2FA again (not asking for 2FA)

Thanks for the GitHub reference. I’ll try to reproduce the issue.

The web vault cache stores the ‘ID’ of your client, and is what keeps you ‘remembered’ for your 2FA setting. Doing a hard refresh on the web vault is the same as ‘reinstalling’ it - and resets the 2FA prompt.

Thanks for the background. If a log out is forced (from the user icon in the upper right) shouldn’t that retrigger the 2FA prompt?

Hi Sal,

Not if you had previously checked “Remember me” on your 2FA prompt. That basically is the same as saying “trust this device/browser/client, etc.”.

You can go into your settings and deauthorize all trusted clients, and THEN if you logout, you should get a 2FA prompt.

Ok, I was able to reproduce the issue and I now see the master password prompt has a toggle for “remember email” and the 2FA prompt has a toggle for “remember me.”

I misunderstood BitWarden’s login behavior. I was expecting “log out” to be similar to a deauthorizing event since there’s a separate “lock now” action that doesn’t ask for 2FA.

What I’m really trying to do is enforce 2FA for a Teams subscription without using Duo and that doesn’t seem possible. Maybe the feature request I need to make is to enhance Teams with some policy-type capabilities and reporting options?

Glad you got it sorted out, Sal. I did a quick search and didn’t find it, but I am pretty sure there is an existing feature request to allow admins to remove the “Remember Me” 2FA option.

And @zarzash - did you ever get your video created? Or did you figure out your issue in the meantime? Either way, let us know so that others might benefit from what you learned.

Hi @dh024 , not yet. I need a bit of time. I’ll do it and come back here shortly.

I tried to make the video but I realize that then some sensitive information will be displayed on the screen and I do not have the time to edit the video to remove them.

So I will describe in detail the process I follow to illustrate the issue. Please follow me.

  1. Unauthorize all sessions from the web UI

  2. start the desktop app

  3. enter email & password

  4. Click “Login”

  5. Enter 2FA & do not tick Remember me

  6. Under Settings choose:
    6.1. Vault timeout 1 minute (I want my app to lock after 1 minute of inactivity)
    6.2. Radio button Lock
    6.3. tick Unlock with PIN
    6.4. Choose a PIN
    6.5. tick “Lock with master password on restart” (if not it only asks for PIN at restart)

  7. Now Quit BW

  8. Restart the app

At this stage BW comes up and asks for the “Master Password” to “Unlock”. Contrary to step 3/4 above the action is not “Login” but “Unlock”.

So when one “Quits” BW it does not log us out, but locks the Vault.

I can choose at the step above:
6.1. restart
6.2. logout

That would solve the issue of asking for 2FA at restart, but then it would not lock my vault after 1 minute of inactivity.

The logic of this is that BW can be used even offline after a restart, once authenticated with 2FA on a PC, which can be a nice feature; but for security reasons I would like it to enforce 2FA at restart.

So in my opinion:

  • either a restart should be equivalent to a restart out of the box
  • or the setting could allow for one more action besides the current action after timeout, in order to choose what to do in case of restart: lock or logout

The same logic applies to the Firefox Addon.

Ok, thanks Zarzash. As I mentioned before, this behaviour is consistent with how Bitwarden says it will operate in the help pages (see my link above).

Since you would prefer that BW operate differently to better suit your needs, please consider adding a feature request to describe what you would like, or vote to support any existing requests that already ask for it.