Detect changed biometrics/fingerprint and re-prompt for master password


#1

I recently deleted and re-added my fingerprints to my iPhone. One of my other apps, which allows TouchID for unlocking, prompted me for a password re-entry since the biometric data updated. Bitwarden, however, let me right in with the new TouchID configuration.

If the OS makes this info available, it would be nice if Bitwarden would re-prompt for a master password when biometrics change.


#2

This is a pretty big security flaw to not be fixed yet.


#3

Yes! I wasn’t aware of this, but after hearing it… it’s a must have, definitely.


#4

Think so, too. This is really important! If someone gets to know your iPad PIN, for example (which is easy, you just need to be watched entering it…), then they can add a fingerprint and easily get access to your vault. Just tested it.


#5

I would love to vote for this another 19 times if possible. At the moment I’m not comfortable using Touch ID because of the security risk; if “Touch ID to unlock” is enabled, the entire Bitwarden vault can easily be accessed by anyone once the phone is unlocked. It appears that iOS has a straightforward method to detect changes to the Touch ID settings (evaluatedPolicyDomainState), so hopefully this would be a relatively simple revision to the code. It would certainly provide a lot of value… Touch ID to unlock is such a useful feature!

In the meantime, a PIN can be used to unlock Bitwarden in iOS, but that is not completely secure (although it is a lot more secure than Touch ID at the moment):

Keep up the great work! I’m really impressed with Bitwarden so far!
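The detection post #5 refers to, worked through as an added Swift example that is not code from this thread or from Bitwarden's own app: the OS exposes an opaque blob, `LAContext.evaluatedPolicyDomainState`, that changes whenever the enrolled fingerprints or faces change. Storing that blob at the moment the user opts in to biometric unlock (after proving the master password) and comparing it before every later biometric unlock gives exactly the "re-prompt for master password" behaviour requested here. The type and protocol names (`BiometricEnrollmentGuard`, `DomainStateStore`, `InMemoryStore`) and the `unlockFlow` helper are assumptions made for this example; a real app would keep the baseline in the Keychain rather than in memory.

```swift
import Foundation
import LocalAuthentication

/// Outcome of comparing the current biometric enrollment with the stored baseline.
enum BiometricState {
    case unchanged    // enrollment matches what was recorded at opt-in
    case changed      // fingers/faces were added or removed (or no baseline exists)
    case unavailable  // biometrics cannot be evaluated on this device right now
}

/// Where the trusted baseline is persisted. Constructed for this example; a real app
/// would back this with the Keychain so the value survives app restarts.
protocol DomainStateStore {
    func loadBaseline() -> Data?
    func saveBaseline(_ data: Data)
}

/// Simple in-memory store so the example is self-contained (not suitable for production).
final class InMemoryStore: DomainStateStore {
    private var baseline: Data?
    func loadBaseline() -> Data? { baseline }
    func saveBaseline(_ data: Data) { baseline = data }
}

final class BiometricEnrollmentGuard {
    private let store: DomainStateStore

    init(store: DomainStateStore) {
        self.store = store
    }

    /// Reads the opaque enrollment state. The property is only populated after
    /// canEvaluatePolicy (or evaluatePolicy) succeeds, so that call comes first.
    private func currentDomainState() -> Data? {
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
            return nil
        }
        return context.evaluatedPolicyDomainState
    }

    /// Call once the user has entered the master password and enabled biometric unlock.
    /// Records the current enrollment as the trusted baseline.
    @discardableResult
    func recordBaseline() -> Bool {
        guard let state = currentDomainState() else { return false }
        store.saveBaseline(state)
        return true
    }

    /// Call before offering biometric unlock. Fails closed: a missing baseline is
    /// treated the same as a changed enrollment.
    func check() -> BiometricState {
        guard let current = currentDomainState() else { return .unavailable }
        guard let baseline = store.loadBaseline() else { return .changed }
        return current == baseline ? .unchanged : .changed
    }
}

/// Decision made at unlock time. Only the `.unchanged` case is allowed to proceed to
/// a biometric prompt; every other case falls back to the master password.
enum UnlockMethod {
    case biometrics
    case masterPassword
}

func unlockFlow(guard enrollmentGuard: BiometricEnrollmentGuard) -> UnlockMethod {
    switch enrollmentGuard.check() {
    case .unchanged:
        return .biometrics
    case .changed, .unavailable:
        // After the user proves the master password, the app should call
        // enrollmentGuard.recordBaseline() so the new enrollment becomes trusted.
        return .masterPassword
    }
}

// Usage sketch (runs on a device; on the simulator canEvaluatePolicy may fail):
// let guardian = BiometricEnrollmentGuard(store: InMemoryStore())
// guardian.recordBaseline()          // at "Unlock with Touch ID" opt-in
// let method = unlockFlow(guard: guardian)   // later, before each unlock
```

The important design choice is that the comparison happens before `evaluatePolicy` is ever shown to the user: a newly added fingerprint is not given a chance to succeed, and the baseline is only refreshed after the master password has been re-entered. Apple has marked `evaluatedPolicyDomainState` as deprecated in newer SDKs in favour of a structured `domainState` property, but the compare-a-stored-blob pattern is the same in both.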