A few questions after using Premium for a bit

Hello again everyone,

After using Premium for a bit, I’ve come up with a few questions. They’re in order of interest :slight_smile: Any help is greatly appreciated. Thank you!

  1. Does Bitwarden have a file reader/viewer? I have a CSV file attached to a vault item and want to open it securely as it contains sensitive data, rather than downloading the file or opening it in an app that may sync or cache data to a server.

  2. Does anyone know if any of the two-step login providers listed under Account settings/Security save or sync? The LastPass authenticator app automatically saves entries after each is added, or you can save manually. Last I checked, Google Authenticator does not save anything.

  3. “Unlock with biometrics” under the app Settings/Security seems to get turned off every time I log out of the app, and I need to turn it on again each time I log back in to the app. Just wondering if this is expected behavior/by design?

  4. I’ve noticed some apps don’t autofill - I get the prompt from Bitwarden, but it doesn’t fill the username and/or password. This used to happen with LastPass and eventually the affected apps would fill both, so I’m assuming it’s the same situation with Bitwarden, hopefully just a matter of time before the autofill works, or maybe it’s an issue with the app itself?

  1. No, but there is a feature request here. PDF files can be viewed without downloading (at least in some of the browsers), using a “sandboxed” PDF viewer.

  2. Not sure what you are asking exactly. The 2FA options available under Account Settings/Security are for logging in to your Bitwarden account (which is required to download the encrypted vault to your device). Once you enable one (or more) of the options there, you will be required to provide that 2FA factor when logging in from any other device or any other Bitwarden client app (browser extension, desktop app, etc.).

  3. I’m guessing this is in the web vault. I’m not familiar with that particular setting, but I know that in the web vault, many of the preferences are not retained. If you set the equivalent setting in the Desktop app or in a mobile app, it should be retained.

  4. This could be a number of things. Since you mentioned apps, I’m guessing this is a mobile device. Some mobile devices (e.g., Android) sometimes need troubleshooting to get autofill to work. Alternatively, this type of problem can be caused by websites/apps that use non-standard identifiers for the login form fields, so that Bitwarden is unable to recognize which of the fields correspond to the username and password. Such problems can often be solved by defining custom fields.

Hope this helped!

I’ve seen (3) also multiple times as a new BW user coming from LP.

There seems to be some difference between ‘locking’ the vault on the mobile device after some timeout period vs. ‘logging out’ from within the app. I’ve seen the 2FA in the mobile app toggle off more than once on me.

Uncertain if it’s bad practice, but never logging out within the app seems to work as expected.

On the iPad with fingerprint recognition, fingerprint for BW unlocking of the vault works fine and stays enabled. On the iPhone with no buttons, face recognition unlocks the BW vault fine and stays enabled also. Both are set to a few minutes auto-lock with timeout-action set to ‘lock’.

(update - https://bitwarden.com/help/biometrics/ is nicely written)

If this observation is reproducible, please file a bug report (“New issue”) on GitHub.

Staying logged in is not considered bad practice, if one sets a timeout for locking the vault. Setting the option to “Never Lock” is considered risky, as it will cause your account encryption key to be stored on your device.

Thanks, any recommendations or suggestions for a standalone CSV app?

Apologies, maybe I misunderstood. I thought these were apps for generating TOTP codes (like Google Authenticator). Since I’m leaving LastPass I’m also searching for an authenticator app to replace theirs, which had a convenient automatic backup feature. Any recommendations or suggestions?

The setting is in the Android mobile app, should it be retained when logging out?

Yes, I’m using the Android mobile app. I did get a prompt from Bitwarden indicating there wasn’t an exact match for the autofill, do I want to save the URI and fill, which I did, but only filled the username. Any recommendations on troubleshooting?

Can custom fields be used in the Android app?

If you just want to see the contents as comma-separated text, any text editor will do (e.g., Notepad, emacs, etc.) If you want the contents displayed as a table of columns and rows, then you can open these in Excel, Libre Calc, or any other spreadsheet app.

Since I’m leaving LastPass I’m also searching for an authenticator app to replace theirs, which had a convenient automatic backup feature. Any recommendations or suggestions?

For anything but the 2FA used to log in to Bitwarden itself, I recommend Bitwarden Authenticator, which is not a separate app, but integrated into Bitwarden itself. Once you’ve added a TOTP seed to any login item in your vault, Bitwarden will automatically generate the 6-digit TOTP code and place it in the clipboard whenever you auto-fill those login credentials. So the normal workflow to log in is to auto-fill the username & password using Ctrl+Shift+L, then paste the TOTP code using Ctrl+V. You should be backing up your vault contents regularly, which will include your TOTP seeds.

For 2FA to access Bitwarden, I recommend FIDO2/Webauthn authentication using a Yubikey or Yubico Security Key.

I would think so, but I personally don’t use Bitwarden on mobile devices, so I’m probably not the best person to help with your Android questions. If no one else steps in to assist, there are some troubleshooting instructions in the link I had shared above, and you can also use the forum search function ( :mag:) to look up relevant discussions about Android issues. You may get more responses if you create a new topic that has a more specific title (e.g., “Biometrics setting lost when logging out on Android”).

Again, I would think so, but I don’t have first-hand experience with this.

Bitwarden has a built-in Authenticator feature. However, it is only available with the paid plans (Premium, Families, and Teams). Families enables it for anyone invited into your family plan even if they just have the free plan, i.e. there is no need for anyone other than the Families sponsor to pay for a plan.

On mobile, you can scan in the QR code with your camera (there’s a button in the app to launch it if you’re editing an entry) and it will load the token (most of the time - mine is a bit flaky on a Nokia X100 Android 12 device). Otherwise you can enter the code manually into the TOTP field (most sites show it for desktops and when no QR code reader is available). Save the entry, and presto, you are now seeing the TOTP codes along with a timer so you can wait if it is about to change over.

Every device logged into your vault can now use the TOTP codes! That alone is worth the $10/year for the Premium plan. You don’t need to enroll each phone/device separately, because the secret/token is shared to the device that needs it through the Bitwarden app or extension directly from your vault.

Bonus points for the kids: Bitwarden has support for the Steam TOTP scheme!

Because the TOTP secret is just another part of the entry in your vault, if/when you export your vault for a backup (e.g. onto a mounted encrypted drive such as a thumb drive and VeraCrypt), the TOTP secrets are backed up along with it.

If you ever reset your TOTP secret/authenticator token, you just edit the entry, enter the new secret in the vault entry on top of the old TOTP value and save.

2 Likes
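The posts above describe the TOTP seed as "just another part of the entry" that every client derives codes from. The following is an added example, not code from the thread or from Bitwarden, showing what that derivation actually is: a 6-digit RFC 6238 code (HMAC-SHA1 over the 30-second time step) from a base32 seed, plus the 5-character Steam variant mentioned above. The seed field formats handled (a bare base32 secret, a `steam://` prefix, or an `otpauth://` URI) are assumed here as the common conventions; the sample seed is the RFC 6238 test secret, not a real account.

```python
"""Added example: deriving RFC 6238 TOTP and Steam-style codes from a stored seed.

Not Bitwarden's code. It illustrates why the *seed* is the secret to protect and
back up: anyone holding it (and a clock) can reproduce every future code.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Steam Guard's 5-character alphabet (digits 2-9 and consonants, no 0/1/I/O).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 seed as sites print it (spaces/dashes, no padding)."""
    s = secret.strip().replace(" ", "").replace("-", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding stripped for display
    return base64.b32decode(s)


def hotp_truncate(key: bytes, counter: int, algorithm: str = "sha1") -> int:
    """RFC 4226 dynamic truncation: 31-bit integer from HMAC(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp(secret: str, at_time: float, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 code: HOTP with counter = floor(unix_time / period)."""
    code = hotp_truncate(decode_base32_secret(secret), int(at_time) // period, algorithm)
    return str(code % (10 ** digits)).zfill(digits)


def steam_totp(secret: str, at_time: float, period: int = 30) -> str:
    """Steam variant: same truncation, then 5 base-26 symbols instead of decimal digits."""
    code = hotp_truncate(decode_base32_secret(secret), int(at_time) // period)
    out = []
    for _ in range(5):
        out.append(STEAM_ALPHABET[code % len(STEAM_ALPHABET)])
        code //= len(STEAM_ALPHABET)
    return "".join(out)


def parse_totp_field(value: str) -> dict:
    """Interpret a vault TOTP field (assumed formats: bare seed, steam://seed, otpauth:// URI)."""
    if value.startswith("steam://"):
        return {"type": "steam", "secret": value[len("steam://"):], "digits": 5,
                "period": 30, "algorithm": "sha1"}
    if value.startswith("otpauth://"):
        u = urlparse(value)
        q = {k: v[0] for k, v in parse_qs(u.query).items()}
        return {"type": "totp", "secret": q["secret"], "digits": int(q.get("digits", 6)),
                "period": int(q.get("period", 30)),
                "algorithm": q.get("algorithm", "SHA1").lower()}
    return {"type": "totp", "secret": value, "digits": 6, "period": 30, "algorithm": "sha1"}


def code_for_field(value: str, at_time: float) -> str:
    """Produce the code a client would show for a given vault field at a given time."""
    p = parse_totp_field(value)
    if p["type"] == "steam":
        return steam_totp(p["secret"], at_time, p["period"])
    return totp(p["secret"], at_time, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    import time
    # RFC 6238 test secret "12345678901234567890" in base32 (constructed sample, not a real seed).
    demo_seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("bare seed  :", code_for_field(demo_seed, time.time()))
    print("otpauth URI:", code_for_field(
        "otpauth://totp/Example:alice?secret=" + demo_seed + "&issuer=Example", time.time()))
    print("steam      :", code_for_field("steam://" + demo_seed, time.time()))
```

The same seed yields the same code on every device, which is exactly why a vault export containing the TOTP field is a complete authenticator backup, and why that export needs to be stored encrypted (as the thumb-drive plus VeraCrypt suggestion above does).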

I’m looking for an Android app that is truly standalone - no data leaving the app outside of a manual save due to the sensitive nature of the data. Ideally, I’d like to be able to select text in the app and copy/paste.

If I understand correctly with using Bitwarden for TOTP codes, in the unlikely event my vault was hacked, would this not also expose the codes? This is my biggest driver to search for an authenticator app outside Bitwarden. Plus, I need a separate app for Bitwarden’s 2FA.

Technically, this is true, but you can prevent your encrypted vault from being cracked by choosing a strong Master Password that is not used elsewhere (and by setting up 2FA for your vault). If you have done these common-sense things, then the TOTP seeds can only be stolen if your device has been compromised to the point where an attacker can read your decrypted vault contents from memory, page files, etc. Should you fall victim to such an attack against your local Bitwarden vault, then you can assume that any third-party TOTP app stored on the same device will also be compromised.

If you consider a breach of your device to be a plausible scenario, then you can only protect your TOTP secrets if you use an authenticator that does not store the seeds on the same device as your vault (e.g., Yubico Authenticator).

1 Like

For a good open-source TOTP authenticator, the recommendations typically are either Aegis Authenticator for Android or Raivo OTP for iOS.

Though as stated, if you possibly got malware on your device, basically all bets are off.

@cksapp has already mentioned, but Aegis is a great choice for a stand-alone TOTP app on Android. It creates encrypted backups of your TOTP entries and works with local backups on Seedvault, if your Android OS supports this - currently, only GrapheneOS, CalyxOS, and LineageOS (and DivestOS, by extension) support Seedvault.

Another option to consider, if you want to use TOTP separately from your online Bitwarden vault, is to use a dedicated (local and offline) KeePassXC database on desktop that also has all of your TOTP entries - this is mentioned periodically on Michael Bazzell’s podcast.

Even if you store TOTP entries in Bitwarden, it’s a good preparedness idea to have a backup of your TOTP entries ready to use - independent of concerns of whether or not your Bitwarden vault could be compromised, as detailed in podcast episode 284.

I did see 2FA toggle off again today but probably don’t have enough data to open an issue.

Symptoms were iPhone app gave me a no-data blank screen for the vault almost like it failed trying to download data. Verified the vault was ok using desktop Mac which was still logged in.

I then stopped the BW process on the iPhone (swipe up) and opened it again, and was prompted to log in with master pass and 2FA with a yubikey, which worked ok and the vault was fine on the iPhone again.

The ask for yubikey bugged me so I checked the 2FA settings on the iPhone and found that face-unlock had been disabled, so this is three times this has happened. Re-enabled it and things were fine again.

Possibly unrelated, but on iOS on iPhone and iPad I ‘do’ periodically see prompts to unlock the mobile device with keycode in order to (re)enable Face unlock, so it’s possible there’s some underlying mobile os thing going on under the hood that’s turning off the Face unlock for BW too.