✅ 2FA when 'unlocking'

I would like to see the option to enable the 2FA function on unlock, not just ‘login’. If I close my browser I am only prompted for a password upon loading it back up and accessing the plugin, not the 2FA function.

1 Like

Similar Auto-logout after X minutes

2 Likes

I would like to expand on this request to add the “Unlock with 2FA” option. At least for mobile apps. Mobile already has existing “Unlock with Touch ID”, and “Unlock with PIN code” security options. Ideally allowing a combination of security e.g. PIN + 2FA without enforcing use of a long password to unlock.

The Auto-logout after X minutes is not a similar solution to this feature request with regard to mobile, since a long password is more cumbersome on mobile than it is with browser access when using a full size keyboard.

13 Likes

Not for mobile apps only. It is important for plugins too.
You can’t shorten the master password without the ability to set up 2FA on all devices/apps at every big (for example start browser or app) login…

5 Likes

tom.wolf, you should have a long (enough) master password no matter what. Having two-factor authentication when unlocking wouldn’t be a reason to use a short master password. The master password is how your vault data is encrypted. You need that as a layer of defense in case someone is able to access the encrypted vault data on your device or in the Bitwarden cloud. A short password would make it easy to crack the vault.

2 Likes

This needs to happen for Organization adoption to happen. Right now, people like us can’t move to Bitwarden Organizations from LastPass Enterprise because of things like a distinction in browser plugins between “logging in” and “unlocking”. We need the ability to set a policy in Bitwarden that matches our infosec policies, where any access to secrets is protected by a second factor if we define it to be as such. Right now, it’s second factor…but only when setting up a browser extension for the first time, but single-factor when you actually want to get at those secrets from that browser in the future. As it stands, browser extensions won’t be accepted by any Information Security Office, and since you can’t block use of the browser extensions, prevents Bitwarden from being approved at all.

14 Likes

I would love to see this feature. A second factor on every time you unlock to access your secret would be great. But actually I don’t know what this means from a technical point of view. Would this require the device to be online every time the user tries to unlock?

Just purchased premium in hope that this will be implemented. There is no Auto-logout ability and 2FA is only required when signing in, leaving the responsibility on the user to remember to log out after every session if they require more security. This feature should really be implemented in order for Enterprises to pick up Bitwarden. Looking forward to this feature!

5 Likes

I switched over to Bitwarden after using another password manager for over eight years because I like the way Bitwarden currently functions and the way it is being efficiently maintained. All of us have varying opinions on what we like and don’t like, and what features we think should be in a product. The product’s developer will never please everyone because of those differing opinions. That is why having options is so important, and those options allow individual users to make their own choices after weighing how they want to interact with the product. Keep up the good work Kyle.

1 Like

“Lock” and “logout” ? As a user:
(1) I don’t need “offline” access to something for which the contents are only relevant “online”.
(2) “lock” makes my FIDO2 security (for which I paid good money!) useless as it doesn’t require it.

I’d remove “lock” completely.

If I use my computer normally I’m not going to either “lock” or “logout” of the Bitwarden browser extension when I shut it down… it needs to automatically require both factors when I restart that browser.

I need “logout on restart” to achieve this.

3 Likes

I think this feature request is not realistic, people don’t understand the role of 2FA, whether it’s OTP or U2F it’s only usable for Authentication, it allows the Bitwarden server to authenticate users more strongly but “unlocking” the vault is an operation that is performed locally on the device.
An encryption key is derived from the master password and only from the master password. Allowing the user to unlock the vault with 2FA only would mean that the encryption key is stored somewhere which is really insecure. Allowing to unlock the vault with password and 2FA is just pointless as the device already has an encrypted copy of the database and 2FA doesn’t add any security (as an attacker could just use the password to decrypt the locally available DB).

5 Likes

In your threat model the threat actor seems to have “ability to access your computer when you’re not around” AND “knows your master password” BUT “does not have your second factor” (which is what you seem to be trying to protect)

From this threat model we know that the threat actor has “physical access to your device while you are not around” so he can install a program to record the encrypted data as it enters your computer, then use the master password to decrypt it on his own time, whenever he wants.

The 2FA only is there to prevent Bitwarden from sending your ENCRYPTED passwords to the client.

Since the encrypted data has already been sent to your computer once, and the threat actor could be recording all the encrypted data, and the threat actor already knows your master password, he has all he needs. 2FA will not stop him.

So 2FA is there to prevent a remote attacker that tries to log in to bitwarden using a master password, by making sure that he can’t even get your encrypted passwords.

Since the decryption key is your master password, all they need is the encrypted data, and 2FA blocks that.

Sorry if I’m repeating myself, I just wanted to repeat because it’s important.

If you are worried about security, prevent others from physical access to your machine.

4 Likes

Leaving a complete copy of a user’s entire password set on a machine when the user doesn’t want it reduces the overall security of the system as follows.

Scenario
A machine with strong Bitlocker password and TPM is stolen. The machine was not cold shut-down for whatever reason. The attacker has to brute force only the BitWarden vault, protected by a single factor.

Possible Mitigations
Allow users the option to delete the BitWarden password vault once it’s not needed. Change the UI as described so users can be logged out without intervention on their part beyond closing the browser.


Preventing physical access to machines is indisputably a good idea, but in the real world the threat of theft of a machine remains significant. The use of two factors to access a resource as valuable as a user’s entire password history would appear to be a reasonable way to mitigate this risk.

BitWarden does not currently protect the password vault with two factors in this scenario.

Well, yes… if you are concerned about the case where the machine is stolen while in a booted unlocked state… then obviously the “install malware and return device” won’t work since stealing implies the victim is aware the device was stolen for a period of time.

However, I think the more likely scenario is you leave your PC unlocked for a moment to go to the bathroom and someone plugs in a rubber ducky and BAM, you have a keylogger / automated Bitwarden cache sender malware waiting for you to unlock/login to Bitwarden so it can steal your master password via keylogger and encrypted DB via any sort of MITM or cache sniffer.

If you don’t notice, you will probably not clean wipe your machine.

… come to think of it though, your scenario also requires that the thief knows your master password… which a targeted theft by the person who stole your master password is less likely than just a random person stealing your machine to sell it at a pawn store.

But yeah, in that very specific scenario, this would be the proper solution.

I don’t think you understand what locking does. It locks (forgets the key to) the local database. That’s all.
2FA is only usable against a remote service (or it is useless).
If you want to use your 2FA token (whichever it is) to unlock your local database it means that you need somehow to be able to retrieve the key from somewhere safe locally.
“Fingerprint unlocking” is somewhat safe on a trusted platform like Android or iOS because the secret is made hard to extract by hardware & OS-level security measures, but in a browser on a PC that’s just impossible to do well. @kspearrin please correct me if I’m wrong…

2 Likes

I’d also like to see the support for a user-selectable 2fa when unlocking, and will expand on why auto logout won’t solve the problem. I have numerous business traveler users whom I’m working to push into Bitwarden self-hosted. This creates a few issues. If they need their password vault on a mobile device, particularly iOS, then this encourages them to use a short and/or easily-typed password. I try to get around that by having them use a strong password, type the password into mobile with a bluetooth keyboard, then enroll their iOS Bitwarden in Touch ID / Face ID; now they’re no longer encouraged to use a bad password, AND their Bitwarden pass phrase is not floating around in iCloud keychain.

These same users, given they are often on planes or otherwise traveling in an area with no internet access, cannot use auto logout, or their vaults would possibly get wiped off their devices when internet is not possible, but when they still need credentials. Or, for the sake of example, a contractor or employee at a data center or secure building may need credentials, but also has no internet access. So, auto logout is not going to be enabled on at least these two types of users, even if they’d prefer it as a way to force 2fa.

The fact that auto logout is not an option for these types of users leaves just 2fa as the only thing between perhaps an unintended Touch ID press and their vault. Touch ID works when you’re not awake or conscious, but the same person that can possibly press your phone to your finger while you’re asleep, may not also possess your 2fa hardware token. So regardless of whether the data is already on your phone, and whether or not 2fa is ‘really’ part of the opening of the vault or rather just an artificial step added by Bitwarden, it would provide additional protection. Unlock 2fa could just be turned off while flying, but otherwise flipped back on to supplement Touch/Face ID.

That is exactly what I said. Maybe I was using vague terms and was unclear, but my post was an argument against the viability of using 2FA to “lock” the client.

So… you want all those people to carry around two phones?

  1. With bitwarden on it and Touch-ID + 2FA is needed.
  2. With the 2FA token for bitwarden on #1

Seems like a PIN would be better. Most other apps have a 4-6 digit PIN to unlock the app which can be shortened with Touch-ID.

If you’re going to use 2FA in place of a PIN, and the 2FA is on the same device, there is no meaning to the 2FA at all.

No, the same 2fa used during login can just as easily be consulted during unlock, regardless of whether it’s actually required for decryption operations. For people who are going to be offline for a period of time, but need to get in bitwarden, they simply switch off unlock 2fa (not login 2fa) temporarily so they can still use their bitwarden, which would otherwise be impossible if they were logged out. When they’re back online, they turn 2fa for unlocking back on. 2fa remains on for the overall vault, but is user-selected on or off for the logged in device.

But in order to do this offline you would need to store the 2FA secret in the device unencrypted.

  1. So you’d definitely want a separate 2FA secret from your login 2FA.
  2. Anyone with a basic knowledge of how these apps store data would be able to recover the secret and generate the 6 digit codes.

Therefore, no matter what way you cut it, offline unlock 2FA is pointless.

You could do it for online unlock, though. As the secret stays on the server.

1 Like
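
The two technical arguments made in this thread (that the vault key is derived from the master password alone, and that an offline unlock check needs the TOTP secret stored on the device) can be shown in a short sketch. This is an added example, not code from any poster or from Bitwarden; the store layout, salt, iteration count and function names are assumptions made for illustration.

```python
import hashlib, hmac, struct

def derive_vault_key(master_password, salt, iterations=100_000):
    # Only the master password (plus a public salt) feeds the KDF; no 2FA input.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)

def totp(secret, unix_time, step=30, digits=6):
    # RFC 6238 TOTP over HMAC-SHA1 (RFC 4226 dynamic truncation).
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def make_local_store(master_password, totp_secret):
    # Constructed stand-in for what a device keeps on disk for offline unlock.
    salt = b"constructed-salt"
    key = derive_vault_key(master_password, salt)
    return {
        "salt": salt,
        "key_check": hmac.new(key, b"vault-check", hashlib.sha256).digest(),
        "totp_secret": totp_secret,  # must be readable offline to verify codes
    }

def key_if_correct(store, master_password):
    # Derive the key and confirm it against the stored check value.
    key = derive_vault_key(master_password, store["salt"])
    tag = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, store["key_check"]) else None

def app_unlock(store, master_password, code, now):
    # The client's unlock screen: a code check placed in front of the KDF.
    if not hmac.compare_digest(code, totp(store["totp_secret"], now)):
        return None
    return key_if_correct(store, master_password)

def unlock_from_copied_store(store, master_password):
    # Someone holding a copy of the store never runs the app's gate at all.
    return key_if_correct(store, master_password)

if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed sample password
    store = make_local_store(pw, b"12345678901234567890")  # RFC 6238 test secret
    print("app, wrong code :", app_unlock(store, pw, "000000", 59))
    print("copied store    :", unlock_from_copied_store(store, pw).hex()[:16])
    print("code from store :", totp(store["totp_secret"], 59))
```

The same key comes out with or without the code check, which is why the thread distinguishes a server-side 2FA gate on releasing the encrypted data from a local prompt on data already on the device.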