Login to browser extensions when logging into desktop app and vice versa

When the extension and desktop app first connect to each other, each of them is unlocked and has the current keychain key in memory, right? Now both of them generate a random key and encrypt the current keychain key. They can safely store it next to the keychain. Then they exchange the randomly generated keys and forget them. So it looks like this:
Extension (Random Key from Desktop App (RK1), Encrypted keychain key with RK2)
Desktop App (Random Key from Extension (RK2), Encrypted keychain key with RK1)

The Random Keys RK1 and RK2 can be stored in the keychain, because they are needed to unlock the other. So when, e.g., you start the Desktop App, you unlock the keychain and RK2 becomes accessible. Now you start Chrome and the extension asks the Desktop App for an unlock key. The Desktop App can safely provide it, because it knows that nobody can do anything with the key unless he has the encrypted version, as the Extension does. Now the extension has got RK2 and has locally stored the keychain key encrypted with RK2. It can decrypt the keychain key and unlock the keychain.

With a bit of refinement, e.g. RSA encrypted communication, only provide the randomly generated key once and delete it after retrieval

Please add that feature. Look, you guys recommend a long master password, but a long master password takes a long time to enter. This is really annoying in my opinion, that you waste your time with putting in your password each time you start your browser.

3 Likes
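The exchange described in the first post above, modelled as an added example (not part of the original post and not Bitwarden's code). The `Client` class and its method names are hypothetical, and the HMAC-based `wrap`/`unwrap` is a standard-library stand-in for an authenticated cipher such as AES-GCM; it assumes a 32-byte keychain key and a random key used for one wrap only.

```python
import hashlib, hmac, secrets

def _subkey(rk: bytes, label: bytes) -> bytes:
    return hmac.new(rk, label, hashlib.sha256).digest()

def wrap(rk: bytes, keychain_key: bytes) -> bytes:
    # Stand-in for AES-GCM: one-time pad derived from rk, plus an HMAC tag.
    if len(keychain_key) != 32:
        raise ValueError("this sketch only wraps 32-byte keys")
    ct = bytes(a ^ b for a, b in zip(keychain_key, _subkey(rk, b"enc")))
    return ct + hmac.new(_subkey(rk, b"mac"), ct, hashlib.sha256).digest()

def unwrap(rk: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:32], blob[32:]
    expected = hmac.new(_subkey(rk, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong random key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _subkey(rk, b"enc")))

class Client:
    """Hypothetical model of one side (browser extension or desktop app)."""
    def __init__(self, keychain_key: bytes):
        self.keychain_key = keychain_key  # in memory only while unlocked
        self.wrapped_own = None           # stored on disk next to the keychain
        self.peer_rk = None               # stored inside the keychain

    def start_pairing(self) -> bytes:
        rk = secrets.token_bytes(32)
        self.wrapped_own = wrap(rk, self.keychain_key)
        return rk  # handed to the peer, never kept locally

    def lock(self):
        self.keychain_key = None

    def release_peer_rk(self) -> bytes:
        if self.keychain_key is None:
            raise PermissionError("locked: peer key sits inside the keychain")
        if self.peer_rk is None:
            raise LookupError("already released once; pair again")
        rk, self.peer_rk = self.peer_rk, None  # provide once, then delete
        return rk

    def unlock_with(self, rk: bytes):
        self.keychain_key = unwrap(rk, self.wrapped_own)

def pair(a: Client, b: Client):
    rk_a, rk_b = a.start_pairing(), b.start_pairing()
    a.peer_rk, b.peer_rk = rk_b, rk_a  # each side holds only the other's key
```

The model leaves out the transport between the two processes, which is where the post's "RSA encrypted communication" refinement would apply.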

Feature name

  • REAL Browser Integration

Feature function

  • What will this feature do differently?
    • Browser extensions connect with desktop client so that it can automatically pull usernames and passwords from desktop client, just like KeePassXC’s browser extension.
  • What benefits will this feature bring?
    • No more login or unlock when desktop client is unlocked
  • Remember to add a tag for each client application that will be affected

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature?
    • No.
  • Are there any references to this feature or function on other platforms that may be helpful?

Yep. This is really annoying. I had 1Password, and I do not remember this problem. Too many sign-ins.

This very same behaviour occurs on all 3 OSes:

  • Windows,
  • Linux,
  • macOS (up to Monterey; haven’t tested on Ventura)

I would love this feature too.
Just switched from 1Password, this is the very only feature I miss from before.

I have just moved from lastpass due to concerns from security breaches and this is the first major feature I feel is missing. Everything else so far has been easy.

This would be a huge quality of life improvement. I support this suggestion.

I’ve just switched from Lastpass and I don’t understand why this feature does not exist in Bitwarden.

Maybe because Lastpass has been developing their product since 2009 and currently has over 500 employees, while Bitwarden has only been around since 2016, starting as a one-man operation.

And because there are some security issues to be overcome - Bitwarden takes those very seriously. LastPass, well…

Thanks for the feedback all, just a reminder that to use biometrics to authenticate into the browser extension, the desktop app need only be open and can remain locked for the functionality to work, rest assured the feedback has been passed along to the team.

1 Like

I just migrated from 1password to bitwarden a week ago, and am loving it! except the need for real browser extension integration. other than that, I see bitwarden as a real great upgrade because of many features I really like. I have been looking for an exit strategy from 1password ever since they began the move to a forced migration to cloud based only. I stopped syncing my 1password in dropbox or even iCloud long ago and there’s NO WAY I am going to be forced to put all my passwords in the cloud! It’s simple… there is no cloud, just other people’s computers :grin: took a bit of tinkering over the last week, but I am running bitwarden in proxmox (big proxmox fan), with docker installed on a debian 11 turnkey core LXC container, then portainer and bitwarden on docker. initially set up with a self signed ssl certificate, but took a deep dive into figuring out how to upgrade that ssl to a letsencrypt ca wildcard issued through my pfsense router with the help of acme and haproxy. steep learning curve, but now I suspect I could spin it all up in an hour from scratch. I upgraded to bitwarden premium as soon as it was installed and imported all my 700ish passwords without a hiccup.

I don’t love unlocking each of my browser extensions multiple times a day, but I am surprised that after reading almost all the above comments that no one mentioned the biggest problem this creates… I have the desktop app set to vault timeout = on system lock and so when I step away from my mac, I start the screensaver, which locks my vault, which works great, just like 1password, but the browser extension doesn’t have that option :exploding_head: that creates a real problem with how to set the vault timeout on the browser extension. I first discovered that when I came back to the mac, unlocked the mac and discovered my bitwarden app was locked but my browser extension wasn’t! this is bad. now I have to make a super aggressive browser extension timeout just to have a reasonable level of physical security.

would this work https://unlox.it to enable biometrics on 2021 mac mini? if not, is there another way?

Hey Jeff, just to clarify, when using biometrics to unlock your browser extension, your desktop app can stay in a locked state if that improves the flow.

that was clear, what wasn’t is how to do biometrics on a mac, but I think I figured it out. $200 keyboard for system level unlock or $50ish usb dongle for password managers like bitwarden only.

Like many others, after Lastpass’s breach of Trust, I converted to Bitwarden. I’ll have to say Lastpass is very refined compared to Bitwarden - making the switch is a little alarming in the usability department. The basic usability features that Lastpass has had for a very long time seem to be lacking in Bitwarden. The fact that this thread has been 5 years without any action from Bitwarden is a little alarming. We’ve built a whole (large) company from scratch and reached maturity with less than 10 developers in less time. Makes me second guess the switch.

2 Likes

I support this feature. Bitwarden becomes cumbersome when dealing with multiple browser profiles and multiple browsers. I have 3 profiles in Edge plus Chrome, Firefox and Vivaldi. Every time I switch to a different profile or browser, I have to login (with biometric). It is quite annoying when I have to login 6 times after each system reboot when I should be able to do it once. Sometimes I have gotten too lazy and I just use 1password instead, but I prefer to use Bitwarden as my main password manager.

Hi,

I would think it should be possible to implement this securely. One idea would be that when setting up the client (stand-alone application) and the browser plugin/extension, they would be paired in some way, and then in the future, if the client is running when the extension starts, it would unlock the vault. In this scenario, no other application would be allowed to do this, only the browser extension that has been “paired” with the client. (This is just an idea, don’t know if it’s the best possible solution.)

The pairing should be made to work also with multiple identities (multiple profiles in browsers / multiple vaults or whatnot in Bitwarden). I’m suggesting that each identity may be paired to one or multiple vaults, and each vault may be paired to one or multiple identities (each of these pairings may be done one at a time, of course). I’m not proposing any specific implementation here, only commenting that this type of functionality should also exist (provided that the “pairing” functionality exists at all)…

Also, when opening the web vault from the browser extension (or client) (when the vault is unlocked), the web vault should be unlocked automatically. This should also be possible to do securely (SSO).

The key thing is probably this: the app asking for the unlock (app A) has to be securely identified in some way by the granting app (app B), and then “app B” gives some kind of secure message back to “app A” (or if not granting, an error message or no message at all).

I’m not familiar with developing browser extensions, secure messaging (protocols) and other knowledge that’s needed here, but as a CS student I’d say I know enough to know that it’s possible.

One option could also be to send a vault unlock request to the user’s phone, provided that the user has bitwarden installed and set-up on the phone. This would be nice also for unlocking the desktop app (so I could use my fingerprint instead of the cumbersome password). I suppose phones (as devices) are considered more “personal” than computers, anyway… (even though I personally also consider computers to be quite personal, at least when talking about personal computers – just like a musical instrument (you don’t even touch another’s musical instrument without first asking permission))

Hey Folks,

I thought I was missing something in the settings, but now I see we’re missing this feature completely, bummer. Please let us know when this feature will be available or if you guys are working on it, or considering to work on it.

In my current job we’re using 1Password, before that in another company we used LastPass. Both of them feel bloated compared to BitWarden, and I like open source things, but missing this feature hurts.

Keep it up, and please let us know,
Cheers

This feature needed to be added yesterday. I’m moving over from KeePassXC to help sync passwords with my family and I was alarmed to find that a project as well funded as Bitwarden, compared to KeePassXC does NOT have this feature. Embarrassing for you actually. And embarrassing for me having jumped the gun on BW and adding some disappointment to my family, and myself for having to constantly enter my massive passphrase. You guys seem to care little about what the community wants. I was super hesitant to use BW because you guys are doing the same thing with this feature that you did with argon2id. Sit on it for years with virtually no response. But the Lastpass debacle sure made you giddyup with argon2id. Maybe shame and trying to save face is your motivator.