Remember me checkbox, verification code, authenticator app, not lasting for 30 days, 2FA

Using Chrome browser, logging into vault.
I enter user login (email addr),
then password,
then the 6 digit verification code from authenticator app (google auth app on),
and I CHECK the checkbox labeled “Remember Me” (for 30 days).

The next day, from the same device, from the same browser profile, etc., I need to check that box AGAIN. It does not remember me.

So how does this work?
Is it a cookie set in the browser?
Is it a data bit set on the bitwarden server?

If I log in to my account from a DIFFERENT computer (or my mobile smartphone device), does this “Remember Me” data for my other computer device get removed on the Bitwarden server and I need to start all over again? i.e. is this “remember me” only able to store 1 trusted device, and it gets removed / reset when logging in using a different device? Can Bitwarden not remember multiple trusted devices for my account login?

If this is true, do I need to submit a suggestion for future versions?

Remember me only applies to TOTP, not the password. And yes, incognito mode or deleting cookies will cause your extension to look like a new device.


To add to the explanation provided by @DenBesten above:

The “remember me” function can be used on multiple devices, and on multiple Bitwarden instances (apps, browser extensions) that are installed on the same device. For each app/extension on each device, the “remember me” checkbox has to be set individually, and will act independently of the others.


P.S. The recommended way to configure Bitwarden apps/extensions is to set the “Vault Timeout Action” to Lock (not Logout), and to select the shortest vault timeout interval that is compatible with your work habits (the idea being to keep the vault locked at all times when it is not being actively used). In addition, most users find it convenient to enable the feature that allows you to unlock using biometrics or using a “PIN” (an alternative password, which can be shorter than your master password). If you follow these recommendations, then the behavior of the “remember me” feature becomes much less important (since you will rarely need to repeat the login process).

Maybe I do not understand. If you are saying the remember me applies only to the temporary 1 time password, which is generated by the google auth app, and that temp 1 time pwd (6 digit code) expires in 60 seconds, then how can the “Remember me” be expected to last for 30 days?

Thanks. I already had Vault timeout set to Lock, but timeout was set to 15 minutes. I changed it to use a custom value of 23 hours, since this “Remember me” function does not remember me, and forces me to use the google auth app to get a fresh 6 digit code to finish the unlock (login) process.

What @DenBesten meant was that checking “Remember me” causes the 2FA requirement to be waived for that device/app/extension. Next time that you log in on that device/app/extension, you will not need to supply 2FA (which in your case, is apparently a TOTP code, according to what you wrote previously).

 

I don’t understand how you are getting logged out of the browser extension, if you have in fact set the Vault Timeout Action to “Lock”, as you said. You should not need to log in again, with a few exceptions.

A 23-hour timeout period is IMO much too long.
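
A generic sketch of the behavior described in the replies above (the password is always required, the 2FA step is waived per remembered device, each device acts independently, and deleted cookies make the client look like a new device), added here as an example. It is not Bitwarden's code: `RememberStore`, `login`, the token format and the dict standing in for one browser profile's storage are all assumptions.

```python
import hashlib
import secrets

REMEMBER_SECONDS = 30 * 24 * 3600  # the "30 days" on the checkbox label
DAY = 24 * 3600

class RememberStore:
    """Hypothetical server side: one record per (user, device)."""
    def __init__(self):
        self._records = {}  # (user, device_id) -> (sha256 of token, expiry)

    def issue(self, user, device_id, now):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[(user, device_id)] = (digest, now + REMEMBER_SECONDS)
        return token  # only the client keeps the raw token

    def is_remembered(self, user, device_id, token, now):
        record = self._records.get((user, device_id))
        if record is None or token is None or now >= record[1]:
            return False  # unknown device, missing token, or past expiry
        presented = hashlib.sha256(token.encode()).hexdigest()
        return secrets.compare_digest(record[0], presented)

def login(store, client, user, password_ok, totp_ok, remember, now):
    """client is a dict standing in for one browser profile's storage."""
    if not password_ok:
        return "denied"  # the password is never waived
    if store.is_remembered(user, client.get("device_id"), client.get("token"), now):
        return "ok, 2FA skipped"
    if not totp_ok:
        return "denied"
    if remember:
        client.setdefault("device_id", secrets.token_hex(8))
        client["token"] = store.issue(user, client["device_id"], now)
    return "ok, 2FA used"

def demo():
    # Constructed scenario: times are seconds since the first login.
    store, laptop, phone = RememberStore(), {}, {}
    out = [login(store, laptop, "alice", True, True, True, 0)]
    out.append(login(store, laptop, "alice", True, False, False, DAY))
    out.append(login(store, phone, "alice", True, True, True, DAY))
    out.append(login(store, laptop, "alice", True, False, False, 2 * DAY))
    laptop.clear()  # cookies deleted: looks like a new device
    out.append(login(store, laptop, "alice", True, False, False, 3 * DAY))
    out.append(login(store, phone, "alice", True, False, False, DAY + REMEMBER_SECONDS))
    return out
```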