Can BitWarden remove 'fears around a [personal] passkey sync provider account becoming “locked”'?

According to both the blog and a community post, as of 2022 “if you connect to the internet after 30 days of inactivity, Bitwarden will log you out, which wipes out the local vault copy.”[grb]

I presume this is still the case?

Secondly, according to the current docs Bitwarden has a feature to “deauthorize sessions from the Account settings page of your web vault to force logout”. Again, a logout is expected to wipe out the local vault copy.

This design doesn’t fit my own preferences. I would prefer to err on the side of availability. I personally could (and do) use manual backup features. However, the complexity means that recommending BitWarden to others is beyond me.

Clearly this is an opinion, but I found some people feel similarly. At least for personal use.

A lot of feedback I’ve gotten on my post about passkeys from yesterday is about fears around a passkey sync provider account becoming “locked” or otherwise invalid.

If your passkey sync fabric provider can remotely nuke your saved passkeys from instances of the app running on your devices or otherwise make the data inaccessible, that’s genuinely horrible…

- hachyderm.io/@rmondello, 17 Dec 2025

To my knowledge, the big 3 personal passkey providers (A/G/M) work the opposite way to BitWarden, consistent with their password managers. Firefox Account doesn’t store passkeys, but they also don’t support remote-wipe passwords.

The comments on Mondello’s post may have been inspired by a contemporary event:

20 Years of Digital Life, Gone in an Instant, thanks to Apple

- hey.paris, December 13, 2025

I’m not sure I understand the issue. Why is it a problem to simply log back in?

Yes, it’s absolutely true that the remote server can log your connected clients out, and if you lose access to the account—either by losing the credentials to access it (which happens all the time) or Bitwarden locking you out (either due to network restrictions, which happens sporadically, or by a policy lock, which is presumably possible but hasn’t happened).

Regular backups of your Bitwarden vault have always been a “necessary” part of keeping your credentials accessible. Many people don’t back up and can use Bitwarden successfully for many years, but these are just the lucky ones (or the majority). For the unlucky (or the minority), they may lose all their credentials (including passkeys) stored in Bitwarden if they can’t plead their case with customer support in time.

I believe KeePassXC can import passkeys exported by Bitwarden. This doesn’t address your point about being able to recommend Bitwarden to other people, but this is how it is now.


Bitwarden also doesn’t “remote-wipe passwords” – it’s just how the BW clients work: the local storage gets deleted when you log out. (Some would see this as a security benefit, BTW.)

And I don’t see the difference to Apple/Google/Microsoft: when you store credentials in their cloud system and you log out on every device, you also can’t access what’s stored inside those accounts… until you log back in again.

So I too don’t understand the issue. (above and beyond the general / universal part of it…)

When I log out of Firefox Account in Firefox, it doesn’t wipe the passwords in Firefox. (Technically, Firefox shows a tickbox that, IIRC, lets you choose to wipe the passwords at the same time, but only as a convenience).

Chrome works the same. I believe Microsoft and Apple do as well. (Work-managed accounts might work differently).

If you log out of Google Password Manager on Android locally, it should wipe the local passwords & passkeys. But if you remove your device from your Google Account on accounts.google.com - or Google decides it needs to sanction you because you work for the ICC[*] - then all your synced data remains accessible on your device, & it shows you a nice warning triangle etc. Generally, the device will have automatically synced all the passkeys from the online account, and they can still be used when Google is unreachable or unavailable.

Android supports remote-wipe at the device level, but it only works if you have Find Hub turned on. The doc seems to say Find Hub is now default-on. However, 1) you can opt out, unlike BitWarden 2) my personal threat model does not include Google deciding it wants to remote-wipe my devices 3) Google does not automatically remote-wipe my passkeys if the device has been inactive/offline for 30 days, a prospect which does make me feel threatened^W anxious. YMMV.

[*] Ah, yeah, another reason why this might have been a popular concern in Mondello’s replies.

… “remote-wipe my passkeys” is unnecessarily inaccurate here. You could say the only thing that happens here, is, that the temp data on the device gets deleted (expectedly!) and you have to re-authenticate then.

And I think one could say, you’re essentially complaining that Bitwarden is an online password manager, where your data is stored on a BW server (cloud or self-hosted) and only locally “downloaded” for using the data (and only “decrypted” there). If you really don’t agree with this general design of an online password manager, then you should consider changing to an offline password manager. (but also consider that if you lost e.g. the master password to e.g. a database file of the offline password manager KeePassXC then you also are “locked out” from your credentials there)

Or I can use the Apple or Google passkey systems.

  • passkeys in your Google account: no access, when you were logged out (when you say “but I can login again”: yeah, no difference to Bitwarden in that regard)
  • local on the device: when your phone dies, gets stolen or whatever, then your passkeys are gone too…

If Google Account removes my device, I believe the passkeys which were synced to my device will continue to work. Would you like me to test that?

Actually, yeah, why not test this… but before you test this:

  1. I mean: logged out of your Google account on that device – and that device is removed from your Google account then.

  2. And: I don’t know what “passkeys which were synced to my device” would be if we are accurate now. Passkeys are either device-bound/hardware-bound (and then they really are on your device/hardware, and can’t be synced) – or passkeys are synced or “software-bound”, and therefore can’t be stored on the device itself.

  3. And the synced passkeys from that “live” in your Google account should indeed not be accessible on your device, when you are logged out from your Google account / (and) when that device is removed from your Google account…

PS: So, before you test this, make sure what (and where) you are actually seeing right now on your device – and that’s not always easy, as a passkey doesn’t have a “label” which says what it is (device-bound or synced)… Best thing would be, if you had some passkeys only in your Google account – when they’re still there or inaccessible, that should be a result we can make use of.
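The post above points out that a passkey carries no visible label saying whether it is device-bound or synced. A relying party, though, can tell from the WebAuthn authenticator data returned with every registration and assertion: the flags byte carries a backup-eligible (BE) bit and a backup-state (BS) bit, and a credential with BE clear is device-bound while one with BE and BS set is synced. The following is an added example (not code from the thread or from any of the providers discussed) that parses the fixed 37-byte prefix of authenticator data and classifies the credential; the `example.com` RP ID and the sample byte strings are constructed for the demonstration.

```python
import hashlib
import struct

# WebAuthn authenticator data flag bits (byte 32 of authenticatorData).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced off the device
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the fixed prefix
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def classify_passkey(flags: int) -> str:
    """Return whether the credential is device-bound or synced, based on the BE/BS flags."""
    backup_eligible = bool(flags & FLAG_BE)
    backed_up = bool(flags & FLAG_BS)
    if backed_up and not backup_eligible:
        # The spec forbids BS=1 with BE=0; treat such a response as malformed.
        raise ValueError("invalid flags: backup state set on a non-backup-eligible credential")
    if not backup_eligible:
        return "device-bound"
    if backed_up:
        return "synced"
    return "backup-eligible, not currently backed up"


def check_assertion(auth_data: bytes, expected_rp_id: str) -> dict:
    """Minimal RP-side checks on the prefix: RP ID hash, user presence, and credential kind."""
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence flag not set")
    parsed["kind"] = classify_passkey(parsed["flags"])
    return parsed


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample prefix (no attested credential data or extensions), for this demo only."""
    return (
        hashlib.sha256(rp_id.encode("utf-8")).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    synced = build_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    bound = build_sample_auth_data("example.com", FLAG_UP | FLAG_UV, 17)
    print(check_assertion(synced, "example.com")["kind"])  # synced
    print(check_assertion(bound, "example.com")["kind"])   # device-bound
```

On a real response the flags byte is followed by attested credential data (when AT is set) and extensions (when ED is set); the prefix parsed here is the same in both registration and assertion responses, so the BE/BS classification can be recorded at registration and compared on later sign-ins.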

@sourcejedi I’m still interested in an answer to this question:

Alternatively, it doesn’t seem so difficult to refrain from logging out or deauthorizing your sessions, and to make sure that you use your Bitwarden apps at least once a month.

1. You can’t log back in if you’re banned by BitWarden. Whether because of a BitWarden security policy, or because they have been ordered to by their government.

2. As BitWarden isn’t one of the big 3 personal passkey providers (A/G/M), I have to ask “What happens if BitWarden comes to an end, as all things do”.

Ironically, the big 3 have this very simple answer.

I realize I failed to point this out before. This one nags at me personally, more than being banned by BitWarden.

You may have an argument that reassures yourself, that the remote-wipe feature can’t cause you a problem in practice.

“Remote-wipe doesn’t exist” is a simpler assurance for me, to remember, review, and suggest to others. (Or “is turned off”, but I’d be less happy with “this option is turned off on my devices” at the app level, than I am with turning off device-level remote-wipe).

(And yes, the big 3 have Resources. This is a feature that I’d like. It’s up to BitWarden whether it’s their priority or not. And how it could be reconciled with what business customers want).

3. The “30 day” (or “90 day on mobile”) part doesn’t help me as a reassurance. Any expiry period is going to make me feel there’s a “fail-closed” mechanism. And there is.

There was a server issue yesterday that caused some users to get logged out. Nothing to be concerned about, it can happen every now and then, for various reasons.

- u/cryoprof, March 25, 2023

4. Another factor in this is 2FA anxiety.

Remember that every darn service has its own theory of 2FA to get tripped up by.

I suspect you could make a good argument to reassure about this one, for most users needs.

I would like “device + device unlock PIN + bitwarden password = I can still use the credentials that were synced to the bitwarden app”. Because it makes a simpler argument for me to remember etc.

The same would be true for Apple, Google, Microsoft.

But why would you even be banned by Bitwarden? – I can’t remember any case here on the forum… As long as you use Bitwarden as it is meant to be, there should be no worry.

I’m frankly more concerned that e.g. Microsoft “decides” their AI would detect any “suspicious activity” in my account activity, OneDrive etc. and disable my account out of nowhere. (there are reports like that)


There is no known example of this happening, whereas it does happen on a regular basis for users who are trapped in the Google, Apple, or Microsoft ecosystems, with devastating consequences (see examples here, here, here, here, here, and here, as well as your own example here).

Nonetheless, if that is your main concern, there are only two solutions:

  • Host your own Bitwarden server.

or

  • Regularly create vault exports.
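A vault export is only a remedy for the lock-out scenario discussed above if it actually contains the passkeys you care about, and an encrypted export is no use without a working Bitwarden login (or the export password) to decrypt it. The following is an added example, not from the thread or from Bitwarden, of a small check to run over an unencrypted JSON export before trusting it as a backup: it lists which RP IDs have a passkey stored and which expected ones are missing. The field names (`items[].login.fido2Credentials[].rpId` and the top-level `encrypted` flag) are assumptions about the export format and should be checked against a real export; the sample document is constructed for the demonstration.

```python
import json

# Constructed sample in the shape of an unencrypted Bitwarden JSON export.
# Field names are assumed, not taken from the thread; verify against a real export.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [
        {
            "id": "item-1", "type": 1, "name": "Microsoft",
            "login": {
                "username": "me@example.com", "password": "hunter2",
                "fido2Credentials": [
                    {"credentialId": "cred-1", "rpId": "login.microsoft.com",
                     "userHandle": "uh-1", "creationDate": "2025-12-01T00:00:00Z"}
                ],
            },
        },
        {
            "id": "item-2", "type": 1, "name": "Example",
            "login": {"username": "me", "password": "pw", "fido2Credentials": []},
        },
        {"id": "item-3", "type": 2, "name": "A note", "secureNote": {"type": 0}},
    ],
})


def passkey_inventory(export_text: str) -> dict:
    """Map each RP ID found in the export to the names of items holding a passkey for it."""
    doc = json.loads(export_text)
    if doc.get("encrypted"):
        # An encrypted export cannot be inspected here; it also cannot be read back
        # without the account key or export password, which is the point of this check.
        raise ValueError("encrypted export: use an unencrypted export for this check")
    inventory: dict = {}
    for item in doc.get("items", []):
        login = item.get("login") or {}
        for cred in login.get("fido2Credentials") or []:
            rp_id = cred.get("rpId") or "<missing rpId>"
            inventory.setdefault(rp_id, []).append(item.get("name"))
    return inventory


def missing_passkeys(inventory: dict, expected_rp_ids) -> list:
    """RP IDs you expect to have a passkey for that are absent from the export."""
    return sorted(set(expected_rp_ids) - set(inventory))


if __name__ == "__main__":
    found = passkey_inventory(SAMPLE_EXPORT)
    print(found)  # {'login.microsoft.com': ['Microsoft']}
    print(missing_passkeys(found, ["login.microsoft.com", "github.com"]))  # ['github.com']
```

To use it on a real export, read the file into `passkey_inventory` instead of `SAMPLE_EXPORT` and pass the list of sites you have registered passkeys with to `missing_passkeys`; an empty result means the backup covers them. Remember that an unencrypted export contains plaintext secrets and should be stored accordingly.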

The same is not true for passwords in Firefox or Google Chrome. I tested it: You don’t need to log back in, in order to continue using the passwords which had been synced to the browser.

I’ve done the Android v Google Account test now.

You don’t need to log back in to Google Account, in order to continue using the passkeys which had been synced to your Android device.

Recording isn’t great, because it blanked the part where I removed the device from Google Account. If you skip to 4:10, you can see the resulting “! Verify that it’s you” warning, and that I’m still able to use the synced passkey to sign in to Microsoft (and still able to use a synced password).

Video: https://www.youtube.com/watch?v=tsiNIMdc1-s

You made a good point about checking for device-bound passkeys. Last phase of the test was to sign out of Google Account on the device. The video then confirms the passkey and password are removed.

(Finally, after the video, I signed the device back in, and the passkey and password re-appeared).

Of the systems I’ve seen, Bitwarden is the odd one out. Do you know any other consumer service that does remote-wipe passkeys or passwords? I.e. that treats the local copies as caches that expire, instead of persistent synced data?

Hopefully we’re all agreed on those facts now! I think I understand the available approaches for BitWarden, hence my attempt to write this up as a potential feature change.

Most reputable password managers behave like this, because it is considered to be a security feature.

1Password is reputable, and they do not. They suggest using device-level remote-wipe features. So I’m curious, if someone knows another consumer password manager that does implement app-level remote wipe?

I think you’ve misunderstood the article that you linked, which appears to discuss the scenario in which your device is lost while 1Password is still logged in. The same applies in Bitwarden — if your device is lost or stolen while your Bitwarden vault is still logged in, the data is still present on the device.

The following article describes how to sign out of 1Password, which does “remove the vaults” from your device (just like logging out of Bitwarden purges the local vault cache):

Ah, I was wrong about 1Password. Thanks!

I should have noticed it has separate steps for “Deauthorize device” v.s. “Regenerate Secret Key”.

The docs aren’t quite explicit, but their forum support staff say it triggers a remote-wipe, as opposed to a Google Account style remote disconnection.

“If the [device] is connected to the internet when 1Password is next opened, all data will be purged from that device before it can be used.” [2022]

“Now, if the device is connected to the internet when 1Password is next opened, all data will be purged from that device before it can be used.” [2018]
