TouchID on macOS: prevent fallback to macOS Account Password

I recently noticed this, too. It would harden security tremendously if there were NO fallback, or if it used the Bitwarden password instead of the machine’s password.

@ybbond - I hope you don’t mind, but I edited your request topic so that it was more clear that you are asking for it not to fall back to the macOS password (rather than the BW account password).

I spoke with @hinton about this before and if I recall correctly, we may need some additional electron APIs to prevent fallback.

2 Likes

I don’t mind :smiley: anything to make the issue clearer.

I am speaking as a non-maintainer, but I think anything that increases security is worth doing/adding. I can understand if the main obstacle is increased bundle size / incompatibilities with other desktop OSes.

1 Like

Is there a timeframe for adding the additional electron APIs to prevent fallback?

I’ll have to check with Oscar when he’s back, but the electron APIs are from their project, so we depend on either their updates, or them merging our PRs :slight_smile:

As far as I know, the main issue is the lack of support in the existing Electron APIs (systemPreferences | Electron). We would need to reimplement the logic ourselves in a native module, which is a bit more complicated than changing an API.

1 Like
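The post above says the missing piece is a native module rather than an Electron API change. As an added example (not Bitwarden’s or Electron’s code), this is the LocalAuthentication call such a module would make to get Touch ID with no macOS account-password fallback: the policy `.deviceOwnerAuthenticationWithBiometrics` never accepts the account password, whereas `.deviceOwnerAuthentication` does. Setting `localizedFallbackTitle` to an empty string hides the “Use Password…” button; every failure path is routed to the vault master password instead. The `BiometricUnlock` type and function name are hypothetical.

```swift
import Foundation
import LocalAuthentication

/// Outcome of a biometrics-only unlock attempt (hypothetical type; added example, not Bitwarden code).
enum BiometricUnlock {
    case granted
    /// Caller must prompt for the vault master password; the macOS login password is never accepted.
    case needsMasterPassword(reason: String)
}

/// Prompts for Touch ID with NO fallback to the macOS account password.
/// `.deviceOwnerAuthenticationWithBiometrics` is the biometrics-only policy;
/// `.deviceOwnerAuthentication` would let the user type the account password.
func unlockWithBiometricsOnly(reason: String, completion: @escaping (BiometricUnlock) -> Void) {
    let context = LAContext()
    // Hide the "Use Password..." button. With the biometrics-only policy it would not accept the
    // account password anyway; it only reports LAError.userFallback, which we handle below.
    context.localizedFallbackTitle = ""
    // Do not silently reuse a Touch ID result from a few seconds earlier.
    context.touchIDAuthenticationAllowableReuseDuration = 0

    var checkError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &checkError) else {
        // No sensor, nothing enrolled, or biometry locked out after too many failed attempts.
        // Do NOT degrade to the login password; require the master password instead.
        completion(.needsMasterPassword(reason: checkError?.localizedDescription ?? "biometrics unavailable"))
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { ok, evalError in
        if ok {
            completion(.granted)
            return
        }
        // .userFallback, .userCancel, .biometryLockout, .authenticationFailed all end here:
        // the only way forward is the vault master password.
        let description = evalError?.localizedDescription ?? "biometric prompt failed"
        if let laCode = (evalError as? LAError)?.code, laCode == .biometryLockout {
            // Lockout clears only after a successful account-password login in System Settings;
            // the app still must not ask for that password itself.
            completion(.needsMasterPassword(reason: "Touch ID locked out: \(description)"))
        } else {
            completion(.needsMasterPassword(reason: description))
        }
    }
}

// Usage:
// unlockWithBiometricsOnly(reason: "Unlock your vault") { outcome in
//     switch outcome {
//     case .granted: /* release the vault key */ break
//     case .needsMasterPassword(let why): /* show master-password field, log `why` */ break
//     }
// }
```

Note that this only changes what the prompt accepts; it does nothing about a fingerprint that was enrolled after Touch ID unlock was enabled, which is the second problem raised later in this thread.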

Hi all, glad that you’re working on it. Is there any update so far? Because as of now, it means that I cannot use TouchID :frowning:

Thanks,
Robert

1 Like

Hopefully this issue will be addressed soon, because it means that using TouchID is not secure unless I have a secure macOS device password. I think for many people that’s not practical; generally we have shorter passwords or PINs for device logins (6-8 chars), whereas my BitWarden password is 15+ chars.

I recently realised that if you add a new Touch ID fingerprint to macOS, you can use the new fingerprint to unlock Bitwarden without having to reauthenticate with your master password. This seemed like a big security flaw, and while searching for it I found this post. In both cases I think the most worrying thing is that they are not obvious to users (or maybe I’m losing my touch :grimacing:). So I’ve been using Bitwarden for over a year, and the whole time someone could have had full access to my vault if they had access to my laptop and device password.

The first and easiest fix would be a clear warning when users enable TouchID. Currently you just check a box, scan your finger and assume all is well.

The ideal solution for me would be to prevent falling back to macOS device password AND detect if there have been any changes to stored fingerprints.

I love Bitwarden and really appreciate your work. I also understand that this is probably not a trivial fix, it must be leveraging baked-in macOS functionality and it might not even be possible to use the fingerprint sensor without these security tradeoffs.

Please can you comment on the possibility of these changes. In the meantime I need to make a choice between disabling TouchID and using a 15-character device login - I’m still deciding!

1 Like

Couldn’t you just get around this entire problem by creating a second user account in the OS?

You could have a personal account with a strong password, and then a shared account with a weak one. Isn’t that pretty much the use case for OS user accounts in the first place?

Lots of parts of your device’s security could be compromised by having a weak password on your primary account, from the obvious (your files) to something more technical, if that account has administrator privileges. Wouldn’t it make more sense to separate out your personal information from the easy-to-access shared account?

Hey @ERF4

You can partially address the issue that way, but for many of us it’s just not practical and presents its own security issues. In my case I don’t actually share my personal account with anyone.

My personal risk assessment is that a 6-8 character password is enough to protect my laptop, but for my password manager I use a 15-character password. As I mentioned, it would be irritating to have to enter such a long password to unlock my laptop. macOS regularly asks you to reenter it even if you use Touch ID. But on a more serious level, I’m often in public places when using my laptop. The more times you enter your password in a public place, potentially with cameras that you are not aware of, the more risk there is of exposing your password. I’m extremely cautious on the rare occasions I enter my Bitwarden password in public, and that’s another reason that Touch ID is preferable: even if you are being recorded, your password is not exposed.

Anyway, those are just my personal thoughts, interesting to hear whether others agree or not.

1 Like

I totally agree about this; it’s one of the things that is currently preventing me from fully switching to Bitwarden. Touch ID on the Desktop app is a fundamental feature for both safety and convenience. But right now I don’t feel safe using it, also because a change of Touch ID does not require a re-prompt of the master password (I made a feature request about this here: Desktop app: Detect changed biometrics/fingerprint and re-prompt for master password).

1 Like

Another agree here, and I don’t use biometric login for bitwarden on the desktop because of it. The threat model for my local machine account is very, very different from my cloud-hosted password manager.

2 Likes

Hey @vena, there is a feature request so it would be really helpful if you give it a vote:

I think it is a critical feature to get working properly, the same way it works on Android or iOS. And it is really strange that after almost 2 years of this topic, it has not been fixed. I really like Bitwarden and always recommend it as the best password manager (it really is), but sadly not in this situation with the fallback to the account password. Thank you, Bitwarden team, for your great work, but please fix this issue, because it is a big security concern for many users!

There is also a GitHub issue on this topic. Maybe commenting there will raise awareness of this security problem.

Also related Reddit topic.

macOS allows you to store multiple keychains. Short of implementing a true fallback to the BW master password like 1PW, which of the following would be “easier” to implement?

  1. offer a setting in Bitwarden to specify a custom keychain db ?
  2. if (1) is not possible would be possible at least to use “default-keychain” instead of “login-keychain” ?

To give more color on (2), I changed the default keychain on my Mac as an experiment using this command

security default-keychain -s <path_to_custom_keychain>

I restarted the Mac, and although the default keychain was indeed the custom one (as opposed to login), BW is still prompting me for the login password as a fallback to Touch ID when unlocking the vault.

The last attempt I think I could make is to change, from the command line, the password of the login keychain so that it differs from my user password, and set it to the BW master password using

security set-keychain-password /Users/$USER/Library/Keychains/login.keychain-db

but I’m not sure if that’s safe?

1 Like

Didn’t realize this until I just saw this thread. Not good. Has anyone from Bitwarden at least provided a rationale, or acknowledged that they may change it to fall back to the BW master password? Upvoted.

See this

If an attacker has the macOS password, then that attacker can add his/her fingerprints to the account, so is there any way to achieve what the OP wants?

The same as the implementation in iOS. There should be a system flag for when fingerprints are added/removed, to reprompt for a password instead of biometrics (this occurs in many banking apps), so that if the fingerprints are altered, the vault disables Touch ID login and requires a master password input.

The current implementation means that with your iOS 4- or six-digit passcode, you can add a new fingerprint and use that to log into Bitwarden, bypassing the need for a master password.
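The last two posts ask for exactly the “system flag” that macOS and iOS already expose, and the earlier keychain experiments (`security default-keychain`, `security set-keychain-password`) were aiming at the same goal from the other side. The added example below (not Bitwarden code; service/account names and the `UnlockOutcome` type are hypothetical) shows the two mechanisms a practitioner would combine. First, `LAContext.evaluatedPolicyDomainState` is an opaque blob that changes whenever a fingerprint is added or removed; compare it with the value saved when Touch ID unlock was enabled. Second, and stronger, the vault key is stored in the data-protection keychain behind a `SecAccessControl` built with `.biometryCurrentSet` and without `.devicePasscode`: the Secure Enclave refuses to release it to anything but the fingerprints enrolled at storage time, and invalidates it outright if that set changes, so an attacker who knows the account password and enrolls a finger gets nothing. This is why the keychain-password experiments in the thread could not work: `.deviceOwnerAuthentication` falls back to the account password, which is a different secret from any keychain password, and only a biometrics-only policy or access control removes that path. Assumptions: a signed app entitled to use the data-protection keychain (`kSecUseDataProtectionKeychain`, macOS 10.15+) on a Mac with a Secure Enclave, and that an invalidated item surfaces as `errSecItemNotFound`.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical keychain identifiers for the example; not Bitwarden's.
let vaultService = "example.vault"
let vaultAccount = "biometric-unlock-key"

/// Opaque snapshot of the currently enrolled biometric set. Changes when a fingerprint is
/// added or removed; nil when Touch ID is unavailable or nothing is enrolled.
func currentBiometricState() -> Data? {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        return nil
    }
    return context.evaluatedPolicyDomainState
}

/// Called once, right after the user typed the master password and enabled Touch ID unlock.
/// Stores `vaultKey` gated by .biometryCurrentSet: only the fingerprints enrolled now can
/// release it, and the item is invalidated if that set changes. .devicePasscode is deliberately
/// NOT OR-ed in, so there is no account-password fallback at the keychain level either.
/// Returns the enrollment snapshot to persist next to the app's settings.
func storeUnlockKey(_ vaultKey: Data) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError) else {
        throw cfError!.takeRetainedValue() as Error
    }
    let item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: vaultService,
        kSecAttrAccount as String: vaultAccount,
        kSecUseDataProtectionKeychain as String: true,   // iOS-style keychain, not login.keychain-db
        kSecAttrAccessControl as String: access,
        kSecValueData as String: vaultKey,
    ]
    SecItemDelete(item as CFDictionary)                  // replace any earlier copy
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    return currentBiometricState() ?? Data()
}

enum UnlockOutcome {
    case key(Data)
    /// Fingerprints were added or removed since enabling: require the master password, then re-enable.
    case enrollmentChanged
    case needsMasterPassword(OSStatus)
}

/// Called on every vault unlock. `trustedState` is what storeUnlockKey returned.
func unlockKey(trustedState: Data, reason: String) -> UnlockOutcome {
    // Cheap pre-check: a changed enrollment set means "do not even show the Touch ID sheet".
    if currentBiometricState() != trustedState {
        return .enrollmentChanged
    }
    let context = LAContext()
    context.localizedFallbackTitle = ""      // no "Use Password..." button
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: vaultService,
        kSecAttrAccount as String: vaultAccount,
        kSecUseDataProtectionKeychain as String: true,
        kSecUseAuthenticationContext as String: context,
        kSecReturnData as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        return .key(result as! Data)
    case errSecItemNotFound:
        // Also what an item invalidated by a biometric change looks like: the authoritative
        // signal even if someone tampered with the stored `trustedState` to defeat the pre-check.
        return .enrollmentChanged
    default:
        return .needsMasterPassword(status)
    }
}
```

Two caveats the thread’s discussion supports. The pre-check alone is advisory, because an attacker with the account password can overwrite whatever file the app keeps `trustedState` in; the Secure Enclave binding is what actually holds. And the Secure Enclave does not protect the vault key once it has been released into the process, so this closes the “enroll a finger, unlock the vault” path, not the general problem of an attacker already running code in the logged-in session.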