Yep, Log out on browser close by default is something that makes sense to me. Looking forward to seeing something like this implemented.
Any news on this? I would really like to have an option that logs you out or at least something that prompts you for 2FA after a while.
At the moment 2FA is useless because I’m not prompted for that anymore. I just enter my master password and that’s it. I bought premium to use Duo.
Maybe 2FA can be added on lock? So if the extension gets locked after 30 minutes then you have to use 2FA.
(First post from new Premium user here.)
If the local database is getting wiped on log out, it’s really important for users to know that, particularly if they’re going to be someplace (e.g. on an airplane) where they won’t necessarily have ready Internet access but might be using other programs on a laptop that require passwords and such. I agree with Coises that the term “Log Out” is at best inadequate (and at worst misleading) to convey what happens.
A Log Out also means that if the BW server ever goes down (which happened to LastPass for several hours) you would have no access at all to your vault during that time.
Well, I might have to go back to LastPass if nothing is done about 2FA. I set up a new DUO account, set up 2FA with DUO and now I can’t use it.
Created a community account just to add a note about this issue.
@kspearrin this seems critical enough for you to at least weigh in once a quarter or so on whether this is moving forward or not so users can make more informed decisions about their security tool choices based on this thread.
Agree with previous commenters that it’s not at all clear from the UX/UI alone that the local database is (or may be?) wiped with logout and not with lock, and that there’s really a behavior matrix between logout/lock/2FA.
I would also propose to separate/document behavior between desktop app and browser extension - I don’t think it’s at all unreasonable to expect a browser extension to require network access, as the rest of the browser is usually fairly DOA w/o it, but that a/the differentiator for the desktop app is to store credentials possibly needed for offline use, w/ the explicit caveats of data-at-rest exposure for those concerned with this issue. As a side note, I’d also add that for Bitwarden Desktop to actually fulfill an offline use case it’d have to be able to replace OS-level password mgmt - wifi passwords etc. Without that, there’s little incentive to switch/merge the two+ tools.
Thanks for considering, and thanks for your updated reply!
Why don’t the devs reply to this issue…?
It seems there is either a technical reason or it is not valid for security reasons… but I don’t understand why not?
Can someone explain?
Also, why does Lastpass have this feature - does it operate in a different way?
I would like to see some consistency in the logout process between browsers. Chrome and Edge behave normally logging out of Bitwarden when I close the browser and requiring me to enter my master password when I reopen it. Firefox on the other hand just fills that information in even though I’ve told it to require it on a restart and now I’ve set it to every 15 minutes but it continues to autofill my password even though I don’t want it to.
I signed up to upvote this request. Pretty disappointed when I went premium to use my Yubikeys for 2FA and found out this feature was missing.
But I understand that from a UX perspective, it is tricky to explain (especially to new users) the difference between Lock and Logout. Maybe in the settings have two separate groups – Lock and Logout – under Security, with a brief explanation of how they behave differently.
LastPass does it in a pretty clear way. If I remember correctly, you define when you are logged out (i.e. have to enter your master password) and when to ask for 2FA (completely independent, for example every reboot or every 30 days). I have never felt that it was clumsy or confusing.
After signing up for 2FA I was a bit confused about not being prompted again on mobile, or browser plugins.
After investigating I get the choice as a default since most will open unlock fairly often. I’d love to see the option to auto-logout. My concern is forgetting to log out (not on a personal computer) and missing out on the benefit of 2FA. Never logging out somewhat defeats the point of purchasing premium with a Yubikey.
Signed up to show support for this feature. It’d be great if it was machine-specific too. I don’t mind it not logging out automatically on my personal computer, but on a public machine, it’s a security vulnerability.
Any word on when this feature might become available? We’d really like an option to log off the Windows application after X amount of time and not just lock the application.
Please implement this! Moving to BitWarden, but this is the only thing missing!!
Maybe the BW team doesn’t want the extra bandwidth of re-downloads of the DB. Then just make an option to redo 2FA on lock. Yes, this means you may have to recode the 2FA exit routine if it’s connected to the delete DB routine.
…well, I’m going to try Zoho Vault. It seems to offer 2FA free and cloud storage for the same price as BW. …yep, this service is great. Accepts Yubikey (haven’t tried FIDO yet). Also, allows limiting IP address ranges. Click Settings for the browser extensions and My Account for the 2FA setup.
Yep, ZV signs you out after several time options in the browser extension. It authenticates through a popup window, but there is a checkbox to trust device for 180 days and the checkbox actually remembers your choice (unlike Google 2FA). It does leave that window open, which may get old, but a minor inconvenience for actual 2FA logout. You can also use a Google account to sign in, and there is a privacy autodelete for companies (I guess for the site usage history). Wow, actually there is a whole Audit feature for tracking who uses which passwords in a company and allows sharing, etc. Here is their direct comparison to BW (seems like a pretty targeted competitor to BW).
As far as I can tell this enhancement hasn’t been added yet (please correct me if I’m wrong).
Until the auto-logout enhancement is added, this line under “Premium” on bitwarden.com should be changed from this:
Two-step login with YubiKey, FIDO U2F, & Duo
Two-step login with YubiKey, FIDO U2F, & Duo (limited support)
The current line is misleading because when deciding to pay $10/yr, people don’t understand the semantics of “login” and “lock out”. My gut tells me that the folks at Bitwarden aren’t the type that would intentionally deceive people but IMHO that’s the net result of that line.
Also, not requiring 2FA after lockout defeats the purpose of Yubikey 2FA.
While I’m still satisfied with bitwarden overall, if I knew that bitwarden only had limited support for yubikey 2FA I wouldn’t have signed up for the Premium account.
I hope to see this security flaw corrected ASAP.
Regarding "The downside to this feature would be that if the user does not have an internet connection (or Bitwarden server are down for some reason) they would not be able to access their vault.": the browser plugin is pretty much only used for internet logins, so if the internet is down, this is moot.
…replying with an edit to my post 2 posts above because I can’t edit it anymore:
Seems Zoho Vault isn’t reauthenticating with 2FA key anymore. Well, the Vault does, but not the browser extension.
I found that Yubikeys have a second ‘slot’ you activate by a long press (+3 secs). You can set the 64 bit (lowercase alpha) Static Password to the second slot and it acts as a very long one-click password. Not as secure as TOTP, but an option seeing as no affordable password managers offer locking including 2FA. Also, the Yubikey 4 (black with just the Y icon) does this and there’s a seller on eBay for $15 so you can match the password on a backup key.
Also cross-referencing a very similar discussion:
Struggling to understand why this nearly 2 year old request is still a request? There is already code to lock after a timeout; how hard is it to re-purpose that to force a logout after a different timeout?
Before you go there, yes, it’s open source, but I’m not a developer.