Currently, the Bitwarden Authenticator app will not consistently lock and prompt the user to reauthenticate with their biometric ID after leaving and then reopening the app. The behavior I expected for this feature is for it to be identical to the mobile password manager app, where the app is always locked after leaving it and I am immediately prompted to reauthenticate with my biometric ID.
To reproduce:
Download Bitwarden Authenticator
Skip the launch tutorial and go to Settings
Enable biometric login (e.g., Unlock with Touch ID)
Leave the app
Open the app
Version: 2023.5.0 (23)
OS: iOS 17.4.1
Model: iPhone SE
I tested how long the BW Authenticator would remain unlocked after Touch ID unlock on my iPad, and it’s at least 3 hours. (I didn’t test longer.) That is much too long and it’s a security issue.
A timeout locking setting within the app, and automatically locking when the phone locks, are capabilities I expected as well; I'm switching from Aegis.
I'd be interested to understand the rationale behind not adding locking within the app as, based on the feedback to the ticket I opened on GitHub, this was a conscious decision, and I may be falsely assuming this capability adds incremental security when it doesn't actually.
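To make the behavior the thread is asking for concrete, here is an added illustrative Swift sketch (not Bitwarden's code, and not taken from the app or its repository) of a lock policy that locks a TOTP vault either immediately when the app leaves the foreground or after a configurable timeout, and then requires biometric re-authentication before the codes are shown again. The class name `VaultLockPolicy`, the `lockTimeout` setting and the `shouldLock(afterBackgroundFor:)` helper are assumptions made for the example; the UIKit notifications and `LocalAuthentication` calls are real iOS APIs.

```swift
import UIKit
import LocalAuthentication

/// Illustrative lock policy (hypothetical, not Bitwarden's implementation).
/// The vault locks either immediately on backgrounding (lockTimeout == 0) or
/// once the app has been in the background for at least `lockTimeout` seconds,
/// and stays locked until biometric re-authentication succeeds.
final class VaultLockPolicy {
    /// Seconds the vault may stay unlocked after backgrounding; 0 = lock at once.
    /// Locking on background also covers the device-lock case, because iOS
    /// backgrounds the foreground app when the device locks.
    var lockTimeout: TimeInterval
    private(set) var isLocked = true
    private var backgroundedAt: Date?
    private var observers: [NSObjectProtocol] = []

    init(lockTimeout: TimeInterval = 0) {
        self.lockTimeout = lockTimeout
        let center = NotificationCenter.default
        observers.append(center.addObserver(
            forName: UIApplication.didEnterBackgroundNotification,
            object: nil, queue: .main) { [weak self] _ in self?.didEnterBackground() })
        observers.append(center.addObserver(
            forName: UIApplication.willEnterForegroundNotification,
            object: nil, queue: .main) { [weak self] _ in self?.willEnterForeground() })
    }

    deinit {
        observers.forEach { NotificationCenter.default.removeObserver($0) }
    }

    /// Record when we left the foreground; lock right away if no grace period.
    func didEnterBackground() {
        backgroundedAt = Date()
        if lockTimeout == 0 { lock() }
    }

    /// On return, apply the timeout and prompt for biometrics if locked.
    func willEnterForeground() {
        let elapsed = backgroundedAt.map { Date().timeIntervalSince($0) } ?? 0
        if shouldLock(afterBackgroundFor: elapsed) { lock() }
        if isLocked { requestUnlock() }
    }

    /// Pure decision function so the policy can be unit-tested without UIKit.
    func shouldLock(afterBackgroundFor elapsed: TimeInterval) -> Bool {
        return isLocked || elapsed >= lockTimeout
    }

    /// Locking should also drop decrypted secrets from memory and hide the
    /// code list; the state flag alone is kept here for brevity.
    func lock() {
        isLocked = true
    }

    private func requestUnlock() {
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                        error: &error) else {
            return // a real app would fall back to a passcode or password prompt
        }
        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock your authenticator codes") {
            [weak self] success, _ in
            DispatchQueue.main.async {
                if success { self?.isLocked = false }
            }
        }
    }
}
```

The point of separating `shouldLock(afterBackgroundFor:)` from the UIKit plumbing is that the security-relevant decision (how long a backgrounded vault may stay open) becomes a testable value rather than an accident of when the process happens to be killed, which is the gap the reports above describe.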