2FA when 'unlocking'


#42

Agree 100% here. I was very confused when I set up my 2FA key and this wasn’t happening by default! I now finally understand the whole difference between locking and logging out but this would still be very useful to have as a modifiable option, especially for those who often use their device in social settings.


#43

Also noticed the same behavior. There is a thoughtful debate on the merits here; I can mostly see both sides, but feel that it’s a feature that makes sense to add (especially for web browsers).


#44

Still nothing on this? My premium account and DUO account are literally useless.


#45

Guys,

Can we get an idea if this is going to be implemented please? We need to move to a different platform if this is not on the radar. We need it to lock and ask for 2fa each and every time.


#46

Another vote for implementing this. I’m a recent convert from LastPass and was shocked to see after getting a premium account that 2FA is rendered “useless”. Great, so it works when initially logging into your vault, but from that point on it’s never used again.

There absolutely needs to be an option (which can be set to off by default to retain “user friendliness”) that lets you log out of your vault when you close the browser instead of just locking the vault.

Seems to me that’s a no-brainer and would be straightforward to develop. I’m not sure why that was never offered as an option.

What might be more complicated is to force the use of 2FA on unlocking the vault. But if we can just get some sort of auto-logout option on browser close (as well as auto-logout after X time), I think a large security gap would be closed.


#47

Auto-logout setting would be the ONLY way to implement this.

When in a locked state, there is enough information on your computer to brute force your password without talking to the server. Logging out wipes that data.

Having a “2FA for Unlock” is security theater and someone will think they’re safe when they’re not.
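
The lock/logout distinction described in the post above, as an added example that is not part of the original post and is not any product's actual code. The `Server` and `Client` classes, the PBKDF2 parameters and the key-check tag are assumptions chosen to model the idea: unlocking is verified entirely against locally cached data, so the server-side second factor never takes part, while logging out removes that data.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # constructed value, not any real product's setting

def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def key_tag(key):
    return hmac.new(key, b"vault-check", "sha256").digest()

class Server:
    """Hypothetical server: the only place the second factor is checked."""
    def __init__(self, password, otp):
        self.salt = os.urandom(16)
        self._key, self._otp = derive_key(password, self.salt), otp
        self.calls = 0

    def login(self, password, otp):
        self.calls += 1
        key = derive_key(password, self.salt)
        if not (hmac.compare_digest(key, self._key) and hmac.compare_digest(otp, self._otp)):
            raise PermissionError("bad password or second factor")
        # What the client caches locally: salt plus a tag that verifies a key.
        return {"salt": self.salt, "tag": key_tag(key)}

class Client:
    def __init__(self, server):
        self.server, self.cache, self.key = server, None, None

    def login(self, password, otp):
        self.cache = self.server.login(password, otp)
        self.key = derive_key(password, self.cache["salt"])

    def lock(self):
        self.key = None  # key forgotten; cached vault data stays on the device

    def unlock(self, password):
        if self.cache is None:
            raise RuntimeError("logged out: a fresh server login (with 2FA) is required")
        key = derive_key(password, self.cache["salt"])  # no server call here
        ok = hmac.compare_digest(key_tag(key), self.cache["tag"])
        self.key = key if ok else None
        return ok

    def logout(self):
        self.key = self.cache = None  # nothing left locally to check a password against
```

In this model `Server.calls` stays at 1 across any number of unlock attempts, which is why a second-factor prompt at unlock would be enforced only by the client itself.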


#48

Does anyone know an alternative system which simply provides “auto logout” as an option for those of us who need it?


#49

Agreed. Still waiting on this functionality but can’t wait forever. At some point I will have to look at other PMs if we don’t even have an indication of a roadmap.


#50

Thoughts on 2FA for sync with a TTL? You can still operate with a “read-only” local copy. But if a delta is found between the local copy and remote, you must 2FA. Being able to update / pull a new DB copy after simply unlocking seems like an elevated privilege and IMO is where 2FA can be impactful.

Either way I don’t see much benefit with premium 2FA given the current 2FA approach.

(The manual workaround could be to log into the vault and stop all sessions from the settings page. Definitely not ideal; I did not see that setting for an organization either, which is what I’d really want.)