TouchID on macOS: prevent fallback to macOS Account Password

Feature name

TouchID for macOS is a neat feature.
There is one concerning macOS behavior, when TouchID window pops out, press Enter or click Use Password... will fallback to macOS Account Password.

I’d like to see that behavior prevented, so if biometric with touch cannot be done (using external keyboard), it will fall back to vault master password, instead of .

Feature function

  • What will this feature do differently?
    Prevent macOS password to unlock vault when TouchID enabled.
  • What benefits will this feature bring?
    More secure vault from anyone that know the macOS device owner’s Account Password.
  • Remember to add a tag for each client application that will be affected
    Done :slight_smile:

Related topics + references

TouchID request popup

Hi all,
I also noticed this. Apparently, this doesn‘t happen on 1Password where it falls back to the 1P Master password when TouchID fails or cannot be used. Maybe it‘s due to the different way of integration of TouchID that it defaults to the normal macOS behaviour here?
Best,
Robert

1 Like

This is making the touch id unusable for me, since I have a very simple password on my macbook, so that my family members can use it too. But don’t want them to access my bitwarden passwords too

I recently noticed this, too. It would harden security tremendously if there was NO fallback, or it used the Bitwarden Password instead of the machine’s password.

@ybbond - I hope you don’t mind, but I edited your request topic so that it was more clear that you are asking for it not to fall back to the macOS password (rather than the BW account password).

I spoke with @hinton about this before and if I recall correctly, we may need some additional electron APIs to prevent fallback.

2 Likes

I don’t mind :smiley: anything to make the issue clearer.

I am speaking as non-maintainer, but I think anything to increase security is worth to do/add. I can understand if the main obstacle is increased bundle size / incompatibilities for other desktop OSes.

1 Like

Is there a timeframe for adding the additional electron APIs to prevent fallback?

I’ll have to check with Oscar when he’s back, but the electron APIs are from their project, so we depend on either their updates, or them merging our PRs :slight_smile:

As far to my knowledge the main issue is the lack of support in the existing electron APIs. systemPreferences | Electron We would need to reimplement the logic ourself in a native module, which is a bit more complicated than changing API.

1 Like

Hi all, glad that you’re working on it. Is there any update so far? Because as of now, it means that I cannot use TouchID :frowning:

Thanks,
Robert

Hopefully this issue will be addressed soon because it means that using TouchID is not secure unless I have a secure macOS device password. I think for many people that’s not practical, generally we have shorter passwords or PINs for device logins (6-8 chars) whereas my BitWarden password is 15+ chars.

I recently realised that if you add a new touchID fingerprint to macOS, you can use the new fingerprint to unlock Bitwarden without having to reauthenticate with your master password. This seemed like a big security flaw and while searching for it I found this post. In both cases I think the most worrying thing is that they are not obvious to users (or maybe I’m losing my touch :grimacing:). So I’ve been using Bitwarden for over a year and the whole time someone could have have full access to my vault if they had access to my laptop and device password.

The first and easiest fix would be a clear warning when users enable TouchID. Currently you just check a box, scan your finger and assume all is well.

The ideal solution for me would be to prevent falling back to macOS device password AND detect if there have been any changes to stored fingerprints.

I love Bitwarden and really appreciate your work. I also understand that this is probably not a trivial fix, it must be leveraging baked-in macOS functionality and it might not even be possible to use the fingerprint sensor without these security tradeoffs.

Please can you comment on the possibility of these changes. In the meantime I need to make a choice between disabling TouchID and using a 15 character device login - I’m still deciding!

Couldn’t you just get around this entire problem by creating a second user account in the OS?

You could have a personal account with a strong password, and then a shared account with a weak one. Isn’t that pretty much the use case for OS user accounts in the first place?

Lots of parts of your device’s security could be compromised by having a weak password on your primary account, from the obvious (your files) to something more technical, if that account has administrator privileges. Wouldn’t it make more sense to separate out your personal information from the easy-to-access shared account?

Hey @ERF4

You can partially address the issue that way, but for many of us it’s just not practical and presents its own security issues. In my case I don’t actually share my personal account with anyone.

My personal risk assessment is that a 6-8 character password is enough to protect my laptop, but for my password manager I use a 15 character password. As I mentioned, it would be irritating to have to enter such a long password to unlock my laptop. MacOS regularly asks you to reenter it even if you use touch id. But on a more serious level, I’m often in public places when using my laptop. The more times you enter your password in a public place, potentially with cameras that you are not aware of, the more risk there is of exposing your password. I’m extremely cautious on the rare occasions I enter my Bitwarden password in public, and that’s another reason that touch id is preferable, so even if you are being recorded your password is not exposed.

Anyway, those are just my personal thoughts, interesting to hear whether others agree or not.

1 Like

I totally agree about this, it’s one of the things that is currently preventing me from fully switching to Bitwarden. Touch ID on the Desktop app is a fundamental feature for both safety and conveniency. But right now I don’t feel safe using it, also because a change of Touch ID does not require a re-prompt of the master password (I made a feature request about this here Desktop app: Detect changed biometrics/fingerprint and re-prompt for master password ).