I also noticed this. Apparently, this doesn’t happen on 1Password, where it falls back to the 1P Master password when TouchID fails or cannot be used. Maybe it’s due to the different way TouchID is integrated that it defaults to the normal macOS behaviour here?
I am speaking as a non-maintainer, but I think anything that increases security is worth doing/adding. I can understand if the main obstacle is increased bundle size / incompatibilities for other desktop OSes.
As far as I know, the main issue is the lack of support in the existing Electron APIs (systemPreferences | Electron). We would need to reimplement the logic ourselves in a native module, which is a bit more complicated than changing an API call.
Hopefully this issue will be addressed soon, because it means that using TouchID is not secure unless I have a secure macOS device password. I think for many people that’s not practical; generally we have shorter passwords or PINs for device logins (6-8 chars), whereas my Bitwarden password is 15+ chars.
I recently realised that if you add a new TouchID fingerprint to macOS, you can use the new fingerprint to unlock Bitwarden without having to reauthenticate with your master password. This seemed like a big security flaw, and while searching for it I found this post. In both cases I think the most worrying thing is that they are not obvious to users (or maybe I’m losing my touch). So I’ve been using Bitwarden for over a year, and the whole time someone could have had full access to my vault if they had access to my laptop and device password.
The first and easiest fix would be a clear warning when users enable TouchID. Currently you just check a box, scan your finger and assume all is well.
The ideal solution for me would be to prevent falling back to macOS device password AND detect if there have been any changes to stored fingerprints.
I love Bitwarden and really appreciate your work. I also understand that this is probably not a trivial fix; it must be leveraging baked-in macOS functionality, and it might not even be possible to use the fingerprint sensor without these security tradeoffs.
Could you please comment on the possibility of these changes? In the meantime I need to make a choice between disabling TouchID and using a 15 character device login - I’m still deciding!
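As an added illustration of the two behaviours requested above (no fallback to the macOS login password, and refusing to unlock when the enrolled fingerprint set has changed), here is how a native macOS helper could use Apple's LocalAuthentication framework. This is example code written for this thread, not Bitwarden's own implementation; the `UnlockResult` type, the `unlockWithTouchID` function and the idea of persisting `evaluatedPolicyDomainState` next to the biometric-protected key are assumptions.

```swift
import Foundation
import LocalAuthentication

enum UnlockResult {
    case unlocked(currentDomainState: Data)  // caller may release the biometric-protected key
    case enrollmentChanged                    // fingerprint added/removed: require the master password
    case biometricsUnavailable(Error?)        // not enrolled, locked out, etc.: require the master password
    case failed                               // prompt cancelled or biometric match failed
}

/// Unlocks with Touch ID only. `storedDomainState` is the `evaluatedPolicyDomainState`
/// saved when the user enabled Touch ID (hypothetical storage; nil on first enable).
func unlockWithTouchID(storedDomainState: Data?, completion: @escaping (UnlockResult) -> Void) {
    let context = LAContext()
    context.localizedFallbackTitle = ""  // hides the "Use Password..." button in the prompt

    // .deviceOwnerAuthenticationWithBiometrics never falls back to the macOS login
    // password; .deviceOwnerAuthentication would, which is the behaviour discussed above.
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        completion(.biometricsUnavailable(error))
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your vault") { success, _ in
        // evaluatedPolicyDomainState is an opaque value that changes whenever the
        // set of enrolled fingerprints changes; it is only valid after a successful evaluation.
        guard success, let current = context.evaluatedPolicyDomainState else {
            completion(.failed)
            return
        }
        if let stored = storedDomainState, stored != current {
            // A fingerprint was added or removed since Touch ID was enabled for the vault:
            // do not release the key; make the user re-enter the master password and re-enable.
            completion(.enrollmentChanged)
        } else {
            // First enable (nil) or unchanged enrollment: persist `current` and unlock.
            completion(.unlocked(currentDomainState: current))
        }
    }
}
```

The caller should store the returned domain state only after a master-password unlock, so an attacker who enrolled a new finger cannot simply re-seed it.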
Couldn’t you just get around this entire problem by creating a second user account in the OS?
You could have a personal account with a strong password, and then a shared account with a weak one. Isn’t that pretty much the use case for OS user accounts in the first place?
Lots of parts of your device’s security could be compromised by having a weak password on your primary account, from the obvious (your files) to something more technical, if that account has administrator privileges. Wouldn’t it make more sense to separate out your personal information from the easy-to-access shared account?
You can partially address the issue that way, but for many of us it’s just not practical and presents its own security issues. In my case I don’t actually share my personal account with anyone.
My personal risk assessment is that a 6-8 character password is enough to protect my laptop, but for my password manager I use a 15 character password. As I mentioned, it would be irritating to have to enter such a long password to unlock my laptop. macOS regularly asks you to reenter it even if you use Touch ID. But on a more serious level, I’m often in public places when using my laptop. The more times you enter your password in a public place, potentially with cameras that you are not aware of, the more risk there is of exposing your password. I’m extremely cautious on the rare occasions I enter my Bitwarden password in public, and that’s another reason that Touch ID is preferable: even if you are being recorded, your password is not exposed.
Anyway, those are just my personal thoughts, interesting to hear whether others agree or not.
I totally agree about this; it’s one of the things that is currently preventing me from fully switching to Bitwarden. Touch ID on the Desktop app is a fundamental feature for both safety and convenience. But right now I don’t feel safe using it, also because a change of Touch ID does not require a re-prompt of the master password (I made a feature request about this here: “Desktop app: Detect changed biometrics/fingerprint and re-prompt for master password”).
Another agree here, and I don’t use biometric login for Bitwarden on the desktop because of it. The threat model for my local machine account is very, very different from my cloud-hosted password manager.