Require 2FA during unlocking process


Previous feature requests

This feature request, called “2FA when ‘unlocking’”, was closed with the implementation of the timed logout feature.

The feature allows you to tell Bitwarden clients to automatically log the user out completely. Since the user is logged out completely, they will have to use 2FA in order to log back in again.

Problem with existing feature

Logging out causes the client to delete the encrypted password store, and is not the same thing as locking and unlocking.

Locking is a lightweight process that doesn’t result in the deletion of your local encrypted datastore.

This Feature


The scope of this request is for 2FA during the lock/unlock process, which is not solved with simply automatically logging the user out.


2FA during unlocking process

I want to be able to set my BW clients to automatically lock at every X interval.

In order to unlock the clients, the process should be exactly as is, with the option to use biometrics/PIN/password/etc and with the addition of requiring 2FA or not.

A user can choose to use a PIN as well as a 2FA token, for example.

Feature summary

Keep the locking/unlocking process exactly as is, just add the option of requiring 2FA to unlock.


My use case:

Locked browser extension, require pin + Yubikey tap to unlock

I currently use BW along with MFA through Azure/MS Authenticator. It requires an MFA request when connecting from an unknown browser but not when connecting from a known device. This is convenient but comes with the risk that a malicious or unsecure device could become approved and compromise a user’s passwords with no way of anybody knowing.

A nice feature would be the ability to require MFA authentication on every vault unlock (perhaps by sending an approval push notification to the mobile app). That way, if a user does something silly like approve the PC at their local library the risk is still minimal since a potential attacker still wouldn’t be able to get past the MFA request.

Having device approvals expire over time and require re-approval could also be helpful on this front.