Ask for master password only when not on specific networks

Thank you for your post!

Feature name

  • Skipping master password prompt when on home (or any other approved) network

Feature function

  • What will this feature do differently?
    Currently, every time Windows boots up, the app asks for a master password (as it is configured in settings). However, my request is to allow me to specify one or more networks (like home) and if connected to that network, then skip asking for the master password.

I understand the intent to ask for master password, but with so many of us working from home almost always, perhaps, recognizing the network as a safe environment and saving the step might be a bit useful.

  • What benefits will this feature bring?
    Save (very little) effort and time on logging in.
  • Remember to add a tag for each client application that will be affected

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature?
    No.
  • Are there any references to this feature or function on other platforms that may be helpful?
    No.

Thank you. Have a nice day.

Hello @dumboldpotato, welcome to the Bitwarden security forums!
As to the ability to unlock the vault without entering your long master password, currently you can set up a biometric unlock, set up a PIN, or a combination of both.
For example, set BW to launch at startup and use biometrics like Windows Hello for unlocking at startup. Since you’ll be prompted for Windows Hello on startup anyway, just enter the Windows Hello password twice; then, subsequently, you’ll also be asked for a PIN in addition to biometrics next time. You can simply ignore the biometrics screen and proceed to enter the PIN.

Another way is to allow a PIN to unlock your vault even after a restart. This can be done if you uncheck “reprompt for master password on restart” while setting the PIN.
But this would mean your encryption key would have to be stored in storage, so it depends on how safe and trusted you think your device is.

Your request about specified networks is similar to how PIN unlock works if it’s made to persist between sessions.
So if you trust the device you could simply choose to store it permanently on the devices which you feel are “safe” and trusted.
Just to remind you that unlocking and logging in are different things: logging in generally requires a 2FA code, a master password and an internet connection for authentication.
Whereas for unlocking you just need a master password/PIN/biometric without internet, though you’ll need internet for any modification to the database.
I think using a PIN is a better option than trusting a network for unlocking the vault.
As you may know, the encryption key is derived each time from your master password through a cryptographic process to unlock the vault, and this key stays only in RAM while the application is running, so the attack surface is very much restricted to the RAM of your computer, or your storage in case you decide to save it for PIN unlock on restart.
Allowing a network to be able to do that would open up a lot more attack surface and compromise the security without the user having adequate safeguards to mitigate any threats that can occur through a network authentication.

You can also look at the following to get more of an idea about it.
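The unlock model described in the reply above (the vault key is re-derived from the master password and held only in RAM; a PIN unlock that survives a restart means wrapped key material has to live on storage) as an added, simplified illustration. This is example code written for this thread, not Bitwarden's client code: the KDF iteration counts, the HMAC-based toy key wrap, the `VaultClient` class and its `ram`/`disk` dictionaries are all assumptions chosen to keep it stdlib-only.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, illustrative parameters; not the real client's KDF settings.
MASTER_KDF_ITERATIONS = 100_000
PIN_KDF_ITERATIONS = 100_000


def derive_key(secret: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password or PIN into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations, dklen=32)


def wrap_key(vault_key: bytes, wrapping_key: bytes) -> bytes:
    """Toy key wrap (assumption): one-time HMAC keystream XOR, then an HMAC tag.
    A real client would use an authenticated cipher; this keeps the example dependency-free."""
    nonce = os.urandom(16)
    stream = hmac.new(wrapping_key, b"stream" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(vault_key, stream))
    tag = hmac.new(wrapping_key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(blob: bytes, wrapping_key: bytes) -> Optional[bytes]:
    """Return the vault key if the tag verifies under wrapping_key, else None."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(wrapping_key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(wrapping_key, b"stream" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class VaultClient:
    """Minimal model of a client's unlock state: 'disk' survives a restart, 'ram' does not."""

    def __init__(self, master_password: str):
        salt = os.urandom(16)
        key = derive_key(master_password, salt, MASTER_KDF_ITERATIONS)
        # Only a verifier (hash of the key) is persisted, never the key itself.
        self.disk = {"salt": salt, "verifier": hashlib.sha256(key).digest(), "pin_blob": None}
        self.ram = {"vault_key": None, "pin_blob": None}

    def unlock_with_master_password(self, pw: str) -> bool:
        key = derive_key(pw, self.disk["salt"], MASTER_KDF_ITERATIONS)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self.disk["verifier"]):
            return False
        self.ram["vault_key"] = key  # key exists only in process memory
        return True

    def set_pin(self, pin: str, reprompt_master_on_restart: bool) -> None:
        if self.ram["vault_key"] is None:
            raise RuntimeError("vault must be unlocked to set a PIN")
        pin_key = derive_key(pin, self.disk["salt"], PIN_KDF_ITERATIONS)
        blob = wrap_key(self.ram["vault_key"], pin_key)
        if reprompt_master_on_restart:
            self.ram["pin_blob"] = blob   # gone at restart; master password needed again
        else:
            self.disk["pin_blob"] = blob  # survives restart; wrapped key now sits on storage

    def unlock_with_pin(self, pin: str) -> bool:
        blob = self.ram["pin_blob"] or self.disk["pin_blob"]
        if blob is None:
            return False
        key = unwrap_key(blob, derive_key(pin, self.disk["salt"], PIN_KDF_ITERATIONS))
        if key is None:
            return False
        self.ram["vault_key"] = key
        return True

    def lock(self) -> None:
        self.ram["vault_key"] = None

    def restart(self) -> None:
        """Process exit: everything in RAM is lost, storage is untouched."""
        self.ram = {"vault_key": None, "pin_blob": None}

    def key_material_on_storage(self) -> bool:
        return self.disk["pin_blob"] is not None


def demo(reprompt_master_on_restart: bool) -> dict:
    """Walk one client through set-PIN, lock, PIN unlock, restart, PIN unlock again."""
    client = VaultClient("correct horse battery staple")  # constructed sample credentials
    client.unlock_with_master_password("correct horse battery staple")
    client.set_pin("2468", reprompt_master_on_restart)
    client.lock()
    before = client.unlock_with_pin("2468")
    client.restart()
    after = client.unlock_with_pin("2468")
    return {
        "pin_unlock_before_restart": before,
        "pin_unlock_after_restart": after,
        "key_material_on_storage": client.key_material_on_storage(),
    }
```

Running `demo(True)` shows the default: PIN unlock works until the process exits, nothing key-related touches storage, and after a restart only the master password gets you back in. `demo(False)` is the "uncheck reprompt on restart" case: PIN unlock keeps working across the restart precisely because the PIN-wrapped vault key was written to storage, which is the trade-off the reply points out.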

Hi Gaurav, thank you for the detailed reply and explanation. I thought that there might be some security concerns about my request, but I thought I’d let the devs/experts figure it out rather than a noob like me.

The problem is not whether it’s a trusted device, just to clarify, it’s where I use the trusted device and hence the suggestion for specific networks. For example, when I use the laptop or phone at home, I know I can leave it (the app) unlocked (after the first time I use the master password), but the same trusted device may be at risk when I take it to office or other places. That was the rationale behind the suggestion.

I don’t know how it can be implemented or what the security concerns might be, but in my naive head it’s the question of having one more condition/parameter for vault timeout/unlock. If “not trusted place, like home”, then timeout at “system lock” (or any other condition the user chooses), else timeout at “reboot” (or whatever else the user is comfortable with for a trusted device in a trusted place).

I’ll leave it to you guys to check if it’s viable/feasible/possible. And thank you again for taking the time to converse. Have a wonderful day. Take care and stay safe.

Okay, now I understand what you mean by your request.
It’s a feature where you want BW to change its timeout settings and maybe also its authentication method based on your location (home/office).
I see it having a use case in some scenarios.
I feel such a feature would involve complexity and a lot more work in implementation. Since BW also works offline, this would simply not work when you are not connected or forgot to connect to a network.
GPS services are mostly available on a mobile phone, so it could possibly work consistently and accurately only on a mobile phone.
I am not sure if networks could reliably be identified.

Though such integration with location services would add a lot more lines of code and increase its complexity, so I don’t think it would be feasible for the dev team to consider it currently.
Maybe we could suggest some other way to address this use case.
(Ex: option for vault modes like home/outside on the login page when you first login or setting some specific office hours for a different timeout/lock behaviour).

You guys are the specialists and so I leave the idea to you and the team. Maybe, it’s possible, maybe, you’ll deem it impossible or unfeasible. As long as you consider it, I’d be appreciative.

Have a wonderful week ahead. Cheers.
