Detect changed biometrics/fingerprint and re-prompt for master password

I recently deleted and re-added my fingerprints to my iPhone. One of my other apps, which allows TouchID for unlocking, prompted me for a password re-entry since the biometric data updated. Bitwarden, however, let me right in with the new TouchID configuration.

If the OS makes this info available, it would be nice if Bitwarden would re-prompt for a master password when biometrics change.

This is a pretty big security flaw to not be fixed yet.

2 Likes

Yes! I wasn’t aware of this, but after hearing it… it’s a must have, definitely.

2 Likes

Think so, too. This is really important! If someone gets to know your iPad PIN, for example (which is easy, you just need to be watched entering it…), then they can add a fingerprint and easily get access to your vault. Just tested it.

1 Like

I would love to vote for this another 19 times if possible. At the moment I’m not comfortable using Touch ID because of the security risk; if “Touch ID to unlock” is enabled, the entire Bitwarden vault can easily be accessed by anyone once the phone is unlocked. It appears that iOS has a straightforward method to detect changes to the Touch ID settings (evaluatedPolicyDomainState), so hopefully this would be a relatively simple revision to the code. It would certainly provide a lot of value… Touch ID to unlock is such a useful feature!

In the meantime, a PIN can be used to unlock Bitwarden in iOS, but that is not completely secure (although it is a lot more secure than Touch ID at the moment).

Keep up the great work! I’m really impressed with Bitwarden so far!

1 Like
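The detection the post above refers to, shown as an added example rather than code from the original thread or from Bitwarden itself: iOS exposes an opaque `evaluatedPolicyDomainState` blob on `LAContext` that changes whenever the biometric enrolment set changes. The app snapshots it at the moment the user last typed the master password and refuses biometric unlock when the current value differs. The `BiometricStateStore` helper, its key name and the `decideUnlock`/`unlockVault` function names are assumptions for the illustration; a real implementation would keep the snapshot (and the vault key it protects) in the Keychain, not in `UserDefaults`.

```swift
import Foundation
import LocalAuthentication

// Hypothetical store for the enrolment state captured the last time the user
// entered the master password. UserDefaults keeps the example self-contained;
// a production app would use the Keychain.
enum BiometricStateStore {
    private static let key = "biometricPolicyDomainState"   // assumed key name

    static func load() -> Data? {
        UserDefaults.standard.data(forKey: key)
    }

    static func save(_ state: Data?) {
        UserDefaults.standard.set(state, forKey: key)
    }
}

/// Returns the opaque enrolment state for the current biometric set.
/// It is only populated after canEvaluatePolicy returns true (or after a
/// successful evaluatePolicy), and is nil when biometrics are unavailable
/// or nothing is enrolled.
func currentBiometricDomainState() -> Data? {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &error) else {
        return nil
    }
    return context.evaluatedPolicyDomainState
}

enum UnlockDecision {
    case biometricsAllowed
    case requireMasterPassword(reason: String)
}

/// Compare the stored enrolment snapshot with the live one. Any mismatch,
/// including a missing snapshot, falls back to the master password.
func decideUnlock() -> UnlockDecision {
    guard let current = currentBiometricDomainState() else {
        return .requireMasterPassword(reason: "biometrics unavailable or not enrolled")
    }
    guard let saved = BiometricStateStore.load() else {
        return .requireMasterPassword(reason: "no enrolment state recorded yet")
    }
    if saved != current {
        return .requireMasterPassword(reason: "biometric enrolment changed")
    }
    return .biometricsAllowed
}

/// Call right after a successful master-password entry when the user has
/// biometric unlock enabled: this is the state future unlocks are compared to.
func recordBiometricEnrolmentAfterMasterPassword() {
    BiometricStateStore.save(currentBiometricDomainState())
}

/// Unlock flow: refuse biometrics when enrolment changed, otherwise prompt.
func unlockVault(onAllow: @escaping () -> Void,
                 onNeedMasterPassword: @escaping (String) -> Void) {
    switch decideUnlock() {
    case .requireMasterPassword(let reason):
        // Drop the stale snapshot so a newly enrolled finger cannot be used
        // until the master password has been re-entered.
        BiometricStateStore.save(nil)
        onNeedMasterPassword(reason)
    case .biometricsAllowed:
        let context = LAContext()
        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock your vault") { success, _ in
            DispatchQueue.main.async {
                if success {
                    onAllow()
                } else {
                    onNeedMasterPassword("biometric check failed")
                }
            }
        }
    }
}
```

Comparing the domain state is the explicit check; the stronger design is to let the OS enforce it by storing the biometric-protected vault key in a Keychain item created with the `.biometryCurrentSet` access-control flag, which iOS invalidates automatically when fingerprints or faces are added or removed. Android offers the same property through `setInvalidatedByBiometricEnrollment(true)` on a Keystore key. Either way, the state must be recorded only after a successful master-password entry, never after a biometric unlock, or the check silently re-baselines itself.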

Example of LastPass implementation: https://i.imgur.com/sD0yy3Q.jpg

2 Likes

Those are the little things that improve security a lot in specific cases. Both 1Password and lastpass as well as most of the banking apps have this extra layer of security implemented.

Unfortunately there isn’t a reply or even an acknowledgment from the dev after 1.5 years. @kspearrin Any hope for implementation?

1 Like

Some more information about why this additional check is important and a solution including example code on how to implement this additional check:

1 Like

I also was surprised not to have to re-type my master password after changing my fingerprints on Android. Enpass also has this security measure. I think this is a major flaw in the security of the app.

I’m also surprised this is already mentioned in April 2018 and still not fixed…

1 Like

I actually think that it should be reset any time the device password changes, or biometrics change.

1 Like

I’m (unpleasantly) surprised that this security flaw still isn’t fixed yet. Also please restrict the number of failed attempts with biometrics. Now you have unlimited retries.

1 Like

I think the team has completed this feature. I did see this in Github. I am not a programmer so I don’t know what all of this means.
Invalidate biometric on change (#1026)

1 Like

@vachan @Bart Yep, in progress!

4 Likes

Should be out in the wild with v2.7.0 🙂

3 Likes