The problem I found is that I can’t just set up 2FA for one system only, so I found that the 2FA fingerprint fails my needs as it locked me out of Bitwarden on my work PC.
This is why a re-prompt is better, because it means I can only go on high risk sites on my primary PC, where I do have fingerprint reading capability. Fortunately I was working remotely today so my laptop is at home, so I was able to log back on my home PC and disable 2FA so I could get logged into it on my laptop.
You can do something similar, by temporarily enabling a different 2FA method (e.g., email or a TOTP authenticator), and enabling the Remember Me option during two-step authentication the first time that you log in on your work laptop. You can then disable the temporary 2FA method, and be able to log in on your work computer (although you may have to repeat this process if you become logged out of Bitwarden on your work computer after 30 days have passed).
Alternatively, you can permanently enable TOTP as a 2FA on your account, but install the TOTP authenticator (with your Bitwarden TOTP key) on a device that you only have access to while at work (for example, on the work laptop).
Regardless, another issue with your configuration is that it seems you have set the “Vault Timeout Action” to Log Out instead of Lock. If you set the time-out action to Lock, then you can configure your primary PC to unlock with a fingerprint, and separately set up your work laptop to unlock with a PIN.
I am sorry, but even if some kind of fingerprint re-prompt feature were to be implemented, someone who accesses your computer (in person, or remotely by using malware) can easily get all of your “high risk” passwords while your browser extension is unlocked. All of your passwords (“high risk” and “low risk”) have already been decrypted and are stored in plaintext in the process memory any time that your Bitwarden app or extension is unlocked. Thus, by exfiltrating a memory dump, an attacker will have all of your passwords; it is also not difficult to create a vault export without needing the master password or biometric factor. There simply is no substitute for keeping your vault locked as often as possible, plus having good operational security for all of your devices (strictly controlling access, and being vigilant about malware defense).
If you simply want to prevent certain accounts from being accessed from your work computer, then there are better ways to achieve that (e.g., a second account, possibly coupled with the use of one or more shared collections).
With facial recognition, the click demonstrates “authentication intent”. Intent can be imputed with a fingerprint scanner, but unknown if Windows Hello makes it possible for Bitwarden to distinguish between the two cases.
I’m looking for this feature as well. If the app knows how to authenticate with biometrics and also offers a re-prompt feature, I don’t see why that feature shouldn’t be allowed to use biometrics as an authentication method.
Note: I slightly rephrased the title of this Feature Request.
(before, it was “Adding Biometric/PIN authentication with Master password re-prompt” – which IMHO sounded a bit like it could also mean “additionally to / together with the master password re-prompt”)
Recently, Bitwarden gained the ability to re-prompt the master password for chosen items. This feature request is about using a PIN rather than the master password to unlock an item. The Bitwarden app itself still needs to be unlocked with your fingerprint.
Fingerprint/Biometrics: unlock Bitwarden app
PIN: unlock item in app
Reason: Biometric authentication is not really safe; it took 20 min to break the lock in 2019. You need a 2nd factor in case you lose your mobile or it gets stolen. Bitwarden on mobile doesn’t have a convenient 2FA. Using the master passwd as a 2nd factor is cumbersome. An additional 4 digit PIN would be a good compromise between security and convenience.
In addition, it could make sense to re-prompt the master passwd after 10 consecutively failed PIN codes.
I moved your post into this feature request, as your request was also about setting up a PIN as an alternative to the master password re-prompt (and the unlocking method you use is independent of that and you can choose any unlocking method as you like).
Several related threads have been merged, which have in common that they propose the use of a vault unlock method (e.g., biometrics, PIN, or password) as an alternative to master password re-prompt for protection of individual vault items. Therefore, the topic title was changed from “Adding Biometric/PIN authentication as an alternative for Master Password Re-Prompt” to “Re-prompt by unlock methods (alternative to master password re-prompt for individual item protection)”.
A mod notice with the following text has been added to the top of the thread, to clarify the scope of the merged feature request topic and to distinguish it from related feature requests:
This feature request topic is a combination of several related feature requests, each of which has proposed authorizing access to individually protected vault items by a vault unlock method (such as biometrics); this would be an optional alternative to the existing Master Password Re-Prompt feature. The feature request encompasses the possibilities of re-prompt authorization using either the enabled vault unlock methods, or separately configured methods that are similar to unlocking (e.g., separate biometrics, PIN, or secondary passwords).
For my most sensitive passwords, I select the “Master password re-prompt” option to ensure that nobody can view them using an already logged-in session.
On PC, this is not a problem since I have a keyboard and re-typing my master password is quick and easy.
On mobile (specifically iOS), this makes viewing the password very tedious since I need to re-type the master password using the iOS keyboard.
I would like to use Face ID to conveniently unlock these passwords instead of re-typing my master password. Without this, the “Master password re-prompt” feature is almost too annoying to use.
On Chrome, whether on Mac or iPhone, I really like the security of Google Password Manager, which requires Touch ID authentication every time a password is autofilled. Can we implement the same feature in Bitwarden? Bitwarden only requires authentication when logging in, which I don’t find secure enough.
I moved your post into this existing feature request on the same topic (as your request seems to match “using biometrics as an alternative to master password re-prompt” for items, which is what this feature request is about).