Detect changed biometrics/fingerprint and re-prompt for master password

I recently deleted and re-added my fingerprints to my iPhone. One of my other apps, which allows TouchID for unlocking, prompted me for a password re-entry since the biometric data updated. Bitwarden, however, let me right in with the new TouchID configuration.

If the OS makes this info available, it would be nice if Bitwarden would re-prompt for a master password when biometrics change.

This is a pretty big security flaw to not be fixed yet.

1 Like

Yes! I wasn’t aware of this, but after hearing it… it’s a must have, definitely.

1 Like

Think so, too. This is really important! If someone gets to know your iPad Pin for example (which is easy, you just need to be watched entering it…) then someone can add a fingerprint and easily gets access to your vault. Just tested it.

I would love to vote for this another 19 times if possible. At the moment I’m not comfortable using Touch ID because of the security risk; if “Touch ID to unlock” is enabled, the entire Bitwarden vault can easily be accessed by anyone once the phone is unlocked. It appears that iOS has a straightforward method to detect changes to the Touch ID settings (evaluatedPolicyDomainState), so hopefully this would be a relatively simple revision to the code. It would certainly provide a lot of value… Touch ID to unlock is such a useful feature!

In the meantime, a PIN can be used to unlock Bitwarden in iOS, but that is not completely secure (although it is a lot more secure than Touch ID at the moment):

Keep up the great work! I’m really impressed with Bitwarden so far!

Example of LastPass implementation:

Those are the little things that improve security a lot in specific cases. Both 1Password and lastpass as well as most of the banking apps have this extra layer of security implemented.

Unfortunately there isn’t a reply or even acknowledgment from the dev after 1,5 years. @kspearrin Any hope for implementation?