Login to browser extensions when logging into desktop app and vice versa

When extension and desktop app first connect to each other, each of them are unlocked and have the current keychain key in memory right? Now both of them generate a random key and encrypt the current keychain key. They can safely store it next to the keychain. Than they exchange the random generated keys and forget them. So it looks like this:
Extension (Random Key from Desktop App (RK1), Encryped keychainkey with RK2)
Desktop App (Random Key from Extension (RK2), Encryped keychainkey with RK1)

The Random Keys RK1 and RK2 can be stored in the keychain, because they are needed to unlock the other. So when eg. you start the Desktop App you unlock the keychain and RK2 gets accessible. Now you start Chrome and the extension asks the Desktop App for an unlock key. The Desktop App can safely provide it, because it knows that nobody can do something with the key unless he has the Encryped version as the Extension does. Now the extension got the RK2 and has locally stored the keychainkey encrypted with RK2. It can decrypt the keychainkey and unlock the keychain.

With a bit of refinement, eg. RSA encrypted communication, only provide the random generated key once and delete it after retriveal

Please add that feature. Look you guys recommend a long master password, but a long master password takes a long time to enter. This is really annoying in my opinion, that you waste your time with putting in your password each time you start your browser

3 Likes

Feature name

  • REAL Browser Intergration

Feature function

  • What will this feature do differently?
    • Browser extensions connect with desktop client so that it can automatically pull usernames and passwords from desktop client, just like KeePassXC’s browser extension.
  • What benefits will this feature bring?
    • No more login or unlock when desktop client is unlocked
  • Remember to add a tag for each client application that will be affected

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature?
    • No.
  • Are there any references to this feature or function on other platforms that may be helpful?

Yep. This is really annoying. I had 1Password, and I do not remember this problem. Too many sign-ins.

This very same behaviour occurs on all 3 OSes:

  • Windows,
  • Linux,
  • macOS ( upto Monterey; havent tested on Ventura )

I would love this feature too.
Just switched from 1Password, this is the very only feature i miss from before.

I have just moved from lastpass due to concerns from security breaches and this is first major feature I feel is missing. Everything else so far as been easy.

This would be a huge quality of life improvement. I support this suggestion.

I’ve just switched from Lastpass and I don’t understand why this feature does not exist in Bitwarden.

Maybe because Lastpass has been developing their product since 2009 and currently has over 500 employees, while Bitwarden has only been around since 2016, starting as a one-man operation.

And because there are some security issues to be overcome - Bitwarden takes those very seriously. LastPass, well…

Thanks for the feedback all, just a reminder that to use biometrics to authenticate into the browser extension, the desktop app need only be open and can remain locked for the functionality to work, rest assured the feedback has been passed along to the team.

1 Like

I just migrated from 1password to bitwarden a week ago, and am loving it! except the need for real browser extension integration. other than that, I see bitwarden as a real great upgrade because of many features I really like. I have been looking for an exit strategy from 1password ever since they began the move to a forced migration to cloud based only. I stopped syncing my 1password in dropbox or even iCloud long ago and there’s NO WAY I am going to be forced to put all my passwords in the cloud! It’s simple… there is no cloud, just other peoples computers :grin: took a bit of tinkering over the last week, but I am running bitwarden in proxmox (big proxmox fan), with docker installed on a debian 11 turnkey core LXC container, then portioner and bitwarden on docker. initially setup with a self signed ssl certificate, but took a deep dive into figuring out how to upgrade that ssl to a letsencrypt ca wildcard issued through my pfsense router with the help of acme and haproxy. steep learning curve, but now I suspect I could spin it all up in an hour from scratch. I upgraded to bitwarden premium as soon as it was installed and imported all my 700ish passwords without a hiccup.

I don’t love unlocking each of my browser extensions multiple times a day, but I am surprised that after reading almost all the above comments that no one mentioned the biggest problem this creates… I have the desktop app set to vault timeout = on system lock and so when I step away from my mac, I start the screensaver, which locks my vault, which works great, just like 1password, but the browser extension doesn’t have that option :exploding_head: that creates a real problem with how to set the vault timeout on the browser extension. I first discovered that when I came back to the mac, unlocked the mac and discovered my bitwarden app was locked but my browser extension wasn’t! this is bad. now I have to make a super aggressive browser extension timeout just to have a reasonable level of physical security.

would this work https://unlox.it to enable biometrics on 2021 mac mini? if not, is there another way?

