I am very new here but not new to password managers. I’m a Mac / iOS user. I created a new account and turned on two-factor authentication from the Mac client. So far, so good; two-factor authentication is active for my browser and iOS logins. But it doesn’t challenge me with the Mac client. It just logs in with the Master password. Have I missed something? Wouldn’t we want two-factor to apply to the Mac OS too?
Are you sure that you are actually logging in and not just unlocking the macOS client? Does the prompt say “Verify identity”/“Unlock”, or does it say “Log in with master password”?
Ok, I discovered what you guys were saying on my own. Trying to replicate the issue, I chose “Bitwarden,” logged out, and selected the email associated with my account. Upon re-opening the client, I must authenticate with my master password AND NOW the two-factor authentication. It is important to note that I previously just closed the application rather than logging out and closing.
I don’t know if this is a bug, enhancement, or suggestion… The Mac desktop client apparently does not log you out when you close it. Other applications I have used that used two-factor also logged you out of the application upon closing the app. That is what I would recommend from a design programming perspective. I can’t imagine the benefit of staying logged in on a computer when I already closed the app. My problem here was anticipating that I would be logged out when I closed the Bitwarden client.
Thanks to the community for helping me. I am evaluating Bitwarden in hopes of migrating from my existing password manager.
You should be able to change the behavior by going to the app Settings, and changing the Vault Timeout Action to “Log out”. Also make sure that you have disabled the option Close to tray icon.
Most Bitwarden users actually stay logged in on their apps all the time. One benefit is the convenience of not needing to supply your master password and 2FA each time that you need to access your stored credentials — instead, one can use a shorter password, a numerical PIN, or biometrics (e.g. fingerprint or face recognition) to unlock the vault whenever one wants to access vault information throughout the day. Another benefit is that if there is a temporary server outage at Bitwarden, or a temporary problem with your internet connection, you can still view your vault data using your Bitwarden app, if you haven’t logged it out.
So a typical configuration for most Bitwarden users is to set the Vault Timeout Action to “Lock” and set a short Timeout period so that the app locks when not actively being used; in addition it is common to enable Unlock with PIN (where the “PIN” can also contain letters and special characters in addition to numbers) — on browser extensions and mobile apps, the Unlock with Biometrics option is also popular.
To get the full experience, you should use the browser extension version of Bitwarden on your Mac (and the Bitwarden mobile app on your iOS devices). Unlike the browser extensions and mobile apps, the Desktop app does not have the ability to autofill login credentials on websites, which is a more secure and more convenient way of logging in (as compared to copying and pasting information from the Desktop app).
I am not sure I am sold on this “feature:” when closing the desktop app, it allows me to reopen without requiring 2-factor authentication on the next login. Now that I know the desktop client doesn’t do that, I can plan accordingly and “log out.”
Regarding two-factor, will I need to do the same, log out, for the mobile iOS client as well? It appears so as I practice with the iPhone App. That seems to be a more significant security issue as I rarely “lose” my laptop but have left/lost mobile phones. Can you force a two-factor authentication on a mobile app short of REMEMBERING to log out? (It’s that REMEMBERING part that I may forget to do.)
Your idea of pin codes would make sense for the desktop, especially if I were in and out of the desktop client during the day. I had previously read that the system allowed for simple pin codes.
The purpose of the 2FA on your Bitwarden account is only as a stop-gap measure to prevent vault access by an attacker who has already acquired your Master Password. To be candid, this feature is mainly to protect careless/uninformed users, who use a recycled (or trivially simple) password as their Bitwarden Master Password (thus being vulnerable to credential stuffing attacks or low-grade brute-force attacks), or who are not careful about keeping their Master Password secret (thus being vulnerable to shoulder surfing or similar leaks).
As long as you have a strong Master Password (a randomly generated passphrase consisting of at least 4 random words), never use the Master Password for anything other than accessing your Bitwarden vault, and keep your Master Password 100% confidential, your vault data is sufficiently protected by locking your Bitwarden apps when not in use.
If you lose your phone (or laptop) with your Bitwarden apps still logged in but locked, there is nothing that anybody who finds/steals your devices can do to get into your vault, unless they have also obtained a copy of your Master Password (or PIN, if you’ve elected to lock the vault using a PIN). This is because your vault data exist only in a strongly encrypted form on your devices while the vault is in a locked state.
All of this being said, it is possible to have the Bitwarden app log out automatically. Just go to the Settings and set the “Vault Timeout Action” to Logout; I would also recommend choosing a suitably short Timeout period (~15 min). Now the app will log itself out automatically, within 15 minutes of last being used (or whatever timeout period you select). With the default state of the vault being logged out, each time that you want to access some password-protected online service, you would have to go through the following process:
Enter your Bitwarden username.
Enter your Bitwarden master password.
Complete the 2FA process.
Transfer the stored credentials into the login form for the online service that you are trying to access.
Most Bitwarden users would consider such a workflow to be unreasonably cumbersome.