The pop-out window should respect the vault timeout settings/actions (browser extension)

Feature name

Pop out window timeout lock

Feature function

  • What will this feature do differently?

Currently, the vault timeout action does not apply to the pop out window. But this makes no sense, as the pop out window is still the vault, just a different way of interacting with the contents of the vault. Additionally, the pop out window appears to remain unlocked because it’s assumed “active” regardless of whether it’s in use or not. However, this is not a reasonable or safe assumption because it’s easily layered beneath other windows and can be neither active nor remembered as present, resulting in a rather consistent and obvious security issue.

Since the word “vault” describes the contents, not the view, it is most reasonable to lock the pop out view by the same means as the extension view. However, if this is not viable or desirable for some reason, then the pop out should at least have its own locking mechanism.

  • What benefits will this feature bring?

Security, which I believe is one of Bitwarden’s main goals!

Related topics + references

Ref. Pop out new window not locking on timer

I agree. I left my computer for an hour or so, only to come back to Bitwarden open. I would prefer it to automatically lock even when a window is open.

The pop out window is a truly useful feature in Bitwarden.

But . . .

I agree with the need to auto lock the pop out window.

It’s annoying that it essentially needs to be done manually, and scary how easy it is to leave it open.

Protecting your data is as simple as locking your computer whenever you leave it.
And to get back into the system as easily, quickly and comfortably as possible, get a USB fingerprint sensor like this one:

I know that this is not what you are asking for. But it is what you can do right now to protect your data.

Yep, I am already following this approach.

I found this too. Please fix. It might be a rare occurrence, but it leaves the vault unencrypted indefinitely.

Thanks for the follow-up everyone, I’ll check in with the team and provide a follow-up, but I think this is a browser-related issue and if it is, we could do a better job at indicating this.

Wanted to circle back to see if any progress has been made here.
-Thanks

If I pop out a new window on the extension and forget to close it, the Bitwarden extension does not lock. This is easy to do, and you may not realize that you haven’t closed the pop-up, leaving your account exposed.

This help section explains the problem. “However, it’s important to note that when the browser extension is popped out, it will not adhere to your chosen vault timeout settings.”

Full help article:
The Bitwarden browser extension includes a pop-out feature that allows you to reposition the client while using your internet browser. To pop out the browser extension, you need to select the appropriate icon in the extension interface 3, 7. However, it’s important to note that when the browser extension is popped out, it will not adhere to your chosen vault timeout settings.

I see this action, "not adhering to vault timeout settings," as a significant vulnerability.

@SeniorTech I moved your post into this existing feature request on the same topic.

Note: I updated the title from “Lock the pop out window” to “The pop-out window should respect the vault timeout settings/actions (browser extension)”.