Login to browser extensions when logging into desktop app and vice versa

New premium user here, there are a few things I still need to wrap my head around, but so far I must say it’s a great app.
The only thing I can’t understand is why this feature is missing!
We really need a universal login button!! :pray:

I need this feature too… :slight_smile:
Why does it take so long? Every pw manager I used has this thing implemented… :smile:

That’s the only thing stopping our company from using Bitwarden instead of LastPass. I know LastPass is trash, but as far LastPass offers nearly the same functionality. That would be a real best seller.

Feature name

  • Global unlock

Feature function

I have Bitwarden desktop installed. I also have the Bitwarden extension installed in Firefox and Wavebox. I have to unlock the Bitwarden vault three times if I want to use it on the desktop and in Firefox and in Wavebox.
IIRC LastPass had a feature that, when the LP desktop application was installed, unlocking that would automatically unlock the browser extension(s) too.
It would be nice to have this feature in Bitwarden, too.

Any news on this?

This is difficult to solve in a secure way due to various platform limitations.

Currently we require a user interaction to ensure it was initiated by a user. If we remove this then any application on the computer could potentially retrieve the decryption key and use it to gain access to the vault data.

I have given this a little thought.
Could the extension initially always start with the “never” lock (override provided the master has been entered at installation?).
(if no internet access or no sync available lock immediately)
Then once the vault has been synced, read a set of entries from the vault with desktop “unique desktop instance identifier”, “current lock state”, “desktop lock settings”, “timestamp when last lock/unlock”, and configure the extension accordingly.

The effect is to slave the extension via the vault to the desktop. A new configuration option to allow this.
Some thought would have to be given to what happens with multiple instances of extensions and/or desktop application.

But it does open the possibility of having different browser instances with perhaps matching different desktop instances with for example different vaults.
The mind boggles with the possibilities :thinking:

The reverse could happen from the browser extension to the desktop version, though whether that is desirable is another question.

But where is the difference between the Biometric authentication and this? The extension has to trust the desktop application in both cases. And if you add the same functionality vice versa, it doesn’t really make a difference. Or does it?

If you want the extra security just mess a bit with RSA and everything should be fine :slight_smile:

Isn’t the extension able to unlock itself without a password? What does Bitwarden do when you select never lock vault?

1 Like

The never lock option stores the encryption key on disk. Which is why it has the following warning.

image

You are kidding, right?
Surely it doesn’t store the encryption key on disk in an unencrypted form.
I know that would on the face of it be an easy (well a quick & dirty) way to do it but wouldn’t it have been better to produce a token that was encrypted and renewed by the extension each and every time it is opened, and perhaps even at regular intervals or every time it is accessed or synced, sort of like a renewing ssl key pair.
The public one is used as the token which is encrypting a known sample and then decrypted with the private key to check the private key has not changed then the encrypted encryption key is loaded and decrypted and opens the vault. The ssl keys are regenerated and the encryption key is again saved with the new public key.

2 Likes

This feature will allow the browser to unlock automatically when the paired desktop app is already unlocked. It doesn’t make any sense from a security perspective to require a login/pin/biometric when the passwords are already available on the machine. By having this feature the passwords would be much more accessible while using the internet.

Saying “this is difficult” ignores that all the other major password managers that I know of do this seamlessly. My employer just pushed out Bitwarden to employees, so I’m exploring it compared to my currently self-funded 1Password account. Bitwarden looks like a compelling alternative and I’d probably switch my personal stuff to it as well, but I won’t because of this issue of having to unlock everything independently.

As a developer on (macOS) desktop, I don’t have any biometrics to make it simpler, so I want to be able to unlock my vault once per day (or per machine wake) with my insane master password and then be good in multiple browsers and the app.

1 Like

Hi @TheDan - welcome to the community forums.

To be fair, the full context of that comment was “This is difficult to solve in a secure way…” Just because other password managers accomplish this, there is no way to know if they do it in a secure way.

Bitwarden seems to be much more security conscious than their competitors, in part because they undergo security audits and their codebase is open source so everyone can verify how they accomplish something, which isn’t true of the competition. Personally, I would MUCH rather have a purely “convenience feature” not be implemented if it exposes a security risk.

I think most of the discussion above assumes that the browser extension does full decryption of the vault itself and thus needs to receive the key from something to do that. At least one other such arrangement that I do know the code internals of merely gateways requests from the browser to the running app. The communication between the two is authorized once, encrypted, and the browser extension is merely a client, not a full implementation, and thus does not have full capabilities or access.

And yes, some people will want to type their 24-character password every single time they fill a field, but not everyone does. Just like the above-referenced warning about the implications of “never unlock”, you don’t want to eliminate that use-case on principle, you just need to warn about the implications.

Anyway, just MHO about what would make Bitwarden usable for me (and sounds like I’m not alone).
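
The arrangement described in the post above (the extension as a thin client of the running desktop app, paired once), sketched as an added example that is not part of the thread and is not Bitwarden's or any other product's code. `DesktopBroker`, `ExtensionClient` and the message fields are hypothetical names, the vault entry is constructed, and channel encryption is left out to stay within the standard library.

```python
import hashlib, hmac, json, secrets

class DesktopBroker:
    """Hypothetical desktop app: the vault and its key never leave this process."""
    def __init__(self, vault):
        self._vault = vault        # origin -> credential (constructed sample data)
        self._pairings = {}        # client_id -> [pairing_secret, last_counter]
        self.locked = True

    def pair(self, client_id, user_approved):
        # One-time authorization: only a user-approved pairing yields a secret.
        if not user_approved:
            raise PermissionError("pairing needs user approval")
        secret = secrets.token_bytes(32)
        self._pairings[client_id] = [secret, 0]
        return secret

    def handle(self, client_id, body, tag):
        pairing = self._pairings.get(client_id)
        if pairing is None:
            return {"error": "unpaired"}
        expected = hmac.new(pairing[0], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return {"error": "bad-mac"}
        req = json.loads(body)
        if req["counter"] <= pairing[1]:   # reject replayed or reordered requests
            return {"error": "replay"}
        pairing[1] = req["counter"]
        if self.locked:
            return {"error": "locked"}
        # Only the entry for the requesting origin is returned, never the key.
        return {"credential": self._vault.get(req["origin"])}

class ExtensionClient:
    """Hypothetical extension side: holds a pairing secret, not the vault key."""
    def __init__(self, client_id, secret):
        self.client_id, self._secret, self._counter = client_id, secret, 0

    def request(self, broker, origin):
        self._counter += 1
        body = json.dumps({"origin": origin, "counter": self._counter}).encode()
        tag = hmac.new(self._secret, body, hashlib.sha256).digest()
        return broker.handle(self.client_id, body, tag)
```

A process without the pairing secret gets `unpaired` or `bad-mac`, and even a paired client receives one entry per request while the app is unlocked, which is the difference from handing the extension the decryption key.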

I created an account just to upvote this feature.

I currently use the Chrome extension, but have separate Chrome personas (work/private). Every time I close Chrome, my vault for that persona locks.

I downloaded the desktop app for windows, thinking it would allow me to keep my vault unlocked between browser restarts. The ‘Allow browser integration’ setting kind of seems to imply that.

Hey @roelofvandervaart you can have multiple Chrome profiles open at the same time, if you’re keeping your desktop vault open at all times, can you provide more detail on the need to close the Chrome browser?

Hey @dwbit I know I can keep them open simultaneously and I do throughout the day.
However, on occasion, one needs to close a browser, right? Be it that Chrome hogs a lot of memory, or has an update available, which will be installed upon restart, or whatever reason.

That’s beside my point.

The whole reason I downloaded the desktop app is that I thought (hoped) it might keep my browser sessions active as well. I have a really long and complicated master password and it’s annoying to have to type it in every time I close Chrome.

Gotcha, thanks for clarification! The team is also working on other passwordless authentication options for this year’s roadmap, which means if you have the mobile app, you’ll be able to tap to login in that way. For now, I’ve passed your feedback along to the team.

I was also surprised that logging into the Desktop app did not log you automatically into the Bitwarden extension. I think it is also important for security reasons: people want to think “did I lock/unlock my Bitwarden vault?” not “did I lock/unlock my Bitwarden vault on the desktop? and then did I lock/unlock my Bitwarden vault in Chrome extension?”

For information, 1Password is behaving exactly like that: you unlock/lock once and everything is unlocked/locked (desktop application and browser extension).

1 Like