✅ 2FA when 'unlocking'

This topic has been around for quite some time now and no activity is visible. IMHO, it doesn’t matter how many of the users prefer lock only, how many want logout. A simple option/preference toggle can make everyone happy and allow me to use my Yubikey and be safe while another person prefers convenience and password only… Obviously, other password managers have done this long ago. Let’s create an AUTOMATIC LOGOFF based on optional and settable criteria!

Let us concentrate on using Yubikey (and possibly other similar devices) as an OTP key, which is a lot more secure than the other methods. Just ask Google (sigh).

3 Likes

Just another user here wishing there was an option to require 2FA for unlocking.

2 Likes

Here as well! Actually, I understand that Locking would only require the master password (in case the internet connection is lost), but there should be an option for the Logout (just like for the locking). You could either disable it or put a timer on it. This way it would require 2FA authentication every time it times out. I also like the idea of having only the 2FA password as a required input. It makes it simpler, and remains very secure.

Thank you folks!

This has been a really great spirited discussion! I thought I would throw in my 2 cents as a premium user who just left LastPass. At my workplace they use keyloggers. As such, unless I actively log out of Bitwarden at the end of the day, my workplace could access my Bitwarden vault at any time.

So, even if the solution is implemented in a way that requires a constant connection to the BW servers, I am okay with that because it prevents work from being able to access my vault.

EDIT: As a workaround, maybe we can get a "global logout except this device" button on the phone in the Bitwarden app? That way, if I am away from my machine and left it logged in, I can automagically make it log out when connected to the internet.

Add me to the list of people that are premium users with Duo and think the unlock without 2FA is scary. At the very least, there should be server-level options to disallow short PINs or disable PIN/FaceID entirely. I want 2FA or a complex password EVERY time someone accesses Bitwarden. Don’t know that I would have gone premium and installed on-prem if I had known about this serious limitation.

2 Likes

Just cross-referencing another thread discussing basically the same thing:
https://community.bitwarden.com/t/auto-logout-after-x-minutes

and my workaround using a Static Password on Slot 2 of a YubiKey 4 or 5:

I’d like to see this feature added. “Locking” the browser extension so that only a password is needed after restarting the browser doesn’t feel as safe as LastPass makes me feel. I want the app to have the option to sign me out every time the browser closes, not just lock it. I don’t see why this isn’t an option, if someone gains access to my work account someone then could just launch my browser on my work laptop and enter my password, without that 2FA for getting into my “locked” Bitwarden app they would have the keys to my castle.

The problem is that a static password can be sniffed/extracted by a keylogger (or by someone who grabs your YubiKey for a second).

The point of re-authenticating with a YubiKey is that your master password is typed as few times and in as few environments as possible.

3 Likes

Would like to bring to everybody’s attention that FIDO2 (the standard that is used for 2FA) actually supports offline mode, and almost all authenticators implement it.

https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension

You can use this to derive a shared secret between Bitwarden and the YubiKey to lock and unlock the database.

Microsoft Hello uses this for offline login, for example.

More context: https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/tosNJvfjMBM

3 Likes
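To make the hmac-secret idea above concrete, here is an added toy model (not Bitwarden's or the FIDO Alliance's code) of how a client could wrap its vault key under the extension output HMAC-SHA-256(CredRandom, salt) and later unwrap it with no server involved. The Authenticator class, the enroll/unlock functions and the XOR-plus-HMAC wrapping are my own assumptions for illustration; the CTAP2 step that encrypts the salt in transit with a client/authenticator shared secret is omitted.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 32  # hmac-secret salts are 32 bytes


class Authenticator:
    """Constructed stand-in for a FIDO2 authenticator's hmac-secret extension."""

    def __init__(self):
        # CredRandom is created with the credential and never leaves the device.
        self._cred_random = secrets.token_bytes(32)

    def hmac_secret(self, salt: bytes, user_present: bool) -> bytes:
        if not user_present:
            raise PermissionError("hmac-secret requires a user-presence check (touch)")
        if len(salt) != SALT_LEN:
            raise ValueError("salt must be 32 bytes")
        # The extension output: HMAC-SHA-256(CredRandom, salt)
        return hmac.new(self._cred_random, salt, hashlib.sha256).digest()


def _derive(secret: bytes, label: bytes) -> bytes:
    # Split the authenticator output into separate wrap and MAC keys (assumed KDF).
    return hmac.new(secret, label, hashlib.sha256).digest()


def enroll(auth: Authenticator, vault_key: bytes) -> dict:
    """Wrap a 32-byte vault key under a key only this authenticator can recreate."""
    if len(vault_key) != 32:
        raise ValueError("vault key must be 32 bytes")
    salt = secrets.token_bytes(SALT_LEN)
    secret = auth.hmac_secret(salt, user_present=True)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, _derive(secret, b"wrap")))
    tag = hmac.new(_derive(secret, b"mac"), salt + wrapped, hashlib.sha256).digest()
    # Only these three values are stored on disk; none of them reveals vault_key.
    return {"salt": salt, "wrapped_key": wrapped, "tag": tag}


def unlock(auth: Authenticator, record: dict) -> Optional[bytes]:
    """Recover the vault key offline; None if the key or the record is wrong."""
    secret = auth.hmac_secret(record["salt"], user_present=True)
    mac_key = _derive(secret, b"mac")
    expect = hmac.new(mac_key, record["salt"] + record["wrapped_key"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, record["tag"]):
        return None  # different authenticator, or tampered record
    return bytes(a ^ b for a, b in zip(record["wrapped_key"], _derive(secret, b"wrap")))
```

Because the stored record holds only the salt, the wrapped key and a tag, unlocking needs the physical key present every time, which is the "2FA on unlock" behaviour the thread asks for.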

Any update on this? I own a YubiKey and still cannot use it for unlocking.

It feels like the needed security improvements to Bitwarden are coming very slowly, or, as here, not at all. Not so happy with that as a premium user :frowning:

It would be nice to have it. Got two YubiKeys and they are pretty useless with Bitwarden :(. Looking forward to this option.

+1 to this feature.
If Bitwarden is used to contain TOTP keys as a premium user, there should at least be the option to require 2FA when opening the vault. Not just when logging in.

Yup, +1. Wasn’t expecting to be able to unlock the Android app with just a fingerprint.

Add me to the list here. Just contacted support to see what I was doing wrong, and found it was nothing!

I’ve just switched my personal password manager to Bitwarden, after a year with Dashlane and several years with LastPass. I’d really like BW to work in the browser like LP.

When I open the browser in the morning I get a prompt from LP for my 2FA only, as I have the extension save the master password. If I don’t have my phone then I can’t provide this and I don’t get in. For BW I have to pull up my master password and copy & paste it. Which one of these is more secure?

I’ll echo earlier comments regarding online versus offline use. While I can definitely make a case for needing access to certain passwords even if there’s no internet access (accessing network devices at work, for instance) I’d still be willing to lose offline ability if it gave me the option to be prompted for 2FA (but not 2FA & master password) every time I open the browser.

1 Like

That would only be necessary IF you don’t know your master password. In order to copy it you would have to store the master password on your device, which is too much of a compromise for me. You can also employ unlock with PIN instead. On my Android I use a 6-8 digit PIN. After 5 incorrect attempts you are completely logged out. For me this means an extended PIN is as safe as using LP and retaining the master password in some memory somewhere. Takes almost no time to key a 7-digit unique PIN code.

Wait - isn’t this already an option? Just don’t allow BW to remember your 2FA when you log in, and log out when you are done with your session so that you are always prompted for 2FA when you re-open BW.

Or are you asking for a fingerprint (instead of master password) + 2FA?

I’ve opened a forum account for this reason alone, to express my views and say it will be a great idea to have 2FA unlock or auto-logout when closing the browser.

By the way, great product, so much so that I upgraded to premium, and I’m tight with what I upgrade, too!

2 Likes

New premium user here. I found this thread by searching for an answer why Bitwarden did not request 2FA when unlocking. I’m a little surprised to see it doesn’t have such a basic feature; nonetheless I’m really hoping this gets added soon, as I’m not sure how long I can be bothered manually logging out of Bitwarden.

Me too. There’s no logical reason that this isn’t implemented. They could pop up a warning along the lines of “using this feature means there will be no offline mode”, and then the user decides. Come on Bitwarden - there are plenty of your users who want this, and anyone who doesn’t wouldn’t need to use it.

+1 on this issue - it’s quite disappointing that this hasn’t been implemented, as this is exactly the point of having 2FA. I should have to re-verify using my second factors after every timeout/browser close/phone app close/etc. As a premium user it’s unacceptable that I only have to authenticate once and then the device is trusted even after locking.

I would be willing to contribute in code if pointed to the right part of the project.

2 Likes