Thanks Dan - this is a great new feature. Can’t wait for the new Android app to drop on the Play Store to try this out. And hopefully, passwordless login will extend to other clients, as well!
Thanks for sharing all, definitely more to come!
You might want to look into the beta.
I’ve been running the beta without issues but ofc any feedback of stability is always appreciated. Once this hit the web-vault I was able to test this just last night and it works just as expected for login, then prompted for 2FA as always.
Also helpful from another post:
Hey all, this new feature is currently only available for web vault, with functionality to be expanded to other clients. To learn how to enable and use this feature, check out the https://bitwarden.com/help/log-in-with-device/ Help Center article.
Currently you will want to enable ‘allow sync on refresh’ (to improve seeing approval requests) and ensure that you are logged into the account on mobile that you are trying to authenticate into on the web vault. This functionality will be improved/expanded in a future release.
Maybe I'm getting this wrong but
"Now that you're ready, head to the Bitwarden web vault, and enter your account's email address. On the next screen you will see a new option to Log in with device. Selecting this will send a push notification to your Bitwarden mobile app for approval."
So to log into my vault all I would need is the email address?
Hey @Cefn currently, you’ll be able to accept the approval request on your device and then enter any 2FA such as a TOTP code.
There is additionally a fingerprint phrase visible on both devices for enhanced security.
Currently this is available for the web vault, with more clients to follow. Be sure to be logged into the appropriate account on mobile if you have multiple (this will be expanded/improved in a future release).
I tested login without a password. It’s OK, but it could be even better!
Currently, only the confirm/reject login button pops up in the phone app. Bitwarden as an application that cares about security should ask for a fingerprint scan, for example. I use my fingerprint to unlock Bitwarden on my phone and it would be great if you need to scan your finger on your phone (or use another PIN-type unlocking method) when logging in without a password.
The second thing is that not everything is translated into Polish yet.
Overall, this option is great. Can’t wait for it to be available on all clients. Please just add verifications when confirming login and it will be EXTRA!
Sorry for my English, I'm using Google Translate.
Can I chime in with something of concern with this feature?
Firstly, 2FA, at a fundamental level, relies on 2 SEPARATE things for security. Something you know and something you have. Something you know is a password or PIN and something you have is the device.
So you login to a website and plug in your password. Good. The website then queries or sends something to your device to confirm the action.
BUT how do most websites allow you to reset the password? You do it by a Forgot Password which resets the password and, to confirm it is you, it sends the second part of the 2FA.
But why couldn't you do this EVERY TIME? You would have single factor authentication.
Now what about with an encrypted token that you store on the device. No password, no flawed 2FA.
So what you have achieved is to move your security from the website to your device.
Remember once you open the vault you have access to all your security information for your bank, your porn sites…everything.
Now the device. It's usually a phone and has a feature where it locks every 5 minutes right (5 minutes, in your dreams; you listen to music or are expecting an urgent call so it is unlocked for 1 hour) and when it recognizes your face/fingerprint it unlocks.
No one can break into your phone right? If you lost or misplaced it then in that 5 minute window it is totally unsecured.
But you arrange it so that the token MUST operate alongside face recognition or fingerprint right. But somebody picked up your phone during that 5 minutes and the first thing they did was add their fingerprint or face to the phone.
Now I am not suggesting this is not a good and worthwhile feature, but we should question whether it is any more secure than a long master password. It is certainly less onerous but there are broader implications.
I believe the move to 2FA was actually a backwards step in the way most websites implement it. It muddied the waters as to who is responsible for security, the website or the user.
It was fine when you logged on and worked from your desktop but once you did everything on ONE device it actually made the security situation so much worse.
There is no simple answer. But we should always be aware of the shortcomings or implications of what/how we do security.
We suddenly need to be super careful about the phone. If we did that in the first place we wouldn’t need a password manager, we could just store long passwords on our phone in plain text.
If you are that paranoid about 2FA (which is a good thing, don’t get me wrong)…
Perhaps you should get something like a Yubikey… And disable all the less secure 2FA options, of course.
The point of my post was to point out that 2FA is not that much of a security improvement on straight passwords because of the way it is implemented. (In fact it may be a lessening of security.).
By the same token, zero trust authentication by its very nature, improves the security of the TRANSMISSION of data. That itself mitigates against man-in-middle attacks, but that in itself does not improve security if it simply authenticates flawed 2FA.
On Yubikeys I always wonder what the PRACTICAL implications are. If you need the key to open (for instance) a password manager it means you need to carry the key. Where would most people carry the key? Why, in the case/bag with their phone/device. Perhaps have a Bluetooth Yubikey type device…NO!
So now you have separated the something you know and something you have into 2 devices but if they are kept together it makes the situation infinitely worse were you to lose the phone/device.
There is no easy foolproof answer for security of websites. We must guard against the temptation to suggest this or that implementation of some new buzzword will tick all the boxes.
What we must understand is that solutions that on the surface look the goods may not, in practical terms, actually improve matters, and instead give us a false sense of security. 2FA is a real world example.
Does this work on the self-hosted version or is it to come?
Most likely, it appears so, though self-hosted server updates tend to lag behind the cloud release updates, usually by a few days to a week or so, to ensure any bugs are worked out and provide stability for self-hosted users.
I believe this is the PR to update the self-hosted repo to be inline with the
Is it possible to completely disable this on an account? As in no button or option to use another Bitwarden device to log in.
Hello @floof and welcome to the community,
Currently the feature is opt-in and requires an already authenticated and logged in device to first select the option to enable Approve login requests.
At the time though, there is not an option I can see to opt-out or fully disable the feature for an account.
Hey @floof if using an organization with SSO enabled, the functionality will not be available.