Compatibility of bitwarden vault login with usb fingerprint readers?

Can anyone tell me if I can just buy a Kensington usb fingerprint reader with my windows 10 PC and then use it to authenticate to bitwarden (desktop app and especially browser extentions of Chrome/Firefox) instead of my master password?

What I actually want to achieve is to force bitwarden to log out after a relativly short time because it is the only possibility at the moment to force that the security key needs to be used (which I consider the only real safety for me). But if I do so I will always have to type in my master password as well, which is kind of bulky as it is a secure password with somewhat like 20 digits…

I had a look at the Kensington webpage and they advertise that their verimark Fingerprint Key is FIDO U2F and Windows Hello compatible and works with several password managers but bitwarden is not in the list.

Is there any fingerprint reader on the market, which will enable what I am trying to do or is this feature just not possible at the moment? I really need that sort of passwordless convenience in combination with safety. And fingerprint plus security key just seems to be a really nice combination.

2 Likes

Unfortunately, this is not possible. Your master password is always required to login to your vault because it is needed to generate a decryption key in your Bitwarden client so that your vault contents can be decrypted on your device.

Bitwarden does support Windows Hello (and biometric devices compatible with Windows Hello), but only for unlocking your vault. However, your hardware security key would not be needed to unlock, defeating your proposed workflow, if I understand correctly.

I mean: The whole story about FIDO2 is to ultimately make secure 2FA passwordless authentication possible. I understood it in the following manner: I need at least 2 of these factors to authenticate:

  • something that I remember (e.g. master password)
  • something that I own (e.g. security key)
  • someone that I am (e.g. fingerprint, facial recognition, DNA :smile: …)
  • (somewhere where I am (location))

Somehow it seems odd to me: I have perfectly unique biometrical attributes engraved into my fingertips, which could all be considered perfect unique master passwords. But is there no way to replace the somehow inconvenient something that I remember-token by the lot more convenient something that I am-token or maybe - which I would even consider the very best option - additionally / as alternative to the master password?

I’ve seen for example that the a relativly new Kensington fingerprintreader (VeriMark Guard USB-A/C) seems to store up to 10 fingerprints secureley encrypted on the device itself so that the confirmation check if a fingerprint was correct is done internally in the device and handed back to the operating system. And the device is fido2 cetified (of which I hope means that it supports WebAuthn and all that stuff). And I think the YubiKey Bio is very similar.

Both devices (VeriMark Guard USB-A/C and YubiKey Bio) could be considered 2 factors within one device, because you have to own the device and to be able to prove that you are a certain person with the device. This would be a passwordless and secure dream if it was already supported anywhere (I don’t know if it is…?).

Does bitwarden have any plans for the future regarding this matter?
Is it so complicated to generate the possibility to decrypt a vault with two private keys (one is your master password and the other is for example your fingerprint)?
Am I missing some point?

1 Like