Consistent handling of Master Password re-prompt for TOTP
Feature function
For an item with TOTP and Master Password Re-prompt enabled, the TOTP code is available by simply viewing the item; however, trying to copy the TOTP code will result in a Master Password prompt.
In line with the goal of the Master Password re-prompt functionality, either the TOTP code should be hidden until the Master Password is entered, or it should be possible to copy it without the re-prompt. Currently, the re-prompt isn’t serving any purpose.
Personally, I would rather the prompt not be required for the TOTP code, and have more flexibility in deciding which fields the prompt appears for (Master password re-prompt on specified sub-fields), but regardless I think it should be consistent.
I find this to be a huge security hole: if someone steals my laptop while it is still on and logged in, they can use all my TOTPs without having to put in any passwords, even though I have specified password re-prompt for those accounts.
You might consider setting a “vault timeout action” to protect against this risk. The common approach seems to be “lock” after N minutes and then configure biometrics to make small values of N tolerable.
I’m going to close this feature request, as I think it is being tracked here already: Require Re-Prompt for Entire Item (view, edit, etc.) as Bitwarden seems to implement that also on all clients (which should eventually also result in a consistent handling for TOTP). – So, this discussion should be continued there.