AUTO LOCK after master password entered on app restart

We know, the desktop app handles the fingerprint authorization for the browser app. If you use the browser app with a fingerprint sensor on Windows, you will probably have the app settings in the desktop app:

Start automatically on login
Unlock with Windows Hello, and
Require master password or PIN on app restart

This strategy assumes that you have set requirement for extra master password for certain critical credentials.

Current situation and problem:

When you enter the master password, your vault is open in the desktop app and stays open until you lock it manually or wait for the timeout you have set. This has 2 disadvantantages:

1. It is not your intention to open the vault, and it is a security risk to open it and perhaps leave it open (instead your intention is to use the browser app later in the session)
2. It is a hassle to lock the desktop app each time manually (one keystroke to much).

Feature request:

After you entered the master password on app start, the desktop app should still be locked or automatically get locked immediately. Advantages:

1. No need to care about your open vault
2. Start your day faster

In rare cases when you really want to start your day with editing your vault in the desktop app, you have to go through a 2 step login (master password + fingerprint). No big thing.

I don’t understand the connection between “master password re-prompt” for vault items and your request. Could you elaborate?

Setting the session timeout to 1 minute is not immediately enough?

2026-03-28--13-49-34-Qh5gxk3M7m752×551 28.6 KB

This is just to justify the settings strategy, and has no connection to the feature request, you are right. The thougt is that critical credetials should be secured by the MP and if you unlock the vault with the MP at the beginning of your session the re-prompt option for vault items should be made use of.

Yes, for 2 reasons:

1. When I start the PC I use to leave the console and get my coffee at the same time. This is one procedure every time and I don’t want to care if the vault is open or locked already.
2. Such a short timeout is uncomfortable for editing vault items, that’s why I prefer to have this setting on 5 minutes.

@Nail1684 Didn’t it used to be that the Desktop app could remain locked (as long as it was logged in and running in the background)? Is this no longer sufficient for using biometric unlock on the browser extension (i.e., is it now necessary to also unlock the Desktop app before unlocking the extension)?

@grb Good point. If nothing changed since I last tested it, that should still be the case. But it requires to uncheck “Require master password or PIN on app start” in the desktop app.

@krizzo I had the impression, you intentionally wanted this to remain checked, right?

That’s why I didn’t mention it so far… but if you don’t mind about this setting, you could indeed just uncheck this. And then, it is like @grb wrote: the desktop app just needs to be running in the background and you can unlock the browser extension without even unlocking the desktop app once.

With so many recent changes in the implementation of biometric unlock, it would be invaluable to hear from an authoritative source (@Quexten ) about current implementation details, and especially about the relative risks of unlocking with Windows Hello (with or without “Require master password or PIN on app start” enabled)…

Sure, I’ll try to give a brief description @grb

There are three biometrics implementations, Linux, Mac, Windows.

First, let’s talk threat modeling. The attacker model that we underly is an attacker that gets physical access to a device with a vault that is locked. The kernel space (operating system) is not compromised, but the attacker can run anything in user-space. The security goal here is that the attacker cannot access the decrypted vault.

We have to look at the three platforms separately.

Mac is the simplest, it is just storing your vault’s key (“user-key”) in the keychain, and using touch-id as an authentication gate. Authentication happens in the app, not by the keychain. Moving authentication to be handled by the keychain itself is a desire, but not really prioritized over other more pressing matters. Mac by default disables debuggers, and the electron features (devtools) are disabled in production builds, which is why security is achieved. (Side-note, in the past there were versions where devtools were active, which could be used as a means to bypass touchid. This is no longer possible, but shows why keychain-based authentication is better).

Linux stores the key in-memory only, specifically in memfd_secret protected memory or in the kernel keychain. The process in which the keys are held is additionally hardened to not be debuggable. User-space programs cannot get access to the process memory to get the key. Because of this, the security goal is upheld.

On Windows, we handle BFU (before first unlock) and AFU (after first unlock) mode separately. In BFU mode, there is no copy of the key in memory. Instead, we use(abuse) an API that allows Windows-Hello gated deterministic signatures. A static challenge gets signed, and the deterministic signature gets hashed, and this hash gets used as cryptographic key material, to decrypt an item stored on the key-chain. The windows key-chain is wide open to all apps on the user, but the key needed for decryption is only accessible after authenticating with windows hello. In AFU mode, the key is stored in DPAPI protected memory, and the process is hardened against debugging. A separate Windows-Hello API is used to gate access to this key. As per the assumptions of the threat model above, the attacker gains access to the physical device, and cannot gain access to the key. They would have to bypass Windows-Hello in order to unlock the vault.

