I see on my Samsung S8+ that I am able to log in to the vault with a newly created fingerprint. I consider this a serious security risk. Both my PayPal app and my banking app detect that fingerprints have been changed on the phone, and I have to log in with my password before I am allowed to use fingerprints in those two apps.
So the feature request is to disable fingerprint authentication if it is changed in the Android OS (new fingerprints added or fingerprints modified).
Funny coincidence. Just a minute ago, I replied to an older request for that feature! The same problem exists on iOS.
This is really important in my opinion!!
As far as I know, it’s possible only to unlock the vault with the fingerprint, and not to log in.
And as I mentioned before, the system uses the OS-native biometric framework. Nothing much that can be done here. (But a lot of coding.)
It is in fact easy to fix. You can check when the fingerprint in the OS was last modified and compare this with the last unlock time of Bitwarden. My bank app and the PayPal app are already doing it this way.
If you don’t do this, the security of Bitwarden is reduced to whatever the unlock code of the phone is, and this could be a four-digit PIN.
I think @stigvi is right. It is not just about logging in to Bitwarden. And it’s not the same feature that I asked for in an earlier post (that Bitwarden should scan its own fingerprints). It’s about the fingerprints that are saved within the OS framework. When you create a new fingerprint within your OS framework, you can use it right away to unlock Bitwarden.
The feature asked for would be to detect newly created fingerprints since the last locking of the vault and to disable the “unlock with fingerprint” option in case a new fingerprint was saved on the system. You first would have to enter your password to enable that option again.
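One way to implement the check described in this post on Android, as an added example that is not Bitwarden’s code and not code from anyone in this thread: rather than comparing timestamps, the app binds the "unlock with fingerprint" option to an Android Keystore key created with `setInvalidatedByBiometricEnrollment(true)`. The OS permanently invalidates such a key the moment a fingerprint is added, so initializing a cipher with it throws `KeyPermanentlyInvalidatedException`, and the app can fall back to the master password. The key alias, the `BiometricUnlockState` type and the callback names are this example’s own assumptions.

```kotlin
// Added example (not Bitwarden's code): biometric unlock that dies on new fingerprint enrollment.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import java.util.concurrent.Executor
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val KEYSTORE = "AndroidKeyStore"
private const val KEY_ALIAS = "vault_biometric_unlock_key" // hypothetical alias
private const val TRANSFORMATION = "AES/CBC/PKCS7Padding"

/** Outcome of checking whether the fingerprint button may be offered. */
sealed class BiometricUnlockState {
    object NotEnabled : BiometricUnlockState()                  // user never enabled it (or we revoked it)
    object BiometricsChanged : BiometricUnlockState()           // enrollment changed: require master password
    data class Ready(val cipher: Cipher) : BiometricUnlockState() // safe to show the prompt
}

private fun keyStore(): KeyStore = KeyStore.getInstance(KEYSTORE).apply { load(null) }

/**
 * Call only after the user has just entered the master password and turned the option on.
 * The generated key is usable solely after a biometric check, and is destroyed by the OS
 * if any biometric is enrolled later (API 24+; on API 23 this is the unconditional behaviour).
 */
fun enableBiometricUnlock(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
        .setUserAuthenticationRequired(true)      // key usable only right after a biometric auth
        .setInvalidatedByBiometricEnrollment(true) // new fingerprint => key permanently invalidated
        .build()
    val gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
    gen.init(spec)
    return gen.generateKey()
}

/** Run every time the unlock screen is shown, before offering the fingerprint button. */
fun checkBiometricUnlock(): BiometricUnlockState {
    val key = keyStore().getKey(KEY_ALIAS, null) as? SecretKey ?: return BiometricUnlockState.NotEnabled
    val cipher = Cipher.getInstance(TRANSFORMATION)
    return try {
        cipher.init(Cipher.ENCRYPT_MODE, key) // throws if enrollment changed since key creation
        BiometricUnlockState.Ready(cipher)
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore().deleteEntry(KEY_ALIAS)      // revoke: user must re-enable with the master password
        BiometricUnlockState.BiometricsChanged
    }
}

/** Show the system prompt; the cipher is only usable inside onAuthenticationSucceeded. */
fun promptBiometricUnlock(
    activity: FragmentActivity,
    executor: Executor,
    cipher: Cipher,
    onUnlocked: (Cipher) -> Unit,   // hypothetical callback: decrypt the vault key blob with this cipher
    onFailed: () -> Unit            // hypothetical callback: fall back to the master password screen
) {
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val authorized = result.cryptoObject?.cipher
            if (authorized == null) onFailed() else onUnlocked(authorized)
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onFailed()
    }
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock vault")
        .setNegativeButtonText("Use master password")
        .build()
    BiometricPrompt(activity, executor, callback)
        .authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

The important design choice is that the vault’s unlock secret must actually be encrypted with this keystore key when the option is enabled, so that `BiometricsChanged` is enforced by cryptography and not only by hiding a button: a newly enrolled finger cannot produce a cipher that decrypts the blob, whatever the UI does. Re-enabling the option is only possible by running `enableBiometricUnlock()` again, which the app should gate behind a fresh master-password entry.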
Unfortunately, I don’t have the knowledge to contribute code for that feature… But I can imagine that such a check is not too complex in terms of coding, right?