Bitwarden Desktop App Mac Does Not Prompt Re-Enter of Master Password on Biometric Change

On iOS, it appears that certain apps (Bitwarden included) are smart enough to disable biometric verification and prompt the user to log in again (re-enter their master password) when 1) an alternate Face ID is added or 2) Face ID is disabled and then re-enabled.

This is important because a bad actor who gets hold of both your iPhone and your iPhone passcode has the ability to add their own Face ID, thus allowing the bad actor to bypass entering any password (assuming the app does not prompt for re-login).

The same issue applies to macOS. A bad actor who gets hold of both your Mac and your Mac password can add their own Touch ID.

In this case, Bitwarden does not appear to require re-authentication.

A few questions (not sure if anyone knows the answers):

  • Is this a macOS-related limitation? There might not be an API similar to the one on iOS for prompting re-login.
  • Has anyone heard anything about Bitwarden addressing this risk?
  • Is relying on the OS API to let apps know whether or not to prompt re-login reliable at all? Can bad actors get around it?
  • Should we forgo using biometric verification because of this risk (even though using biometrics means one doesn't have to type one's master password, which is important especially in a more public setting)?
  • Am I thinking through this issue straight? What key info am I missing?
  • Is the same possible for the browser extension (e.g. for Safari)?
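On the first question: macOS does expose the same LocalAuthentication mechanism iOS apps use for this. `LAContext.evaluatedPolicyDomainState` (available since macOS 10.12.1) returns an opaque blob that changes whenever the set of enrolled fingerprints or faces changes, so an app can store it when the user last proved the master password and refuse biometric unlock if it differs. The Swift below is an added illustration of that check, not Bitwarden's code, and does not describe what the Bitwarden desktop app actually does; the `biometricBaselineKey` name, the `UserDefaults` storage and the decision enum are assumptions for the example (a real app would keep the baseline in the Keychain).

```swift
import Foundation
import LocalAuthentication

// Assumed key under which the app keeps the enrollment baseline. UserDefaults
// is used only to keep the example self-contained; a real app would use the
// Keychain, or bind the unlock secret to the enrollment set directly with a
// SecAccessControl that uses .biometryCurrentSet so the OS invalidates it.
let biometricBaselineKey = "example.biometricDomainState"

enum BiometricUnlockDecision: Equatable {
    case allowBiometricUnlock      // enrollment unchanged since the baseline
    case requireMasterPassword     // enrollment changed, or no baseline recorded yet
    case biometricsUnavailable     // nothing enrolled, or no biometric hardware
}

/// Reads the opaque enrollment-state blob from LocalAuthentication.
/// evaluatedPolicyDomainState is only populated after canEvaluatePolicy
/// or evaluatePolicy has run on the context.
func currentEnrollmentState() -> Data? {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        return nil
    }
    return context.evaluatedPolicyDomainState
}

/// Pure decision logic, kept separate from the OS calls so it is easy to reason about:
/// no baseline means the user has never proved the master password on this enrollment set.
func decide(current: Data?, baseline: Data?) -> BiometricUnlockDecision {
    guard let current = current else { return .biometricsUnavailable }
    guard let baseline = baseline else { return .requireMasterPassword }
    return current == baseline ? .allowBiometricUnlock : .requireMasterPassword
}

/// Called at unlock time. If a fingerprint or face was added or removed since the
/// user last typed the master password, biometric unlock is refused.
func biometricUnlockDecision(defaults: UserDefaults = .standard) -> BiometricUnlockDecision {
    let baseline = defaults.data(forKey: biometricBaselineKey)
    return decide(current: currentEnrollmentState(), baseline: baseline)
}

/// Called only after the user has successfully entered the master password (or
/// explicitly enabled biometric unlock): the current enrollment set becomes the
/// new trusted baseline.
func recordEnrollmentBaseline(defaults: UserDefaults = .standard) {
    if let state = currentEnrollmentState() {
        defaults.set(state, forKey: biometricBaselineKey)
    } else {
        defaults.removeObject(forKey: biometricBaselineKey)
    }
}

// Example unlock flow.
switch biometricUnlockDecision() {
case .allowBiometricUnlock:
    print("Enrollment unchanged: biometric unlock may proceed.")
case .requireMasterPassword:
    print("Enrollment changed or no baseline: prompt for the master password, then call recordEnrollmentBaseline().")
case .biometricsUnavailable:
    print("Biometrics unavailable: fall back to the master password.")
}
```

Comparing the domain state is a detection, not a cryptographic binding: the stored baseline is only as trustworthy as where it is kept, and an app that simply skips the comparison gains nothing from it. The stronger design stores the vault unlock key in a Keychain item protected by an access control created with `.biometryCurrentSet`, so the operating system itself makes the key unreadable when the enrolled set changes and the app is forced back to the master password regardless of its own bookkeeping.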