Better Security for PIN-Login (only one try)

Fingerprint unlock on a smartphone is too insecure as a quick-login method.
Someone could force you to provide your fingerprint.

I would like to have the option to unlock my account quickly with a 4-6 digit PIN (another possibility would be the first/last 4 digits of the password) - both under Win/Linux and on the smartphone.
To ensure security, it should be possible to configure that you only get one try for this.
If the PIN is wrong, you have to enter the complete password again.

I use a long password to protect my passwords in the safe, but I don’t want to have to re-enter this password every time - e.g. on the smartphone when I need to look something up quickly.

@Hoebelix Welcome to the forum!

Unlocking with a PIN is already an existing option in Bitwarden:

@grb
Hi,

Thx for the reply.
I’ve been using Bitwarden for almost a year now and I forgot that the basic function of PIN entry is included, but the way it’s implemented it’s hardly usable and is basically - just like fingerprint unlock - a big security risk.
After all, if I have endless attempts to enter a 4-6 digit code, a 20-character master password no longer makes sense.

That’s why I should have put the focus of my request on the second part:
“To ensure security, the possibility should be built in that you only have one try for it.
If the PIN is wrong, you have to enter the complete password again.”

My main vault is currently still SafeInCloud, as they offer the best security features coupled with convenience - but SafeInCloud unfortunately has no Linux support.

Example:
You have a 20-character master password and you can set it to unlock the safe quickly with the first 4 characters of that password. For this you have exactly one try - otherwise you have to enter the whole master password again.

You can also set that if a certain number (variable between 5-25) of failed attempts is reached, the entire safe is deleted.

I hope my problem / wish is now more comprehensible.
I have therefore also adapted the heading to the request.
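The policy proposed in the post above (one PIN attempt, then fall back to the full master password; wipe after a configurable number of failed master-password attempts) can be modelled as a small piece of device-side key management. The following is an added example and is not Bitwarden's code or SafeInCloud's code: the vault key is wrapped under a PBKDF2-derived key from the master password and, optionally, under a second key derived from an independent PIN; a wrong PIN is detected by a failed HMAC check and immediately deletes the PIN-wrapped copy, so the next unlock needs the master password. The iteration count, the HMAC-based stream cipher (used only to keep the example to the standard library), the hypothetical `Device` class and the constructed sample secrets are all assumptions of this example.

```python
"""Added example (not Bitwarden's or SafeInCloud's code): one-try PIN unlock
with fallback to the master password and wipe after N failed master attempts."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumption: illustrative work factor, kept low so the example runs quickly.
PBKDF2_ITERATIONS = 200_000


class VaultWiped(Exception):
    """Raised once the wipe threshold has been reached; nothing is left to unlock."""


def _derive(secret: str, salt: bytes) -> tuple[bytes, bytes]:
    # 64 bytes of key material: 32 for the keystream, 32 for the MAC.
    km = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stream cipher (example only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap(secret: str, vault_key: bytes) -> dict:
    """Encrypt-then-MAC the vault key under a key derived from `secret`."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(vault_key, _keystream(enc_key, nonce, len(vault_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap(secret: str, blob: dict) -> Optional[bytes]:
    """Return the vault key, or None if `secret` is wrong (MAC check fails)."""
    enc_key, mac_key = _derive(secret, blob["salt"])
    tag = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


class Device:
    """Hypothetical device-side unlock state implementing the proposed policy."""

    def __init__(self, master_password: str, vault_key: bytes, wipe_after: int = 5):
        self.master_blob: Optional[dict] = wrap(master_password, vault_key)
        self.pin_blob: Optional[dict] = None      # present only while PIN unlock is armed
        self.failed_master = 0
        self.wipe_after = wipe_after
        self.wiped = False

    def enable_pin(self, vault_key: bytes, pin: str) -> None:
        # The PIN is independent of the master password: the PIN-wrapped copy lives on
        # the device, so reusing part of the master password would expose that part.
        self.pin_blob = wrap(pin, vault_key)

    def unlock_with_pin(self, pin: str) -> Optional[bytes]:
        if self.wiped or self.pin_blob is None:
            return None                            # PIN unlock not available; use the master password
        key = unwrap(pin, self.pin_blob)
        if key is None:
            self.pin_blob = None                   # one try only: drop the PIN-wrapped copy
        return key

    def unlock_with_master(self, password: str) -> Optional[bytes]:
        if self.wiped:
            raise VaultWiped
        key = unwrap(password, self.master_blob)
        if key is None:
            self.failed_master += 1
            if self.failed_master >= self.wipe_after:
                self.wipe()
                raise VaultWiped
            return None
        self.failed_master = 0
        return key

    def wipe(self) -> None:
        self.master_blob = None
        self.pin_blob = None
        self.wiped = True


def demo(wipe_after: int = 5) -> dict:
    """Walk through the policy with constructed sample secrets and report what happened."""
    vault_key = secrets.token_bytes(32)
    dev = Device("correct horse battery staple", vault_key, wipe_after=wipe_after)
    dev.enable_pin(vault_key, "4821")
    r = {"pin_ok": dev.unlock_with_pin("4821") == vault_key}
    r["pin_wrong_returns_none"] = dev.unlock_with_pin("0000") is None
    r["pin_disarmed_after_miss"] = dev.pin_blob is None
    r["master_ok"] = dev.unlock_with_master("correct horse battery staple") == vault_key
    misses = 0
    try:
        while True:
            dev.unlock_with_master("wrong password")
            misses += 1
    except VaultWiped:
        r["wiped_after"] = misses + 1
    r["wiped"] = dev.wiped and dev.master_blob is None
    return r


if __name__ == "__main__":
    print(demo())
```

The one-try rule only limits guessing through the unlock prompt: whoever copies the device storage can still try all 10,000 four-digit PINs offline against the PIN-wrapped blob, which is why the PIN must not be a slice of the master password and why a real implementation would keep the PIN-wrapped key in hardware-backed storage rather than a plain file.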

FYI, the current PIN code implementation has a 5-attempt limit.

Someone could force you to give up your pin or password too… :hammer::muscle::fist:

So the answer to this issue could be just like my Trezors for crypto. I set a self destruct PIN where if I enter the designated PIN it wipes and is completed before the screen shows the wipe happened. It could be a short 4 digit PIN and need not be the 8-9 digits the real PIN is.

Could BW consider implementing a self-destruct PIN that, when entered by the user, completely logs the vault out? That should be a simple coding change, I would think, and then a duress attack would leave the user with options.

@OpSec That’s more in line with the feature request “Account self-destruct on device after a # of wrong master password tries”, but strays a bit from what OP has requested here.

@Mxx There is a small difference between someone having to get a password/PIN from me and someone just having to hold my finger on a display.

If they can force you to put your finger on your phone, they can probably beat the password/PIN out of you too… if that’s your threat model…

And yet, they would have to be willing or authorized to use force. That is a big difference.
I don’t know where you live, but for example the police in my country are not allowed to beat you to get a password… But taking your hand for a moment to unlock the PW manager is.

Same where I live too. The self destruct thing works - BUT - only if you realize that when you do that the situation could go to a completely different level of “bad things”. My self destruct is not for when I am present, but for IF the device is stolen and they start guessing PINs, which are really short and they hit the destruct PIN. For when I am present I simply direct to a decoy “situation” using pre-selected digits to get there and they don’t know the difference at all. Sorry, this is getting off topic for BW forum.

Maybe BW could allow you to save one fingerprint which, if used, destroys the vault. You would of course need to remember to never use that finger, but it would be an option. Clearly in this situation you need to BACKUP your vault and verify the backup is flawless, but that is easy to do.

On my Android I enable the option to immediately turn off ALL biometrics by clicking one single button putting the devices into “lockdown” where only a password will be accepted. If I see “lights” I click the button just to be sure.