The macOS Bitwarden desktop app allows the user to unlock the vault with the device’s password if Touch ID fails or the user chooses not to use biometrics.
This introduces a vulnerability: if someone sees me enter my device’s password and steals my device, it gives them the ability to not only unlock my computer but also unlock the vault.
Ideally, the vault should only take biometrics or master password. It should not allow the system password as a backup.
1Password implements this well. They have an option for you to toggle whether or not you want to allow the system password as an option.
We should make this option available in Bitwarden!
I’ve attached a screenshot to show the difference.