For Windows specifically, unchecking “require master-password on app start” enables the BFU flow I describe above. Assuming Windows-Hello is secure and cannot be bypassed, this shouldn’t change anything about the security guarantees. It should only be different if you assume a stronger attacker, one that can bypass Windows Hello, or one that has user-space code running while the real user is interacting with the device. However, if you do assume this stronger attacker model, then a bunch of other assumptions also break. (For instance, such an attacker could just take a memory dump of your browser, with your Bitwarden browser extension during use). For this reason, we don’t underly this stronger threat model for any security descisions / designs.

Windows now has Windows-Hello based Passkeys with PRF support, which would be a more approrpiate way to implement unlock. However, again there is a prioritization issue.

You might consider hitting winkey-L immediately before leaving your desk. An unlocked vault is not your only risk when walking away from an unlocked computer.

Yes, things are not quite back to where they were. Today,

If I quit and restart my browser, biometrics continue to work just fine.

If I restart the desktop vault, I do need to unlock my already logged-in desktop vault once (either via biometrics or master password) before biometrics work within my browser extension. There is no need to keep it unlocked, but one does, of course, need to keep it running and logged in.

I have also verified that if the desktop has not gone through this initial unlock before launching the browser, it is necessary to either restart the browser or disable/reenable the extension before browser biometrics work.

Today when the browser extension notices that the desktop is unavailable, it greys out the unlock button like this:

image461×134 4.54 KB

This even happens dynamically if the browser login page is displayed and one quits the desktop vault. One thing that would reduce friction is if the browser were able to attempt to reestablish the connection while this is displayed and greyed out.

Windows 11, 25H2
Bitwarden Desktop 2026.2.1
Chrome 146
Bitwarden Extension 2026.2.0
Server 2026.3.1

[quote=“DenBesten, post:8, topic:95365”]
If I restart the desktop vault, I do need to unlock my already logged-in desktop vault once (either via biometrics or master password) before biometrics work within my browser extension. There is no need to keep it unlocked, but one does, of course, need to keep it running and logged in.
[/quote]

This is unexpected.. Thinking about it, this is expected. The browser extension never sends up a key to the desktop app, so with the current implementation, the desktop app is always in BFU mode, and you would need “don’t require master password on app start” enabled to use it without first unlocking the desktop app separately.

At any rate, the extension biometrics weirdness will be fixed by [] Shared Unlock for Web, Browser, Desktop by quexten · Pull Request #19698 · bitwarden/clients · GitHub which will hopefully replace browser biometric unlock entirely.

@Quexten Thank you for taking the time to respond! I have a few follow-up questions:

I think you are referring to an attacker running user-space code that presents the user with a Windows Hello prompt, and tricks the user into completing the biometric authentication, something we have discussed before. Would that not be possible in your original (weaker) model of the attacker — who is still able to “run anything in user-space”?

Could you provide some example of attack methods available to this stronger attacker (one that is able to compromise biometric unlock without master password on restart) if it is still BFU? My understanding is that yes, all bets are off if there is malware present while the vault is unlocked, but I’ve liked to believe that a user has a “grace period” to detect the presence of malware prior to first unlock of the vault (on any client) — or even prior to subsequent unlocks (as long as all logged-in clients are locked with a strong master password).

Put less formally, the assumption is “my device is stolen (or seized i suppose) with the vault locked”, not “my device has malware running while I use it / while I unlock the vault”. The latter is significantly stronger and as mentioned, if we do suppose it then a lot of other places break / can be abused / “all bets are off”.

As soon as any client is unlocked, userspace malware on windows can generally access process memory and steal your keys / vault contents. On mac and linux this may not be the case depending on a few factors.

@Quexten Thank you, but it’s not clear to me which of my two questions your most recent comment was intended to address. Thus, I am still left unclear about what advice I should give forum participants regarding potential drawbacks of disabling “require master-password on app start” when unlocking with Windows Hello.

