by the settings of a cookie. I would think that if 2FA is configured the server-side would have total control in presenting the secondary verification step.

Hi again Sal. I use the web vault on my browser quite a bit, and I have never experienced this behaviour. Very strange. If you can replicate it again, it would be helpful to file a bug report on the BW Github: