Some features that may improve the experience

I’ve just started using Bitwarden, and as amazing as it is, there are some issues that annoy me. Below I listed some that I have stumbled upon during my short term of usage.

A save login details prompt that appears if the information doesn’t already exist in your vault. (That works automatically?)
In the Android app, there is a setting in the autofill tab under additional options called “Ask to add login”. I assume that it’s meant to save the username/password you entered if it doesn’t already exist in the vault, but it doesn’t seem to work in mobile browsers. If I log into an app and the login details aren’t in my vault, it does ask if I would like to save them, but it doesn’t do it automatically and I have to fill everything in myself.
This is also an occasional issue on my desktop web browsers. Every now and then Bitwarden will forget to ask if I would like to save new login details.

Biometrics verification for autofill, like iCloud Keychain or Samsung Pass.
Keychain and Samsung Pass have a feature I like that prompts the user to verify their identity with biometrics in order to use saved login info. Bitwarden has a similar feature where it asks for the master password, but I would find using biometrics much more efficient. It could be an optional setting that affects all saved logins.

Autofill for identity and cards.
Pretty self-explanatory. Fill in any payment form or address form. Other password managers have such features; sadly, it seems to be missing in Bitwarden.

A vulnerability checker that works in the background.
1Password has it, Dashlane has it, Proton Pass has it. It seems quite important to know if suddenly vulnerabilities arise or if your information made it onto the dark web, so performing the checks without a prompt from the user would be quite useful.

I’m not too sure if multiple requests per topic are approved of, so if not, do inform me and I’ll gladly split these up into different posts.

Welcome, @Pinesicles, to the community.

Appreciate the suggestions. It would really help to separate them into separate topics so that people can vote on individual suggestions. Plus, it makes it easier for others to offer feedback without confusion as to which they are responding.

How about being able to quickly see which devices and IP addresses have accessed my web vault, and also a listing of failed attempts? Gmail shows recent login activity and Fastmail goes a step further and shows all failed attempts as well. This logging could be opt-in, which is how Proton does it.

As well, I’m anticipating some kind of moat function where I can restrict login attempts from geographical locations I haven’t whitelisted. Again this would be opt-in, and there would be a recovery code associated with it in case, for whatever reason, I need to access my vault from a blacklisted geographical location. Therefore, when enabling this feature the user would be implored to print out and back up a crucial recovery code, similar to enabling 2FA.

Now that I think of it, maybe simply using a YubiKey makes completely useless/irrelevant any such moat as I’ve described above. Seems to me that it does, so I don’t know why others have been so keen on that feature.

Anyway, always good brainstorming ways to improve the most crucial product I use. I trust the Bitwarden developers to continue to make optimal decisions.

One feature request per topic, please.

AWS and VPNs severely limit the value of Geofencing at the country/state/region level.

The other detail is that IP-based geofencing typically will identify the location of your ISP/POP, not your device. Back in the Sprint days, IP-based location often placed me 150 km away from my true location. GPS (and similar) location services are quite accurate, but are only accessible to the device, not a web server.

You hit it on the nose: WebAuthn and TOTP both up the game enough that geofencing can be largely irrelevant.

Most likely, security theater. “Seems” like a good idea, rather than proposed, tested, peer reviewed and analyzed for cost-benefit. Personally, I don’t put much credibility into any authentication proposals not supported by NIST 800-63B.