Hi, in iOS 18 there’s a new option to add FaceID lock to almost any app.
I tried adding this to Bitwarden, which already has its own FaceID unlock, as a second extra layer of security, double FaceID.
Now the problem is that, when using this in Safari for user/password autocomplete, only the first FaceID is triggered (the new iOS 18 one), but not the second one, the one from Bitwarden; you have to tap the “Unlock with FaceID” button.
I know this is just a minor thing, maybe not even a bug, but wanted to let you know about this behaviour.
Except, you’re wrong? The iOS implementation requires a matching face to unlock. No other option to bypass. No passcode option. Matching face or you’re not getting in. Period. As opposed to varying unlock combinations with the app’s implementation.
This being said, I trust iOS to implement FaceID based authentication much more securely, safely, and correctly than I do a bunch of BW iOS devs. You clearly are not industry.
OP I am with you in noticing this and much rather have the app be in a permanent state of being “fully unlocked” and then gated only by the iOS 18 native implementation. Unfortunately for us, this is not made possible given the app’s current design.
So is the support model of this product ignoring problems until people stop complaining about them or until people are forced to leave and find something better?
“Ask the community” is a group of your peers (e.g. other Bitwarden customers) that volunteer to help those with problems/questions. So is r/Bitwarden. It is not reasonable to beat up volunteers.
The need to tap the button likely comes from a requirement to demonstrate “authentication intent”. Here is how NIST describes it in their current draft (SP 800-63B-4, section 3.2.8):
The presentation of biometric characteristics does not always establish authentication intent. For example, using a front-facing camera on a mobile phone to capture a face biometric does not constitute intent, as it can be reasonably expected to capture a face image while the device is used for other non-authentication purposes. In these scenarios, an explicit mechanism (e.g., tapping a software or physical button) SHALL be provided to establish authentication intent.