2FA (yubikey) not required after reboot

I have an Ubuntu 20.04 system, and if I shut it down, then power it up, I’d expect to be required to meet the full login requirements for Bitwarden: master password and 2FA. The only way it challenges me for my 2FA is if I manually log out from Bitwarden.

At least on my Android phone it asks for the fingerprint, which is more convenient than the master password, but the 2FA is something a hacker won’t have.

Why is the 2FA not required in these situations?

What is the vault action and timeout setting?

On System Lock

A little background. I’ve been using LastPass Premium since before Yubico invented the Yubikey and lived through the growing pains of that. Having to enter a master password all the time will make you tend to change that password to something simpler, and that’s bad. LP will have you always enter the master password and 2FA coming out of a reboot and after logging out. However, if you just close the browser, it asks you to press the 2FA button (Yubikey).

Instead of just entering the master password on lock, it should use the 2FA on unlock. This would be convenient and more secure than shortening an MP because you’re tired of entering it 100 times a day.

I haven’t used the Linux version, but does it exist as an extension in the browser or as its own app? If it does, it may behave the same way as Windows. What I have noticed with the extension is that when you close the browser, the vault is deleted from the machine unless you have the vault time-out set to never. If you set the time-out to never, it writes the encrypting key to disk, so you don’t need to log in; otherwise you have to log back into the system using the master password, though you can also set it up to use a PIN.

The system is behaving like the vault setting is never. Does the system require you to unlock if you lock Linux and unlock? Have you tried toggling the setting to something else and back? If that does not work, have you tried reinstalling?

On Linux I’m using the Google Chrome extension for Bitwarden. If I close the browser I have to enter my master password next time, but not the 2FA.

If I logout explicitly in the Bitwarden extension then I have to use the MP and 2FA to get back in as expected.

Ah, then we are getting somewhere. There are two possibilities.

  1. Bitwarden only requires 2FA when you log in and not when you unlock. You may want to change the vault behavior to logout and see if it will prompt for the 2FA. One issue I have noticed: logging out means you have to log in again using the master password.
  2. There is a checkbox that says “Remember Me”. If you check it while authorizing the 2FA, it will remember the device. This is what happens when you use TOTP, but I don’t know if this is the same for Yubikey. In any case, if #1 doesn’t resolve the issue, you may be able to deauthorize sessions. The problem is that it will deauthorize all of your devices, so you would need to authenticate the devices again.
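The distinction the thread keeps circling (login vs. unlock, and why only login asks for the second factor) comes down to where each check happens: the second factor is verified by the server at login, while unlock is a purely local operation that re-derives the vault key from the master password and decrypts a copy already on the device, so there is nothing for the Yubikey to authenticate against. The model below is an added illustration written for this thread, not Bitwarden's code; the KDF parameters, salt, toy cipher and sample vault contents are constructed placeholders. It shows which state transitions need which factor, and why "logout" (discard the encrypted vault) is the setting that forces 2FA again.

```python
import hashlib
import hmac

# Constructed sample values for the model, not Bitwarden parameters or real credentials.
MASTER_PASSWORD = "correct horse battery staple"
KDF_SALT = b"constructed-salt-value"
SECOND_FACTOR = "123456"                 # stands in for the Yubikey/TOTP response
VAULT_ITEMS = b"example.com login: alice / hunter2"


def derive_key(master_password: str, salt: bytes = KDF_SALT) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), for illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return hmac.new(key, body, "sha256").digest() + body   # tag lets a wrong key be detected


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("wrong vault key: cannot decrypt")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, len(body))))


class AuthServer:
    """Stores only the encrypted vault and a hash of the key; it never holds the key itself."""

    def __init__(self, master_password: str, second_factor: str, items: bytes):
        key = derive_key(master_password)
        self.auth_hash = hashlib.sha256(key).digest()    # login credential derived from the key
        self.second_factor = second_factor
        self.encrypted_vault = toy_encrypt(key, items)

    def login(self, master_password: str, second_factor: str) -> bytes:
        """Both factors are checked here, and only here; returns the encrypted vault."""
        pw_ok = hmac.compare_digest(self.auth_hash, hashlib.sha256(derive_key(master_password)).digest())
        fa_ok = hmac.compare_digest(self.second_factor, second_factor)
        if not (pw_ok and fa_ok):
            raise PermissionError("login rejected: master password and second factor required")
        return self.encrypted_vault


class VaultClient:
    def __init__(self, server: AuthServer):
        self.server = server
        self.encrypted_vault = None   # kept while logged in, whether locked or unlocked
        self.key = None               # kept only while unlocked

    def state(self) -> str:
        if self.encrypted_vault is None:
            return "logged_out"
        return "locked" if self.key is None else "unlocked"

    def login(self, master_password: str, second_factor: str) -> None:
        self.encrypted_vault = self.server.login(master_password, second_factor)  # server round trip
        self.key = derive_key(master_password)

    def lock(self) -> None:
        self.key = None               # ciphertext stays on the device

    def unlock(self, master_password: str) -> bytes:
        """Local only: no server contact, so no second factor can be checked here."""
        if self.encrypted_vault is None:
            raise PermissionError("logged out: a full login (password + 2FA) is needed")
        key = derive_key(master_password)
        items = toy_decrypt(key, self.encrypted_vault)   # wrong password fails the tag check
        self.key = key
        return items

    def logout(self) -> None:
        self.encrypted_vault = None   # the "logout" timeout action: next access is a full login
        self.key = None


def demo() -> list:
    """Walk the lifecycle once and record which step required which factor."""
    client, log = VaultClient(AuthServer(MASTER_PASSWORD, SECOND_FACTOR, VAULT_ITEMS)), []
    try:
        client.login(MASTER_PASSWORD, "000000")
    except PermissionError:
        log.append("login with wrong 2FA: rejected")
    client.login(MASTER_PASSWORD, SECOND_FACTOR)
    log.append("login with MP + 2FA: " + client.state())
    client.lock()
    log.append("lock: " + client.state())
    client.unlock(MASTER_PASSWORD)
    log.append("unlock with MP only: " + client.state())
    client.logout()
    try:
        client.unlock(MASTER_PASSWORD)
    except PermissionError:
        log.append("unlock after logout: rejected, full login needed")
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

The point the model makes concrete: a "lock" timeout action leaves ciphertext on the device and turns the master password into the only gate, whereas the "logout" action discards it and forces the server round trip where the second factor lives. "Remember Me" works on the server side of that same round trip, which is why clearing it means deauthorizing sessions rather than changing anything on the client.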