Hello, this is a very similar feature request to "Detect changed biometrics/fingerprint and re-prompt for master password", but for the Desktop app. I only found one comment talking about it, here: "TouchID on macOS: prevent fallback to macOS Account Password - #10 by Rjch".
I am using the latest version of Bitwarden with macOS Monterey 12.2.1. I recently added a new fingerprint to my Mac. 1Password7, which allows TouchID for unlocking, asked for the master password since the biometric data was updated. Bitwarden, however, let me in with the new TouchID configuration.
Would it be possible to have Bitwarden re-prompt for the master password when biometrics change?
I feel this is a substantial security flaw, especially because users are not aware of it.
This is also probably a big reason it will be hard to get votes for this feature request. I personally ran Bitwarden on my Mac for over a year before I realised that anyone with my Mac password and 2 minutes with my Mac could walk away with all of my passwords.
If users were made aware of this potential security issue I think they would be voting in droves!
That is why you should make use of 2FA.
I do make use of 2FA. Generally 2FA is used to identify a device as trustworthy, rather than needing to use it every time you enter your password or every time your computer wakes from sleep, which for many would be time consuming and impractical. So even with 2FA enabled I believe my concern is still valid. If I’ve misunderstood, please explain in more detail.
Incidentally @Peter_H, do you see any downside to this request being implemented? I’m always keen to know if I’ve missed something.
How do you think we can make more users aware of this? Maybe posting on Reddit?