I have just started to use the “Log in with Device” option in the Bitwarden extension in Edge. But I have an issue.
When I click to “Log in with Device” in the extension, on my unlocked Android phone I receive a notification “Login Requested: Confirm logon …” When I click on this notfication Bitwarden will open on the phone, but if Bitwarden is not already unlocked, it will prompt for my fingerprint as usual. If I present my fingerprint, Bitwarden unlocks but now I am just at the vault screen and don’t get taken to the “Are you trying to log in” page with the “Confirm Login” button. I can resend the notification a second time and approve at the second attempt.
If I DON’T provide my fingerprint and click in the background of Bitwarden, I get taken to the “Are you trying to login” page and can approve, but now Bitwarden on the phone doesn’t ask me for my fingerprint and I can only unlock Bitwarden on the phone by entering the master password.
I think I have quite a low vault timeout (about 15 mins) so often get asked for my fingerprint on the phone
I see this same behavior on Chrome while using Android. The “Confirm Login” screen is so fast that sometimes I can’t get to it before it times out. I don’t know of any way to adjust the timeout. This seems like something that Bitwarden should improve.
I’m not exactly sure what you are describing. Are you saying that you ignore the Android notification and then bring up Bitwarden that is already running in the background? It would help if you could provide more detailed instructions for this.
So as of today (2/3/22) the sign in flow for me has changed.
“Sign in with Device” from Edge Browser extension
Notification appears on phone (Pixel 6A, Android 13)
Notification launches Bitwarden app on phone
Bitwarden requests fingerprint, but NO “Log in requested” screen now appears behind it
Get taken to My Vault screen briefly
“Login Requested” screen then pops up on phone and I can confirm logon.
This is how I would expect it to behave.
To be able to bypass the fingerprint request and skip straight to providing the “confirm request” action, as has been happening this week, didn’t strike me as being very secure.