Hey Jeff, just to clarify, when using biometrics to unlock your browser extension, your desktop app can stay in a locked state if that improves the flow.

that was clear, what wasn’t is how to do biometrics on a mac, but I think I figured it out. $200 dollar keyboard for system level unlock or or $50ish usb dongle for password managers like bitwarden only.

Like many others, after Lastpass’s breach of Trust, I converted to Bitwarden. I’ll have to say Lastpass is very refined compared to Bitwarden - making the switch is a little alarming in the usability department. The basic usability features that Lastpass has had for a very long time seem to be lacking in Bitwarden. The fact that this thread has been 5 years without any action from Bitwarden is a little alarming. We’ve built a whole (large) company from scratch and reached maturity with less than 10 developers in less time. Makes me second guess the switch.

1 Like

I support this feature. Bitwarden becomes cumbersome when dealing with multiple browser profiles and multiple browsers. I have 3 profiles in Edge plus Chrome, Firefox and Vivaldi. Everytime I switch to a different profile or browser, I have to login (with biometric). It is quite annoying when I have to login 6 times after each system reboot when I should be able to do it once. Sometimes I have gotten to lazy I just use 1password instead but I prefer to use Bitwarden as my main password manager.

Hi,

I would think it should be possible to implement this securely. One idea would be that when setting up the client (stand-alone application) and the browser plugin/extension, they would be paired in some way, and then in the future, if the client is running when the extension starts, it would unlock the vault. In this scenario, no other application would be allowed to do this, only the browser extension that has been “paired” with the client. (This is just an idea, don’t know if it’s the best possible solution.)

The pairing should be made to work also with multiple identities (multiple profiles in browsers / multiple vaults or whatnot in Bitwarden). I’m suggesting that each identity may be paired to one or multiple vaults, and each vault may be paired to one or multiple identities (each of these pairings may be done one at a time, of course). I’m not proposing any specific implementation here, only commenting that this type of functionality should also exist (provided that the “pairing” functionality exists at all)…

Also, when opening the web vault from the browser extension (or client) (when the vault is unlocked), the web vault should be unlocked automatically. This should also be possible to do securely (SSO).

The key thing is probably this: the app asking for the unlock (app A) has to be securely identified in some way by the granting app (app B), and then “app B” gives some kind of secure message back to “app A” (or if not granting, an error message or no message at all).

I’m not familiar with developing browser extensions, secure messaging (protocols) and other knowledge that’s needed here, but as a CS student I’d say I know enough to know that it’s possible.

One option could also be to send a vault unlock request to the user’s phone, provided that the user has bitwarden installed and set-up on the phone. This would be nice also for unlocking the desktop app (so I could use my fingerprint instead of the cumbersome password). I suppose phones (as devices) are considered more “personal” than computers, anyway… (even though I personally also consider computers to be quite personal, at least when talking about personal computers – just like a musical instrument (you don’t even touch another’s musical instrument without first asking permission))

Hey Folks,

I thought I was missing something in the settings, but now I see we’re missing this feature completely, bummer. Please let us know when this feature will be available or if you guys are working on it, or considering to work on it.

In my current job we’re using 1Password, before that in another company we used LastPass. Both of them feels bloated compared to BitWarden, and I like open source things, but missing this feature hurts.

Keep it up, and please let us know,
Cheers

This feature needed to be added yesterday. I’m moving over from KeePassXC to help sync passwords with my family and I was alarmed to find that a project as well funded as Bitwarden, compared to KeePassXC does NOT have this feature. Embarrassing for you actually. And embarrassing for me having jumped the gun on BW and adding some disappointment to my family, and myself for having to constantly enter my massive passphrase. You guys seem to care little about what the community wants. I was super hesitant to use BW because you guys are doing the same thing with this feature that you did with argon2id. Sit on it for years with virtually no response. But the Lastpass debacle sure made you giddyup with argon2id. Maybe shame and trying to save face is your motivator.