Require 2FA additionally during unlocking process (optionally)

Background

Previous feature requests

This feature request, called “2FA when ‘unlocking’”, was closed with the implementation of the timed logout feature.

The feature allows you to tell Bitwarden clients to automatically log the user out completely. Since the user is logged out completely, they will have to use 2FA in order to log back in again.

Problem with existing feature

Logging out causes the client to delete the encrypted password store, and is not the same thing as locking and unlocking.

Locking is a lightweight process that doesn’t result in the deletion of your local encrypted datastore.

This Feature

Scope

The scope of this request is for 2FA during the lock/unlock process, which is not solved with simply automatically logging the user out.

Description

2FA during unlocking process

I want to be able to set my BW clients to automatically lock at every X interval.

In order to unlock the clients, the process should be exactly as is, with the option to use biometrics/PIN/password/etc and with the addition of requiring 2FA or not.

A user can choose to use a PIN as well as a 2FA token, for example.

Feature summary

Keep the locking/unlocking process exactly as is, just add the option of requiring 2FA to unlock.


+1

My use case:

Locked browser extension, require pin + Yubikey tap to unlock


I currently use BW along with MFA through Azure/MS Authenticator. It requires an MFA request when connecting from an unknown browser but not when connecting from a known device. This is convenient but comes with the risk that a malicious or insecure device could become approved and compromise a user’s passwords with no way of anybody knowing.

A nice feature would be the ability to require MFA authentication on every vault unlock (perhaps by sending an approval push notification to the mobile app). That way, if a user does something silly like approve the PC at their local library, the risk is still minimal since a potential attacker still wouldn’t be able to get past the MFA request.

Having device approvals expire over time and require re-approval could also be helpful on this front.

My master password is very long and tedious to input.

So, I use biometrics (fingerprint). On the other hand, fingerprint alone doesn’t seem to be a fully robust method.

You already allow setting a PIN to unlock.

Could you please make a simple settings option on Mac to require both: PIN AND fingerprint for unlock? Scanning a finger quickly and effortlessly and then smashing in a few digits is a painless but far more secure way.

I think that would be a great balance between convenience and security.


Currently we have the good option to log in with the master password and a YubiKey. This combination thwarts keyloggers, onlookers and anyone who steals one device and not the other.

I propose that the unlock feature provide the option to unlock using a PIN (short and at risk of onlookers, but still allowing only 5 attempts before logout) and the YubiKey. This combination would allow a fast unlock while still thwarting keyloggers, onlookers and anyone who steals one device and not the other.

Note: I am not proposing to unlock using the Yubikey alone, because the unlock also needs “something you know”. I am only proposing to allow the unlock operation to mimic the most secure login operation, except for using a short (and fast) PIN instead of the long master password.


The proposal above would also allow the user to mitigate against the risk described in this article…
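The proposal above (PIN plus YubiKey for unlock, with an attempt limit before logout) can be illustrated with a small sketch. This is an added example written for this thread, not Bitwarden's code or design: it simulates a hardware token's HMAC-SHA1 challenge-response in software (the `TOKEN_SECRET` constant stands in for a secret that, on a real token, never leaves the device) and feeds both the PIN and the token's response into one key derivation, so that neither factor on its own reproduces the key that unwraps the vault key. The XOR wrapping plus HMAC tag is a simplification of what a real client would do with an AEAD; the vault key, salt and challenge are constructed values.

```python
import hashlib
import hmac
import os

# Constructed values for the demo. A real token's HMAC-SHA1 slot secret stays on the device;
# here it is a constant only so the unlock flow can be run offline.
TOKEN_SECRET = bytes.fromhex("0b" * 20)   # hypothetical 20-byte HMAC-SHA1 token secret
VAULT_KEY = bytes.fromhex("a5" * 32)      # hypothetical 32-byte symmetric vault key to protect
MAX_ATTEMPTS = 5                          # the "5 attempts before logout" from the proposal


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Simulates the HMAC-SHA1 challenge-response a hardware token computes on-device."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_unlock_key(pin: str, response: bytes, salt: bytes) -> bytes:
    """Both factors go into one KDF: "something you know" (PIN) and "something you have" (token)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + response, salt, 100_000, dklen=32)


def lock_vault(pin: str, token_secret: bytes, vault_key: bytes) -> dict:
    """Wrap the vault key under a key derived from PIN + token response; issue a fresh challenge per lock."""
    salt = os.urandom(16)
    challenge = os.urandom(32)
    k = derive_unlock_key(pin, token_response(token_secret, challenge), salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, k))      # 32-byte key XOR 32-byte KDF output
    tag = hmac.new(k, wrapped, hashlib.sha256).digest()        # lets a wrong factor be rejected cleanly
    return {"salt": salt, "challenge": challenge, "wrapped": wrapped, "tag": tag, "attempts": 0}


def unlock_vault(record: dict, pin: str, token_secret):
    """Return the vault key if PIN and token both check out, else None. Lock out after MAX_ATTEMPTS."""
    if record["attempts"] >= MAX_ATTEMPTS:
        return None  # caller should treat this as "log out and require the full login"
    response = token_response(token_secret, record["challenge"]) if token_secret else b""
    k = derive_unlock_key(pin, response, record["salt"])
    expected = hmac.new(k, record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        record["attempts"] += 1
        return None
    record["attempts"] = 0
    return bytes(a ^ b for a, b in zip(record["wrapped"], k))


if __name__ == "__main__":
    rec = lock_vault("1234", TOKEN_SECRET, VAULT_KEY)
    print("PIN + token:", unlock_vault(rec, "1234", TOKEN_SECRET) == VAULT_KEY)   # True
    print("PIN only:   ", unlock_vault(rec, "1234", None))                          # None
    print("token only: ", unlock_vault(rec, "0000", TOKEN_SECRET))                  # None
```

The attempt counter only limits online guessing at the unlock prompt; the reason a short PIN is acceptable here is that an offline guess against the stored record also needs the token's response, which a stolen laptop cannot compute without the token.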

I am migrating from Lastpass to BitWarden.

When logging into Lastpass using fingerprint, I receive a push notification to the Lastpass authenticator app. I then approve to unlock the vault.

Bitwarden doesn’t request 2FA when unlocking with biometrics.

To a layman like me, it doesn’t seem to be as safe as the Lastpass solution. Are there any plans to add this functionality?


@NotACat @chatmandu I merged your request with this feature request to the same topic.


Dear Bitwarden Team,

I’m a long-time Bitwarden user and truly appreciate your commitment to open-source security and privacy.

I would like to suggest a feature that I believe would significantly improve the security of the Chrome extension: adding an optional OTP / 2FA step when unlocking the extension, after entering the master password (or PIN).

Currently, once the vault is unlocked (even with a PIN), there’s no secondary verification step. While the master password is secure, adding an OTP-based verification (such as via an authenticator app) would greatly enhance protection—especially in shared or semi-public environments where browser access may be less controlled.

It would be ideal to have this feature as optional (configurable in Settings), and to support common 2FA apps such as Microsoft Authenticator, Authy, or Google Authenticator.

Thank you for your great work and commitment to secure access. This small addition could bring a huge security benefit to all users who want that extra layer of protection.

Best regards,
Adrian

@adrian87n Welcome to the forum!

I moved your post to this existing feature request to the same topic.

Hi,

I’d like to formally submit a feature request regarding vault security. While I currently use the “vault timeout action” set to logout after 2 minutes, I recently encountered a potential security issue that raised some concerns.

My laptop does not support biometrics — I rely solely on a PIN and the Master Password. Recently, there was an unauthorized attempt to unlock my vault, which highlighted the need for an additional layer of protection.

Feature Request:

Please consider adding an option for Two-Factor Authentication (2FA) — specifically, a One-Time Password (OTP) sent via email — as an additional security step when unlocking a locked or inactive vault, even if it remains decrypted in memory.

I understand the current design priorities and the concerns around usability, but for users who prioritize security over convenience, this would be a valuable optional feature.

This request is specifically for the Chrome extension, but could be beneficial across all Bitwarden instances.

Thank you for considering this request. I’d appreciate it if you could share it with the development team.

Kind regards,
Adrian

@adrian87n I moved your post into the existing feature request to the same topic.

Ok bro. I don't think it was really necessary, but thanks.

Explanation: we merge “duplicate” feature requests, as it doesn’t make sense to 1) have multiple same or similar feature requests as this 2) also would “scatter” votes for them. So the merging of same/similar requests also “centralizes” the votes, which should be also in your own interest. :wink:

I would just like to add my voice to the request to optionally allow requiring a second factor, such as YubiKey, when unlocking the vault with a PIN. Typing a PIN is much easier than typing a long and complex master password, but without 2FA it greatly compromises security. Thanks.

I fully support this request.
I have a long and complex MP and switched to biometrics unlock in my phone for convenience.
However, I feel very insecure with this and would really like to see a feature to also be able to use 2FA in tandem with biometrics or PIN for both ‘lock’ and ‘log out’ timeouts.