2FA - Chrome Extension, NO Two-Step login after lock or web browser close

Hello everybody.

I started to use Bitwarden and enabled the Two Step Login, but this works only when I use the website directly.
There is no two step login with the Chrome Bitwarden extension when we close the web browser or after xx minutes of inactivity?

Can you add this with every app please?
Thanks

2FA is only used when logging in, not when unlocking your vault. For convenience, the apps and extensions lock your vault after some period of inactivity but they don’t log you off.

I am using Authy here for 2FA and Firefox extension on FFox 72.0.2 and Chrome extension and neither prompts me for the 2FA if in the extension I select logout. Only when I logout of the web interface am I prompted for the 2FA code.

Discovered that in my case I had clicked on remember me. I had to deauthorize all sessions in order to remove that one computer from remembering 2FA.

I find that LastPass is a bit more user friendly when it comes to 2FA. If you do not click on Trust this Device for 30 days then upon closing the browser (if you have enabled log me out on browser close in their extension) your 2FA session is ended and you will have to re-enter your 2FA code should you log in again. As well, you will be automatically logged out of LP. With BW one has to remember to actually do the logout via the extension in order to end the 2FA session and force the re-entering of the 2FA code next session.

So over the weekend I set up my Bitwarden vault. I am now a Firefox user, and set up the extension for that with a PIN code. I also bought a YubiKey to lock down my PC when I go away on holiday should I get broken into at home.

I was quite disappointed when I was able to log into my Firefox extension without the YubiKey in place just by typing in my PIN code.

Am I missing something here or is this definitely a weak link for Bitwarden to plug as soon as possible?

New user here facing the same problem.
And as someone else has already stated, "Manual logout is not the same as vault time-out logout".
Neither lock nor Log out options will require a 2FA.
We need a 3rd option for a real logout that requires a 2FA after Timeout (or not…)

Thank you,

Manual logout is not the same as vault time-out logout

Thanks, @gatofelix! I’ve made this thread a ‘support’ thread so your post can be the main feature request thread.

Hi There, thanks for the posts. I have a similar issue that I would like to share and hear from anyone in the community.

Problem: I have my bitwarden extension on Chrome browser and no matter if I set it on log-out after 1min or browser close etc or manually log out or shut down my computer, it never asks for the 2FA.

The only way I can get 2FA to trigger on the chrome extension is if I delete the extension and reinstall it. Then it works for the first login and thereafter never again triggers 2FA.

I have not clicked “remember me” and have also logged out of all sessions using the Web Vault.

Is there a known bug where the Bitwarden Chrome extension does not prompt 2FA on LOGOUT (as I am aware lockout is not supposed to prompt 2FA)?

What I would like to achieve is Bitwarden Chrome extension to ask for my 2FA each time I close my browser (as per the option selected)

Happy to hear from the community, thank you

Actually this is happening with me now.
The extension no longer asks for the 2FA.
I had to disable it…
Any ideas?

Tks,

Clients will only ask for 2FA in the following cases:

  1. Vault is logged out and not just locked
  2. Device did not have ‘remember me’ checked when 2FA was initially given

To reset the ‘remember me’ option, you’ll need to deauthorize sessions in your web vault.

I’ve written to Bitwarden about it but nothing happens, Browser Extensions I can’t use Two-Step when I’m logged out on the Bitwarden web can I use Two-Step

Did you deauthorize all sessions?

UX is not the best but it is possible to require 2-step at every vault opening. It will unfortunately require several clicks instead of just asking for master password and 2nd step.

  1. Setup your 2-step

  2. reinstall extension

  3. login in the extension, but when you open the webpage, don’t tick remember me

  4. set Vault timeout action to logout

Thanks for the instructions, they were quite helpful. I would add that you need to clear cookies prior to re-installing the extension.

@seekinch Welcome to the forum!

There is actually no need to reinstall the extension to get 2FA back.

As I noted above, and as previously mentioned by tgreer and frustrated, you can simply deauthorize your active sessions to restore the 2FA requirement and “un-remember” any devices for which you’ve checked the “Remember me” option (an option that tells Bitwarden the device is trusted and therefore exempt from further 2FA challenges).

To deauthorize sessions, simply log in to the Web Vault, click on your avatar (circled initials) in the upper right corner and select Account Settings:


On the Account Settings page, scroll down to the Danger Zone section, and click Deauthorize sessions:

You will now be presented with a prompt to enter your Master Password and confirm your decision to deauthorize all sessions:

After you enter the Master Password and click the Deauthorize sessions button, you will immediately be logged out, and you should see the login screen with the following confirmation message:

At this point, every device will require 2FA to login (until you enable the “Remember me” option again).


That worked very well for me! Thanks
