Divide the Vault Timeout option (Support different events for lock vs. logout)

In the settings you can currently have a menu (Vault Timeout) in which you set the time until the Vault Timeout Action (can be set to Lock or Log Out) occurs. This means that it’s either Lock or Log Out.

My request is to have two separate options by having two separate Vault Timeout menus for Lock and Log Out. For example I’d like my system to Lock after 5min and to Log out on System Sleep which would increase the security by requiring 2FA.
Currently I have to choose between 2FA after System Sleep (which leaves the Vault unlocked for quite some time) or locking it after 5min but no 2FA after System Sleep.

This is what it currently looks like: Screenshot from 2020-08-06 10-57-24 (copy)

This is what I would like: Screenshot_2022-11-21_12-0121

3 Likes

That seems a good extension proposal.

I was already wondering why e.g. the Android app keeps being logged in even after an Android reboot.
At events like a reboot I would want to have the vault closed (new password login, not only locked).

2 Likes

I think there was a similar request here: Lock Vault on system lock, logoff or shutdown ONLY. Made a few days after this request.

Would love to see this. Really miss this level of granularity.

1 Like

This seems like an excellent idea

+1 would love to have this.

+1 I’d love to see this added to BW, the current setting forces users to compromise between security and convenience.

+1. I’d also like this feature.

Semantically, there are two different questions I would like the application to ask:

  1. “Who are you?” – as verified by the master password. Asked “once in a while” (e.g. on system wake/power on)
  2. “Are you still you?” – as verified by a PIN, or some other low-complexity input. In my mind, this would be a highly intolerant input, where a single wrong character (typed at any point) would trigger the “Who are you?” question.

2 Likes

Feature name

Set options for both auto lock, and auto logout, on different time frames

Feature function

Currently, users have the option to select EITHER lock OR logout after a set amount of time.
It would be more ideal, in my use case, to implement auto lock after a relatively short period of time, but auto logout after a longer period.

As an example, I come back from lunch and unlock my vault to log in to various sites or services. After that, I often do not touch Bitwarden for the rest of the day. If I do not remember to specifically log out at the end of the day, the vault remains stored on my device, requiring only the master password to open. In an environment with multiple coworkers sharing an office space, this is not ideal. I would like the vault to lock after a few minutes, which is sufficient for stepping away from my desk to grab coffee, use the restroom, etc., but then log out and require 2FA after a relatively longer period, such that if I forget to log out before leaving for the day, or worse, the weekend, it will log out and secure my vault.

2 Likes

I agree with Magnus, I wish the Android app would require full authentication after reboot, including 2FA. I have not needed to provide 2FA authentication on my phone since I first set up Bitwarden, over a year ago. As my phone is the most likely digital device to be lost or stolen, it seems somewhat backward that it has some of the lowest levels of password security.

+1

It would also be nice to be able to select multiple options for locking/logoff like 60 minutes OR system lock

1 Like

+1

Late, but still missing this feature, as it would provide some good extra security

+1, especially useful for phones

Another bump for this, would really appreciate this feature!
When I’m on my laptop I’m happy for my vault to lock after a few minutes and to use my pin, but after 10-15 minutes I’d really like it to logout as well.

+1. It would be very useful to auto lock after a few minutes, but auto logout (and require 2FA) after lock/system wake up/system restart.

+1 To slightly add to this, the ability to Lock with PIN separately from Lock with Master Password.
i.e. Lock with PIN on browser restart, and Lock with Master Password on system lock.

That way when I’m actively using my computer I can use a PIN, and when I’m away the memory is purged. Otherwise it becomes frustrating to use…

2 Likes

First, I want to issue a giant “thank you” to the entire Bitwarden team for developing a truly awesome open-source platform. The value that BW brings to the table is unparalleled, and the digital world thanks you for making it a more secure place.

Here is my question/suggestion regarding the vault timeout action:

Right now users can specify a vault timeout period and action (lock vs logout). I love this feature, but I was wondering if we can make it even better. How about having the ability to specify a vault timeout period for each parameter (lock and logout) to work in concert, without having to choose one vs the other? i.e. Auto-lock after x-time and auto-logout after y-time.

I think this should be a fairly simple update to implement, and could offer users greater control over their security setup. For example, perhaps I want the vault to auto-lock fairly quickly, but still want the vault to auto-logout after a longer period of time.

This will maximize security while still maintaining convenience as I’m working, as I can quickly unlock w/ biometrics. However, it will also preserve the added security benefit of a full logout when I’m not actively working, without having to remember to logout manually.

If there is currently already a way to do this, please, inform me. Thank you again, and please keep up the great work in this space.
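The two-tier behaviour requested in this thread (lock after x, log out after y or on a system event, and the "Are you still you?" PIN check that escalates to "Who are you?" on a single failure) can be modelled as a small state machine. This is an added sketch, not Bitwarden's code; every type, class and field name in it is hypothetical, and PIN verification itself is assumed to happen elsewhere.

```typescript
// Added illustration: hypothetical names, not Bitwarden's code or API.
type VaultState = "unlocked" | "locked" | "loggedOut";
type SystemEvent = "screenLock" | "sleep" | "restart";
interface TimeoutPolicy {
  lockAfterMs: number;     // idle time until PIN/biometric re-check
  logoutAfterMs: number;   // idle time until master password + 2FA
  lockOn: SystemEvent[];   // events that only lock
  logoutOn: SystemEvent[]; // events that force a full logout
}
class VaultSession {
  state: VaultState = "unlocked";
  private lastActivity: number;
  private policy: TimeoutPolicy;
  constructor(policy: TimeoutPolicy, now: number) { this.policy = policy; this.lastActivity = now; }
  // Apply both idle timers; logout takes precedence over lock.
  tick(now: number): VaultState {
    const idle = now - this.lastActivity;
    if (this.state !== "loggedOut" && idle >= this.policy.logoutAfterMs) this.state = "loggedOut";
    else if (this.state === "unlocked" && idle >= this.policy.lockAfterMs) this.state = "locked";
    return this.state;
  }
  // User activity resets the idle clock only while the vault is unlocked.
  touch(now: number): VaultState {
    if (this.tick(now) === "unlocked") this.lastActivity = now;
    return this.state;
  }
  onSystemEvent(ev: SystemEvent): VaultState {
    if (this.state === "loggedOut") return this.state;
    if (this.policy.logoutOn.indexOf(ev) !== -1) this.state = "loggedOut";
    else if (this.policy.lockOn.indexOf(ev) !== -1) this.state = "locked";
    return this.state;
  }
  // "Are you still you?": a single failed PIN check escalates to full logout.
  unlockWithPin(pinOk: boolean, now: number): VaultState {
    if (this.tick(now) !== "locked") return this.state;
    this.state = pinOk ? "unlocked" : "loggedOut";
    if (pinOk) this.lastActivity = now;
    return this.state;
  }
}
// Constructed timeline: lock after 5 min idle, log out after 8 h idle or on sleep/restart.
function demoTimeline(): VaultState[] {
  const MIN = 60000;
  const p: TimeoutPolicy = { lockAfterMs: 5 * MIN, logoutAfterMs: 480 * MIN, lockOn: ["screenLock"], logoutOn: ["sleep", "restart"] };
  const s = new VaultSession(p, 0);
  return [s.tick(4 * MIN), s.tick(6 * MIN), s.unlockWithPin(true, 7 * MIN), s.onSystemEvent("sleep")];
}
```

The logout timer keeps running while the vault is locked, so a forgotten session still ends in a full logout even if nobody touches the device.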

It would be great if there were a configurable timeout period after which biometric unlock would stop working, and the password is required to be entered again. For example, each day I have to enter the password first, which then allows me to use the biometric unlock for the rest of the day.

Because what you’re asking for (disabling of biometric unlock with a requirement to re-enter the master password) can be achieved by logging out, I think your request for what amounts to a configurable logout period is equivalent to this one:

If you (or the mods) agree, this topic can be merged into the above feature request topic (cc: @dh024 @dwbit).

1 Like

Can throw my hat in on supporting this. If I recall, LastPass has a similar option to do a soft-timeout (lock) and a full-timeout (logout, e.g. when you close the browser, logoff, timer, etc.).

In their version, I believe there are subtle differences between the two actions … I can’t remember if the soft-timeout just required a PIN or not. The full-logout I think de-loads everything from memory until you relogin, but it’s been a while.