TouchID for macOS is a neat feature.
There is one concerning macOS behavior, when TouchID window pops out, press Enter or click Use Password... will fallback to macOS Account Password.
I’d like to see that behavior prevented, so if biometric with touch cannot be done (using external keyboard), it will fall back to vault master password, instead of .
Feature function
What will this feature do differently?
Prevent macOS password to unlock vault when TouchID enabled.
What benefits will this feature bring?
More secure vault from anyone that know the macOS device owner’s Account Password.
Remember to add a tag for each client application that will be affected
Done
Hi all,
I also noticed this. Apparently, this doesn‘t happen on 1Password where it falls back to the 1P Master password when TouchID fails or cannot be used. Maybe it‘s due to the different way of integration of TouchID that it defaults to the normal macOS behaviour here?
Best,
Robert
This is making the touch id unusable for me, since I have a very simple password on my macbook, so that my family members can use it too. But don’t want them to access my bitwarden passwords too
I recently noticed this, too. It would harden security tremendously if there was NO fallback, or it used the Bitwarden Password instead of the machine’s password.
@ybbond - I hope you don’t mind, but I edited your request topic so that it was more clear that you are asking for it not to fall back to the macOS password (rather than the BW account password).
I am speaking as non-maintainer, but I think anything to increase security is worth to do/add. I can understand if the main obstacle is increased bundle size / incompatibilities for other desktop OSes.
I’ll have to check with Oscar when he’s back, but the electron APIs are from their project, so we depend on either their updates, or them merging our PRs
As far to my knowledge the main issue is the lack of support in the existing electron APIs. systemPreferences | Electron We would need to reimplement the logic ourself in a native module, which is a bit more complicated than changing API.
Hopefully this issue will be addressed soon because it means that using TouchID is not secure unless I have a secure macOS device password. I think for many people that’s not practical, generally we have shorter passwords or PINs for device logins (6-8 chars) whereas my BitWarden password is 15+ chars.
I recently realised that if you add a new touchID fingerprint to macOS, you can use the new fingerprint to unlock Bitwarden without having to reauthenticate with your master password. This seemed like a big security flaw and while searching for it I found this post. In both cases I think the most worrying thing is that they are not obvious to users (or maybe I’m losing my touch ). So I’ve been using Bitwarden for over a year and the whole time someone could have have full access to my vault if they had access to my laptop and device password.
The first and easiest fix would be a clear warning when users enable TouchID. Currently you just check a box, scan your finger and assume all is well.
The ideal solution for me would be to prevent falling back to macOS device password AND detect if there have been any changes to stored fingerprints.
I love Bitwarden and really appreciate your work. I also understand that this is probably not a trivial fix, it must be leveraging baked-in macOS functionality and it might not even be possible to use the fingerprint sensor without these security tradeoffs.
Please can you comment on the possibility of these changes. In the meantime I need to make a choice between disabling TouchID and using a 15 character device login - I’m still deciding!
Couldn’t you just get around this entire problem by creating a second user account in the OS?
You could have a personal account with a strong password, and then a shared account with a weak one. Isn’t that pretty much the use case for OS user accounts in the first place?
Lots of parts of your device’s security could be compromised by having a weak password on your primary account, from the obvious (your files) to something more technical, if that account has administrator privileges. Wouldn’t it make more sense to separate out your personal information from the easy-to-access shared account?
You can partially address the issue that way, but for many of us it’s just not practical and presents its own security issues. In my case I don’t actually share my personal account with anyone.
My personal risk assessment is that a 6-8 character password is enough to protect my laptop, but for my password manager I use a 15 character password. As I mentioned, it would be irritating to have to enter such a long password to unlock my laptop. MacOS regularly asks you to reenter it even if you use touch id. But on a more serious level, I’m often in public places when using my laptop. The more times you enter your password in a public place, potentially with cameras that you are not aware of, the more risk there is of exposing your password. I’m extremely cautious on the rare occasions I enter my Bitwarden password in public, and that’s another reason that touch id is preferable, so even if you are being recorded your password is not exposed.
Anyway, those are just my personal thoughts, interesting to hear whether others agree or not.
I totally agree about this, it’s one of the things that is currently preventing me from fully switching to Bitwarden. Touch ID on the Desktop app is a fundamental feature for both safety and conveniency. But right now I don’t feel safe using it, also because a change of Touch ID does not require a re-prompt of the master password (I made a feature request about this here Desktop app: Detect changed biometrics/fingerprint and re-prompt for master password ).
Another agree here, and I don’t use biometric login for bitwarden on the desktop because of it. The threat model for my local machine account is very, very different from my cloud-hosted password manager.
I think, it is critical feature to work properly. The same way it works on Android or iOS. And it is really strange, that after almost 2 years of this Topic, it was not fixed. I really like Bitwarden and always recommend it as the best Password-Manager (it really is), but sadly not in this situation with fallback to Account Password. Thank you, Bitwarden-Team, for your great work, but please fix this issue, because it is big security concern for many users!
MacOS allows to store multiple keychains. Short of implementing the true fallback to the BW masterpass word like 1PW which would any of the following be “easier” to implement ?
offer a setting in Bitwarden to specify a custom keychain db ?
if (1) is not possible would be possible at least to use “default-keychain” instead of “login-keychain” ?
To give more color on (2) I did change the default keychain in my Mac as experiment using this command
I restarted the Mac and altho the default keychain was indeed the custom one (as opposed to login), BW is still prompting me to give the login password as fallback to Touch ID when unlocking the vault.
The last attempt I think I could make is to change from the command line the password of the login.keychain to differ from my user password and set it to the BW master pwd using
Didn’t realize this until I just saw this thread. Not good. Has anyone from Bitwarden at least provided a rationale or acknowledged they may change it to fallback to BW master pw? Upvoted.