I have a Macbook Air with Macos Sonoma fully updated! I have noticed since this last update in the Apple Mac App store. I have to unlock the Desktop App before Biometrics will work in the Web Browser Extension this is both Firefox and Brave or Chrome the same thing. Not sure in Safari i don’t use it as a rule. Before this last update the biometrics would work with the Desktop App locked or unlocked.
Hello T.J,
Bitwarden seems to have changed it to fix some still-unclear security problem, probably on an interim basis. If you can’t stand the new behavior, you may want to use PIN unlock until they fix it on a long-term basis.
https://old.reddit.com/r/Bitwarden/comments/1cyw9sp/extension_202450_always_requires_desktop_app_to/
Sorry to report that did not work for me. I reset all the biometrics settings on both the desktop app and the browser extension (I tried Chrome, Edge and Safari), but it keeps happening. My exact symptom is that I click on the “Unlock with biometrics” button in the browser extension and it does nothing. I have to then go to the desktop app, click that button to unlock the desktop app, then return to the browser extension and click the button there, and then I get the prompt (via the desktop app) and it works. Whew.
Yes I am getting this more and more frequently.
I don’t understand the road bitwarden is taking, the preferences are some of the most confusing I have found for any software. I am non the wiser as to whats happening with any of the myriad options. regardless on PC in particular it seems to ignore everything and ask me very frequently for my master password.
As per good advice I have an insane master password, having to constantly enter it because of ultra confusing prefs or poorly preforming software is annoying to say the least.
My better half is constantly moaning now about having to tell it every time that she wants to use biometrics, it makes a mockery of the whole thing.
@johnedee @garethsnaim et al.:
Especially to the last posts here: there seems to be a recent change in the “biometrics-procedure” due to security issues - see here: Biometrics
It seems change has been made to Firefox extension and now it is not possible to do biometric unlock without unlocking desktop app first.
This is very inconvenient. Every time I want to fill a password I need to switch to desktop app to do biometric unlock, then back to Firefox and again biometric unlock. This makes the extension almost useless.
This post https://old.reddit.com/r/Bitwarden/comments/1cyw9sp/extension_202450_always_requires_desktop_app_to/l5crkrk/ acknowledges the issue and says:
“This is expected new behavior to protect the encryption key stored by the desktop app, which is used for biometrics, from being used unexpectedly. The team is discussing solutions to allow this flow in a secure way.”
I am starting this thread to be able to track progress on solving this, as I believe this is critical for many users.
Here are a few related issues being tracked on Github. This first comment seems to be a long-term overview of what BW wants to achieve, and why this double-unlock behavior was introduced as an interim solution (with more details than in the reddit thread).
Also:
Thanks for pointing me to issues discussing this.
Makes sense, I am happy that it is acknowledged and will be eventually addressed.
I have configured the desktop app & browser extension to work together to let me unlock the vault using biometrics. Both use a timeout and are locked most of the time. Since some update a few weeks ago, I can’t biometrics-unlock the browser extension anymore while the desktop app is locked. (! - it’s locked! I’m logged into both apps)
I actually get an error message that explicitly explains this:
My question is why? Why would I want this? I need to unlock two apps now every time instead of just one. Is this a bug / broken feature?
For details, instead of just touching my fingerprint sensor, I need to (1) open the bitwarden app from my dock, (2) click “Unlock via TouchID”, (3) touch the fingerprint sensor, (4) minimize, (5), open the browser extension, (6) touch the fingerprint sensor again. - For no apparent reason?
I’m on Mac.
Hello Steffen,
This behavior has been introduced recently to fix the vulnerability of leaving the encryption key in plaintext memory. See links to Github’s issues in this post:
Eh, I see, thanks for this! I understand the problem and I guess it makes sense to be conservative here for now. I don’t really have anything to say but of course it’d be impractical if it stayed like this (at least without very long timeout intervals, which would be a security problem in their own right)
You can do these to alleviate the pain for now. I am sure they are on it; otherwise, they will keep getting complaints and comparison that BW is hard to use.
- Use “Login with Device” to avoid entering the master password so much
- Use PIN to lock, although you need to reset this every time you log in
- Don’t close down the browser so you don’t get locked prompting for master password.
This has become a big annoyance for me as well. I’m using Windows and Google Chrome, and I have both the extension and the desktop application configured to lock whenever I lock Windows. I was previously able to just unlock either of them when I needed to, but now I have to unlock both every time just as the user above described.
With the new changes, is there anyway I can still have both the desktop app and extension lock themselves when I lock Windows, and use biometrics to unlock the extension while the desktop app stays locked? If not, is a solution in the works to re-enable this use case?
@Nathan_Walker Welcome to the forum!
As explained in a comment posted on GitHub by @mgibson, this is a temporary stop-gap measure to address a serious security vulnerability that was recently discovered; Bitwarden is working on a more permanent solution that will not require the two apps to be separately unlocked.
Glad to see this is temporary!
- Don’t close down the browser so you don’t get locked prompting for master password.
That doesn’t work for me, I have timeouts on both the desktop app and the browser set pretty short, 2 minutes, so I have to authenticate almost every time unless it’s been less than 2 minutes.
I’m guessing changing the timeouts to much longer will alleviate the problem, but is not good security practice
How about using PIN instead of Biometrics until they fix this on a more permanent basis?
Apologies if I’m in the wrong thread.
I’m looking forward to getting this functionality back. I’ve been over to the github site and there has been no update there for 3 weeks. Will someone post a message here or somewhere when the “fix” rolls out?
I don’t know when the fix is going to be rolled out.
Here’s a comment from one of the above links:
PR #9945 has still not been merged. Looks like the most recent activity was July 22, and there is one pending review.
So, there have been some activities, and it seems close to me, but I don’t know their review process.
Awaiting code review and QA on most of the changes required to bring the biometrics ux back up to par. I might have to follow up on the status on this since it’s a high priority issue.
I am pretty sure that there will be celebration on all the forums when the need for this vulnerability-mitigation is no longer needed.
As for notification, the release notes are the most authoritative (although not quickest) source: