Currently, the vault timeout action does not apply to the pop out window. But this makes no sense as the pop out window is still the vault, just a different way of interacting with the contents of the vault. Additionally, the pop out window appears to remain unlocked because it’s assumed “active” regardless if it’s in use or not. However, this is not a reasonable or safe assumption because it’s easily layered beneath other windows and can be neither active nor remembered as present resulting in a rather consistent and obvious security issue.
Since the word “vault” describes the contents, not the view, it is most reasonable to lock the pop out view by the same means as the extension view. However, if this is not viable or desirable for some reason, then the pop out should at least have its own locking mechanism.
What benefits will this feature bring?
Security, which I believe is one of Bitwarden’s main goals!
I agree. I left my computer for an hour or so, only to come back to bitwarden open. I would prefer it to automatically lock even when a window is open.
To protect your data is as simple as to lock your computer whenever you leave it.
And to get back into the system as easy, fast and comfortable as possible get a USB fingerprint sensor like this one:
Thanks for the follow up everyone, I’ll check in with the team and provide a follow up, but I think this is a browser related issue and if it is, we could do a better job at indicating this.
If I pop out a new window on the extension and forget to close it, the Bitwarden extension does not lock. This is easy to do, and you may not realize that you haven’t closed the pop-up, leaving your account exposed.
This help section explains the problem. “However, it’s important to note that when the browser extension is popped out, it will not adhere to your chosen vault timeout settings.”
Full help article:
The Bitwarden browser extension includes a pop-out feature that allows you to reposition the client while using your internet browser. To pop out the browser extension, you need to select the appropriate icon in the extension interface 3, 7. However, it’s important to note that when the browser extension is popped out, it will not adhere to your chosen vault timeout settings.
I see this action," not adhering to vault timeout settings," as a significant vulnerability.