Is this possible as long as Bitwarden is an electron app? I can’t think of one that can communicate across the system like that between two separate pieces of software, albeit one is an extension.
Login to browser extensions when logging into desktop app and vice versa
Browser extension and desktop app communication is part of biometrics, so they are definitely able to
What’s the state of this? I’m a little confused after the latest updates and preferences.
Once again, using the Mac App Store version Version 1.24.5 (513) and Safari extension 1.48.1. I just switched back from the non-app store version.
I saw the Bitwarden.app preference to “Enable browser integration” but I’m still being prompted for master password to sign in to the extension within Safari.
Where should the user expect to see Bitwarden use biometrics while using Safari 14.0.2?
macOS 11.1, M1 MacBook Pro.
Safari will come later, we have to update a few items but are well on our way.
Is this still in the cards?
I use multiple web browsers simultaneously (Brave, Vivaldi, Edge, Edge Insider, etc.), and it’s irritating to have to unlock my vault on each one individually. I get why the vault is locked when I close a browser, and for cases where I don’t also have the desktop app installed, this is definitely my preferred behavior.
But I do know that on at least some web browsers, extensions are allowed to communicate with native desktop applications. (For example, the MEGA extensions can have the MEGAsync desktop app handle downloads instead of doing it themselves. And the extension continues to inform the user of download progress.)
So, if a user has the Bitwarden desktop application installed, it would be useful to have the browser extensions rely on the desktop’s state for whether or not the vault is unlocked.
A great thing will be to change the extensions’ working scheme or add a new kind of extension that could work this way: instead of opening the vault with the browser’s extension, the main desktop application (for example: Bitwarden’s Windows desktop application) takes care of the vault management and opens a communication channel with the browser’s extension that just takes care of things like form filling and saving new entries.
Keepass can do it with some plugins/extension. Roboform 8 works like this. Sticky Password too. That’s 2 examples but I believe that 1Password may do it also. Maybe more.
I think that it is far easier to care about memory safety on the fewest levels possible. If you keep the vault in the OS, you don’t have to look for browser flaws at the same time as the OS’s ones.
At the same time, you avoid having the need for opening the vault in RAM twice to work with the desktop’s client for some purposes that are easier with it, and, with the extension to browse through web. So, it is obvious that it is hardware’s resources saving.
Another advantage of this setup is that it may be useful to improve Bitwarden faster by focusing on actions specific to apps or extensions without the necessity of working the same feature twice. I could also add the fact that the Firefox for Android addon would immediately benefit from it by enabling unlocking the vault with fingerprints already available with the full app.
Finally, some security experts have written that encryption is not safely handled in browsers. It is considered that it is better to avoid browser extensions to encrypt/decrypt vaults.
Hear, hear. I highly second this. And I would also add that pin code login and theme and settings should also travel across devices. I find it counterintuitive to have to set up pin login in each browser on each device.
I gotta disagree on PIN login for the same reason Microsoft doesn’t do it for Windows: a shared PIN is inherently, and extremely, insecure. That said, I feel physical security keys are secure enough to replace passwords outright, and even more so if you had to use said key on a trusted device. (For example, instead of plugging my Feitian FIDO U2F key into my computer, send a notification to my phone and require PIN or fingerprint, PLUS tapping the key to the NFC reader.)
I don’t see how syncing the pin from desktop app to browser plugin on the same system should be a security issue. Can’t both the plugin and the app be set up to access the same data files? As to sharing across the cloud, actually Windows lets you enter a pin and syncs that across the cloud. Any data passing from the Bitwarden server to the mobile app would be strongly encrypted, plus the master password would need to be entered first, so that’s probably strong enough security in my case. I don’t think I need to go to those extremes to log into my account to order a pizza at the local pizza place lol
Not only from a security-perspective, but also from a usability-perspective, this seems much better. I’ve used keepass this way and it’s a much nicer user-experience. I also wondered why I have to authenticate again after I logged into the desktop already. I’m an IT person, so I know how it works, but from a user-perspective, I’ve identified myself already, why do I have to do it over and over? Wasn’t it clear it was me?
Of course, I don’t mind reauthenticating to Bitwarden as it’s the main keeper of the passwords, but not in every application that I would like to use it …
So, I’m a big supporter of this.
Off topic a bit, but the usability of keepass needs to drastically improve for family-usage. I bought a family- and premium-bitwarden license, but I can’t see bitwarden currently being used by my family due to the usability-issues, although I like its architecture and opensource/security-perspective. So, I hope it will improve. I’ll probably switch to Lastpass until then.
I agree with you. My point is that this is the type of improvement that most common people won’t fully understand. For that reason, it will be hard to gain votes for this request and see it realized. I already wrote to Kyle Spearrin to explain my point, but I haven’t got an answer… I will try to ask him what he thinks about it soon.
