I think it would be really awesome if Bitwarden was able to share login state between the desktop app and the browser. For instance, I imagine the flow going something like so:
- Log in to desktop client
- Open browser
- Browser extension connects to desktop client
- Desktop client sends password vault information to the extension, which is automatically unlocked
What I’m not sure about is if there’s any way to do this without severely compromising local security. Though, I also question how much you’d really be compromised. Once the password vault is open, I’m not sure there’s much stopping a local exploit anyways.
So, with that in mind, perhaps this could work off a “simple” public-private key cryptography setup, where you “link” the browser extension to the desktop, then they communicate on the local machine via sockets.
The private key would be encrypted in the desktop app via the master password, and the public key would be part of the browser extension’s unencrypted storage. This stops an attacker from gaining access to the vault if they so happen to be on the network and the port the communication is occurring on just so happens to be open.
The real objective here is to make it so, if I keep Bitwarden desktop – or perhaps even some Bitwarden daemon it launches – open, it doesn’t matter how many times I open/close my browser, I remain logged in. While at the same time, I’m not storing something that can be used to decrypt my vault on my HDD; someone still has to start a program – Bitwarden desktop – and log in there. This just provides “all day” usability after, even with browser closes, or hops between Firefox, Chrome, etc.