Browser biometrics need desktop client to be unlocked?

I have configured the desktop app & browser extension to work together to let me unlock the vault using biometrics. Both use a timeout and are locked most of the time. Since some update a few weeks ago, I can’t biometrics-unlock the browser extension anymore while the desktop app is locked. (! - it’s locked! I’m logged into both apps)

I actually get an error message that explicitly explains this:

My question is why? Why would I want this? I need to unlock two apps now every time instead of just one. Is this a bug / broken feature?

For details, instead of just touching my fingerprint sensor, I need to (1) open the Bitwarden app from my dock, (2) click “Unlock via TouchID”, (3) touch the fingerprint sensor, (4) minimize, (5) open the browser extension, (6) touch the fingerprint sensor again. - For no apparent reason?

I’m on Mac.

Hello Steffen,

This behavior has been introduced recently to fix the vulnerability of leaving the encryption key in plaintext memory. See links to GitHub’s issues in this post:

Eh, I see, thanks for this! I understand the problem and I guess it makes sense to be conservative here for now. I don’t really have anything to say but of course it’d be impractical if it stayed like this (at least without very long timeout intervals, which would be a security problem in their own right).

You can do these to alleviate the pain for now. I am sure they are on it; otherwise, they will keep getting complaints and comparisons that BW is hard to use.

  • Use “Login with Device” to avoid entering the master password so much
  • Use PIN to lock, although you need to reset this every time you log in
  • Don’t close down the browser so you don’t get locked prompting for master password.

This has become a big annoyance for me as well. I’m using Windows and Google Chrome, and I have both the extension and the desktop application configured to lock whenever I lock Windows. I was previously able to just unlock either of them when I needed to, but now I have to unlock both every time just as the user above described.

With the new changes, is there any way I can still have both the desktop app and extension lock themselves when I lock Windows, and use biometrics to unlock the extension while the desktop app stays locked? If not, is a solution in the works to re-enable this use case?

@Nathan_Walker Welcome to the forum!

As explained in a comment posted on GitHub by @mgibson, this is a temporary stop-gap measure to address a serious security vulnerability that was recently discovered; Bitwarden is working on a more permanent solution that will not require the two apps to be separately unlocked.

Glad to see this is temporary!

  • Don’t close down the browser so you don’t get locked prompting for master password.

That doesn’t work for me, I have timeouts on both the desktop app and the browser set pretty short, 2 minutes, so I have to authenticate almost every time unless it’s been less than 2 minutes.

I’m guessing changing the timeouts to much longer will alleviate the problem, but is not good security practice.

How about using PIN instead of Biometrics until they fix this on a more permanent basis?