Master Password Re-prompt - configurable grace-period

The master password reprompt feature is great but it has some annoying shortcomings.

Namely:

  • There should be a way to say “if you’re reprompted me/I’ve continued to use Bitwarden in the last few minutes, it’s fine, don’t ask again”
    • This is particularly important for doing bulk actions, or cases where you might need to access the item repeatedly (it’s much nicer than having the forethought of “open the browser extension as a window so it doesn’t need reauth”)
  • The UX is somewhat nonsensical, particular when it comes to TOTP. You can always see the code but the button to copy it requires a password reprompt? Seriously?
1 Like

Hey @Dark_Arc thanks for the feedback, regrading the last bullet, the team is working on a revision where the reprompt will protect the whole vault item.

I’m glad to hear that, but please don’t ship this without some kind of “cool down” option. Especially with more and more services switching to a 2-phase login system, it’s extremely tedious to repeatedly enter a master password after you just did it 5 seconds ago.

It ends up being punishing enough, the feature loses a lot of its value (because it’s not worth the inconvenience).

I came here to ask the same question about having to re-enter the master password over and over and over (which I have to do quite often). @dwbit Are there plans to implement a similar feature to LastPass to not re-prompt for X minutes/hours?

1 Like

Hey @WashamDev thanks for checking in, I’ve updated the title to better foster community voting and discussion.

Regarding this change, does that relate to this request or simply a change/addition to the current master password re-prompt feature for individual items?

I am also wondering if this title for a configurable “grace period” or custom wait time for master password re-prompt would be more applicable

Master Password Re-prompt - configurable grace-period

This could possibly also tie into additional Enterprise Policies for an Organization maximum timeout until items/vault is required re-prompt.

1 Like

Hey @cksapp thanks for checking in, it was a general statement about the functionality and not related to grace period specifically, topic has also been updated, thanks for the simplified suggestion!

If we unlock an item with a master password re-prompt, leave the vault unlocked for [30, 60, 90 120] seconds

Feature function

Problem
Some bank sites ask for credentials on two pages, e.g., username on the first page and password on second page. If that bank URL has a master password re-prompt, I need to unlock that item on each page separately.

For example, chase.com has a user + pass with a master password re-prompt. Currently,

  1. Click auto-fill and enter master password.
  2. The first URL only accepts a user name.
  3. Click “Next” to move to the next page.
  4. Click auto-fill and enter master password again.
  5. The second URL only accepts a password.

This issue also occurs with a common bug in credit / debit card entry, where Bitwarden can sometimes requires 2x or 3x auto-fills (on the same URL) to fill all fields (e.g., credit number first time, expiration date second time, and CCV on the third time).

Other times, we need to login into multiple sensitive (i.e., master password re-prompt protected) in a short amount of time, say like two bank accounts to start a transfer. Thus, all re-prompt items should be unlocked and not require a re-prompt in that time.

Solution
It would be helpful if Bitwarden could add global timeout setting that makes the vault with a master password re-prompt have a 30-second (or configurable) window where the vault remains unlocked after being successfully unlocked. Then, you would only need to enter the master password once (unless it takes you longer than 30 seconds to reach the second URL).

It’s not a major issue, though I believe it is a helpful tweak borrowed from LastPass.

Related topics + references

This request is a follow up to the now successfully-implemented Master Password Re-Prompt request.

When using logins set to require reentering the master password, I sometimes have to enter my password repeatedly in a very short span of time. The most common case for me is unlocking my vault specifically to use a password-locked login. It’s also an issue if logging into multiple accounts and for sites with separate username and password screens.

If the user proves their identity once, there is little point in immediately asking a second time. I think the clear solution is a setting, similar to vault timeout, that would skip master password confirmations within a configurable time range since the password was last entered. (Unless the vault is locked, of course.) The time range would need much smaller initial increments than for vault timeout.

I saw a mention in another thread of other methods of confirmation, so a corresponding option for each would make sense. “After confirming identity via [password/biometrics/etc], do not require confirmation with that method for [time].”

Related topics + references

This would be a broader version of this request.

1 Like

I’d also like a feature like this. I opened a request here for a broader option that would leave all password-locked items unlocked for a configurable period after the master password is entered.

1 Like

That’s a great improvement. Could we merge these two requests? Either mine into yours or yours into mine? That way, hopefully, we can combine votes.

How does one merge requests? Mine doesn’t have any votes so far, so it would make sense to emrge into yours.

1 Like

Ah, I actually did not know how either, but the mods have done it. I’ve given a hopefully-improved OP post that combines both of our issues.

I’m also happy to copy your text fully, especially if I’ve missed something helpful.

1 Like

Another feature that I wanted, that I found in search, that was requested more than a year ago! :frowning:

Hey @Warden1 thanks for your feedback, please keep in mind there are many open feature requests for the team to consider, rest assured your feedback has been passed along to the team :+1:

I’ve also merged the request into ‘configurable grace period’ as it is a similar request with more votes.