Fingerprint Support (All Platforms) - To do not re-prompt the master password all the time

app:all

#1

This is already mentioned in many places.

Discourse:


GitHub:



I know that this can be troublesome for each platform in specific, but here goes nothing.
I’d like to suggest one more thing for anywhere you use BW:
Use your fingerprint as a master password replacement (desktop/browser/mobile) to do not have to re-type it all the time.

Re-typing the master password, depending on the complexity, can be a harsh (besides to be aware of keyloggers, that an other user mentioned this better here). So this could be more user-friendly: BW would recognize the fingerprint as an alternative for the master password (after the 1st login and remembering the user, with an authentication re-prompt, of course).

This should be already be available on Android, then I’d suggest for other places such as on desktop and web extension (with an optional binary module, as mentioned on the references above).

Sorry if this is a duplicate, I just wanted to make it more clear to understand. LP already uses this, so it’s nice to use this feature. No matter if it be free to use or premium feature. I’d pay only to use it anyway (and to support you, surely. But I’d prefer for free to make it more comfortable for my cheapskate friends).


Require master password "re-prompt" for some items
Easier Way to Log In?
#2

LastPass supports this on their web vault and browser extensions? Not sure now that is possible.


#3

@K0media I started just skimming through and I got confused a bit. So I read at 0.5 speed and wrote my own summary of links you added.

The first - require master password when touching sensitive entries in the vault. So, vault is unlocked, but certain entries require master password before they are accessed or amended.

The second - bitwarden extension should ask for master password when firefox is relaunched and vault is locked. Right now, it sits silently with red lock until you manually do it.

The third one - I might not fully get this one, this is request to add option to enable 2FA with fingerprint. Currently, 2FA is only when you login, unlocking can be done with master password or fingerprint. The user would like to do fingerprint + 2FA.

The fourth one - User reported inconsistency between other apps and bitwarden in number of failed attempts to unlock with fingerprint.

The fifth one - Add support for third party fingerprint scanner for devices/OS that don’t have native fingerprint support.

I hope I got all of them right in context regarding “what author had in mind”. :slight_smile:


What you ask for seems to be unrelated to hmm, 4 out of 5 issues above? Do you really mean word “replacement” when you say it? Do you mean that you can use fingerprint to fully log in, unencrypt vault, if device was trusted/accessed before?
For all I could see, in my old LP days, LP was logged in, but locked. You can unlock it with ‘just’ fingerprint (but it does not mean it replaced master password). I can’t see how LP’s thing is any different than BW on my android phone.


#4

Nooo, don’t get me wrong, lol. They support it only for the web browser extension (by installing a small binary).

About the web vault I’m not sure. But it is currently a premium feature (for the web browser extension and desktop version only, mobile it is already native), that became a bit expensive after they raised their charges. :sweat_smile:

Okay, I guess I expressed myself wrong. What I actually asked for was exactly what the mobile version (as you say) already does. But that being for Desktop and the web browser extension platforms. For web I know it should be almost impossible to do, as it would fully require you to log in to access the web vault 1st.

It should be a shame to say that I’m not a BW user yet because LP has some unique features that BW doesn’t have just yet. But I’m considering to migrate really soon. Right now I’m helping up by translating it to my native language.

And yes, you are right. 1st you need to be logged in (I tend to leave my vault with the master password remembering it) and finally you can use your fingerprint to unlock it whenever you want to access it again.

What LP currently does on Desktop and web extension is: when you are already logged in, it uses your fingerprint to unlock your vault, so you do not have to re-type your master password over and over again to unlock it. It’s a clever security measure, in my opinion, because you just need to touch/swipe your finger on the sensor depending on the case. Without worrying about someone breaking in to peep your vault accidentally.

Optionally 2FA like TOTP could be enabled if you want. But only by requiring your fingerprint to unlock your vault (on Desktop and web extension platforms) all the time it’s already a big help.

If you suggest me to change/edit the title of this thread, I thank you already. I think that I expressed myself wrong since the beginning, but I’m not such an expert into digital security, so I know only some functionalities and features. Concise terms sometimes are difficult to me. I’m not a programmer, so… :sweat:

PS: Sorry for the late reply. I’ve been stopped from posting replies the first day on the community due to the spam filter.


