Precondition: Unlock with PIN is enabled. My BW app/vault is unlocked
Current behavior: I invoke Bitwarden’s Auto-fill to fill credentials in some app. BW prompts me to enter my master password, even though the app is already unlocked.
Proposed behavior: I invoke Bitwarden’s Auto-fill to fill credentials in some app. BW auto-fills the credentials without any further authentication.
Convenience: I’ve already unlocked the app, why should I need to log in again for an Auto-fill?
Security 1: I want Auto-fill using PIN instead of using biometrics because my phone unlocks with biometrics. Given that my phone unlocks with biometrics, I don’t want a critical app – Bitwarden – to unlock in the same way. This is defense in depth.
Security 2: If the app I’m trying to Auto-fill into is malicious, it could (I assume) bring up a fake Bitwarden master password prompt dialog to capture my master password. Capturing my master password is very bad, and I will never enter my master password into a dialog that might be controlled by another app. So currently I can’t use the Auto-fill feature, and I instead need to go to the Bitwarden app to copy the credential’s password whenever I would otherwise use Auto-fill.
Security 3: There are some apps whose creators have blocked pasting into the password field. For those apps, using Bitwarden’s Auto-Fill – which seems to bypass the block – is the only reasonable way to get my complex password into the password field. But see the previous bullet: I’m not willing to enter my master password while another app is active.
Security 4: Manually pasting credentials into any app is dangerous because it bypasses the domain/host check that BW does before it Auto-fills. BW is currently making me manually paste, which is very bad.
On iOS it will ask for the PIN when using autofill if you choose to select the option that allows the PIN to unlock Bitwarden after it has been closed (that is, swiping up on Bitwarden from the App Switcher or shutting down your phone). However, if you opt to use the master password to unlock Bitwarden when closing it and not the PIN, it will always require the master password when autofilling. That includes after you have already unlocked the Bitwarden app with the master password and can now unlock Bitwarden by using the PIN.
If you do require the master password when unlocking Bitwarden after you have quit it, that might be the cause. Is that the intended behaviour? I wouldn’t think so because it doesn’t make using autofill easy when it always requires the master password when the application doesn’t.
@Doge7734: Thanks, very interesting! When setting up Unlock with PIN, I did indeed configure to require the MP after the app is force-quit – for the sake of increased security.
I just replicated your statement: if I configure to not require the MP after the app is force-quit, when I try to Auto-Fill I am indeed prompted for the PIN.
That’s great input if someone tries to fix this. I’m guessing it’s not the intended behavior for the reason you stated and because Android behaves differently.
@RogerDodger: Good question. They are different issues but they are definitely very related and possibly have the same root cause. The first one I posted was for the app logged in but locked, and the second one (this one) is for the app unlocked. In the first one I expected a PIN prompt, and in the second one (this one) I expect no prompt.
I probably should have created one request covering both changes.
I just tested this issue again and I’m surprised that it’s still broken.
Maybe I’m the only user on the planet not using biometric unlock for the BW mobile app? Biometric unlock for the BW mobile app is not a good idea: if an attacker has somehow gotten past the iOS biometric lock and is in your device, they might be able to also get past the BW biometric lock and get into your BW vault. “Defense in depth” would suggest that two different security controls (viz. biometric and password/PIN) should be in place to protect a high-value asset like a password manager vault.
As a recap, here is the repro:
Unlock the BW iOS mobile app using the BW master password
Config: have a PIN set up on the BW mobile app, and have biometric unlock disabled
Go to any browser, navigate to a login URL for an account you have, touch the password field, and touch the BW autofill offer that appears above the keyboard
You’ll get a BW master password prompt – whereas you should get either no prompt or a PIN prompt, because you’re already logged into BW
I’ve tried this on 4 different browsers and they all behave the same.
If anyone is getting different behavior on iOS, do please let me know.