Account-level minimum lock time

Allow specification at the Bitwarden Account level of a minimum timeout period to be auto set on all client installations. Possibly also set a minimum prompt level (pass+TOTP, pass, pin) that could be configured on client installs.

Currently when installing in a new browser it defaults to browser restart/password. I wouldn’t allow setting a PIN at the account level, but I’d really prefer to have every new install default to locking after 5-15 minutes.

Thinking about it, this feels like the kind of thing that might be a very desirable feature on the business/enterprise side of things.

@fencepost … your feature request seems to have some overlap with this one: "Sync Bitwarden settings, like "Lock after X minutes" or PIN" and/or this one: "Permit exporting and importing client configurations"?!

BTW, do you really mean “minimum lock time”? So minimum of 15 minutes - but if it were 24 hours, it’s also okay? Either I have brain fog today, or I think you mean a maximum lock time, right (e.g. “max. 15 minutes - or less…”) ?! PS: Assuming you aim at the security - and not at convenience

It is available in the enterprise subscription.

I think a MAXIMUM is available, but I haven’t seen a MINIMUM.

Why would you want a lower bound on the vault timeout period? You want to prevent users from setting the timeout to “Immediately” or “1 minute”, which are the most secure options?

I am aware of the maximum vault timeout policy setting in the portal. I want to be able to, from either Bitwarden’s cloud portal or MDM, centrally configure the vault timeout settings (among other things) for my users as a convenience to them, and to resolve the annoyance of having the vault timeout reset to 15 minutes every time a logout/login occurs.

Certain users have a very low tolerance for security inconveniences. Getting them to use a real password manager was difficult enough in itself. Having to manually put hands on each individual device for them to configure the timeout settings is an unnecessary pain, when it seems like I should be able to push out a configuration profile from MDM to set the timeout settings once and have it be done.

Not to take away from your feature request, but the vault timeout settings should be preserved through a cycle of logout→restart app/browser→login; at least this is the case with the Desktop app and browser extension. The settings would only be lost if the app data are cleared (e.g., the app is uninstalled) or if the user switches to a different device or browser.

Good point. The timeout settings reset was something I noticed and can reproduce on the iOS app.

Seems like this iOS behavior would prevent you from achieving your stated goal of being able to “set the timeout settings once and have it be done” — even if the current feature request is implemented.

I would suggest that you report this failure to retain account security settings after logout as a bug/issue on GitHub, and if the issue is closed because it is “expected” behavior, then open a separate feature request for this here in the Community Forum.

I also see the value of having a default for the “lowest common denominator” type of users in the organization. We should be able to set this to a higher number than 15 minutes so that they don’t have to.

Note: merged two seemingly identical feature requests together to prevent vote bifurcation.

I agree with @grb’s question: why do you want to prevent users from having shorter (and more secure) vault timeout settings?

I understand your point. I think another way to avoid this would be to avoid repeated logouts/logins – by setting up locking/unlocking methods (PIN or biometrics). This would avoid the constant resetting of the vault timeout settings.