Authentication stages that include multifactor only authentication


#1

It would be really helpful if there was a way to prompt for MFA when unlocking the vault, not just when logging in. Ideally I would be able to use my U2F token in place of the vault password for a configurable period of time. For example:

0-1 hours after authenticating: I am not prompted for credentials
1-2 hours after authenticating: I am prompted for my MFA token only to unlock my vault
2+ hours after authenticating: I am prompted for my password and MFA token

Rationale:
The convenience of a hardware token is quite clear. By nature, it provides a second level that is far more convenient than typing a traditional secure vault password over and over. There is a certain drudgery that comes along with entering a password over and over that encourages users to increase vault-lock times, which is counter-productive to security. Effectively leveraging the convenience of the token as a sort of interim lock between typing in passwords would be a great improvement. This is also a feature that competitors of Bitwarden have implemented, so it may offer users switching from LastPass, such as myself, a similar but more complete experience to other products.