#5

Taken from the LP documentation about Fingerprint Readers:

LastPass has support for various fingerprint readers, including Windows Biometric Framework, as a Premium feature. Once enabled, you can use the Fingerprint reader to login to the LastPass browser extension, rather than having to enter the Master Password. This includes Master Password reprompts as well.

Sorry, I missed this last part in bold. But it only re-prompts the master password in case you’re not already logged in (and saved your master password to remember you).

Also this:

Requirements

  • Windows 7 or above
  • Must have Windows Biometric Framework drivers installed (WBF is only available in Windows 7+)
  • Safari and Opera can be supported by installing an additional binary component.
  • Windows 8 may require an additional component to be installed. This component is installed by the LastPass Universal Installer. If you are having problems swiping your finger in Windows 8, please try running the LastPass Universal Installer from: https://lastpass.com/installer/
  • Chrome extension also requires the binary component. (Just like I said.)

Hope it’s clear now.

Source: https://helpdesk.lastpass.com/multifactor-authentication-options/fingerprint/


#6

Came here to ask exactly for this. Glad I’m not the only one, this is the only thing I need for Bitwarden to be perfect for me. As someone coming from LastPass, being able to use my fingerprint as a replacement for the Master Password is a must.

I was looking for a cheap and reliable password manager alternative since LogMeIn bought LastPass. Even though it created a free tier I will never trust LogMeIn, let alone with my passwords. It is a shady company with a bad history.

Please Bitwarden team, implement this!!!


#7

I am thinking of switching to another password manager, because the lack of fingerprintsupport in the chrome extension.


#8

Please add this to the android firefox mobile extension !

desktop extension for me is not as important but on my phone it is a bit of a pain entering the LONG master password every time firefox restarts


#9

There’s somewhere Kyle mentioned that the security key can’t be held when the browser restarts. I just can’t remember where exactly, but he said it works better that way. :confused:


#10

That would be so nice and easy :relieved:


#11

Are you planning to support windows fingerprint in near future?


#12

I was about to buy one of those some time ago. I just didn’t buy because of the additional customs fee. Taking that off, it would perfect for this scenario.


#13

I ordered 2 of them ( a pack of 2 ) for a discounted price of £53
Amazon messed up and only sent 1.
I called up and the guy said the only option he has is for me to return it for a refund.
This didn’t make sense, I just wanted him to send me another 1.
In the end the guy refunded me the full £53 and said I can keep the one they sent :sweat_smile:
So I ordered another 1 and have only basically only paid £13.50 each.

Oh and it works REALLY well with “windows hello”. Scans in 0.15 seconds. much faster than my phone !
Now I just need @kspearrin to add fingerprint scanning to his firefox extension.

@kspearrin how much $$$ you want ?


#14

Hmm, not a bad deal then. I just didn’t buy with the extra taxes because our currency is much weaker than the usual. It’s like you buy a bill here for 23 cents (in US dollar). It’s lame, really.

However, about the bounty on the feature request, I don’t think it will turn out that easy. Some time ago I saw Kyle mentioning somewhere that was about to create an official profile on https://www.bountysource.com/

It’s not so old, but so far I haven’t heard the news on this yet.

PS: I’m glad you had a good results with your new toy. I’ll consider buying one of those (maybe imported from China), so I can have the hands on this and see if it’s really worth it or waste. After my marriage, who knows, hehehe. (Yes, I’m about to marry a woman right in my bday’s date, lol.)


#15

Roboform for Windows Desktop supports fingerprint reader access for free. In fact, it is one of my favorite features of any password manager as it provides fast and convenient access to my passwords. That said, I really like Bitwarden and I think that is one killer feature that is still missing. Please add support for Windows fingerprint reading. Thanks!


#16

I bought this Kensington fingerprint key

https://www.kensington.com/p/products/security/biometric/Kensington-VeriMark-Fingerprint-Key-Supporting-Windows-Hello--FIDO-U2F-for-Universal-2nd-Factor-/

Setup with bitwarden U2F with no issue


#17

I’d be glad for this feature in the linux (Fedora) client.


#18

/What’s the status on this?


#19

As discussed here I think any sort of 2FA unlocking on a PC is a bad idea and should not be implemented.


#20

How is it worse than unlocking Windows login with 2FA?

https://www.yubico.com/why-yubico/for-business/computer-login/windows-login/

I am not advocating one way or the other, Just trying to learn. Thanks.