Fingerprint Support (All Platforms) - To do not re-prompt the master password all the time

Does this feature request apply to this workflow or should I make a separate post?

  1. Login item X has “master password re-prompt” ticked.
  2. When triggering auto-fill, Bitwarden starts Windows Hello.
  3. Windows Hello unlocks login item X.

I believe all these features exist separately, but this workflow above still forces you to re-type the master password.

I’m on Bitwarden 1.54.0 in the browser (Edge 95.0.1020.38 // Windows 10 Pro x64 19043.1288) with Bitwarden Desktop 1.29.1; Windows Hello works in the extension, but only to unlock the vault: not to unlock “master password re-prompt” items.

Apologies, couldn’t edit the previous post. That is a separate request, found here filed by @Ankit. :pray:

This deserves to be revived. It’s a sorely missing feature that is repeated throughout the forum under separate posts. If all votes for all posts for this feature were added up, it would certainly be top 10 or so. This is the one feature I can’t live without and the one reason I’m not using BW in place of LP, and I’m desperate to leave LP after over 10 years with them.

This was me asking for this so I could finally escape the hell of LastPass. Still nothing 6 years later. Seems to be BW is just as bad as LP except with a technically inferior service offering. I don’t really see anything BW has that LP doesn’t, except for a better security record, which counts tons, but it’s not enough if it means I have to enter my Master Password 30x per day just to conduct my regular business. This is just such an easy thing to implement and yet… I will not switch to BW until this is done.

@Sasha_B Of course it’s not the same as the reprompt, but locking the vault and unlocking it via Biometrics 30+ times a day wouldn’t be an alternative?

But that would require actively remembering to lock the vault all the time, no? As far as I’m concerned, anything that relies on me taking action to prevent vulnerability is itself a vulnerability. That’s sort of the whole point to me of a password manager. It’s supposed to be set and forget. You only need to know one password and use either an authenticator app or fingerprint and that’s it. The rest is handled by the software. If I’m forced to remember to lock and unlock, think about what the status of my vault is if I leave my computer for a few minutes, etc., that’s just not what I’m looking for. That being said, if you have a solution that’s passive, meaning the vault will auto-lock within a couple minutes of my last use, I’m ok with that, though it still feels less secure to me.

@Sasha_B Well, two things:

  1. In Bitwarden you can set “auto-lock”, e.g. 1 minute, 5 minutes, etc. (or totally custom). But to be honest, in my personal experience, it sometimes doesn’t “auto-lock”. I personally have it set to an auto-lock of 5 minutes (in a way a reason for that comes down below), but made it a habit to check or manually lock it every time I leave the computer. Just learning a new habit. Hard or easy, you choose.

Less secure is having an unlocked vault the whole day. As far as I know, that means for more or less every password manager, that some (or all?) of your vault data is unencrypted in the memory of your machine the whole day long (and could possibly be accessed by every app - or malware etc.). Security-wise, every vault should be immediately locked the moment you don’t need it.

I’m still using LP. I have it set to lock/logout after 10 mins of inactivity. Additionally, for any vault item of any value, I have it set to Require Master Password Re-prompt. The idea is, 1. if I’m not around LP will logout so, little to no danger unless someone gets to my computer within 10 minutes of me leaving it. Unlikely but not impossible. But if they do then 2. they will not be able to access anything of value without my Master password or fingerprint.

It’s not the greatest security (especially in terms of the fingerprint), but unless I’m being tortured or they’ve managed to get my fingerprint (much more likely and easy than the torturing), I should be pretty safe.

Are you saying that Bitwarden will auto-lock even while you’re using the browser? Because that’s almost the same as requiring reprompt, except it means I’ll be unlocking BW like 100+ times a day. That’s the advantage of the way LP is set up. As long as I’m active on the browser, I have access to all my low priority vault items without any action. I just go to a site and I get logged in. Then for high-value I need to take action by providing fingerprint or password.

As far as I know, the “unlock-timeout” counts by using the browser extension - not by just “using the browser”.

I don’t quite understand… If I understand you correctly, you use your fingerprint for master password reprompt with LP over and over through the day, right? Would that be so much different from unlocking the BW browser extension with your fingerprint “over and over through the day”?

Think again of the security implications, having your vault unencrypted in memory for hours…

I don’t quite understand… If I understand you correctly, you use your fingerprint for master password reprompt with LP over and over through the day, right? Would that be so much different from unlocking the BW browser extension with your fingerprint “over and over through the day”?

Right, it would essentially be the same, which is why I was asking if the BW would lock the vault after a given amount of time, even while using the browser. But seems you answered that, I believe.

Think again of the security implications, having your vault unencrypted in memory for hours…

Ya, not sure what the implications are, but as I mentioned, it wasn’t the most secure setup, but it seemed to strike the right balance for me. 95% of the items in my LP are low-value, and the remaining 5% require a password reprompt. So, I wasn’t/am not too worried.

That being said, I’m warming up to the idea of moving over to BW.