Auto-logout after X minutes

app:all

#1

Add the ability for a user to be automatically logged out of the app after X minutes of inactivity (similar to the existing locking features). Logging out (as opposed to locking) will require the user to complete the 2FA step again. The downside to this feature would be that if the user does not have an internet connection (or the Bitwarden servers are down for some reason) they would not be able to access their vault.

GitHub issue: https://github.com/bitwarden/browser/issues/91


#2

Even though the user can’t log in to the web vault, I believe we could use the local database (on the desktop or mobile app versions, for example) first and sync it later on when we get back online. I don’t believe it’s a big problem, at least in my point of view.

EDIT: @kspearrin talked about what I mentioned above here. So don’t mind my duplicate point of view on this one. :sweat_smile:


#3

@K0media The local database is wiped from the device whenever you log out.


#4

Wow, I did not know that. I feel like I’ve dodged a bullet… Thanks for the info. I assumed I could use “Log Out” as a synonym for “Require 2FA at next login” and for whatever reason (Safe in Cloud behavior, I guess) I assumed this would all work offline. :scream: :cold_sweat:


#5

Similar: 2FA when 'unlocking'


#6

Yes indeed this feature is very important.


#7

Might you consider changing the name of that option to something like “Delete Local Database”?

I suspect K0media, redquinoa and I are not the only people who had no idea “Logout” would do that before reading this comment. In most contexts, “logout” just means “break the connection with the server so that I have to authenticate again to access the server.”

Is it possible to back up the local database in its resting, encrypted form and later restore it offline so that Bitwarden will recognize its state as “logged in” (so the restored database can be read even if a connection to the server cannot be established)? That matters because it allows an automated backup to work just by including the needed files. Exporting to CSV and encrypting requires manual intervention.


#8

Coises, automatically deleting the local copy of the vault data when you log out of the app is an important security feature. You don’t want to be leaving encrypted copies of your vault on every device you ever logged into a Bitwarden app on. Knowing your master password is the only thing stopping a person from being able to access your vault data if they can access the app’s data file on the device. They don’t need a second factor, and access can’t be revoked remotely if the device is offline, since Bitwarden is designed to allow read-only access even when offline.

I believe you can back up the local encrypted vault data, and restore it to get to an old version of the vault, or to restore access in the event that you’ve logged out and the Bitwarden cloud service is unavailable. I tested it with the Firefox app, and it seems to work fine. If you log out of the app, restore a data file backed up when you were logged in, and then restart the app, you’ll be logged in again and you only need to enter your master password to unlock the vault. This works without an Internet connection. As far as I know, the app login never expires. But you will need to remember the master password you used at the time of the backup, because entering that password is the only way to unlock and decrypt the vault.

Being able to create automatic backups of my vault is an important feature to me, so I can guard against corruption of the vault data, see my old passwords if necessary, and ensure access to my vault even if the Bitwarden cloud service is unavailable.


#9

I upvoted this issue because I think it’s an important security flaw.

If a device was stolen or accidentally got into the wrong hands where Bitwarden has been logged into once before, then the ‘attacker’ in that case has only 1 factor to break to access a person’s entire password database.

I use the auto-lock function, but if someone did not have that enabled then an attacker may not even need 1 factor of authentication, they could just open up bitwarden.
I’m not sure what the default settings are for auto-lock.

I’m also conscious that I used LastPass and that had 2FA on every login. Whilst I appreciate it’s a different product, they have this scenario covered.

Is anyone aware of a macro or shortcut available for logging out of Bitwarden? That might at the very least give a quick option if you’re leaving your computer. But that still puts the onus on the person to ensure they’re logged out. Auto-logout would be much better so it could be set to a user’s preferred interval and then force the 2FA process.

Also auto-logout mitigates the scenario I mentioned by forcing the 2FA after X time. If a device was in the wrong hands then this reduces the timescale.


#10

I agree with Peter_Fiddes that this is a big issue. However, I don’t think auto-logout is the right answer for 2FA controls because of the implications for local cache, which are kind of a different issue entirely (whether nuking local cache is desired after a period of time is a distinct need from wanting there to be 2FA between you and secrets at all times). I suggest that while this is a good request on its own, vote on this card ONLY if you are concerned about removing local cache after X minutes. If you want to ensure users must enter the 2nd factor every time the “unlock” timeout happens, you should be putting a vote here: 2FA when ‘unlocking’


#11

+1; This is a must-have security feature to decrease the window of opportunity for an attacker on system compromise.


#12

Despite the need for easy-to-use default settings, more sophisticated, granular control might be nice for security nerds and IT people.

I moved to Bitwarden from LastPass, but I miss LastPass’s sophisticated auto logout settings. I could quickly reboot a browser and stay logged in to LastPass, but I could expect auto-logout when offline for a user-determined period. Nice, considering a password manager should be a LOOOONG, sophisticated passPHRASE… the only one you have to remember, but still a long, annoying type-in!


#13

The local vault data (for the Chrome extension at least) is not automatically deleted. That puts me one password away from compromise, which is not why I paid the $10 for FIDO2 2FA.

However, if one was to delete the cached Bitwarden data, that would ensure 2FA is required and not leave files which could be brute-forced lying around on the disk.

I’m thinking that I just need a Windows 10 shut-down script which completely zaps that local cached data every time. That will force the user to use 2FA to get back in to Bitwarden, which is what I want.

(Just tried that and it works a treat on Win 10: group policy editor, add a script to delete the cache on shutdown. It is run after Chrome is shut down by the OS, apparently.)
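The kind of shutdown script the post above describes, as an added example (not the poster's own script and not part of Bitwarden): it removes a directory of locally cached extension data so the next browser start requires a full login, including the second factor. The cache path is a placeholder you must replace with the extension's local storage directory on your system, and the log file location is an assumption.

```powershell
# Added example (not the poster's script). Registered as a Computer
# Configuration > Windows Settings > Scripts > Shutdown script in gpedit.msc,
# it runs as SYSTEM after user processes (including the browser) have exited.
# PLACEHOLDER: point this at the extension's local storage directory.
$ExtensionDataPath = "C:\PLACEHOLDER\path\to\extension\local\storage"
# Assumed log location so a failed wipe is visible afterwards.
$LogPath = Join-Path $env:ProgramData "vault-cache-wipe.log"

function Write-Log([string]$Message) {
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

try {
    if (Test-Path -LiteralPath $ExtensionDataPath) {
        # -Recurse removes the whole directory tree; -Force also removes
        # hidden and read-only items. -ErrorAction Stop makes a partial
        # failure land in the catch block instead of being silently ignored.
        Remove-Item -LiteralPath $ExtensionDataPath -Recurse -Force -ErrorAction Stop
        Write-Log "Removed cached vault data at $ExtensionDataPath"
    } else {
        Write-Log "Nothing to remove: $ExtensionDataPath not present"
    }
    exit 0
} catch {
    Write-Log "Failed to remove cached vault data: $($_.Exception.Message)"
    exit 1
}
```

Two caveats a practitioner would want: deleting a file does not overwrite its contents, so the encrypted blob can remain recoverable on disk until the blocks are reused, which is why this belongs on a full-disk-encrypted volume rather than being relied on as a wipe; and the script only runs on a clean shutdown, so a device that is powered off abruptly, put to sleep, or simply taken while running still has the cache in place.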


#14

@kspearrin is there any news on an auto-logout feature? At the moment we are testing Bitwarden within only one department, but the missing option to automatically log out is a big problem that makes it difficult to go from test to production within our whole organization.


#15

I would like this feature. I like that my vault is wiped on logout. Either adding an auto-logout option or an option to have a logout button on the main UI would be enough for me.


#16

Would love to have this feature.


#17

I, too, would like to have an auto-logout feature similar to the auto-lock.
After I have closed the browser, I would like to be forced to authenticate with my hardware token again.
I don’t mind the database getting wiped on logout; it makes it even more secure IMO.


#18

Just made an account to upvote this feature.

Give users both the option to auto-lock and auto-logout.

Regarding being able to access the vault while offline, the majority of people’s logins are for websites, so they would need to have internet in the first place…

The only time I can see this being an issue would be having no internet access while traveling/abroad and needing your travel documents/IDs stored in the vault (personal experience with LastPass). A workaround to this would be to increase the auto-logout to longer periods of time (e.g. 1 week or 1 month) to still have access to the offline vault.

Hope this feature is implemented. Cheers!


#19

I would love this feature. At present, the lock options are few:

  1. Minutes
  2. System Lock
  3. browser restart etc.

I would like auto-logout after 30 minutes or so, and logout every time I lock the system or am idle for some time. I want to use these features together.


#20

Lock feature options are fine, but we need an option to log out on browser close. Now, the YubiKey is not prompted for, even on reboot, unless previously manually logged out.