Require 2FA during unlocking process

Background

Previous feature requests

This feature request, called “2FA when ‘unlocking’”, was closed with the implementation of the timed logout feature.

The feature allows you to tell Bitwarden clients to automatically log the user out completely. Since the user is logged out completely, they will have to use 2FA in order to log back in again.

Problem with existing feature

Logging out causes the client to delete the encrypted password store, and is not the same thing as locking and unlocking.

Locking is a lightweight process that doesn’t result in the deletion of your local encrypted datastore.

This Feature

Scope

The scope of this request is for 2FA during the lock/unlock process, which is not solved with simply automatically logging the user out.

Description

2FA during unlocking process

I want to be able to set my BW clients to automatically lock at every X interval.

In order to unlock the clients, the process should be exactly as is, with the option to use biometrics/PIN/password/etc. and with the addition of requiring 2FA or not.

A user can choose to use a PIN as well as a 2FA token, for example.

Feature summary

Keep the locking/unlocking process exactly as is, just add the option of requiring 2FA to unlock.

+1

My use case:

Locked browser extension, require PIN + YubiKey tap to unlock

I currently use BW along with MFA through Azure/MS Authenticator. It requires an MFA request when connecting from an unknown browser but not when connecting from a known device. This is convenient but comes with the risk that a malicious or insecure device could become approved and compromise a user’s passwords with no way of anybody knowing.

A nice feature would be the ability to require MFA authentication on every vault unlock (perhaps by sending an approval push notification to the mobile app). That way, if a user does something silly like approve the PC at their local library, the risk is still minimal since a potential attacker still wouldn’t be able to get past the MFA request.

Having device approvals expire over time and require re-approval could also be helpful on this front.

Currently we have the good option to log in with the master password and a YubiKey. This combination thwarts keyloggers, onlookers and anyone who steals one device and not the other.

I propose that the unlock feature provide the option to unlock using a PIN (short and at risk of onlookers, but still allowing only 5 attempts before logout) and the YubiKey. This combination would allow a fast unlock while still thwarting keyloggers, onlookers and anyone who steals one device and not the other.

Note: I am not proposing to unlock using the YubiKey alone, because the unlock also needs “something you know”. I am only proposing to allow the unlock operation to mimic the most secure login operation, except for using a short (and fast) PIN instead of the long master password.

The proposal above would also allow the user to mitigate against the risk described in this article…

https://ambiso.github.io/bitwarden-pin/
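The PIN-plus-YubiKey unlock proposed in this thread, sketched as an added illustration (not Bitwarden's code): the local store's vault key stays wrapped under a key derived from both the PIN and a token challenge-response, so locking keeps the encrypted datastore on disk, a PIN guess cannot be checked without the token present, and the fifth failed attempt drops to a full logout. The token is simulated, and the HMAC challenge-response style and the XOR-plus-HMAC key wrap are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 5  # the thread's "only 5 attempts before logout"

class SimulatedToken:
    """Stand-in for a YubiKey (assumption: it answers a challenge with an HMAC over a
    secret that never leaves the device, in the style of FIDO2 hmac-secret)."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

def derive_unlock_key(pin: str, token_response: bytes, salt: bytes) -> bytes:
    # A stretched PIN alone is cheap to guess offline; mixing in the token's
    # response means no PIN guess can be checked without the token present.
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + token_response, salt, 100_000, 64)

def wrap_vault_key(vault_key: bytes, pin: str, token: SimulatedToken) -> dict:
    """Wrap a 32-byte vault key so unlocking needs PIN + token (encrypt-then-MAC)."""
    salt, challenge = os.urandom(16), os.urandom(32)
    k = derive_unlock_key(pin, token.respond(challenge), salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, k[:32]))
    tag = hmac.new(k[32:], salt + challenge + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "challenge": challenge, "wrapped": wrapped, "tag": tag}

def unwrap_vault_key(blob: dict, pin: str, token_response: bytes):
    k = derive_unlock_key(pin, token_response, blob["salt"])
    tag = hmac.new(k[32:], blob["salt"] + blob["challenge"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong PIN, wrong token, or tampered blob
    return bytes(a ^ b for a, b in zip(blob["wrapped"], k[:32]))

class LockedClient:
    """Locked state: the encrypted store stays on disk; unlock needs both factors."""
    def __init__(self, blob: dict):
        self.blob, self.failed, self.logged_out = blob, 0, False
    def unlock(self, pin: str, token):
        if self.logged_out:
            return None  # fully logged out: local store discarded, full login needed
        response = token.respond(self.blob["challenge"]) if token else b""
        key = unwrap_vault_key(self.blob, pin, response)
        if key is None:
            self.failed += 1
            self.logged_out = self.failed >= MAX_ATTEMPTS
            return None
        self.failed = 0
        return key
```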