Adding Biometric/PIN authentication with Master password re-prompt

I will add a yes to this! That is of course if I even stay with BW. Things are going sideways today with the apple iOS app and that is why I am in these forums.

I agree with you all, this feature is a must have for security.
I did not use LastPass, but learnt here that LastPass has had this feature for years. This confirms this feature is a must have in Bitwarden.

For info, I was pointing out this lack of feature in this thread

and a user thankfully told me a feature request had been created for it and gave me this thread URL. I have voted.

I’m also missing this feature. Any ETA or GitHub issue tracking this?
Is it something that could be contributed as code and would have a good chance to get merged?

@eregon Welcome to the forum!

To get started with contributing code, read this, then post a proposal on GitHub.

For everybody in this thread, I am personally curious why this feature is so important to (some of) you. Do you not lock your vault when it’s not in use? You can set up a short timeout interval for automatic vault locking, then unlock the vault with biometrics whenever you need to use a password. Why is this not adequate?

@grb Thank you so much for asking!

The answer is no, we don’t lock the vault when it’s not in use, and we want it available without extra prompts when we use it for LOW RISK passwords and other information. So we set longer timeouts - 30 mins, 2 hours, maybe even lock on browser restart, and lock our device when we leave it for a coffee break or toilet break. If we forget to lock our device one time, the risk is low.

I guesstimate that 80% of passwords are “low risk” (e.g. online stores, forums, subscriptions, social media, etc.) and 20% are “high risk” (banking, email, security systems, source code repos, government services, etc.). Everyone’s definitions of risk will be different.

High risk passwords must not be available for these extended timeout periods, in case we forget to lock the device or if the device’s unlock procedure is not secure enough. The same goes for other high risk data stored in secure notes for example (see Require Re-prompt for entire item (view, edit, etc.)).

The master password reprompt feature gives us the ability to protect our high risk passwords during a longer vault timeout period. Unfortunately it does not accept biometric authentication, so the master password must be entered every time we need to use a high risk password. And unfortunately there is no separate reauthentication timeout, which could expire access to high risk passwords quickly, ensuring a high level of security is maintained.

I believe the above use case is extremely common - certainly everyone who has voted for this feature, plus hordes who have not. I appreciate you asking the question so we can communicate why this feature is so important to us.

Lastly, there’s a user segment that does not have biometric authentication. I’m one of them when I’m using my Mac Pro. To be secure right now, I have to enter my long master password every time I need to access the vault - which is all day, every day. I don’t mind doing that when I use a high risk password, but it’s incredibly annoying for the 80% of the time I use a low risk password.


Thanks for explaining how you use the browser extension. As a work-around, I would suggest setting up a second Bitwarden account for your “low risk” passwords, and using the account switcher to access your main Bitwarden account when you need access to “high risk” credentials.

I appreciate the workaround suggestion. I don’t mind using workarounds as long as they are not permanent. But I have to say I had pretty much given up hope of the master password reprompt enhancements being implemented.

Maybe @eregon will get somewhere with this.


Similar to what @Caign said, my use case for this is when using Bitwarden on the phone or computer: for high risk passwords I want some extra safety, as it’s not rare that Bitwarden would have been unlocked for some low risk password some minutes before. It’s not really practical to lock Bitwarden on the phone (one could use Session timeout: Immediately, but then it’s pretty annoying with two-page logins). Using master password reprompt is very inconvenient on the phone (slow to type, especially non-alphabetic characters), while it works fine on the computer (where I don’t have biometric authentication).

Unfortunately I don’t think I will have time for this soon.
I was hoping the Bitwarden core team would implement this, especially seeing this message and later messages.

If you set the “Vault Timeout Action” to Lock instead of Log out, and enable “Unlock with Biometrics”, then all you have to do is to unlock the app with your fingerprint any time that you wish to use a password (“high risk” or “low risk”). If you set the timeout interval to “immediately” (or to 1 minute, if you are able to keep your phone physically secure during this time period), then your vault will be locked while not in use, thus keeping all accounts (“high risk” and “low risk”) safe.

Yes, those are the same settings I just tried. I think it may be a good enough workaround on the phone, let’s see. However it doesn’t help on the computer/browser as, like many others, I use a longer timeout to not have to retype the master password so often. So maybe something like reprompt only when no biometrics are available could work, but it feels like a hack (inconsistent security between platforms) and requires shorter timeouts on the phone than otherwise necessary.

The Desktop app and browser extensions can also be set up to unlock with biometrics. If your computer does not have it inbuilt, add it.

Any new updates?

Totally agree. Needed.