By now, if you know a way to promote this thread, I’ll be really interested to know.
I don’t think that requiring the desktop app to be installed would be a great benefit.
Some users, mainly in corporate environment, are not allowed to install arbitrary executables on their computer. I’m currently in one of those environments, and I can use BW because it just takes the form of a browser extension which my company doesn’t enforce any control on.
Though, I do feel like allowing the desktop app and the extension to talk if they’re both installed would be very nice. That would allow to unlock once and use both apps for example.
There are already some feature requests related to this, see:
Also, I’m out of votes but I do support the idea
Same with me! I switched to “Bitwarden” because I’m able to only use the browser extension at work. I’m not allowed to install any software on my laptop at work. That’s why I’m not able to use “Sticky Password”. Because I need to have the desktop app installed to use the browser extension.
“1Password” has got 2 browser extensions - the legacy extension needs the desktop app to be installed and the new extension is able to work without desktop app.
At home I’m using the Bitwarden desktop app and the browser extension for Vivaldi. I would love to only have to unlock one instance to unlock the other instance too. Actually I have to unlock the desktop app and the browser extension.
Very nice idea!
Maybe having an extension that allows 2 working methods: one standalone and one attached to main application if detected and/or chosen. Roboform’s Firefox add-on works this way. Or making 2 different extensions, but it will add complexity in my opinion.
I still believe that it isn’t efficient to open the database twice, but at the same time, I agree with you that it’s also important to be able to work with the extension alone.
Aren’t you able to install an application as a normal user? Maybe it’s blocked too, but I know environments where this is possible as it runs as your user and doesn’t require administrative privileges to be installed.
I’m not sure, but I think it’s possible from Microsoft’s Store. I didn’t test it though. Maybe it could be allowed or blocked by admin too.
By the way, my point is that the extension should work with the desktop app and as a standalone one if there is need to. Or, offering 2 extensions that work in the 2 needed schemes. The way I see it, it could be as simple as a switch directly on the main extension’s frame that turns it from one to another. If app is chosen, it asks for a pairing code (for example). If standalone is chosen, it acts the same way as actually.
I’m able to install but I’m not allowed! I’m only allowed to install software which is on our firm whitelist. And Bitwarden is not on this whitelist.
I’d like to see such a feature too, but not because I think it’s actually necessary. My current “problem” (it’s more of a nuisance) is that unlocking the browser extensions takes incredibly long. As far as I can tell, it downloads the entire database on every unlock, and that is what it’s taking so long. If it would use the desktop app to get the information, it wouldn’t have to download all of it on unlock first. So my request is slightly different in: either “make the extensions work faster” or “use the cached information of the desktop apps better”.
After a long time not feeding that request, I decided to feed it with an argument that matters for the power surfers more than other probably. Maybe not… there may be some other reasons than mine to do so. I always use 2 browsers at the same time for better compartmentalization of security level. To me, it means using one browser for common surfing and lesser private use and the other for job, banking, buying, etc. It allows better handling of privacy and security.
So, even if only security maniacs like me do so or someone that needs a specific browser to work but doesn’t like it as their usual one. I believe that a solid passwords manager like the one we adore (not to mention it), should help that kind of use to be easier. If the user only needs to unlock the main application to use it and all the linked extensions, it helps a lot to fasten browsing.
Also, I noticed that there’s a bug with Vivaldi’s browser extension. The Bitwarden extension isn’t working flawlessly when it comes to locking (not very cool for security though). So if the locking happens at the main application, it becomes less difficult to manage different browser extensions’ coding, considering that the differences specific to each browser won’t need a lot of code to adjust.
And, for those who need an extension in a controlled environment where it’s not possible to install the main app, the only thing needed is to make the extension work in a minimal (to make it lighter and easier to update) or complete autonomous mode when there’s no application to back it.
So, to resume the benefits:
- Stronger security at the OS level than in a browser’s environment for encryption/decryption;
- Faster (only one authentication) and easier unlocking of many instances of Bitwarden;
- Live syncing of the opened instances of the same OS done instantly as they are using the same database;
- Less RAM and CPU needed for all these instances (again, one database opened in RAM);
- Easier use of the OS features for both security and authentication capacities;
- Lesser risks of syncing conflicts;
- Easier and “probably”, lighter coding and updating of the extensions;
- Lighter extension means lighter browser if someone works with a lot of extensions opened;
- Less possibilities that some new flaws in one or many browsers (all Chromium based for example) break the extension’s security by making such flaws weaken Bitwarden’s extension. Less code, less weaknesses;
- and maybe other benefits I just don’t know…
Sure, there are cons, feel free to share those, but don’t speak about the amount needed as one of these because it can’t be a good reason to make the decision to stop working forward. That way, Bitwarden will miss its purpose for my part.