After signing up for 2FA I was a bit confused about not being prompted again on mobile, or browser plugins.
After investigating, I get the choice as a default, since most will open and unlock fairly often. I’d love to see the option to auto-logout. My concern is forgetting to log out (not on a personal computer) and missing out on the benefit of 2FA. Never logging out somewhat defeats the point of purchasing Premium with a YubiKey.
Signed up to show support for this feature. It’d be great if it was machine-specific too. I don’t mind it not logging out automatically on my personal computer, but on a public machine, it’s a security vulnerability.
Please implement this! Moving to BitWarden, but this is the only thing missing!!
Maybe the BW team doesn’t want the extra bandwidth of re-downloads of the DB. Then just make an option for redoing 2FA on lock. Yes, this means you may have to recode the 2FA exit routine if it’s connected to the delete-DB routine.
…well, I’m going to try Zoho Vault. It seems to offer 2FA free and cloud storage for the same price as BW. …yep, this service is great. Accepts Yubikey (haven’t tried FIDO yet). Also, allows limiting IP address ranges. Click Settings for the browser extensions and My Account for the 2FA setup.
Yep, ZV signs you out after several time options in the browser extension. It authenticates through a popup window, but there is a checkbox to trust device for 180 days and the checkbox actually remembers your choice (unlike Google 2FA). It does leave that window open, which may get old, but a minor inconvenience for actual 2FA logout. You can also use a Google account to sign in, and there is a privacy autodelete for companies (I guess for the site usage history). Wow, actually there is a whole Audit feature for tracking who uses which passwords in a company and allows sharing, etc. Here is their direct comparison to BW (seems like a pretty targeted competitor to BW).
As far as I can tell this enhancement hasn’t been added yet (please correct me if I’m wrong).
Until the auto-logout enhancement is added, this line under “Premium” on bitwarden.com should be changed from this:
Two-step login with YubiKey, FIDO U2F, & Duo
to this:
Two-step login with YubiKey, FIDO U2F, & Duo (limited support)
The current line is misleading because when deciding to pay $10/yr, people don’t understand the semantics of “login” and “lock out”. My gut tells me that the folks at Bitwarden aren’t the type that would intentionally deceive people but IMHO that’s the net result of that line.
Also, not requiring 2FA after lockout defeats the purpose of Yubikey 2FA.
While I’m still satisfied with Bitwarden overall, if I had known that Bitwarden only had limited support for YubiKey 2FA I wouldn’t have signed up for the Premium account.
I hope to see this security flaw corrected ASAP.
Regarding “The downside to this feature would be that if the user does not have an internet connection (or Bitwarden servers are down for some reason) they would not be able to access their vault.”: the browser plugin is pretty much only used for internet logins, so if the internet is down, this is moot.
…replying with an edit to my post 2 posts above because I can’t edit it anymore:
Seems Zoho Vault isn’t reauthenticating with 2FA key anymore. Well, the Vault does, but not the browser extension.
I found that Yubikeys have a second ‘slot’ you activate by a long press (+3 secs). You can set the 64 bit (lowercase alpha) Static Password to the second slot and it acts as a very long one-click password. Not as secure as TOTP, but an option seeing as no affordable password managers offer locking including 2FA. Also, the Yubikey 4 (black with just the Y icon) does this and there’s a seller on eBay for $15 so you can match the password on a backup key.
Struggling to understand why this nearly 2-year-old request is still a request. There is already code to lock after a timeout; how hard is it to re-purpose that to force a logout after a different timeout?
Before you go there: yes, it’s open source, but I’m not a developer.
I am a bit disappointed that there is no such option. I really want to see an option where I can do the following:
a) lock after 5 minutes and quick unlock via PIN or fingerprint
b) log out completely after a phone or computer restart and enter master password + YubiKey
Hope to see it soon. Actually I upgraded to Premium because I thought this would be possible.
Yes, you’re right, maybe I described it a bit oddly. To sum up: there should be an option to choose complete logout (i.e. after a phone restart) and then login via password + YubiKey. Actually this shouldn’t be a big problem because most of the functions are already implemented. I am okay with the fact that I need internet to re-login. I had this function with KeePass and I miss it.
Yes, found that option. But the problem is I cannot use quick unlock via PIN in combination with master password + YubiKey. Either I use the “lock” option (but then Bitwarden never logs out when the app is closed) OR I use the “logout” option. With the last option you have to enter your password + use the YubiKey every minute (if you choose a vault timeout of 1 min) and I don’t want that. I just want to quick unlock via PIN, and after a phone restart it should ask me for my password + YubiKey.
Currently when extension locks and user unlocks extension again the 2nd factor is not requested. The request is to change it so that when extension locks, the behaviour of log-out is called. Because then when logging back in, a 2nd factor is requested.
Please add an option for auto-logout or to require 2FA after Bitwarden locks. We currently will not use the browser extensions, the mobile or desktop apps because they never auto-logout (i.e. 2FA is never required). This seems like a simple and absolutely necessary addition for people that need strong security.