You wrote previously:

To me, these statements indicate that an attacker capable of running user-space code while the real user is interacting with the device already has a “bunch of” options for compromising a BFU biometrics-locked vault, which implies enabling “require master-password on app start” for biometric unlock does not add any practical advantage in terms of defending against such an attacker.

However, I don’t understand how that can be accurate, since I thought that an attacker with such capabilities would not be able to compromise a BFU biometrics-locked vault that has “require master-password on app start” enabled, if the user never unlocks their vault while the attacker’s code is running.

Have I misunderstood something?

which implies enabling “require master-password on app start” for biometric unlock does not add any practical advantage in terms of defending against such an attacker.

I agree with this under the above security definition, there is no extra security benefit provided. This only changes if you underly a (in my opinion unrealistic / not useful) different security definition / threat model to one where the attacker can either gain root, or can break the security of Windows Hello or can run user-space code while the user is interacting with the device.

I guess I personally don’t consider the above scenario to be so unlikely, especially in the case of malware.

Maybe I need to re-clarify. “Unrealistic/not useful” does not mean unlikely. Whether this is likely for you is up to your judgement. It’s just more the case that there is so many other ways that in that specific scenario can access your data, that it is not useful to assume as a threat model for examining the security of the biometrics system.

If we do make the assumption that an attacker can run user-space code while the user is interacting with their device, they can also get the user’s vault content by:

• Dumping the desktop app’s renderer process memory on the desktop app
• Dumping the browser’s process memory while the user is interacting with the browser extension
• Listening to key-strokes globally and capturing the master-password

and, sessions can be exfiltrated by:

• Dumping the browser’s cookie cache

That said, as mentioned above, if you do underly a threat model where the attacker does run user-space code while the user is interacting with the system, then yes, the BFU flow would allow unlocking the vault by prompt-phishing the user via Windows Hello.

@Quexten Can they do any of this before first unlock?

While the app is in BFU mode, before the user interacts with the device, they cannot dump Bitwarden application memory to get secrets. Listening to key-strokes and attacking the browser’s cookie store is possible regardless of whether Bitwarden is even installed.

So if a user has not unlocked their vault, and if they have not yet started typing their master password to unlock their vault, then it seems that they would remain protected against the attacker who can run user-space code — unless that attacker runs code to trick the user into completing a Windows Hello authentication (which would net them access to the cryptographic keys required for decrypting the local vault cache).

So this would be one example where enabling “require master-password on app start” would meaningfully safeguard the user during the BFU phase, correct? Or does this attacker have other ways of compromising the vault (before the user types the master password or otherwise unlocks their vault), even when “require master-password on app start” is enabled?

I tested and confirm @grb: the behaviour as expected (put in other words):

1. As long as the desktop app is in BFU (before first unlock) mode, the browser app requires MP. The desktop app needs to be in AFU (after first unlock) mode, for the browser app to accept Windows Hello.
2. In the desktop app, having checked “Require master password or PIN on app start”, the AFU state can only be achieved with the MP. While having unchecked the setting, the AFU state can be achieved with biometric unlock.

But having unchecked “Require master password or PIN on app start” is not exactly what I want in my risk scenario, which considers biometrics insufficient against local aggressors. My security strategy must sustain knockout drops in a hotel lobby/room, or a violent intruder at home, rather than a nerdy hacker. This includes victims get spyed out how biometrics is accomplished, and this rules out a PIN login generally. @quexten: BW security strategy should cope with local raid as well as theft/seizure!

Paradoxically in this scenario, biometrics is indispensable to avoid exposing the MP or a passkey device at every single login (besides of the comfort aspect). And that’s why master password-reprompt is mandatory for critical credentials. A second vault without biometrics enabled is worth considering, even though complicated to handle.

In the local violence scenario, biometric auth should offer a way to drop it in a case of emergency and fall back to MP auth. As long as you are concious you can try to loggoff Bitwarden and shut down your device. That’s why “Require master password or PIN on app start” in the desktop app can be a safety anchor, and it shouldn’t given up.

I skimmed through the PR and, as far as I understand the timeout mechanism (unsure if I do), I like to mind that timeout on an exposed smart phone must be short while timeout on the desktop or BW web in a save environment should be longer for maintenance of the vault. Setting the timeout high in save environment must not let the smart phone follow.