Sign in using QR code without master password

Feature name

  • Sign in using QR code without master password

Feature function

  1. What will this feature do differently?
  • Allow users to sign in and access their vault without the need for a master password.
  2. What benefits will this feature bring?
  • In case a user has to access the web vault in an emergency on a friend's computer, typing the master password on that computer will not be safe.
    So it is better to log in to the web vault without entering the master password. Signing in with a QR code is convenient and safe to use.
  3. How will it work?
  • Go to the web vault.
  • Enter the email.
  • Click on generate QR code.
  • Open the mobile app and scan the QR code using the camera within the Bitwarden mobile app.

Related topics + references

  1. Are there any related topics that may help explain the need and function of this feature?
  2. Are there any references to this feature or function on other platforms that may be helpful?
  • A user with a Firefox account can sign in to their account on a PC by scanning the generated QR code using a smartphone.
1 Like

This is what I meant, if anybody is confused.
After entering our e-mail, the web vault will generate a QR code (optional). A person has to scan this QR code with the Bitwarden mobile app. They should be signed in on mobile with the account that the person wants to access from the web vault. So the master password will not be required.

Heavy support on this. A means of logging in without typing the master password is a big need for security. QR code is awesome; another option would be using a fingerprint on an already logged-in device (such as your own phone) to approve login on another.

3 Likes

Signing in without a (monstrous) master password is a great option for me too.

1 Like

I’m sure there are many ways to implement this, but one that immediately comes to mind is to generate an ephemeral key pair, encrypt the vault’s master secret with the public key, then the QR code could be the private key. The Bitwarden service should be able to look up the private key’s fingerprint and offer up the encrypted master secret, and the client can decrypt it and use it.

ECC keys are pretty small and should fit in a QR code. Probably want some sort of lifetime on these and probably a per-account limit, possibly of one, so creating a new one will remove any existing ones.

1 Like

This process obviously requires the mobile App, so why not use a notification with a knowledge check (e.g. select “42” on your app) to verify the session you are authenticating. You can then use either a biometric or pin as a 2nd factor.

An example of this would be the Microsoft Authenticator app when using passwordless authentication on your MS account.

4 Likes

I mentioned MS Auth before here; it's a good example of how it works. It could be approved by fingerprint, or by simply clicking ‘accept’ on your unlocked mobile app.

Good point about noting that this would be an online process. But you can’t just authenticate the session, you also have to transfer the secret, which Bitwarden does not have. You definitely do not want the secret transferred unencrypted. The existing session will need some way to transfer the secret to the phone and decrypt it there.

I really like the idea of accepting a sign in from a mobile device without having to scan the QR code. This sounds more convenient.
Authy has this system implemented and makes multi device sign in a breeze.

I have used this number token method of signing in with my Google account. Great idea!

Yes, Authy does have this, but you still have to enter in your password manually.

You still need a secure way to communicate your secret between the two devices in a way that an intermediate cannot read it.

In order to transfer your secret securely, you have to encrypt it… with a secret… then you have to transfer that secret securely. Turtles all the way down.

The QR code is something local that cannot be eavesdropped by someone remotely, they must physically be in line of sight.

An alternative process that is closer to your suggestion:

  1. Authenticated device uploads an ephemeral public key
  2. Unauthenticated device enters username + 2FA
  3. Unauthenticated device uploads its own ephemeral public key
  4. Authenticated device displays the fingerprint of the unauthorized device’s public key
  5. The end user compares the values and accepts them if they look the same
  6. Secret is encrypted and sent to the unauthorized device

Off the top of my head, a variation of this method should be nearly perfectly secure assuming the devices can generate enough entropy for strong ephemeral keys. And it comes down to the user properly validating the fingerprint.

If the end user didn’t properly validate this fingerprint and Bitwarden’s servers were to become compromised, it would be possible for the attacker to man-in-the-middle the exchange and possibly generate a key with a similar-looking fingerprint.

I registered using my phone number and I never entered any password. I did set a password for encrypting my backup, but that's optional.

When I entered my phone number, Authy asked me to verify the login from a trusted device. No password needed.

I think a feature like this is more convenient than using a temporary master password. Of course, there may be situations where a user doesn’t have their mobile device with them.
Signing in with a trusted device/QR code is a must-have feature; it's safe and convenient. Hope the Bitwarden team will add this to the 2021 roadmap.

1 Like

In my case, master password consists of 6-letter word (remembered) + 72 random digits (stored on computer). I had to re-enter the whole password on each of my devices. So it would be much better if there was login using QR code scanning.

1 Like

Feature name

  • login with qrcode

Feature function

  • What will this feature do differently?
  • Remembering passwords is not easy, so I try to log in via form filling. This option to remember the password is not secure. A secure way to log in would be with a QR code; from that moment I confirm on my cell if I want to access the web version. The QR code has a response time: if you are inactive, you are logged out. Something similar to WhatsApp/Google.
  • What benefits will this feature bring?
  • More security and better user experience.

Scenario

  • Open Bitwarden on your phone
  • Point your phone to this screen to capture the code

References

Were you aware that Bitwarden already supports a variety of two-factor authentication methods that are more secure than this?

https://bitwarden.com/help/article/setup-two-step-login/

1 Like

Some interesting ideas.

I am not saying it is not valid. I am only wondering why it is needed. :smiley:

1 Like

WhatsApp is not zero-knowledge encrypted. Authenticating via QR is trivial. The problem is figuring out how to transfer the master secret in a secure way.

1 Like

What do you think of this idea?