✅ 2FA when 'unlocking'

Please, please, please implement this! Without this feature, my premium account is a waste of money. Yubikey adds value to the waste pile… 2FA is a must for lock/unlocking!

Any updates on this? 723 days past… 7… 2… 3… DAYS!!!

1 Like

+1 missing this feature too, I want to believe that BW has this request on the radar. I also think that any update from the team on this matter would be greatly appreciated.

YES PLEASE!!!
This should be mandatory by now, due to several breaches and information leaks. This should be a must-have!!
This is a big fail. Please provide a solution ASAP.

Auto logout is definitely on the roadmap, but we haven’t scoped out what options there would be for 2FA unlock specifically. As you all have noted, the need for online/offline function is clear, and this would need to work across platforms. Keep the ideas and votes going!

1 Like

In the meantime, you can always logout.

This is not true. U2F and FIDO2 most definitely do not require a remote trusted server. See OpenSSH v8.2, which just deployed both FIDO U2F and FIDO2 support, as a perfect example. It simply needs to be supported by the application.

Additionally, TOTP is based upon a standardized algorithm with a secret seed. No online connectivity is required, only the algorithm, secret 16-bit or 32-bit seed number, and an accurate system clock. No online connectivity is required – again here it simply needs to be supported as part of the application’s authentication functionality.

1 Like

Technically it can look like it’s working, but it has no point if used on the same machine, since it doesn’t add more security to the database file itself in any way.

When used locally it could add that 2FA element to the application UI, but not to the actual storage. Any attacker with the ability to execute code on that machine could just access the database file directly.
This “offline approach” could work only if the verification part and the database were stored in some secure element/smartcard, but that requires additional hardware and complicates things.

In SSH it is not used offline; there is a client and a server to verify against.

OpenSSH is a remote protocol. All 2FA uses a one-time calculated value. There is no way for a static blob of data, called the vault, to calculate anything. 2FA only adds security when interacting with something. If your vault was skimmed, 2FA can’t do crap.

The closest thing you could get to local 2FA enhancement would be to use HMAC-SHA challenge-response in a non-standard way, or some sort of public/private key setup, like Yubikey supporting OpenPGP.

At the end of the day, the only way to add additional protection is to add static data, because the vault is itself static data.

I do have a random idea on how this might be implemented, but it might require online access.

  1. BitWarden application/extension could further encrypt the local vault with a randomly generated key, and then using 2FA could allow access to this key. Unless there is a safe way to save this key locally, it may require redownloading the vault every browser restart.
  2. This key could potentially be saved on the BitWarden servers, which require 2FA access. The client could generate a random session guid, and the key would be tied to this unique identifier. Then whenever the user needs to decrypt the local vault and the key is not stored locally, sending a request to the server with the session identifier along with whatever 2FA in order to reacquire the key.
  3. If the local system has some sort of secure storage available, the additional decryption key could be saved there. If browsers don’t offer this, maybe they should. Some sort of per-extension secure storage of probably limited size. Just enough to save some small secrets. If you’re running as an app, I’m pretty sure Windows has this. Some sort of secure storage API that is per user, but that the user can’t even get direct access to. Only the application can. Prevents malware running as the user from being able to access the data.

@tgreer ^^

2 Likes
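The two ideas above, HMAC-SHA challenge-response as the closest thing to local 2FA, and the numbered design of wrapping the local vault under a random key that a 2FA-gated server releases, fit together into one flow. The following is an added example in Python, not Bitwarden's code and not its API: the escrow server class, the session handling and the cipher are all constructed stand-ins. The cipher is an HMAC-SHA256 keystream with encrypt-then-MAC built from the standard library so the example runs anywhere; a real client would use AES-GCM or XChaCha20-Poly1305. The token is modelled as a YubiKey-style HMAC-SHA1 challenge-response slot.

```python
import hashlib
import hmac
import json
import secrets
import uuid


# --- Local storage: the vault blob on disk is encrypted under a random data key (idea 1). ---

def _subkeys(data_key: bytes):
    enc_key = hmac.new(data_key, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(data_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wrap_vault(data_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, stand-in for an AEAD."""
    enc_key, mac_key = _subkeys(data_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_vault(data_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(data_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault blob rejected: wrong data key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# --- Hardware token: HMAC-SHA1 challenge-response, as a YubiKey slot programmed for it would answer. ---

def token_respond(token_secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()


# --- Hypothetical server side (idea 2): keeps the data key per session id, releases it only
#     after a fresh, single-use challenge is answered correctly. ---

class KeyEscrowServer:
    def __init__(self):
        self._sessions = {}   # session_id -> (data_key, token_secret)
        self._pending = {}    # session_id -> outstanding challenge

    def store(self, session_id: str, data_key: bytes, token_secret: bytes) -> None:
        self._sessions[session_id] = (data_key, token_secret)

    def challenge(self, session_id: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[session_id] = nonce
        return nonce

    def release(self, session_id: str, response: bytes):
        nonce = self._pending.pop(session_id, None)   # consumed whether or not the answer is right
        if nonce is None or session_id not in self._sessions:
            return None
        data_key, token_secret = self._sessions[session_id]
        if not hmac.compare_digest(token_respond(token_secret, nonce), response):
            return None
        return data_key


def run_scenario() -> dict:
    """Lock, unlock, then show what an attacker holding only the skimmed blob can do."""
    vault = {"items": [{"name": "example.com", "username": "alice", "password": "correct horse"}]}
    token_secret = secrets.token_bytes(20)          # constructed: programmed into the token at enrolment
    server = KeyEscrowServer()

    # Lock: encrypt under a fresh data key, escrow the key under a random session id, forget it locally.
    data_key = secrets.token_bytes(32)
    blob = wrap_vault(data_key, json.dumps(vault).encode())
    session_id = str(uuid.uuid4())
    server.store(session_id, data_key, token_secret)
    del data_key

    # Unlock: answer the server's challenge with the token, receive the key, decrypt.
    response = token_respond(token_secret, server.challenge(session_id))
    unlocked = json.loads(unwrap_vault(server.release(session_id, response), blob))

    # Attacker with the blob: replaying the captured response fails (challenge already consumed),
    # and any key other than the escrowed one fails authentication.
    replay_rejected = server.release(session_id, response) is None
    try:
        unwrap_vault(secrets.token_bytes(32), blob)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    return {"unlocked": unlocked, "replay_rejected": replay_rejected, "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    print(run_scenario())
```

The caveats raised earlier in the thread still hold: while the vault is unlocked the data key is in the client's memory, so malware running as the user on that machine gets it anyway; this only protects the blob at rest and when locked, and it reintroduces the online dependency. Because the HMAC secret is symmetric, the server holds a copy of it; a FIDO2/U2F assertion over the challenge would let the server keep only a public key.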

@Ben86 :+1: good stuff for the devs to review when the time comes!

1 Like

Now that the keyboard shortcuts for copy/paste user/pass have been added in version 1.17 (rejoice!! :slight_smile: ), this remains the key aspect that makes me consider any other tools. The rest is really going great, but I do find this an important security gap.

1 Like

Today I implemented a static password in slot two; tomorrow I will kick that out. A child is able to sniff it, and forwarding some characters manually doesn’t make it really better. Yesterday I changed from KeePassXC to Bitwarden. This point is the only big one KeePassXC is doing much better than Bitwarden, but important enough to roll back or change to another solution if Bitwarden waits too long.

I signed up specifically to upvote this issue. My expectation of 2FA for the premium account was that it would be required for each login. I understand that 2FA does protect your account if someone compromises your login creds and wants to access on a remote device, however if someone compromises your machine or installs a keylogger you are toast. And given that this is your master password for all other passwords it seems like you should be able to protect it more thoroughly.

I understand the argument that you must be internet connected to login and use 2FA (via current implementation). However as a user I’d be happy to check that box and accept the risk that I may not be able to get into Bitwarden offline after having made that choice if it meant I’d have 2FA required for each time I opened the app to get a password.

Good news! We’ll be releasing our ‘auto logout’ feature shortly, which will give you the option to not just lock your vault, but completely log out at the end of your configured time, thus enforcing your two-step preference all the time.

10 Likes

Will this option be device-specific, OR will my setting of this feature be across all my devices?

I would/will opt to use it on several laptops but I don’t want to have to grab my NFC “stick” on my Android every single time.

I feel my vault is very secure already but I do understand why some users want this feature.

Right now we don’t sync your timeout across devices, so it’ll be whatever you set that device to use :slight_smile:

You could even set some devices to just lock and not log out, and vice versa.

2 Likes

Thank you for the answer. This will be a handy feature!

Our new Vault timeout option is here! You can now set your vault to Log Out (and use 2FA) instead of just lock! - all clients (aside from iOS, which is in the Apple-queue) are in flight! More info on the blog post here:

9 Likes

I signed up specifically to upvote this issue. Please make possible to unlock with 2FA.
Thanks!

1 Like