2FA when 'unlocking'


#22

Maybe I am not explaining it clearly.

I want the ability to selectively require 2FA when unlocking, in the exact same way that would be required when logging in. The method chosen would contact the same servers or perform the same operations that would have otherwise been performed when logging in. The only difference whatsoever is the fact that the vault has already been downloaded and unlocked in memory in the case of a logged in but locked scenario, versus a not logged in yet scenario.

This choice could be selectively turned on and off.

Without such a feature, someone who has stored their (strong and hard to type) pass phrase on a phone via FaceID/TouchID (not sure if there’s an Android equivalent, but there probably is) could have their Bitwarden data compromised by someone who is in a position to just touch the owner’s finger to their phone (Touch ID) or get them to look at their phone (Face ID), either of which could perhaps occur without their consent / intent. Auto logout would provide some level of safety there, if they were lucky enough to have had the logout occur before the attempt, as a new login would require 2FA again, but any user who travels or works in data centers / buildings where internet is not possible would never use auto logout, because it may occur at a time which would cause substantial problems from not being able to log back in.

So, the solution to any of those scenarios is allowing 2fa to be set on/off on the device side, and not only that, perhaps even require 2fa to switch it from on to off. Then, when you’re online, your locked Bitwarden data is nearly as safe as a not logged in Bitwarden. When you’re anticipating going offline but will need your data, you 2fa to turn 2fa unlock off. When you’re back online, you simply set it back to on.

Or hey, yet another feature suggestion: allow for a “turn off for X minutes” feature. Then, if I’m boarding a plane, I’ll set 2FA unlock off for five hours, still have my data while on the plane, and not even have to think about turning 2FA unlock back on when I land.


#23

This would be a great addition to Bitwarden, and help achieve feature parity with other password managers like LastPass, etc.


#24

I’m patiently awaiting this feature, too.


#25

I would prefer the auto logout feature too.


#26

I would love to have the 2FA every time that I unlock my Firefox extension in particular. As a high school and college student I am forced to use public computers. My high school cyber security class is the worst because everyone is trying to hack into each other’s accounts, and a physical attack is the easiest attack that everyone can do. The school also has a keylogger installed (LanSchool), and adding a 2FA prompt every time I unlock my vault would be fantastic. I love how this project focuses so much on external security, and adding this feature would strengthen the physical security.


#27

If your adversary is a competent hacker with physical access to the device, 2FA won’t help. They will capture your encrypted vault on the way down from your browser, and the decryption key is just your master password, hashed a lot.

2FA is just a barrier between someone who knows your password and downloading your encrypted vault.

If you open your vault once, your pc downloads the encrypted vault, and the attacker has it too.

Currently no password manager besides Trezor Password Manager has protection against physical attacks… but tbh, any password you use will be captured by the attacker once you insert it into the DOM.


#28

Thankfully the hackers in that class are not competent. There is no good way to stop physical attacks, especially like the one described above. The 2FA on unlock just slows everyone down to hopefully discourage the physical attack in the first place. It would be interesting to see if someone could find a practical way to encrypt the vault and use the 2FA number algorithm as salt. I can’t think of any way to add a rotating number, or the algorithm for that number, into the encryption algorithm, but this is an extremely intelligent community and I am sure someone will figure it out eventually. Nonetheless, I like Bitwarden a lot more than LastPass, but Bitwarden can always be better.


#29

Just switched from LastPass, and this is the main thing I really miss.

Having to type in my full master password to unlock seems unnecessarily tedious as a single factor unlock when I have a hardware 2FA key available. Being able to select 2FA only or 2FA + Master on unlock would be fantastic.


#30

I think this feature would also address the concerns leading to Mobile: fingerprint AND pin to log in. As stated above, the use case is that the strong password is necessary for good protection of the vault - but is a pain especially on mobile devices. Thus the local lock/unlock really helps, but currently has no 2FA options. In my head 2FA can be using what you have/who you are/what you know - and it might be a burden for requiring extra “what you have”, but a 2FA for who you are/what you know should provide extra security.

Here is one possible 4-step implementation (note that this would be completely separate from the initial vault decrypt via master password, it would only apply to the local client):

  1. In the settings, provide the user with check boxes for allowable unlock methods, with the supported methods for their platform. So maybe there’d be an “unlock methods >” entry in the settings which opens to checkboxes next to “pin”, “password”, “biometric”, “yubi”, etc. (which would be updated based on the hardware and what’s available)
  2. In the settings, provide the user with a counter called number of unlock factors, which would be restricted to greater than or equal to 1 and less than the number of selected options in unlock methods
  3. Create a method with the following inputs and outputs:
import java.util.ArrayList;
import java.util.List;

/** An enum which defines the allowable methods for user authentication. */
enum AuthMethod { PIN, PASSWORD, BIOMETRIC, YUBIKEY }

/** Thrown when the user fails to authenticate. */
class AuthenticationFailure extends Exception {
    AuthenticationFailure(String message) { super(message); }
}

/**
 * Make the user authenticate, using one of the supplied methods.
 * @param allowedMethods list of allowed methods
 * @return the method of authentication used by the user to successfully authenticate
 * @throws AuthenticationFailure if the user fails to authenticate via any of the allowed methods
 * @throws AuthenticationFailure if the user fails to authenticate before a time of MAX_WAIT has passed
 */
public abstract AuthMethod performAuthenticationStep(List<AuthMethod> allowedMethods) throws AuthenticationFailure;
  4. Use the following logic for unlocking the device:
/**
 * Unlock the local Bitwarden vault.
 * @throws IllegalStateException if the vault has not previously been decrypted.
 * @throws AuthenticationFailure if the user fails to authenticate
 */
public void unlockLocalVault() throws AuthenticationFailure {
    // Work on a copy so that removing a used method does not change the saved settings.
    List<AuthMethod> allowableMethods = new ArrayList<>(getUnlockMethodsFromSettings());
    for (int succAuth = 0; succAuth < getNumberUnlockFactorsFromSettings(); succAuth++) {
        AuthMethod used = performAuthenticationStep(allowableMethods);
        allowableMethods.remove(used); // each method may only count as one factor
    }

    // Unlock the vault. Note that authentication has succeeded at this point because if authentication
    // fails the performAuthenticationStep() will throw an exception so the code will never get here
}

Please note that I am not a web/mobile developer, so I have no idea if the APIs will support the above type of logic. And it’s written in a pseudo-Java because I don’t know JavaScript, sorry.
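
The four steps above as a runnable example, added here and not code from Bitwarden or from the poster; it is in TypeScript because the Bitwarden clients are written in it. The `Prompter` interface, the scripted backend and every name below are assumptions for illustration. Beyond the sketch, it refuses a method that was already used for an earlier step even if the UI reports it as verified, and it applies MAX_WAIT as one time budget for the whole unlock rather than per step.

```typescript
// Added example, not Bitwarden's or the poster's code: the four-step local
// unlock policy sketched above. The Prompter interface, the scripted backend
// and all names are assumptions made for illustration.

export type AuthMethod = "pin" | "password" | "biometric" | "yubikey";

export class AuthenticationFailure extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AuthenticationFailure";
  }
}

// Steps 1 and 2: what the settings screen stores.
export interface UnlockSettings {
  allowedMethods: AuthMethod[]; // ticked methods that the platform supports
  requiredFactors: number;      // how many distinct methods must succeed
  maxWaitMs: number;            // MAX_WAIT: time budget for the whole unlock
}

// The UI/platform side: show the allowed methods, let the user complete one and
// report which was attempted and whether it verified. A real client would call
// the OS biometric API, a WebAuthn/U2F prompt, a PIN dialog, and so on.
export interface Prompter {
  prompt(allowed: AuthMethod[]): Promise<{ method: AuthMethod; verified: boolean }>;
}

// The post bounds the counter by 1 <= n < |methods|; this example also allows
// n == |methods| (require every enabled method), a deliberate difference.
export function validateSettings(s: UnlockSettings): void {
  const distinct = new Set(s.allowedMethods);
  if (distinct.size !== s.allowedMethods.length) throw new RangeError("duplicate unlock method");
  const n = s.requiredFactors;
  if (Math.floor(n) !== n || n < 1 || n > distinct.size) {
    throw new RangeError(`requiredFactors must be between 1 and ${distinct.size}`);
  }
  if (!(s.maxWaitMs > 0)) throw new RangeError("maxWaitMs must be positive");
}

// Step 3, performAuthenticationStep: one factor, drawn from `allowed`, before
// the shared deadline. Anything else is an AuthenticationFailure.
export async function performAuthenticationStep(
  allowed: AuthMethod[], prompter: Prompter, deadline: number,
): Promise<AuthMethod> {
  const remainingMs = deadline - Date.now();
  if (remainingMs <= 0) throw new AuthenticationFailure("unlock timed out");
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new AuthenticationFailure("unlock timed out")), remainingMs);
  });
  try {
    const result = await Promise.race([prompter.prompt([...allowed]), timeout]);
    // Do not trust the UI to honour the list: a method already used for an
    // earlier step (or never enabled) must not count even if it "verified".
    if (allowed.indexOf(result.method) === -1) {
      throw new AuthenticationFailure(`${result.method} is not allowed for this step`);
    }
    if (!result.verified) throw new AuthenticationFailure(`${result.method} verification failed`);
    return result.method;
  } finally {
    if (timer !== undefined) clearTimeout(timer);
  }
}

// Step 4, unlockLocalVault: collect requiredFactors distinct successes, removing
// each used method so it cannot be counted twice, then release the vault that is
// already decrypted in memory (`unlock` stands in for that).
export async function unlockLocalVault(
  settings: UnlockSettings, prompter: Prompter, unlock: () => void,
): Promise<AuthMethod[]> {
  validateSettings(settings);
  const remaining = [...settings.allowedMethods]; // copy; settings stay untouched
  const used: AuthMethod[] = [];
  const deadline = Date.now() + settings.maxWaitMs;
  while (used.length < settings.requiredFactors) {
    const method = await performAuthenticationStep(remaining, prompter, deadline);
    remaining.splice(remaining.indexOf(method), 1);
    used.push(method);
  }
  unlock(); // reached only if every step succeeded; a failed step throws out of the loop
  return used;
}

// A scripted prompter for offline demonstration (constructed, not a real backend).
// It records the allowed list it was shown at each step; once the script runs
// out it never answers, which exercises MAX_WAIT.
export function scriptedPrompter(
  script: Array<{ method: AuthMethod; verified: boolean }>,
): Prompter & { seen: AuthMethod[][] } {
  const seen: AuthMethod[][] = [];
  return {
    seen,
    prompt: async (allowed: AuthMethod[]) => {
      seen.push(allowed);
      if (seen.length > script.length) return new Promise<never>(() => {});
      return script[seen.length - 1];
    },
  };
}
```

With `allowedMethods: ["pin", "yubikey", "biometric"]` and `requiredFactors: 2`, a PIN followed by a YubiKey touch unlocks and the second prompt is offered only `["yubikey", "biometric"]`; PIN twice, a failed biometric, or a prompt that is never answered within `maxWaitMs` all throw `AuthenticationFailure` without `unlock()` ever running.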


#31

This is exactly what I am trying to get to. I want to use a YubiKey NFC and a PIN code (or thumb print on iPhone) to unlock the Bitwarden web, desktop, and mobile apps. I am setting it up for me and my wife to use, and I can get by with typing in the master pass, but I need it more simple for the wife. So far, the web version asks for my Duo phone app 2FA after putting in my master password, and I can’t even get the iPhone to prompt for 2FA, and the desktop app doesn’t either. And they all still require the complex master password.


#32

For both the apps and browser I would also like to see a 2nd factor prompt when unlocking the vault. Using just the password feels relatively insecure. In our company everyone owns a Yubikey and the use-case for requiring the Yubikey next to the password would be a great extra mechanism for securing the vault in case the password leaks.

So accessing/unlocking vault = Entering master password + some 2nd factor authentication


#33

Auto logout as an option for my Chrome/Firefox Linux desktop browsers would be something I would immediately enable on my Premium account. I leave a FIDO key inserted in my laptops at home while I am online. Simply touching the element key would add virtually nothing to my “task” of signing in. Since unlock after closing the browser requires my master password anyway, how hard is touching a U2F element? Answer: not at all. At the current time I attempt to remember to log out before closing the browser, but candidly it’s a pain in the butt.

I would not use this feature on my Androids. I feel that using a PIN where you get 5 tries and then you are logged out automatically is secure enough. Plus Android is much better at securing passwords. There are times I log out anyway because I carry a Yubi and validate the login with NFC as desired. On my Android Pie you can’t even get to my Bitwarden app unless you have my finger to open the phone first.

One thing I would recommend to BW users on desktop apps is to run a separate instance of Chrome or FF; that will help to keep internet activities you perform outside of BW use away from the BW private instances. Also, something like click and clean can be used to clear all activity from cache, cookies, etc. with one click, so when you go from one website to the next the browser is CLEAN and no previous stuff is available to the next site. Just an opinion, but once set up it is one click between sites to always keep a fresh browser instance.


#34

Another vote for implementing this feature. New Premium subscriber and was sad to learn the differentiation between unlock and login. I use a YubiKey so it is a true second factor not on the same device.

I’d like to have the protection of 2FA regardless if the attacker is remote or has physical access to my logged in device. I can’t be around all my devices at the same time but I can keep my YubiKey secured on me at all times.


#35

I’d love to go premium as soon as this feature is available. I highly appreciate this feature.