Add the ability for a user to be automatically logged out of the app after X minutes of inactivity (similar to the existing locking features). Logging out (as opposed to locking) will require the user to complete the 2FA step again. The downside to this feature would be that if the user does not have an internet connection (or Bitwarden server are down for some reason) they would not be able to access their vault.
GitHub issue: https://github.com/bitwarden/browser/issues/91
Even though that the user canāt login to the web vault, I believe we could use the local database (on the desktop or mobile app versions, for example) 1st and sync it later on when we get back online. I donāt believe itās a big problem, at least in my point of view.
EDIT: @kspearrin talked about I mentioned above here. So donāt mind my duplicate point of view on this one. 
Wow, I did not know that. I feel like Iāve dodged a bulletā¦ Thanks for the info. I assumed I could use āLog Outā as a synonym for āRequire 2FA at next loginā and for whatever reason (Safe in Cloud behavior, I guess) I assumed this would all work offline. 
Might you consider changing the name of that option to something like āDelete Local Databaseā?
I suspect K0media, redquinoa and I are not the only people who had no idea āLogoutā would do that before reading this comment. In most contexts, ālogoutā just means ābreak the connection with the server so that I have to authenticate again to access the server.ā
Is it possible to back up the local database in its resting, encrypted form and later restore it offline so that Bitwarden will recognize its state as ālogged inā (so the restored database can be read even if a connection to the server cannot be established)? That matters because it allows an automated backup to work just by including the needed files. Exporting to CSV and encrypting requires manual intervention.
Coises, automatically deleting the local copy of the vault data when you log out of the app is an important security feature. You donāt want to be leaving encrypted copies of your vault on every device you ever logged into a Bitwarden app on. Knowing your master password is the only thing stopping a person from being able to access your vault data if they can access the appās data file on the device. They donāt need a second factor, and access canāt be revoked remotely if the device is offline, since Bitwarden is designed to allow read-only access even when offline.
I believe you can back up the local encrypted vault data, and restore it to get to an old version of the vault, or to restore access in the event that youāve logged out and the Bitwarden cloud service is unavailable. I tested it with the Firefox app, and it seems to work fine. If you log out of the app, restore a data file backed up when you were logged in, and then restart the app, youāll be logged in again and you only need to enter your master password to unlock the vault. This works without an Internet connection. A far as I know, the app login never expires. But you will need to remember the master password you used at the time of the backup, because entering that password is the only way to unlock and decrypt the vault.
Being able to create automatic backups of my vault is an important feature to me, so I can guard against corruption of the vault data, see my old passwords if necessary, and ensure access to my vault even if the Bitwarden cloud service is unavailable.
I up voted this issues because I think its an important security flaw.
If a device was stolen or accidentaly got into the wrong hands where bitwarden has been logged into once before, then the āattackerā in that case has only 1 factor to break to access a persons entire password database.
I use the auto-lock function, but if someone did not have that enabled then an attacker may not even need 1 factor of authentication, they could just open up bitwarden.
Iām not sure what the default settings are for auto-lock.
Im also concious that I used Lastpass and that had 2FA on every login. Whilst I appreciate its a different product, they have this scenario covered.
Is anyone aware of a macro or shortcut available for logging out of bitwarden? That might at the very least give a quick option if your leaving your computer. But that still puts the onus on the person to ensure theyāre logged out. Auto-logout would be much better so it could be to a userās prefered interval and then forces 2FA process.
Also auto-logout mitigates the scenario I mentioned by forcing the 2FA after X time. If a device was in the wrong hands then this reduces the timescale.
I agree with Peter_Fiddes that this is a big issue. However, I donāt think auto-logout is the right answer for 2fa controls because of the implications for local cache, which are kind of a different issue entirely (whether nuking local cache is desired after a period of time is a distinct need from wanting there to be 2fa between you and secrets at all times). I suggest that while this is a good request on itās own, vote on this card ONLY if you are concerned about removing local cache after X minutes. If you want to ensure users must enter the 2nd factor every time the āunlockā timeout happens, you should be putting a vote here: 2FA when āunlockingā
+1; This is a must-have security feature to decrease the window of opportunity for an attacker on system compromise.
Despite the need for easy to use, default settings, more sophisticated, granular control might be nice for security nerds and IT people.
I moved to Bitwarden from LastPass, but I miss LastPassās sophisticated auto logout settings. I could quickly reboot a browser and stay logged in to LastPass, but I could expect auto-logout when offline for a user-determined period. Nice, considering a password manager should be a LOOOONG, sophisticated passPHRASEā¦ the only one you have to remember, but still a long, annoying type-in!
The local vault data (for the Chrome extension at least) is not automatically deleted. That puts me one password away from compromise, which is not why I paid the $10 for FIDO2 2FA.
However, if one was to delete the cached BitWarden data, that would ensure 2FA is required and not leave files which could be brute-forced lying around on the disk.
Iām thinking that I just need a Windows 10 shut-down script which completely zaps that local cached data every time. That will force the user to use 2FA to get back in to Bitwarden, which is what I want.
(Just tried that and it works a treat on Win 10: group policy editor, add a script to delete the cache on shutdown. It is run after Chrome is shut down by the OS apparently)
@kspearrin are there any news on an auto logout feature? At the moment we are testing bitwarden within only one department, but the missing option to automatically logout is a big problem that makes it difficult to go from test, to production within our whole organization.
I would like this feature. I like that my vault is wiped on logout. Either adding an Auto-logout option or
an option to have a logout button on the Main UI, would be enough for me.
I, too, would like to have an auto-logout feature similar to the auto-lock.
After I have closed the browser, I would like to be forced to authenticate with my hardware token again.
I donāt mind the database getting wiped on logout, makes it even more secure IMO.
Just made an account to upvote this feature.
Give users both the option to auto-lock and auto-logout.
Regarding being able to access the vault while offline, the majority of peopleās logins are for websites, so they would need to have internet in the first placeā¦
The only time I can see this being an issue would be having no internet access while traveling/abroad and needing your travel documents/IDs stored in the vault (personal experience with LastPass). A workaround to this would be to increase the auto-logout to longer periods of time (e.g. 1 week or 1 month) to still have access to the offline vault.
Hope this feature is implement. Cheers!
I would love this feature. At present lock, options have few options
I would like auto log out after 30 minutes or so and log out every time I lock system or idle for some time. I want to use these features together.
Lock feature options fine, but need an option to logout on browser close. Now, Yubikey is not prompted, even on reboot, unless previously manually logged out.