I am tired of having to retrieve a master password every couple of hours, every time I use my phone, etc. I set up PIN code access, but it never asks for a PIN. I try to set up biometric access on my phone, but the Chrome extension does not recognize it. When I try to access the website, it asks me to authenticate on my phone. I get a notice and I approve. Seems great. But then it puts me through ANOTHER authentication step using my phone and a QR code. Often, I am asked to authenticate AGAIN on my phone, with yet another password entry.
I appreciate security, but if you want the user to choose complex passwords, you cannot make the product THIS hard to authenticate so that they have to both remember the passwords, enter them several times, and go through all these steps.
Your experience does not seem normal, but it is a bit difficult to understand what is happening, especially since you appear to be talking about three different Bitwarden apps (mobile app, Web Vault app, and browser extension).
First, please be aware that every app and browser extension works independently of the others — unlocking one app or extension does not unlock any of the others.
Second, it sounds like one of your problems may be related to the possibility that you have set your Vault Timeout Action to “Log Out” instead of “Lock”. This would explain why you are not prompted to unlock with a PIN, and would explain why you are using “Login with Device”, and it would explain why you are being asked for 2FA (mobile passkey by QR code).
Thus, I would recommend that you check the preferences and account security settings, and set the Vault Timeout Action to “Lock” (remember that you have to do this for every installed Bitwarden app or browser extension, because they are all independent entities). This will allow you to set up a PIN for unlocking the apps.
Normally, you would still have to enter the full master password the first time that you unlock an app after restarting it, or the first time that you use a browser extension after restarting a browser. If you are willing to trade some security for convenience, you can disable this behavior by disabling the option “Lock with master password on restart” when setting up your unlock PINs.
Finally, the Web Vault app does tend to fully log out whenever you close the browser tab where you had logged in. Thus, the “Login with Device” option can be convenient for accessing the Web Vault (passwordless login with a Yubikey is also possible). If you use “Login with Device”, then you should make sure that you check the “Remember Me” option on the two-step login authentication prompt. That will waive the 2FA requirement for 30 days on that browser.