"2SV Recheck" to view/fill any item in Vault

Hello! I love Bitwarden, but there is one important security feature lacking from all versions of the app which I am going to refer to as “2SV Recheck.” I use a FIDO2 key for 2SV, with TOTP as a backup method. My goal with “2SV Recheck” is that any time I view, edit, or auto-fill any item in my Vault, Bitwarden would require that I perform a “2SV Recheck” and force me to either tap my FIDO2 security key or enter a TOTP code.

I am aware of the “Master password re-prompt” option, which I have enabled for most items in my Vault, but if my endpoint is compromised then the “Master password re-prompt” is useless, as the malicious actor would likely have a keylogger installed on my system. Implementing a Vault-wide “2SV Recheck” feature would drastically increase security.

Thanks for hearing my idea!


For mobile apps, “2SV Recheck” could include biometric authentication.

Sounds like you are asking that your vault generally remain locked. This can be largely accomplished by setting your timeout to lock after one minute and allowing biometric unlock.

Close! I want a “2SV Recheck” to force me to use biometrics for mobile [or 2SV for web/extension] if I try to view/edit/fill any item in Vault.

The problem is that when you are able to view/edit/fill, it is too late to protect your vault. Reprompt is little more than security theater. It protects against the opportunistic thief that goes around rattling doorknobs, but does little to defend against someone with “inside access”.

Bitwarden’s primary defense is to encrypt your entire vault. When the vault is encrypted (locked), it is impossible to display even non-sensitive data, such as the “vault tab” or the list of entries that match the autofill. Unlocking (decrypting) the vault makes both of these possible, but it also means there is an in-memory copy of your unencrypted vault. It is this in-memory copy you need to defend. The non-solvable problem is that a bad actor with sufficient permissions to install a keylogger is likely also able to dump the memory from the Bitwarden process and learn everything that Bitwarden knows.

Incidentally, it is good that Bitwarden encrypts the entire vault, even though it makes things less convenient. LastPass historically encrypted only the “sensitive” fields, resulting in a significant compromise that is still hurting their users.