I don’t know if this is a bug or a missing feature or a “current intended design”,
but I noticed that if you select Unlock vault via PIN code in the app settings and say No to "Do you want to require unlocking with your master password when the application is restarted?"
Now when you try to autofill, you’ll be able to use your PIN code to unlock the vault and gather the item to autofill on that site.
However, now you can also open the app itself, unlock it and gain access to everything in the vault/settings as well as all security aspects, which isn’t ideal for security.
If you say yes to "Do you want to require unlocking with your master password when the application is restarted?"
You now won’t be able to use PIN code to unlock the vault on the app, but that means you also won’t be able to use the PIN code for Autofill for some reason.
The ideal approach would be to have it so that you must use Master password for the app itself to unlock the vault and access everything, but have the option to use PIN code for unlocking the vault when using the Autofill feature.
Currently this isn’t possible as far as I know. It’s either PIN only within current session after using master password or use PIN everywhere to unlock, including after restart of the Bitwarden app.
Now like I said earlier, I don’t know if this is a bug or a missing feature, but this is something I would like to see implemented.
Hm. I think this bug could also be connected with your issue:
If I understand (and remember) this bug report correctly, then even with both biometric unlock and PIN unlock deactivated – and an unlocked vault – the iOS app still requires the master password for autofill actions (unless the session timeout is set to “never”).
PS: I was the one that changed your title to better reflect your request.
My preferred vault locking setup is to balance security and convenience by avoiding unlock via phone biometrics/passcode (already compromised if an attacker can access my phone) and requiring my full master password on first unlock, but allowing PIN verification when re-opening the app or while autofilling. This works perfectly on Android but since switching to iOS I am now required to re-enter my master password every time I autofill, even if my vault is unlocked.
iOS users are currently forced to choose between inconvenient security (always re-entering the master password) or less inconvenient weakened security (replacing master password with brute-forceable PIN or single-factor biometrics) which remains more inconvenient than Android as re-verification is required while the vault is unlocked. This makes Bitwarden unusable to me on iOS.
This was reported as a bug 3 years ago by @Joe4 on the mobile GitHub repository #2601 but seems to have gone completely unnoticed by Bitwarden and has since been automatically closed last year by a bot.
This FR has similarities with (but is different from) Joe4’s feature request 3.5 years ago
@Joe4’s feature request only discussed allowing iOS users to instantly autofill while the vault is unlocked whereas this feature request addresses the larger issues which were later explained by @Joe4 on GitHub in bug report #2601.
Hi there, issue #1167 seems distinct from the issue I’m describing here. I tested it out by setting session timeout to never and then manually locking the vault. You’ll be asked for a PIN if you switch to and from the Bitwarden app as expected, but when autofilling you’ll be required to enter your master password instead.
@InstaSnare You’re probably right – I think it’s already the second or third time that I was “deceived” by the title of this bug report (I forgot it has a precondition: PIN or biometrics are not enabled).
Hm. Could you try to deinstall/reinstall the iOS app? – I think I can remember reports where it worked after a reinstallation. (as you do seem to have PIN unlock enabled, but with “require master password on app start”)