Browser biometrics requires unlocked desktop app

I have a MacBook Air with macOS Sonoma, fully updated! I have noticed that since this last update from the Apple Mac App Store, I have to unlock the Desktop App before biometrics will work in the web browser extension; this is the same in both Firefox and Brave or Chrome. Not sure about Safari, I don’t use it as a rule. Before this last update the biometrics would work with the Desktop App locked or unlocked.

Hello T.J,

Bitwarden seems to have changed it to fix some still-unclear security problem, probably on an interim basis. If you can’t stand the new behavior, you may want to use PIN unlock until they fix it on a long-term basis.

https://old.reddit.com/r/Bitwarden/comments/1cyw9sp/extension_202450_always_requires_desktop_app_to/

1 Like

Sorry to report that did not work for me. I reset all the biometrics settings on both the desktop app and the browser extension (I tried Chrome, Edge and Safari), but it keeps happening. My exact symptom is that I click on the “Unlock with biometrics” button in the browser extension and it does nothing. I have to then go to the desktop app, click that button to unlock the desktop app, then return to the browser extension and click the button there, and then I get the prompt (via the desktop app) and it works. Whew.

Yes I am getting this more and more frequently.

I don’t understand the road Bitwarden is taking; the preferences are some of the most confusing I have found for any software. I am none the wiser as to what’s happening with any of the myriad options. Regardless, on PC in particular it seems to ignore everything and ask me very frequently for my master password.

As per good advice I have an insane master password; having to constantly enter it because of ultra-confusing prefs or poorly performing software is annoying, to say the least.

My better half is constantly moaning now about having to tell it every time that she wants to use biometrics, it makes a mockery of the whole thing.

@johnedee @garethsnaim et al.:

Especially to the last posts here: there seems to be a recent change in the “biometrics-procedure” due to security issues - see here: Biometrics

It seems a change has been made to the Firefox extension, and now it is not possible to do a biometric unlock without unlocking the desktop app first.

This is very inconvenient. Every time I want to fill a password I need to switch to desktop app to do biometric unlock, then back to Firefox and again biometric unlock. This makes the extension almost useless.

This post https://old.reddit.com/r/Bitwarden/comments/1cyw9sp/extension_202450_always_requires_desktop_app_to/l5crkrk/ acknowledges the issue and says:

“This is expected new behavior to protect the encryption key stored by the desktop app, which is used for biometrics, from being used unexpectedly. The team is discussing solutions to allow this flow in a secure way.”

I am starting this thread to be able to track progress on solving this, as I believe this is critical for many users.

3 Likes

Here are a few related issues being tracked on GitHub. This first comment seems to be a long-term overview of what BW wants to achieve, and why this double-unlock behavior was introduced as an interim solution (with more details than in the reddit thread).

Also:

2 Likes

Thanks for pointing me to issues discussing this.

Makes sense, I am happy that it is acknowledged and will be eventually addressed.

2 Likes

I have configured the desktop app & browser extension to work together to let me unlock the vault using biometrics. Both use a timeout and are locked most of the time. Since some update a few weeks ago, I can’t biometrics-unlock the browser extension anymore while the desktop app is locked. (! - it’s locked! I’m logged into both apps)

I actually get an error message that explicitly explains this:

My question is why? Why would I want this? I need to unlock two apps now every time instead of just one. Is this a bug / broken feature?

For details, instead of just touching my fingerprint sensor, I need to (1) open the bitwarden app from my dock, (2) click “Unlock via TouchID”, (3) touch the fingerprint sensor, (4) minimize, (5), open the browser extension, (6) touch the fingerprint sensor again. - For no apparent reason?

I’m on Mac.

2 Likes

Hello Steffen,

This behavior has been introduced recently to fix the vulnerability of leaving the encryption key in plaintext memory. See the links to GitHub issues in this post:

Eh, I see, thanks for this! I understand the problem and I guess it makes sense to be conservative here for now. I don’t really have anything to say, but of course it’d be impractical if it stayed like this (at least without very long timeout intervals, which would be a security problem in their own right).

1 Like

You can do these to alleviate the pain for now. I am sure they are on it; otherwise, they will keep getting complaints and comparisons saying that BW is hard to use.

  • Use “Login with Device” to avoid entering the master password so much
  • Use PIN to lock, although you need to reset this every time you log in
  • Don’t close down the browser so you don’t get locked prompting for master password.

This has become a big annoyance for me as well. I’m using Windows and Google Chrome, and I have both the extension and the desktop application configured to lock whenever I lock Windows. I was previously able to just unlock either of them when I needed to, but now I have to unlock both every time just as the user above described.

With the new changes, is there any way I can still have both the desktop app and extension lock themselves when I lock Windows, and use biometrics to unlock the extension while the desktop app stays locked? If not, is a solution in the works to re-enable this use case?

@Nathan_Walker Welcome to the forum!

As explained in a comment posted on GitHub by @mgibson, this is a temporary stop-gap measure to address a serious security vulnerability that was recently discovered; Bitwarden is working on a more permanent solution that will not require the two apps to be separately unlocked.

2 Likes

Glad to see this is temporary!

  • Don’t close down the browser so you don’t get locked prompting for master password.

That doesn’t work for me. I have the timeouts on both the desktop app and the browser set pretty short (2 minutes), so I have to authenticate almost every time unless it’s been less than 2 minutes.

I’m guessing changing the timeouts to something much longer will alleviate the problem, but that is not good security practice.

How about using PIN instead of Biometrics until they fix this on a more permanent basis?

Apologies if I’m in the wrong thread.

I’m looking forward to getting this functionality back. I’ve been over to the GitHub site and there has been no update there for 3 weeks. Will someone post a message here or somewhere when the “fix” rolls out?

I don’t know when the fix is going to be rolled out.

Here’s a comment from one of the above links:

PR #9945 has still not been merged. Looks like the most recent activity was July 22, and there is one pending review.

So, there have been some activities, and it seems close to me, but I don’t know their review process.

1 Like

Awaiting code review and QA on most of the changes required to bring the biometrics UX back up to par. I might have to follow up on the status of this since it’s a high-priority issue.

1 Like

I am pretty sure that there will be celebration on all the forums when this vulnerability mitigation is no longer needed.

As for notification, the release notes are the most authoritative (although not quickest) source:

1 Like