iOS password fill problem

I have a yubikey 5c nfc.
Set bitwarden app to log out after 5 minutes, and enabled FaceID for unlock

Log into bitwarden app, prompts for login and yubikey. All work

Don’t log out

Within 5 minutes, open another app, when iOS prompts for password, click “passwords”, launches bitwarden.

Here’s where the problems occur.

  1. Bitwarden is asking me to log in again.
  2. After providing email and password, prompts for yubikey NEO and doesn’t recognize my 5c NFC. See screenshot.

I am unable to log into the app this route and must open bitwarden app, copy credentials and paste into the other app. If it’s been longer than 5 minutes I have to log in and use yubikey.

What I feel should happen is FaceID should unlock bitwarden if under 5 minutes or, if after, the login process should allow my 5c nfc to unlock.


You seem to have conflicting statements here. Are you wanting this to Log out or Lock after your timeout?
For more details see Understanding unlock vs. log in

Kent, my concern is ALWAYS having bitwarden set to lock and unlock via FaceID. This does not protect my vault in the event someone with knowledge of my PIN gets ahold of my phone. They can just add a new face and log into bitwarden.
My yubikey in this instance would be of no help.

The settings as follows seem to suggest I should be able to authenticate once through login, using my yubikey, then use FaceID to unlock until the vault timeout triggers. This would then require login with yubikey.

Below set to 1 hour

  1. Vault timeout - 1 hour
  2. Vault timeout action - log out
  3. Unlock with faceid - on

The problem I have with this setup is bitwarden is prompting me to log in when I auto fill but not accepting my yubikey. I have to log into the app to retrieve my credentials.

Once I have logged into the app, I still can’t use auto fill because it prompts me to log in again and fails on yubikey challenge.

However, FaceID works for unlocking the app until hour expires. So the settings work in app, but not when utilizing auto fill.

In a nutshell, bitwarden is forcing me to bypass 2FA when using a mobile device. It’s relying on biometrics that are not as secure as the yubikey which I have enabled on web logins.

This portion is a bit confusing to me, as I understand that once the vault or your mobile app has reached its Timeout setting, it should require whatever you have set, either Lock or Log out. If the app is logged in and unlocked, then during that 1 hour time frame you have set, the app should remain unlocked and allow you to open, access your logins, and auto-fill without needing to authenticate again.

I do not currently have an iOS device though to test with, either to reproduce or see how the login and auto-fill flows may function especially with Face ID or Touch ID.

Regarding this portion, I would say that is likely not the intended behavior here, especially if this fails to auto-fill. If that is the case, it is likely you are experiencing a bug, for which it is best to file a bug report on GitHub.
Try to be as detailed as possible, and if you can possibly try to include any relevant information such as software and app versions, device type, and any screenshots or video captures of the issue happening so the Bitwarden team can hopefully reproduce the issue.