🚧 Passwordless login - Secure delivery of master password to new devices

A new device could be logged in by linking it with an existing device, so that a user to never has to manually type their master password on new devices. An unlocked bitwarden client already stores keys in memory, and it could transmit them in encrypted form to another device.

This would be convenient for any user, and could be done securely. Actually it might even be more secure than potentially revealing your password by allowing bystanders to watch you type it.

For some users, this feature would be critical. Imagine a user who chooses not to memorize the master password. Instead, they randomly generate a complex string and store it securely offline. This makes it extremely inconvenient to login a new device. The user needs to access their secure storage and somehow get it into the other device. Security compromises may be made in the process. For example:

  • revealing the password visually to bystanders
  • sending the password over the internet in plaintext

Some implementation ideas:

  • QR code to initiate session
  • asymmetric encryption with public key exchange between devices and fingerprint verification before transmission. encrypt master password with pubkey of target device.
  • additionally encrypt the master password with the PIN from the source device, so the PIN must be typed on the target device to login
  • send login email address with the password to streamline the login process

After reading all of the posts in the secret key file request thread, I believe that the improvement I describe here would actually satisfy many of the people who are asking for that feature.

This is not accurate.

The relationship between your request and the linked request for a secret key/keyfile is not clear.

Thanks for your feedback. I would be happy to address your concerns.

Maybe not. I’m not familiar with the code. Anyway this is where I was getting my information:

This implies that the password is stored in memory unless it is stored on the hard drive.


Did you read it? It includes this text:

could probably be implemented with added functionality to display a scannable QR code for easier transfer of this Secret Key

The core focus of that request is actually asking for something that is already implemented in bitwarden. But from the discussion it seems that people want a variety of related usability features for key management. This is one of them. You can see a more detailed explanation in my latest post in that thread.

Storing a key in memory is NOT the same thing as storing a password. Your password is never stored in memory or on disk.

Yes, I have read the secret key/keyfile request thread.

I’ll wait to see if other contributors to that thread agree with you or disagree with you on the statement above.

I have no horse in this race (as I’m not interested in the proposed feature in this thread or in the linked thread), I just posted to set the record straight about master password retention, and to try to provide some clarity to your feature request.

1 Like

Hey @Drew have you already had a look at the passwordless Log in with Device functionality? Currently available for the web vault, with more platforms to follow.

2 Likes

That’s awesome! Thanks for sharing. I didn’t do my due diligence for this feature request since I created it primarily on behalf of other users from the other thread I linked.

The request remains to implement this login method in other clients. There is the potential usage pattern where a user does not need to memorize or manually type their master password, and instead they can rely on bitwarden to securely facilitate key propagation to all clients. If this is only implemented for the web vault, that usage pattern is not supported. It requires universal or at least broad bidirectional support among clients.

Is the work for this currently in progress? If not, I think it is valuable to keep this request open.

Thanks @Drew yes the team will continue to expand compatible clients :+1: I added the ‘in progress’ flag to this feature request.

One thing this request seems to have that the login with device feature doesn’t is the ability to sign in to NEW locations with device. It’s my understanding that login with device requires any new location must have the password typed at least once. While that is likely more secure, if the situation arrives where a user is to use a web vault or something at a friend/family’s house, they wouldn’t be able to unless they had their full master password. While we should memorize it, it it’s more functional for some users (thinking of some family here lol) to make something truly secure they can store somewhere just in case and use passwordless from a single source like their bitwarden app on their phone 99.99% of the time.

Perhaps a slight enhancement to the push notification for new devices only like an approval button and code. For future logins the code wouldn’t be necessary, just the approval currently.

I’m sure this isn’t a new idea, I’ve seen similar suggestions elsewhere but adding this to the in process request.

I’m more interested in biometric logins without needing to type your master password.

This is exactly the situation I would like to avoid, and it’s the reason why I created the request. It makes zero sense to me if “login with device” only works after you’ve already logged in.

1 Like

Thanks for your feedback everyone, the current implementation of the functionality eliminates the need to enter your master password for the web vault on a known device (after logging in with master password once).

The team will also continue to expand/iterate on new and existing ways to access your accounts, more to come.

1 Like

I agree that the passwordless login should only occur after a manual entry of the master password, thus making the device entered on a known trusted device. From there, future logins, can be passwordless.

I don’t understand why you would prefer to be limited in this way. In either scenario you need to verify trust, it’s just a question of how. The feature seems pointless to me with this restriction. I’d rather just unlock a logged-in device directly rather than unlock some other device first and then use it to unlock this one.

Actually I stand corrected. it doesn’t have to just be a manual entry of the password. The phone could receive the request and a pop up occur to authenticate and sign in, you could then do biometric verification rather than manually typing the master password.

While this existing feature’s security & convenience, “log-in from another device”, is what won me over to BW as a premium user, I’d like to see BW actually due away with requiring a master password at all possibly tying auth to hardware key, biometrics, or other options and not just as 2fa.