So,
- You are using a public/untrusted computer that has the Bitwarden extension installed on it.
- The BW extension on this untrusted computer displays a QR code that you scan with your trusted phone.
- The QR code is used to establish and authenticate a Bluetooth connection over which the two Bitwardens can securely communicate.
- After which, your vault is downloaded and unlocked on the untrusted computer.
- The untrusted computer proxies a passkey authentication ceremony between the website and your trusted phone.
- So that you can access your bank password on an untrusted computer.
- And log in to your bank account on said untrusted computer.
I still have a very basic problem believing that public computers would have the Bitwarden extension preinstalled, that I can trust the extension's pedigree, and that I can trust the public computer to be free of malware (e.g. a session hijacker or an AITM). In this scenario, I would only use the library computer to access public resources and would do my banking via my phone's web browser.
For login with device, it is 4 clicks, and one smile-for-the-camera.
- At the login page, my email address is prefilled in, so I just click "continue".
- On the password page, I click login with device.
- My phone gets a notification stating "login requested…confirm login attempt for". I click on it, which opens Bitwarden, which I unlock with FaceID.
- Bitwarden displays a bit of confirmation information, to which I click "Confirm Login".
- Back on the computer, I am logged in (well, I would have been had I checked "don't prompt for MFA for 30 days").
I don’t see how opening/unlocking Bitwarden (or my camera app) to scan a QR code would simplify this.
You might check out this FR.
