Add immediate session timeouts

Currently, the Bitwarden Authenticator app will not consistently lock and prompt the user to reauthenticate with their biometric ID after leaving and then reopening the app. The behavior I expected for this feature is for it to be identical to the mobile password manager app, where the app is always locked after leaving it and I am immediately prompted to reauthenticate with my biometric ID.

To reproduce:

  1. Download Bitwarden Authenticator
  2. Skip the launch tutorial and go to Settings
  3. Enable biometric login (e.g., Unlock with Touch ID)
  4. Leave the app
  5. Open the app

Version: 2023.5.0 (23)
OS: iOS 17.4.1
Model: iPhone SE


I tested how long the BW Authenticator would remain unlocked after Touch ID unlock on my iPad, and it’s at least 3 hours. (I didn’t test longer.) That is much too long and it’s a security issue.

(There is another, very similar request: Unlock with Face ID whenever app is visible)

I switched from Authy today and was shocked to find out that this app won’t time out/lock after being idle.

A timeout locking setting within the app, and automatically locking when the phone locks, are capabilities I expected as well; I’m switching from Aegis.

I’d be interested to understand the rationale behind not adding locking within the app as, based on the feedback to the ticket I opened on GitHub, this was a conscious decision and I may be falsely assuming that this capability adds incremental security when it actually doesn’t.
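The three lock triggers discussed in this thread (lock when the app is left, lock when the phone locks, lock after an idle timeout) can be modelled as a small state machine. The following is an added illustration, not part of the original thread and not Bitwarden's code; the policy fields, event names and the constructed event traces are assumptions made for the example. Replaying the "unlock, leave, come back three hours later" trace against a policy with no triggers reproduces the behaviour reported above, and replaying it against the requested policy shows the app relocking immediately.

```python
"""Model of an authenticator app's lock policy as a state machine.

Added illustration for this thread, not Bitwarden code. Policy fields,
event names and traces are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class LockPolicy:
    """Which events force the app back into the locked state (illustrative names)."""
    lock_on_background: bool = False      # lock as soon as the app leaves the foreground
    lock_on_device_lock: bool = False     # lock when the phone itself locks
    idle_timeout: Optional[float] = None  # seconds of inactivity before locking; None = never


class AppLock:
    """Tracks whether the secrets (TOTP seeds) may be shown without reauthentication."""

    def __init__(self, policy: LockPolicy) -> None:
        self.policy = policy
        self.locked = True          # the app starts locked; first use needs biometrics
        self.last_activity = 0.0

    def _expire_if_idle(self, now: float) -> None:
        # The idle timeout is evaluated lazily at the next event, which mirrors a
        # phone where no app code runs while the app is suspended.
        t = self.policy.idle_timeout
        if t is not None and not self.locked and now - self.last_activity >= t:
            self.locked = True

    def handle(self, event: str, now: float) -> bool:
        """Apply one event at time `now` and return whether the app is locked afterwards."""
        self._expire_if_idle(now)
        if event == "unlock":          # successful biometric / PIN check
            self.locked = False
            self.last_activity = now
        elif event == "activity":      # user interacted while unlocked
            if not self.locked:
                self.last_activity = now
        elif event == "background":    # user left the app
            if self.policy.lock_on_background:
                self.locked = True
        elif event == "device_lock":   # phone screen locked
            if self.policy.lock_on_device_lock:
                self.locked = True
        elif event == "foreground":    # user returned; only the idle check above applies
            pass
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.locked


def run_trace(policy: LockPolicy, trace: Iterable[Tuple[float, str]]) -> bool:
    """Replay (time_seconds, event) pairs in order; return True if locked at the end."""
    lock = AppLock(policy)
    locked = True
    for now, event in trace:
        locked = lock.handle(event, now)
    return locked


# Constructed trace matching the observation in the thread: unlock, leave the
# app five seconds later, come back three hours after that.
THREE_HOUR_TRACE = [(0.0, "unlock"), (5.0, "background"), (5.0 + 3 * 3600, "foreground")]

OBSERVED_POLICY = LockPolicy()  # no triggers at all: the app never relocks on its own
REQUESTED_POLICY = LockPolicy(lock_on_background=True, lock_on_device_lock=True, idle_timeout=60)

if __name__ == "__main__":
    print("no triggers, locked after 3h?", run_trace(OBSERVED_POLICY, THREE_HOUR_TRACE))
    print("requested policy, locked after 3h?", run_trace(REQUESTED_POLICY, THREE_HOUR_TRACE))
```

Because the timeout is checked lazily when the app next wakes up, an idle-timeout-only policy still lets a short trip away from the app return without a prompt, while a long one forces reauthentication; a lock-on-background policy is the only one that guarantees a prompt every time the app is reopened, which is the behaviour the original post asks for.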