Logout if not unlocked in timeframe

Feature name

  • Logout if not unlocked in timeframe

Feature function

  • What will this feature do differently?
    • Clear local vault and session if not recently successfully unlocked
  • What benefits will this feature bring?
    • App secures itself when not used for some configurable timeframe
  • Remember to add a tag for each client application that will be affected

Human Description

Want to be able to always do PIN unlock, but if I don’t unlock BW for “a while” it will assume I’ve lost the device.

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature?

There is currently a mechanism for this, but the times aren’t configurable:

https://bitwarden.com/help/article/security-faqs/#q-how-long-does-bitwarden-cache-session-information

I see “Offline Vault sessions will expire after 30 days”, but I’m not sure what this implies.

  1. What is an “Offline Vault session”? In the context of this feature, the device might still have network access. Would this be “online” or “offline”? etc.
  2. What does “expire” imply in this context? Can you still use the master password to unlock an “expired offline session”?
  3. Is the local vault cleared at any point without user action?

  1. When you log in/authenticate, your session is valid for those time periods without reauthentication. If the device can sync with your Bitwarden instance, it would be ‘online’.
  2. Expiration means that the session is ended and the vault data is deleted, the same as a ‘logout’.
  3. Yes, when the session expires 🙂
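
The requested behaviour as an added example (not part of the thread and not Bitwarden's code): PIN unlock stays available while the last successful unlock falls inside a configurable window, and the local vault and session are cleared once it does not. All names, the store layout, and the fail-closed handling of a missing timestamp or rolled-back clock are assumptions.

```javascript
// Added example; not Bitwarden code. All names here are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// State right after a full login with the master password (constructed values).
function createStore(nowMs) {
  return {
    session: { token: "constructed-session" },
    vault: { items: ["constructed-item"] },
    lastSuccessfulUnlockMs: nowMs,
  };
}

function isExpired(store, nowMs, maxIdleMs) {
  const last = store.lastSuccessfulUnlockMs;
  // Fail closed (assumption): a missing timestamp, or a device clock set back
  // to before the last unlock, counts as expired instead of a fresh window.
  if (typeof last !== "number" || nowMs < last) return true;
  return nowMs - last > maxIdleMs;
}

// Same effect the thread describes for an expired session: a logout.
function logout(store) {
  store.session = null;
  store.vault = null;
  store.lastSuccessfulUnlockMs = null;
}

// Run at app start and before every unlock attempt.
function enforceTimeframe(store, nowMs, maxIdleMs) {
  if (store.session !== null && isExpired(store, nowMs, maxIdleMs)) logout(store);
  return store.session !== null;
}

// pinIsCorrect stands in for the client's real PIN verification.
function tryPinUnlock(store, pinIsCorrect, nowMs, maxIdleMs) {
  if (!enforceTimeframe(store, nowMs, maxIdleMs)) return "logged_out";
  if (!pinIsCorrect) return "locked"; // failed attempts never extend the window
  store.lastSuccessfulUnlockMs = nowMs;
  return "unlocked";
}
```

Only a successful unlock moves the timestamp, so repeated wrong PINs on a lost device cannot keep the window open.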