If you’re debugging something, odds are your coworker could easily open the Chrome dev panel and extract your Bitwarden encryption key, or install a keylogger to grab your “extra password”.
If the answer is “but I trust my coworker” then why not trust them to not open your private secrets?
If Bitwarden implements this, it must use an extra layer of encryption to be useful to an adversary that knows anything remotely related to development.
LastPass extra protection only protects you from a tech illiterate adversary.
I just made a comment that if you don’t have the security consciousness to lock your OS before letting someone use your computer (and revoke admin privileges for their accounts), then two things are likely:
- Odds are, given a feature to increase security and decrease convenience, it will not be used if the person has shown reluctance to use similar features on their OS.
- Odds are, an adversary with a small amount of skill can circumvent the Bitwarden feature if the user is not using the OS feature.
I understand it “feels secure,” but the problem with adding features that feel secure, but aren’t, is that it creates a false sense of security.
Like I’ve said before, currently, OS user management is much more secure than LastPass extra protection.
If this feature were to be implemented, it would need to add a second layer of encryption from a second password (not your master password) to increase security at all.
Adding such a feature without such encryption should only be done with the explicit goal of making users “feel safe” while explicitly acknowledging that it doesn’t actually make 99.999% of users any more safe, and decreases the safety of any user that decides to stop using other security features of the OS etc. because of the added “sense of security”.
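The contrast the post draws, as an added example that is not from the post or from Bitwarden’s code: a “gate-only” extra password that merely checks a hash before showing an item already decrypted with the master key, beside a real second layer that keeps the item encrypted under a key derived from the extra password. The HMAC-based stream cipher is a toy stand-in for a proper AEAD so the example runs on the standard library.

```python
import hashlib
import hmac
import os

def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    # Slow KDF so the extra password is not cheaply brute-forced from a stolen vault blob.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher from HMAC-SHA256 counter blocks: a stand-in for a real AEAD
    # (AES-GCM, XChaCha20-Poly1305) so the example needs no third-party package.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class GateOnlyItem:
    """The 'feels secure' design: the item is already decrypted with the master
    key; the extra password is only compared before the UI shows it."""
    def __init__(self, secret: bytes, extra_password: str):
        self.secret = secret  # plaintext sits in memory once the vault is unlocked
        self._gate = hashlib.sha256(extra_password.encode()).digest()
    def reveal(self, extra_password: str) -> bytes:
        if hashlib.sha256(extra_password.encode()).digest() != self._gate:
            raise PermissionError("wrong extra password")
        return self.secret

class SecondLayerItem:
    """A real second layer: only ciphertext and a tag exist until a key is
    derived from the extra password, so a debugger or dev-tools peek at the
    unlocked vault yields nothing usable."""
    def __init__(self, secret: bytes, extra_password: str):
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        key = derive_key(extra_password, self.salt)
        self.ciphertext = keystream_xor(key, self.nonce, secret)
        self.tag = hmac.new(key, self.nonce + self.ciphertext, "sha256").digest()
    def reveal(self, extra_password: str) -> bytes:
        key = derive_key(extra_password, self.salt)
        expected = hmac.new(key, self.nonce + self.ciphertext, "sha256").digest()
        if not hmac.compare_digest(expected, self.tag):  # wrong password: error, not garbage
            raise PermissionError("wrong extra password")
        return keystream_xor(key, self.nonce, self.ciphertext)

def visible_without_extra_password(item) -> bytes:
    """What inspecting the unlocked object yields without the extra password:
    the plaintext for the gate-only design, only ciphertext for the second layer."""
    return item.secret if isinstance(item, GateOnlyItem) else item.ciphertext
```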