Ability to create profiles that have limited access to selected accounts/passwords

I’d like the ability to create profiles that have limited access to selected accounts/passwords.
Lastpass calls them “Identities.”

When I’m logged into my work computer, as an example, I would like some of the passwords available, but not everything. Switching profiles should be like logging out/in and require 2FA.

2 Likes

Possible duplicate of Log in with multiple Bitwarden user accounts

Linked accounts are different than the identity profiles.

Linked accounts is, as it sounds, linking two accounts together. My request is for separate profiles within the account that you can log into.

4 Likes

I like the idea. I’d never thought of it though. It is not uncommon for users that don’t work at home to face this issue. It would add some extra security. I love it.

Huge fan of LastPass profiles - perfect for families that want limited passwords on their tablets in the children’s playroom and don’t want to worry about that device having full access to all of your passwords, and also don’t want to have to setup a separate bitwarden account for each device and then manage sharing - that’s not what we’re asking for here.

However, LastPass has downgraded the security around profiles to useless - they continually fail to understand the fundamental security distinction between using something and administrating that something.

I don’t want a separate account for my kids’ phones because when they create a new account and use Bitwarden as they would be trained to do so that they will be future secure password managers when they grow up, the new website and password are assigned to their separate account and is not automatically synchronized or granted control to my account.

With separate accounts, they are … separate - what’s mine is mine and what’s yours is yours. As a parent, I don’t want my kid setting up “finsta” or “fakebook” accounts under their separate Bitwarden account and I have 1) no access to it or to know about it, 2) no way to know who they share them to - did they just share their bank account password? did they not use Bitwarden and used really poor account/password security? and 3) no way to ensure that they are backed up when I backup my account.

And worst of all, they could disconnect the account from the shared folder by copying it into their own account folder and then changing the password so that the password my shared folder knows about was changed.

With profiles, one has a separate PROFILE for each device. Each device is given direct access only to the specific entries visible to that profile - it’s like a filter applied to your vault - for that device/profile.

Now here is where LastPass gets it wrong - if you know your LastPass password (or PIN - or worse - fingerprint) - you can change your device profile to anything else you’d like - including “upgrading” your access from a limited “Netflix-only Toddler Tablet” to complete full account access (the “full” profile). Think about that when the device is set to allow USE of Bitwarden with a simple PIN or a fingerprint - and then allowing that same authentication method to “upgrade” the device profile to full access to all of your passwords belong to us.

Knowing a PIN or having a fingerprint that unlocks a device to USE the device is not at all the same as being the account owner and demonstrating you own the account.

They used to require the entry of the master password to change the profile, so that effectively, you could set the tablet/phone device to the restricted profile, allow USE with a PIN, but for the device to change any security feature (like changing the profile!) required the master password to be entered.

I said “used to”. The way it works now, is that if you can use LastPass to get to your passwords, you can change any security feature of the account. Anyone with access to your phone or tablet that can access LastPass has complete control and access to your account - up to and including changing the master password itself!

Threat model: You let me use your phone to make a phone call, so you unlock it and let me use it. I add my fingerprint to the phone’s authenticated user fingerprints. If you have “Fingerprint unlock” – for any application, including LastPass and banking apps – I have full access to them as well to grant additional devices and accounts full access to your Bitwarden vault.

So please get this one right, Bitwarden.

4 Likes
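The distinction drawn in the post above, between unlocking a device to USE a restricted profile and proving account ownership to change that profile, as an added Python sketch; it is not part of the original thread and is not Bitwarden or LastPass code. The `Vault` and `DeviceSession` classes, the profile names and every credential are hypothetical and constructed for illustration.

```python
import hashlib, hmac, os

class StepUpRequired(Exception):
    """An administrative action was attempted without the master password."""

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Vault:
    """Hypothetical vault: a profile is a filter (set of entry names); None means full access."""
    def __init__(self, master_password, items, profiles):
        self._salt = os.urandom(16)
        self._master = _kdf(master_password, self._salt)
        self.items, self.profiles = items, profiles

    def verify_master(self, candidate: str) -> bool:
        return hmac.compare_digest(self._master, _kdf(candidate, self._salt))

class DeviceSession:
    """One device pinned to one profile; the PIN unlocks use only."""
    def __init__(self, vault, profile, pin):
        self.vault, self.profile = vault, profile
        self._pin, self.unlocked = pin.encode(), False
    def unlock(self, pin: str) -> bool:
        self.unlocked = hmac.compare_digest(self._pin, pin.encode())
        return self.unlocked
    def visible_items(self):
        if not self.unlocked:
            return []
        allowed = self.vault.profiles[self.profile]
        return sorted(n for n in self.vault.items if allowed is None or n in allowed)
    def switch_profile(self, new_profile, master_password=None):
        # Changing the filter is administration: the unlock credential never suffices.
        if master_password is None or not self.vault.verify_master(master_password):
            raise StepUpRequired("master password required to change profile")
        if new_profile not in self.vault.profiles:
            raise KeyError(new_profile)
        self.profile = new_profile

def demo():
    # Constructed sample data: a tablet pinned to a Netflix-only profile.
    vault = Vault("correct horse battery", {"netflix": "n", "bank": "b", "email": "e"},
                  {"toddler-tablet": {"netflix"}, "full": None})
    s = DeviceSession(vault, "toddler-tablet", "1234")
    s.unlock("1234")
    try:
        s.switch_profile("full", "1234")  # PIN offered in place of the master password
    except StepUpRequired:
        pass
    return s.profile, s.visible_items()
```
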

It would be nice to have profiles.

A simple example could be work. I have a “Work” folder for all work-related passwords. When using the Bitwarden Chrome extension I would like to filter work-related passwords (those in “Work” folder) only, not to bring the possibility to unlock all my passwords.

1 Like

Yes. 1Password do this by having separate vaults, so I can have a work vault, a private vault and a family vault say, and manage them all, but some users are only granted access to one vault.

@mike808 makes an excellent point about administering an account/vault: the manager (parent in my case) needs to be able to make changes, whereas my children need to be able to access their area/vault/account, but not to be able to make changes.

2 Likes

This a 100 times! I already use 7 different browser profiles depending on the use case (e.g., banking, social networks, etc.) and it would be nice to also have 7 different sub-vaults under my main account. Of course you could register 7 separate Bitwarden accounts, but to use advanced 2FA you would then have to pay for 7 premium accounts …

Currently it’s easier to keep some of the passwords outside Bitwarden stored in the browser’s password manager (cloud synchronized with E2E encryption, i.e., synch passphrase).

1 Like

I don’t like that I expose my banking/email credentials whenever I log in on some random device when I need a password on-site. Similar to making an organisation and adding extra accounts that only have access to a limited subset of collections, I would like to organise my data into collections that a sub identity has access to.

How would we find out if this functionality is possible/likely from bitwarden?

2 Likes

I believe I had a similar request:
https://community.bitwarden.com/t/support-for-isolated-views-of-accounts-like-identities-sub-vaults-in-lastpass/6799
I wish I found this one first - I must have missed this one

This is the only feature missing from Bitwarden that prevents me moving over from Lastpass - I absolutely need it to separate work and personal accounts (while allowing for a handful of personal accounts to be accessible from the work identity) and would be willing to pay a subscription for it

Unfortunately it doesn’t appear to be coming any time soon (or have been acknowledged) so I’ll have to stick with LP or move to 1Pass :frowning:

I would like to be able to create multiple profiles on my vault. After login, I should be able to select which profile I want to use and only the credentials which were created in that profile would be accessible. If I wish to switch profile, I should be asked to enter the master password again.

This would allow you to better separate work/personal/school related matters.

1 Like

One feature that’s preventing me from moving over from LastPass (other than locking down items so they require the master password to fill, ideally with an option to not require the MPW for a limited time after) is that I can’t create isolated views/identities/subvaults that I can select from on a browser level

I use LP for Home and Work accounts, and have created a Work view that’s mostly only Work accounts and a few personal ones I might need and a Home one to hide unnecessary work accounts. This means I can run one browser for personal email, and another for Work and reduce the chance of colleagues getting into a personal account if they need to use my computer.

Changing from one view to another should require the master password and when in the identity, creds from other views/master view should be hidden unless they’ve been added.
Adding a cred while in a view should add it to the master view and the currently open view.

There should also be a manager to allow adding/removing creds to/from an identity.

To be clear, this ISN’T referring to the already supported identity fills

It also looks like I’m not the only one wanting this:

If this (and the extra password on some items thing) were a part of BW, I’d be happy to jump over and pay you instead of LP

I have just converted from LastPass to Bitwarden.

Identities (isolated profiles) is, for me, the biggest missing feature!

It wasn’t a show-stopper for me, but I can certainly understand how it would be for some users.

This would be a great addition to Bitwarden.

3 Likes

I would love this feature too.

This is something that would keep me from switching back to KeepassXC if I ever persevere with Qubes. There is no point in me isolating my workloads with Qubes if my web-browsing Qubes have full access to all entries in the vault. I would rather have one Qube for general browsing that only has access to a subset of my vault - Reddit, Facebook etc. The only way I can do this at the moment is with KeePass in a vault Qube.

Identities would allow me to continue using Bitwarden with Qubes.

@mike808 from your perspective did Bitwarden get it right? (Account Switching | Bitwarden Help Center)

I’m not a current user and only at the research phase, doing lots of reading and attempting to understand the implications of various scenarios. I’m having difficulty digesting it all! It sounds like you’ve got a good handle on the scene, and for more than just Bitwarden.

It is clunky, but I think there is a sort-of equivalency - but it still involves separate accounts for each device, with the additional caveat that all of the people involved must have not just separate accounts, but also have their own separate Family Plans. LastPass-style “profiles” are still the far better solution to BitWarden in this aspect only. BitWarden still wins for me in the totality, and I’m still hoping profiles will come to BitWarden.

Currently, the only way to implement LastPass-style profiles using BitWarden is for the people to be on the Family Plan, which gives them TOTP authenticator support which is awesome (especially Steam TOTP for the kids and when dad is a kid). Note that if you’re on the Family Plan, everyone you share with also gets the TOTP feature, even if they have a Free account.

The way the sharing works is you create an “Organization” and you share that vault (your “org” vault, aka “the fam vault”) to the family members and create separate subfolders within your organization for people and devices. You can then, as the Org Owner, assign permissions - read only, read-write, or manage/add/delete entries to the other people (and device accounts) that are in your Family Plan.

The problem is that the other adults in the family (and the kids as they grow up) need their own “org” for when they want to also have things that are just theirs (i.e. private) but also things that are theirs and they want to share with only some of the family (just like you are). So it means the family will need to each have their own Family Plan with BitWarden, which gets pricey and changes the value prop due to cost.

And it means being diligent about maintaining that sub-folder tree and getting the hierarchy right - every person in the family/household gets their own sub-folder in the primary family “Organization”, along with every device gets its own sub-folder, and devices have to have their own “free” accounts. Which is a PITA when you are adding devices (phones, especially) and removing devices all the time.

Where it gets wonky is when you have certain devices that are dedicated to specific people in the family. i.e. the passwords you want to share with a child’s phone or laptop. Being its own device sub-folder in your Family Organization, you can give control to your child’s account and use-only to the device account. However, when the child is using the phone and its BitWarden app, they will be logging in as themselves under their own account, but they will need to remember to always use/add/remove/update passwords from the Family Organization Vault, not their personal vault, and not to login using the device account. At least to use shared accounts/entries in the vault or be a backup user for an account/entry in the Family Vault. Or, more importantly, the reverse - where they want your account to be their backup or to share their account with you. Basically, on a device, the user vault will be empty. And from an overall management view, so should the family members (the people) user vaults. However, that’s usually not the case with people - they will want to have some private entries in their user vaults. So for that reason, you can’t just turn on the “disable user vaults” global feature, you need to be able to do that on a Family/Organization per-member basis (devices should have their user vault disabled) and younger kids might need their user vaults disabled until they are old enough to understand and manage their own entries in it, knowing they get no backup or sharing or recovery abilities - there is no safety net for their user vault, only for the family organization vault (or their own organization vault when they take over their own backup/sharing management duties).

All of that is a lot of administrative complicated overhead for what is done with simple profiles in LastPass. Especially if I have to train the kids and spouse/partner in how to setup their own organization and sub-folders and maintain it within their own independent accounts.

1 Like

Thank you for taking time to lay all this out. It’s a little disheartening to see what’s involved, but at the same time at least there is a path.

This would also be possible if I was able to put a password into a different vault without adding it to a collection and sharing it.
Which is what I thought I would be able to do, but it seems not.

I think enabling Collection for individual vault is something to think about and add an option in the extension or app to set a collection to filter, the switch between different collections could require the master password.