2FA behavior on Android application is misleading

app:mobile

#1

I have a 2FA based on a Yubico key. Here is the case I have:

  1. Start my phone
  2. Start Bitwarden app
  3. Enter Master PW
  4. Put my Yubico key close to my phone
  5. Now, I enjoy.

Up to step 5, this is expected behavior. Then…

  1. Press “Exit” using top right corner.
  2. Restart my phone completely
  3. Start Bitwarden app
  4. Enter Master PW
  5. Everything is available… (damn it)

I restarted my phone and the Bitwarden stuff is still AVAILABLE without 2FA???

The “Exit” and “Lock” do the same thing from my point of view: just single FA only. And the state remains even if I reboot my phone.

To re-enable 2FA on the Android app, you need to press “Lock” then press “Log out”. 2FA is for authentication… it is not about how many steps I need to do to re-enable it!

When you are using 2FA, logging off completely should NOT be difficult. It should be idiot proof. No matter if you press “Exit” or you swipe out the window to kill the Bitwarden application, 2FA should be required again.

Ideally, it should have an auto log-off like discussed in another thread.

2FA should obviously be required when you reboot your phone!

Strict minimum: please add a “Log off” button to the top right menu.


#2

Exactly, 2FA is for authentication, but it won’t help if your Bitwarden data is already on your device. Meaning if someone were to get hold of your phone and get past the built-in encryption, they can access your encrypted Bitwarden files and attempt to crack them. They will not need 2FA to decrypt those files, as only your master password is used to generate the encryption keys. Thus, to clear those cached encrypted files, you need to hit log out.
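The lock/logout distinction described in #2, as an added toy model that is not Bitwarden's code: the vault key is derived from the master password alone, the second factor is checked only at server login, "Lock" drops just the in-memory key while the encrypted blob stays on disk, and only "Log out" discards that blob. The password, salt, vault contents and the hash-based cipher are constructed for the demo.

```python
import hashlib

# Constructed demo values; not Bitwarden's code or real account data.
DEMO_MASTER_PASSWORD = "correct horse battery staple"
DEMO_SALT = b"user@example.invalid"                 # stands in for the KDF salt
DEMO_VAULT = b"OK:site=example.invalid;pw=hunter2"  # plaintext vault with marker

def derive_key(master_password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Vault key comes from the master password alone; no 2FA value enters the KDF."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher with a hash-based keystream; illustrative only."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

# "Server side": the auth hash used to check the password, and the encrypted vault.
SERVER_AUTH_HASH = hashlib.sha256(derive_key(DEMO_MASTER_PASSWORD, DEMO_SALT)).digest()
SERVER_BLOB = _xor_stream(derive_key(DEMO_MASTER_PASSWORD, DEMO_SALT), DEMO_VAULT)

class Client:
    def __init__(self):
        self.cached_blob = None  # encrypted vault on disk; survives a reboot
        self.key = None          # in-memory key; dropped on lock
    def login(self, master_password: str, totp_ok: bool) -> bool:
        """Server authentication: password AND second factor are checked here only."""
        key = derive_key(master_password, DEMO_SALT)
        if not totp_ok or hashlib.sha256(key).digest() != SERVER_AUTH_HASH:
            return False
        self.cached_blob, self.key = SERVER_BLOB, key
        return True
    def lock(self) -> None:
        self.key = None  # the encrypted blob stays on disk
    def unlock(self, master_password: str):
        """Local unlock: password only, 2FA never asked; returns vault bytes or None."""
        if self.cached_blob is None:
            return None  # logged out: a fresh login (with 2FA) is required
        key = derive_key(master_password, DEMO_SALT)
        plaintext = _xor_stream(key, self.cached_blob)
        if not plaintext.startswith(b"OK:"):
            return None  # wrong password
        self.key = key
        return plaintext
    def logout(self) -> None:
        self.cached_blob = self.key = None  # only this discards the local copy
```

A second `Client` handed the first one's `cached_blob` models a reboot: the vault is still openable with the password alone until `logout()` has run.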