Problem Statement: Our organization utilizes Bitwarden with SSO Login and requires Trusted Devices for vault access. This significantly improves the user experience by eliminating the need for end-users to remember a separate Bitwarden master password, relying instead on our established IdP credentials. However, the current workflow requires manual approval for every new device, even when the device is a known, company-owned, and managed asset. This manual approval step introduces administrative overhead, user confusion, and delays for users attempting to access their vault on a new or replacement company device. This is amplified by users needing separate approvals for the desktop app and the browser extension on the same device.
Proposed Solution: We propose the introduction of a mechanism to automatically approve new trusted devices based on their hardware serial number for users logging in via SSO.
- Admin Console Enhancement: Add a new section within the Bitwarden Admin Console, ideally under Organization Settings (perhaps alongside Policies or within a dedicated Device Management area).
- Serial Number Management: This new section should allow administrators to upload and manage a list of trusted device serial numbers. This could initially be via CSV upload/download, with fields for Serial Number and potentially a description/asset tag.
- Automated Approval Logic: When a member of the organization successfully authenticates via SSO on a new, unrecognized device:
  - The Bitwarden client should attempt to retrieve the device’s hardware serial number.
  - Bitwarden should check whether this retrieved serial number exists in the organization’s pre-approved list managed in the Admin Console.
  - If a match is found, the device should be automatically approved as a “Trusted Device” for that user without generating a manual approval request.
  - If no match is found (or the serial number cannot be retrieved), the standard device approval workflow (manual admin approval or user self-approval if configured) should proceed.
Benefits:
- Reduced Administrative Overhead: Eliminates the need for admins to manually approve known, company-issued devices.
- Improved User Experience: Provides faster, seamless access for users logging into Bitwarden on new or replacement company hardware.
- Enhanced Security Posture: Leverages existing asset management data (serial numbers) to securely grant device trust.
- Streamlined Onboarding/Device Lifecycle: Simplifies the process when employees receive new hardware.
Use Case Example:
- An IT administrator uploads the serial numbers of all company-owned laptops into the new section in the Bitwarden Admin Console.
- An employee receives a new, company-issued laptop.
- The employee opens the Bitwarden application or extension and initiates login via their company SSO credentials.
- Bitwarden successfully authenticates the user via the IdP.
- Bitwarden detects it’s a new device, retrieves its serial number, and checks it against the organization’s approved list.
- A match is found.
- The device is automatically approved as trusted, and the user gains immediate access to their vault without admin intervention.
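As an added illustration of the Automated Approval Logic and the use case walkthrough above (this is not Bitwarden code or a proposed implementation), the following TypeScript sketches the decision step: parsing the admin-uploaded serial list, normalising the serial the client reports, and producing either an automatic approval or a fall-through to the standard workflow, with one audit record per decision for the reporting idea. All function names, the CSV layout (serial_number,description) and the sample serials are assumptions made for the example.

```typescript
// Added example (not Bitwarden code): the decision step of the proposed
// serial-number auto-approval. Function names, the CSV layout and the
// sample data are assumptions for illustration.

type SerialEntry = { serial: string; description: string };

type Outcome = "auto_approved" | "manual_approval_required";

type ApprovalDecision = {
  outcome: Outcome;
  reason: string;
  matched?: SerialEntry;
  // Per-decision record for the proposed Admin Console report.
  audit: { userId: string; deviceId: string; serial: string | null; outcome: Outcome };
};

// Operating systems report serials with inconsistent case and padding,
// so both the upload and the client-reported value are normalised first.
function normalizeSerial(raw: string | null | undefined): string | null {
  if (raw === null || raw === undefined) return null;
  const s = raw.trim().toUpperCase();
  return s.length === 0 ? null : s;
}

// Parse the admin-uploaded CSV. Blank lines are skipped and a repeated
// serial keeps its first description, so a duplicate row cannot overwrite
// an existing asset tag.
function parseSerialAllowlist(csv: string): Map<string, SerialEntry> {
  const list = new Map<string, SerialEntry>();
  const lines = csv.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (i === 0 && line.trim().toLowerCase().startsWith("serial_number")) continue;
    if (line.trim() === "") continue;
    const parts = line.split(",");
    const serial = normalizeSerial(parts[0]);
    if (serial === null || list.has(serial)) continue;
    list.set(serial, { serial, description: parts.slice(1).join(",").trim() });
  }
  return list;
}

// Apply the proposed logic to one SSO login from an unrecognised device.
// A missing or unmatched serial falls through to the standard (manual)
// approval workflow; nothing is denied at this step.
function decideDeviceApproval(
  userId: string,
  deviceId: string,
  reportedSerial: string | null,
  allowlist: Map<string, SerialEntry>,
): ApprovalDecision {
  const serial = normalizeSerial(reportedSerial);
  const manual = (reason: string): ApprovalDecision => ({
    outcome: "manual_approval_required",
    reason,
    audit: { userId, deviceId, serial, outcome: "manual_approval_required" },
  });
  if (serial === null) return manual("serial number could not be retrieved");
  const matched = allowlist.get(serial);
  if (matched === undefined) return manual("serial number not in organization list");
  return {
    outcome: "auto_approved",
    reason: "serial number matched organization list",
    matched,
    audit: { userId, deviceId, serial, outcome: "auto_approved" },
  };
}

// Reporting view: which devices were auto-approved, and on which serial.
function autoApprovedReport(decisions: ApprovalDecision[]): string[] {
  return decisions
    .filter((d) => d.outcome === "auto_approved")
    .map((d) => `${d.audit.userId} ${d.audit.deviceId} ${d.audit.serial} (${d.matched?.description ?? ""})`);
}

// Constructed sample upload: mixed case, stray whitespace, a blank line and a
// duplicate row, to exercise the normalisation above.
const SAMPLE_CSV = [
  "serial_number,description",
  "C02XK1ABCDEF,MacBook Pro (asset 1042)",
  "  5cd9123xyz ,Latitude 5540 (asset 1043)",
  "",
  "c02xk1abcdef,duplicate row, ignored",
].join("\n");

// Four constructed logins: desktop app and browser extension on the same
// approved laptop, an unknown serial, and a device whose serial is unavailable.
function demo(): ApprovalDecision[] {
  const allowlist = parseSerialAllowlist(SAMPLE_CSV);
  return [
    decideDeviceApproval("alice", "desktop-app-1", "c02xk1abcdef", allowlist),
    decideDeviceApproval("alice", "browser-ext-1", "C02XK1ABCDEF", allowlist),
    decideDeviceApproval("bob", "laptop-2", "ZZ-UNKNOWN-99", allowlist),
    decideDeviceApproval("carol", "vm-3", null, allowlist),
  ];
}

console.log(autoApprovedReport(demo()).join("\n"));
```

The serial in this sketch is whatever the client reports, so the match adds assurance only in proportion to how trustworthy that reported value is; the MDM/Asset Management integration listed under future considerations is the natural place for the server to obtain a serial it can rely on rather than one asserted by the client.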
Future Considerations / Potential Enhancements:
- Integration with MDM/Asset Management: In the future, this capability could be significantly enhanced by integrating directly with platforms like Apple Business Manager (ABM) and Microsoft Intune. This would allow for the automatic synchronization of serial numbers from these systems into Bitwarden, further reducing manual effort and potential for error.
- Reporting: Add reporting in the Admin Console to show which devices were auto-approved via serial number match.