Yep, Log out on browser close by default is something that makes sense to me. Looking forward to seeing something like this implemented.
Any news on this? I would really like to have an option that logs you out or at least something that prompts you for 2FA after a while.
At the moment 2FA is useless because I’m not prompted for that anymore. I just enter my master password and that’s it. I bought premium to use Duo.
Maybe 2FA can be added on lock? So if the extension gets locked after 30 minutes then you have to use 2FA.
(First post from new Premium user here.)
If the local database is getting wiped on log out, it’s really important for users to know that, particularly if they’re going to be someplace (e.g. on an airplane) where they won’t necessarily have ready Internet access but might be using other programs on a laptop that require passwords and such. I agree with Coises that the term “Log Out” is at best inadequate (and at worst misleading) to convey what happens.
A Log Out also means that if the BW server ever goes down (which happened to LastPass for several hours) you would have no access at all to your vault during that time.
Well, I might have to go back to LastPass if nothing is done about 2FA. I set up a new DUO account, set up 2FA with DUO and now I can’t use it.
Created a community account just to add a note about this issue.
@kspearrin this seems critical enough for you to at least weigh in once a quarter or so on whether this is moving forward or not so users can make more informed decisions about their security tool choices based on this thread.
Agree with previous commenters that it’s not at all clear from the UX/UI alone that the local database is (or may be?) wiped with logout and not with lock, and that there’s really a behavior matrix between logout/lock/2FA.
I would also propose to separate/document behavior between desktop app and browser extension - I don’t think it’s at all unreasonable to expect a browser extension to require network access as the rest of the browser is usually fairly DOA w/o it, but that a/the differentiator for desktop app is to store credentials possibly needed for offline use w/ the explicit caveats of data-at-rest exposure for those concerned with this issue. As a side-note I’d also add that for Bitwarden Desktop to actually fulfill an offline use case it’d have to be able to replace OS-level password mgmt - wifi passwords etc. Without that, there’s little incentive to switch/merge the two+ tools.
Thanks for considering, and thanks for your updated reply!
Why don’t the devs reply to this issue…?
It seems there is either a technical reason or it is not valid for security reasons… but I don’t understand why not?
Can someone explain?
Also, why does LastPass have this feature - does it operate in a different way?
I would like to see some consistency in the logout process between browsers. Chrome and Edge behave normally logging out of Bitwarden when I close the browser and requiring me to enter my master password when I reopen it. Firefox on the other hand just fills that information in even though I’ve told it to require it on a restart and now I’ve set it to every 15 minutes but it continues to autofill my password even though I don’t want it to.
I signed up to upvote this request. Pretty disappointed when I went premium to use my Yubikeys for 2FA and found out this feature was missing.
But I understand that from a UX perspective, it is tricky to explain (especially to new users) the difference between Lock and Logout. Maybe in the settings have two separate Groups – Lock and Logout – under Security, with a brief explanation of how they behave differently.
LastPass does it in a pretty clear way. If I remember correctly, you define when you are logged out (i.e. have to enter your master password) and when to ask for 2FA (completely independent, for example every reboot or every 30 days). I have never felt that it was clumsy or confusing.
After signing up for 2FA I was a bit confused about not being prompted again on mobile, or browser plugins.
After investigating I get the choice as a default since most will open unlock fairly often. I’d love to see the option to auto-logout. My concern is forgetting to log out (not on a personal computer) and missing out on the benefit of 2FA. Never logging out somewhat defeats the point of purchasing premium with a Yubikey.
Signed up to show support for this feature. It’d be great if it was machine-specific too. I don’t mind it not logging out automatically on my personal computer, but on a public machine, it’s a security vulnerability.