That statement makes me curious. Against which attack does a short timeout help, especially when I am the only user? And do you mean a lock timeout for both the browser extension and the desktop application?
Yes, the extension only locks, it does not log out. The reason I just use the PIN now is because it's a pain to have to log in at every reboot of the PC for the desktop. So I just find the whole biometrics thing useless when it comes to Bitwarden.
Second, logging into the app requires me to type in my master password, which is NOT short and a pain in the rear. So just having a locked extension I can use a short PIN and be done with it. So the whole purpose of having biometrics is useless when you have to log in at every restart of the PC, or if the app decides to log you out from timeouts and you have to re-enter a long password.
So the desktop app is totally useless for what I got it for, which was to have a quick, convenient login with my fingerprint that is fast and secure.
Interesting, since I have the opposite experience. I just bought a fingerprint sensor for my desktop PC with the primary purpose of unlocking my vault. Now I have to type my master password exactly once a day (which helps to keep it memorized) and can unlock the browser extension even after restarting the browser. Perhaps I will try a shorter timeout next.
You're confusing logging in and unlocking constantly.
If you used biometrics with the desktop app again, you would not have to log in at every reboot, but just unlock the desktop app the first time with the master password. After that first unlock, you can then unlock the desktop app with biometrics, just as it was before the change to the desktop app that came with version 2025.8.0. (PS: And with that, you could then use unlock with biometrics for the browser extensions all day long too, as long as you don't close the desktop app.)
But on the other hand, unlocking the desktop app with a PIN is also fine.
A few benefits, none substantial:
- If your machine were to become malware infected, a locked vault is less vulnerable.
- Attacks such as the recent "clickjacking" one depend upon an unlocked vault.
- It serves as a "user authorization" step before creds are released to a website.
Agreed, exposure remains when actively using the vault, but at least it is not 100%.
In that case everything is lost already. The malware just waits for an unlocked vault or captures the typed master password.
> - Attacks such as the recent "clickjacking" one depend upon an unlocked vault.
> - It serves as a "user authorization" step before creds are released to a website.
Number 2 sounds rare, but not impossible to happen again. Another conscious step, however, could be valuable. I will change my config later and try this, thanks for the suggestion.
Perhaps. The goal is risk reduction, not risk elimination.
We don't know the capabilities of any theoretical malware. Clickjacking, for example, is only effective while on the particular website. And malware embedded inside "Free!!SuperSuduko3k!!" may be dependent on the application being open in another window.
Another example is a coworker/stranger sneaking onto the computer/phone that you forgot to lock. I do use different lock timeouts on my phone, on my work PC and on my home PC, due to different perceived likelihood of a drive-by attack.
That is what I thought about, too. However, installation of additional software is getting more and more regulated, so I am stuck with the browser extension on my work notebook.
I am going to test it later, but perhaps you can let me know this: Is it possible to lock both the browser extension and the desktop application after a timeout and then just unlock the browser extension with one swipe?
- Real malware doesn't use all theoretically possible attack modes, so the above is a worst-case scenario.
- If your device becomes infected while your vault is locked, you at least have an opportunity to detect and eliminate the malware before unlocking.
> Is it possible to lock both the browser extension and the desktop application after a timeout and then just unlock the browser extension with one swipe?
Yes. Biometrics to unlock the browser extension does require the desktop app to be logged in, but it does not ever need to be unlocked other than momentarily after the app is launched (on Windows, due to a current Hello limitation).
> other than momentarily after the app is launched (on Windows, due to a current Hello limitation).
Yeah, I noticed that limitation on Linux, too. I am curious why Mac is not affected but Linux is.
@DenBesten So I changed the lock timeout in both the desktop app and the browser extension. So far it works well, but every time I unlock the browser extension, the desktop application pops up. The same happens when the timeout kicks in. Is there a setting I am missing, or am I experiencing this issue?
Unknown.
Win 11, everything current or close to current. I have the desktop app locked (minimized to the tray icon) and with a sufficiently recent "master password unlock". If I lock and unlock my Chrome extension, Hello takes a picture and my Chrome extension unlocks, but Bitwarden desktop remains minimized and locked.