Hi community, I’m having issues with incosistent Login with Device behavior.
For context: Bitwarden on Windows, Chrome + Bitwarden on Pixel (Android 15), keeping them both signed out after x time.
It can take from 1 to 5+ attempts for the Chrome extension to pick up on the approved login from the mobile app, which after the first approval remains logged in, as I’ve read in earlier threads that can get in the way of the approval being pushed.
And while I did use to keep BW logged in all the time until recently, having had multiple serviced compromised, including Paypal, has finally sobered me up on comfort being directly at odds with security. Still, Login with Device provides an elegant compromise and I’d love to get it working consistently.
Any information and suggestions welcome. If it’s an ongoing issue, I have no problem waiting it out, and if it’s Chrome-specific, I’ll happily switch browsers.
Did you start having the problem after the latest server update yesterday? I certainly have. I think it’s a problem on BW server side, not on your configurations. Since this post of yours, though, my problems with the web app disappeared, although I did clear the cache once. Are you still having a problem? Also with the web vault?
I don’t know the circumstances of your compromise, but maybe some of these ideas may help with the new protocol you are following:
The desktop app on Windows can also be used to approve login. This may help reduce the friction of picking up your phone to approve login. Also, if you have to enter the master password on the phone, having a running and logged-in desktop app would eliminate having to enter the password on the phone.
BW considers the clients in locked state (requiring password on restart) cryptographically safe. Besides being logged out, this is the safest configuration. Having the vault quickly and automatically locked, and rarely logged-out, may be a more usable configuration.
Hey there @Neuron5569, thanks for the info. This has been happening for a few days, so I wouldn’t directly correlate it with the server update.
My mobile BW unlocks via biometrics/face so that part of the process is frictionless. I’ll try the desktop app in hopes it alleviates this issue. And I’ll be switching from Chrome because.. it’s Chrome.
I did just switch back from Ungoogled Chromium though, as having an unsanctioned browser as well as some third party plugins outside of the Chrome Store now rub me the wrong way after my recent sour experience. Even considering nuking my Windows installation out of fear of kelyoggers and such.
As for the locked vault, I decided against that since it doesn’t give the option to unlock via “login with device”, meaning I’d still have to enter my master pw every time. However, maybe I’m overreacting to begin with and should simply stay logged in? Because if my BW was compromised, I’d be seeing a lot more damage since I amassed over 200 accounts
For your “Login with device” failures, the only idea I have is to clear the existing states by uninstalling the app, deleting the data directory (at least for desktop) if needed, exiting the browser, and then reinstalling. For the web app, try clearing the cache and see if that helps. Otherwise, maybe someone else will have an idea.
To clear the malware, here are some options:
Keep scanning with MS Defender and external third-party tools until you’re satisfied. There are free one-time scanners from ESET, Sophos, Emsisoft, Trellix, Dr.Web, TrendMicro, and (unfortunately, probably one of the best) Kaspersky.
Restore from previous backups.
Reinstall the OS.
Ask for help on forums like BleepingComputer, MalwareTips, and the companies’ forums. Just keep in mind that these can be privacy-intrusive since you’ll need to post logs for people to help you. Personally, I’d probably stop at option 3.
You can set up your extension/desktop app to unlock with a PIN (requiring a password on restart) and biometrics/Windows hello too. As mentioned before, BW considers the locked state to be cryptographically safe.
My number one rule for staying safe is to avoid getting malware, because they can take everything, or you have to assume they do, regardless of the precautions you take. Your “layers of defense” approach might stop the attacker at some point, but you can’t know for sure where. If you have risky behaviors or belong to a higher-threat group, getting the best AV protections might give you an edge.
@Neuron5569 The desktop app is working consistently as far as login approvals so I’ll stick with that.
Will look into the other measures you advised, and thank you for going the extra mile to provide suggestions. Cyber security will become an everyday topic as society grows more dependant on digital services. Cheers and have a nice day!
Marked your initial desktop app advice as a solution. I still have to enter the email when logged out despite ticking remember me, but I can live with that.
I’d suggest you continue to unlock your vault using your Master Password. There’s no reason not to; in fact typing it on a regular basis helps build memory retention. I type mine probably 20 times a day every day, no issues.
You type HRxA^3J0c!jkxkd7D#5KpwbFo out 20 times a day, every day?
I’m a fast and accurate typer and haven’t looked at my keyboard in over a decade but there’s a limit to my masochism. Especially when certain symbols such as ^ don’t register at first, requiring me to type it out two times ^^ and then deleting one of them, also counting the number of •••• to see if I did it right. Every day, all the time, for every site I visit, just to auto-fill?
Unless there’s a stark difference in the security between using login with device vs typing out the password, I’d rather stick with the former myself.
Fair enough, as I said earlier comfort doesn’t mix well with security, so if typing it out is more secure than using other means to enter the vault, I may consider the hindrance
