Preventive measure against phishing attacks. A locked Vault in the browser opens a new tab prompting for the Vault password (url: moz-extension://…/popup/index.html?uilocation=popout#/lock). Include a visual that is unique to the Vault, e.g. fingerprint phrase, on the login screen. If it isn’t present or is different, it might be a pause for the user to validate they’re in the correct tab (alternatively browsers should include an indicator for extension-tabs).
One of the questions that arose for me was that the passphrase could also be spoofed by the attacker by fetching it through Bitwarden’s official website if they are clever enough to do so.
The passphrase could of course make the phishing attempt difficult and also in some circumstances prevent users from logging into self-hosted instances of BW having similar domain names.
Some more clever way of implementing it could be developed.