CLI: Support alternative vault unlock methods (PIN, biometrics, passkey)

Feature name

Alternative unlock methods for bw unlock after initial login

Feature function

All other Bitwarden clients — browser extension, desktop app, and mobile — support alternative
unlock methods after the initial login. The CLI is the only client that always requires the full
master password, both for bw login and bw unlock.

This creates unnecessary friction for interactive workflows where the vault needs to be unlocked
repeatedly throughout a session.

Proposed unlock methods (priority order):

1. PIN — a short, locally-verified code set after bw login
2. Biometrics — delegate to the OS (Windows Hello, Touch ID)
3. Passkey — longer term, aligns with Bitwarden’s passkey direction

The security boundary at bw login (full master password required) should remain unchanged.
Alternative unlock methods would only be available after the initial authenticated session is
established — exactly as implemented in other clients.

Related topics + references

• Unlock with PIN (closed) — narrower request, closed 2025
• Persist CLI unlock without BW_SESSION (closed) — related, closed 2025
• GitHub: bitwarden/clients — upstream CLI repo

Hey @mu88,

I just closed this one as there already are existing feature requests for that:

• CLI: Unlock with PIN (–> I just reopened that one)
• Biometric unlock for Bitwarden CLI
• Unlock with passkeys / FIDO2 (targets all BW apps/clients)

Please join those!