AUTO LOCK after master password entered on app restart

This confuses me. If biometrics are incompatible with your threat model, it pretty much moots this entire conversation, yet you still remain susceptible to the $5 wrench, despite solving the knocked-unconscious threat.

I don’t get why a PIN needs to be ruled out. PINs only work on the local device, cease working after a small number of failures, and can be as complex as you want.

This picture shows the Hello PIN requirements; Bitwarden PIN requirements are similar.

This conversation, and the associated PR (shared unlock), are about the interaction of the different vaults on a single Windows laptop. Nowhere is it proposing that unlocking one laptop should also unlock your phone, or even other laptops, although there is an FR to extend login with device to do something similar. There is also an FR that suggests syncing settings between devices, but it is careful to call out the need for some things to remain unique per device.

I agree with @DenBesten, shared unlock is on a single device between multiple Bitwarden apps (multiple extensions, the desktop app, multiple web vaults), not between different devices.

That doesn’t really reflect my opinion. Biometrics is, under certain conditions, a solution to my local threat model; in fact it prevents the PIN/PW from being spied out or the U2F from being snapped, I wrote. The condition which would make biometrics preferable over other authentication methods in a local threat scenario is a way (ideally multiple ways) to drop it quickly, which includes refusing after a few failures, and requiring the MP after logout/shutdown.

I can agree only in some way. My opinion developed from my preference for short PINs, which could be spied out easily. Long PINs are quite safe but cumbersome to use for every single login.

Thank you for clarifying this to me.

When is a PIN just another password? Hint: does it include characters from the alphabet and/or special characters?

Conventionally, PINs have a couple of additional distinguishing characteristics.

PINs tend to require physical presence. That is, they work when at the console, but not via remote desktop. As a result, they have a greatly reduced attack surface.

PINs also tend to require administrative or self-service resetting after a small number of failures (5 is common). This makes them much more resistant to brute-force attacks, but also more susceptible to denial-of-service attacks.
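As an added illustration of the lockout property described in the post above (this is constructed example code, not Bitwarden or Windows Hello code), the following models a local PIN check that refuses further attempts after 5 failures until an administrative reset. The PIN value, the PBKDF2 storage and the attempt budget are assumptions for the demonstration; the point is to see both sides of the trade-off the post names: an online brute force dies after 5 guesses, while an attacker at the console can lock the legitimate owner out with the same 5 guesses.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # the "5 is common" policy from the post


class PinGuard:
    """Constructed example: a local PIN verifier with a failure counter and hard lockout."""

    def __init__(self, pin: str, max_failures: int = MAX_FAILURES):
        # PBKDF2 with a random salt is an assumption for this example; the
        # lockout logic is the point, not the storage format.
        self.salt = os.urandom(16)
        self.digest = self._hash(pin, self.salt)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def verify(self, guess: str) -> bool:
        """Return True on a correct PIN; False on a wrong PIN or while locked."""
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(guess, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True  # stays locked until admin_reset()
        return False

    def admin_reset(self) -> None:
        """Administrative or self-service reset, as the post describes."""
        self.failures = 0
        self.locked = False


def brute_force(guard: PinGuard, digits: int = 6):
    """Online brute force against a lockout-protected PIN.

    Returns (pin_or_None, attempts_made). With a 5-failure lockout this
    stops after 5 wrong guesses regardless of PIN length.
    """
    for n in range(10 ** digits):
        if guard.locked:
            return None, n
        candidate = f"{n:0{digits}d}"
        if guard.verify(candidate):
            return candidate, n + 1
    return None, 10 ** digits


def guess_probability(digits: int, attempts: int) -> float:
    """Chance that an attacker with `attempts` guesses hits a uniformly random PIN."""
    return min(attempts, 10 ** digits) / 10 ** digits


def denial_of_service_demo(pin: str = "904711"):
    """The flip side of lockout: 5 junk guesses at the console lock the owner out.

    Returns (owner_can_unlock_after_attack, owner_can_unlock_after_reset).
    """
    guard = PinGuard(pin)
    for junk in ("000000", "111111", "222222", "333333", "444444"):
        guard.verify(junk)
    owner_before_reset = guard.verify(pin)   # correct PIN, but locked -> False
    guard.admin_reset()
    owner_after_reset = guard.verify(pin)    # True once reset
    return owner_before_reset, owner_after_reset


if __name__ == "__main__":
    g = PinGuard("904711")  # constructed PIN for the demo
    print("brute force result:", brute_force(g))
    print("P(guess 6-digit PIN in 5 tries):", guess_probability(6, 5))
    print("owner (before reset, after reset):", denial_of_service_demo())
```

Running it shows the brute force stopping at 5 attempts with nothing found, a 5-in-a-million chance of guessing a 6-digit PIN inside the budget, and the owner's correct PIN being refused until the reset, which is exactly the brute-force-versus-denial-of-service trade-off the post points out. What the code cannot show is the physical-presence property; that comes from the OS refusing PIN entry over remote desktop, not from the verifier.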

I was joking and understand what you are saying, but I think we are in an endless loop regarding passwords and security.

An average user reads an article or watches a short tech news story on YouTube claiming some new technology will make passwords redundant.

The user then learns that in addition to a HW token or some type of passkey solution, you will need Biometrics. No biometrics on your PC; type in a PIN. No need to worry because it will only be 4 to 6 digits long, so it will be easy to remember. Oh hang on a minute, a PIN is too easy to hack.

We better start using letters and special characters and make it longer. As far as the average user is concerned we are back where we started.
