Consistent handling of Master Password re-prompt for TOTP

Feature name

Consistent handling of Master Password re-prompt for TOTP

Feature function

For an item with TOTP and Master Password Re-prompt enabled, the TOTP code is available by simply viewing the item; however, trying to copy the TOTP code will result in a Master Password prompt.

In line with the goal of the Master Password re-prompt functionality, either the TOTP code should be hidden until the Master Password is entered, or it should be possible to copy it without the re-prompt. Currently, the re-prompt isn’t serving any purpose.

Personally, I would rather the prompt not be required for the TOTP code, and have more flexibility in deciding which fields the prompt appears for (https://community.bitwarden.com/t/master-password-re-prompt-on-specified-sub-fields/32540), but regardless, I think it should be consistent.

I find this to be a huge security hole: if someone steals my laptop while it is still on and logged in, they can use all my TOTPs without having to put in any passwords, even though I have specified password re-prompt for those accounts.

Welcome, @Lju, to the community!

You might consider setting a “vault timeout action” to protect against this risk. The common approach seems to be “lock” after N-minutes and then configure biometrics to make small values of N tolerable.