Apparently if I enable Windows Hello to unlock my desktop client or the FF extension, then it’s possible to unlock the vault with just that, and without my master password, even when the app is launched. Which, for me, indicates that my MP is stored on my computer and only protected by Hello, which seems to be quite insecure in and of itself, not to mention that I can’t force the app to ever require the MP before accessing the vault.
So, is this behavior by design? How can I have BW not store my MP in Hello, and use Hello to access my vault only after it has been unlocked with my MP in the first place? Is this feasible? Same for the browser extension.
No, that’s an option. You can definitely require Bitwarden to logout fully. Just disable the Unlock with Biometrics option.
If you want, you can unlock with a PIN instead, and enable the option to Lock with Master Password on Restart.
Apparently, there’s a misunderstanding here regarding the desired goal. I do want to use biometrics to unlock, while definitely requiring the master password on app launch.
Is this combination impossible? Why?
How does the app unlock the vault using biometrics only? Does it store the MPW in W Hello?
Sorry - I don’t know of a way to enable biometric unlock, EXCEPT for the case when the browser restarts.
And no, your master password is never stored anywhere on your computer. Instead, a key is created from it that will unlock your encrypted vault. Where does that actually get stored with Windows Hello? I am not sure - but it seems to be a trusted solution. Perhaps it gets stored in the PC’s TPM?
Windows Hello storing the decryption key to your vault doesn’t carry the level of risk that you are worried about.
If you are worried about someone bypassing Windows Hello, then you must first be worried about someone infecting your PC and implanting keyloggers in it.
So if your system is compromised, then no level of security, incl. the master password, would save your data from being leaked.
Though I should say that you should use the Windows Hello integration only if you don’t share its password with anyone and it’s not a weak one.
No, my passwords are all fine, as you might guess from my being so conscious about getting compromised. My concern is that fingerprint ID is not that very secure to begin with - I’m fine with it to quickly unlock my phone/laptop in relatively controlled situations, but e.g. if my device gets stolen, then I wouldn’t trust all my passwords solely to fingerprint protection (not to mention the blue ones, who would already officially have my fingerprint by the time they get to my device). That’s why I want to require much stronger auth when it is started.
So, in any case: I want a solution where whatever is able to unlock my vault is only ever stored in RAM, and never written to permanent storage. (To clarify: a stored key able to unlock my vault is not any safer in my view than storing the MPW itself. Obviously.)
Of course, I don’t expect my password manager to protect me from getting keylogged - I have my measures against that otherwise. But I do want it to protect my passwords to a standard which is reasonable and, anyway, not technically challenging at all - given that whatever I wrote above would only require smarter configuration, not any new algorithms or features to be developed.
Then I would ditch biometrics and Windows Hello and unlock with a PIN instead (see my earlier post above). This will achieve your goal perfectly.
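The point made earlier in the thread (the master password is never stored; only a key derived from it can open the vault, and a persisted copy of that key is exactly what a biometric unlock releases) and the suggested workaround (unlock with PIN or biometrics while running, but lock with the master password on restart) can both be shown with a small model. The following is an added illustration, not Bitwarden's client code: the class, its method names, the HMAC-based key verifier and the `protector_store` attribute standing in for Windows Hello / a TPM-backed key store are all assumptions, and the password is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed model of a password-manager client's unlock states. Added
# illustration only; the method names and the "protector" store standing in
# for Windows Hello / a TPM-backed key store are assumptions, not Bitwarden's code.

PBKDF2_ITERATIONS = 100_000  # kept low for the example; real clients use more


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit vault key; the password itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)


class VaultClient:
    def __init__(self, master_password: str, lock_with_master_password_on_restart: bool):
        self.salt = secrets.token_bytes(16)
        key = derive_vault_key(master_password, self.salt)
        # Persisted verifier: lets the client check a candidate key without storing the key.
        self.key_verifier = hmac.new(key, b"vault-key-verifier", hashlib.sha256).digest()
        self.lock_with_master_password_on_restart = lock_with_master_password_on_restart
        self.key_in_ram = key          # unlocked right after login
        self.protector_store = None    # persisted key copy released by biometrics/PIN, if enrolled

    def _key_is_valid(self, candidate: bytes) -> bool:
        tag = hmac.new(candidate, b"vault-key-verifier", hashlib.sha256).digest()
        return hmac.compare_digest(tag, self.key_verifier)

    def is_unlocked(self) -> bool:
        return self.key_in_ram is not None

    def lock(self) -> None:
        """Lock = drop the key from RAM; nothing on disk changes."""
        self.key_in_ram = None

    def enable_biometric_unlock(self) -> bool:
        """Enrolling copies the in-RAM vault key into the OS protector (persistent storage)."""
        if not self.is_unlocked():
            return False
        self.protector_store = self.key_in_ram
        return True

    def unlock_with_master_password(self, master_password: str) -> bool:
        candidate = derive_vault_key(master_password, self.salt)
        if not self._key_is_valid(candidate):
            return False
        self.key_in_ram = candidate
        return True

    def unlock_with_biometrics(self) -> bool:
        """Succeeds only if a persisted key copy exists: the OS releases it after the Hello prompt."""
        if self.protector_store is None:
            return False
        self.key_in_ram = self.protector_store
        return True

    def restart(self) -> None:
        """A process restart wipes RAM; the policy decides whether the persisted copy survives."""
        self.lock()
        if self.lock_with_master_password_on_restart:
            self.protector_store = None


def scenario(lock_on_restart: bool) -> dict:
    """Walk one client through enrol -> lock -> biometric unlock -> restart -> unlock attempts."""
    password = "correct horse battery staple"  # constructed sample password
    client = VaultClient(password, lock_on_restart)
    client.enable_biometric_unlock()
    client.lock()
    biometric_while_running = client.unlock_with_biometrics()
    client.restart()
    biometric_after_restart = client.unlock_with_biometrics()
    wrong_master_password = client.unlock_with_master_password("not the password")
    correct_master_password = client.unlock_with_master_password(password)
    return {
        "biometric_while_running": biometric_while_running,
        "biometric_after_restart": biometric_after_restart,
        "wrong_master_password": wrong_master_password,
        "correct_master_password": correct_master_password,
    }


if __name__ == "__main__":
    for policy in (True, False):
        print("lock with master password on restart =", policy, scenario(policy))
```

With the restart policy on, the persisted key copy is discarded when the process starts, so the only way back in is re-deriving the key from the master password; with it off, the copy in the protector store is enough, which is the behaviour the original poster observed. The model also makes the equivalence explicit: whoever can make the protector release its copy holds the vault key, so that copy deserves the same protection as the master password.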
Thanks for the suggestion. What I’m trying to understand here is whether there is some fundamental reason which makes this impossible to technically implement (Hello except on startup), or whether it just happens not to be configurable that way currently?
I suspect it has more to do with the perceived security of using Windows Hello (with hardware TPM) - it just isn’t a credible risk for regular users.
In that case, I might send a PR eventually, for allowing this scenario in the clients.