Trusted devices expire after 30 days

Hi Bitwarden Team,

Is it possible to include a “Trusted devices” feature in your future releases?
In the past I used LastPass and I could trust my Firefox browser on the PC and didn’t have to type my vault password every time I opened the browser. That would expire after 30 days and I had to use a 2FA app to log in again. I could achieve similar functionality in BW by setting the Vault Timeout to “Never”, but this is not a secure way in my opinion.
Please consider the suggestion. I think many people would love to see that in Bitwarden also.
Thanks.

This is it basically in LP: New in Security: Expiring Trusted Devices after 30 Days - The LastPass Blog

Best regards,
Kuba

Didn’t know LastPass had a feature like that. Before giving an opinion, I want to clarify some things because I got confused. From what I read through the link you provided, this feature only skips the 2FA, but not the password. However, you claim it does skip both, similar to the “never” vault timeout on Bitwarden. Did I misunderstand something or read something wrong? Please explain.

Hi Nik.

Well, when the browser is not trusted, you have to first type in the Master Password and 2FA code. If you mark it as “trusted” it will prompt only for a new 2FA code every 30 days (no need to re-type the Master Password). I’m sorry if I caused any confusion.

Why don’t you just enable an unlock PIN? Maybe I have misunderstood what you want to do, but this sounds like it would be more convenient than generating and entering a TOTP code.


PIN has to be always typed in (every time the browser is restarted or the system is locked), but I agree it is a bit quicker. This functionality from LP I mentioned “remembers” the browser for 30 days and it does not matter if the browser is restarted, the PC is turned off, etc.; when I come back, it won’t ask for a Master Password or a 2FA code (valid for 30 days). After 30 days, it will log out automatically and ask for a new 2FA code. In addition you can of course manage your trusted devices: disable or remove them, etc.
When I am sure that nobody else would use my PC, why do I need to type in anything if I don’t want to? If I trust my device to be secure? It’s a very convenient functionality in my opinion.

That is how it’s working in LastPass. Again, all is explained perfectly in the LastPass Blog link I provided in the first post :slight_smile:

I also come from LastPass and used this functionality. It is more secure and still user friendly.

A quick solution for BW could be to add an option in timeout to 14 or 30 days.

Would that be possible?


I have previously used LastPass as my password manager. The ‘trusted device’ option bypasses 2FA on the authorised device but you are still required to enter the master password. So if you were to log in from a non-trusted device you would be prompted for the 2FA code in addition to the usual password.

You can authorise a particular device (i.e. bypass the 2FA requirement) for a period of 30 days, after which you will again be prompted for the 2FA code. Alternatively, you can choose to always ‘trust’ a particular device, which will bypass the 2FA requirement permanently (or until you choose to deauthorise the 2FA bypass).

Personally I find this option very useful and something I dearly miss with Bitwarden. It seems to achieve a good balance between security and flexibility.

Bitwarden’s system for trusting devices is relatively similar already - after 30 days of inactivity, a trusted device will automatically become ‘untrusted’ and you will be required to perform 2FA at login.

So I am still not sure what this feature request is trying to improve - it would be helpful if someone could articulate this. Suggesting you just want Bitwarden to behave like LastPass isn’t helpful.

Hello David. Well, I think the bottom line is that the key word here is “inactivity”. In LastPass it was working in a way that even if you were active on your device, the log out was forced after 30 days and you only had to type in the 2FA code again in a browser.

Maybe I am missing something about how to set it up, but with Bitwarden I can either set this to “Never” (which will never ask for 2FA or password, until a manual log out happens) or set it to a specific time (like 1 hour) or browser restart / system lock.

That is not the same as LastPass offers :slight_smile:

EDIT:

I see now you can set the time to custom (which was not there when I opened this request). I guess you can set it now as a workaround to 30 x 24 = 720 h :wink:

After my initial post I had a good read of the relevant section of the Bitwarden help documentation, which clearly shows the ‘trusted device’ concept has already been implemented. I was about to revisit my post to comment along those lines but it looks like you beat me.

I’m considering the move from LastPass to Bitwarden, but as of yet, for personal use, I can’t find the trusted device instructions.

Exactly where in Bitwarden can I elect to see a list of the specific devices that I have trusted? If a specific device can be “trusted”, I would assume that “trust” could be enabled or disabled as the following LastPass table depicts can be done:

If the “trusted device” concept is implemented by Bitwarden, it may be for the paid version, or an Organization version, but I can’t find the same for personal, or family use.

Trusting a specific device and not having to re-enter a master password & 2FA but every 30 days (e.g. PC using Firefox) was a real plus!

Not having that ability in Bitwarden is a deal breaker for Bitwarden. Too bad, because what I’ve seen so far of using Bitwarden for a few hours looks quite good. Thus, I must be missing it, so, specifically, where is the documentation for this:

What exact settings are enabled to do this? If the master password and 2FA are used and the browser is closed, will a request be made to trust this specific computer for 30 days? Thereafter, even if the browser is closed and the PC is shut down, will a master password and 2FA input NOT be needed until the 30 days expire? If so, what must be enabled/disabled, etc., to coerce Bitwarden to do this?

There is no list of trusted devices.

In the context of this thread, a device that is “trusted” by Bitwarden is one for which the 2FA requirement is waived when logging in. The master password requirement is not waived for “trusted” devices. You set a device as “trusted” by checking the “Remember me” option when supplying the 2FA during login. I’m not sure exactly how this is implemented, but Bitwarden does store a local cookie with a unique identifier, and also does some rudimentary fingerprinting (IP address, browser version, etc.) to identify devices that have previously been used to log in; thus, there is probably a flag somewhere that indicates whether 2FA has been waived for a particular device.

A related concept is logging in vs. locking a device. Most Bitwarden users leave their Bitwarden apps logged in (on devices that they, the user, trust), but protect their vault contents by locking the vault. Locking the vault expunges all decrypted vault contents from the device memory, while the encrypted vault data remain stored in a local cache on the device. Bitwarden offers several options for unlocking the locked vault, including a PIN or biometrics (fingerprint, face scan, etc.). Thus, for devices where Bitwarden is logged in and locked, the data are safely encrypted, but you do not need to supply the master password and 2FA to access and decrypt the vault data.
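As an added illustration (not Bitwarden’s or LastPass’s code, and not from any poster), the following Python models the trusted-device behaviour discussed in this thread: a “Remember me” token that the server keeps only as a hash, 2FA waived while trust holds, trust lapsing either 30 days after last use (the inactivity rule David describes) or 30 days after it was granted regardless of activity (the forced expiry Kuba describes), and a revoke operation standing in for the device-management step Kuba mentions. The record layout, policy names and method names are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

TRUST_PERIOD = timedelta(days=30)

def _key(token):  # the server stores only a hash of the device token, never the token
    return hashlib.sha256(token.encode()).hexdigest()

class TrustedDeviceStore:
    """Constructed model of a 2FA-waiver registry (assumed design, not Bitwarden's code)."""
    def __init__(self):
        self._records = {}  # sha256(token) -> {"issued": dt, "seen": dt, "revoked": bool}
    def remember(self, now):
        """Issue a fresh random token after a full password + 2FA login ("Remember me")."""
        token = secrets.token_urlsafe(32)
        self._records[_key(token)] = {"issued": now, "seen": now, "revoked": False}
        return token
    def revoke(self, token):  # user removes the device from the trusted-device list
        rec = self._records.get(_key(token))
        if rec:
            rec["revoked"] = True
    def requires_2fa(self, token, now, policy):
        """policy='inactivity': trust lapses 30 days after last use (sliding window).
        policy='absolute': trust lapses 30 days after it was granted, however active."""
        rec = self._records.get(_key(token))
        if rec is None or rec["revoked"]:
            return True
        anchor = rec["seen"] if policy == "inactivity" else rec["issued"]
        if now - anchor > TRUST_PERIOD:
            del self._records[_key(token)]  # expired: full password + 2FA login again
            return True
        rec["seen"] = now  # trusted login succeeded; only the sliding policy benefits
        return False

def demo():
    """Scenario: trust granted on day 0, device used on day 20 and again on day 45."""
    start = datetime(2024, 1, 1)
    results = {}
    for policy in ("inactivity", "absolute"):
        store = TrustedDeviceStore()
        tok = store.remember(start)
        results[policy] = tuple(store.requires_2fa(tok, start + timedelta(days=d), policy)
                                for d in (20, 45))
    store = TrustedDeviceStore()
    tok = store.remember(start)
    store.revoke(tok)
    results["revoked"] = store.requires_2fa(tok, start + timedelta(days=1), "absolute")
    results["unknown"] = store.requires_2fa("never-issued", start, "absolute")
    return results
```

Under the inactivity rule the day-45 login still skips 2FA because the device was used on day 20, whereas the absolute rule forces 2FA again on day 45; both policies require 2FA for a revoked or never-issued token.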

Nicely cogent and detailed reply, grb! :slightly_smiling_face:

Not having a list of trusted devices is not a problem then. I was using that as a graphic example of how LastPass was handling the issue. I certainly don’t want to be entering passwords/pins (Master, 2FA etc.) every time I close my browser on a PC that is homebound. But I want some semblance of security and as you described, I would have that, by: leaving the “Bitwarden Apps logged in, but protecting the vault contents by locking the vault”.

I’m happy to hear that I can do what I would prefer and feel (relatively) safe doing it. At least as safe as I was via LastPass.

I’m not exactly sure how to implement what I would like. But you’ve given me a good starting road map. I need to do some more reading, tinkering and tweaking and see what develops. If I have questions, I will return. My LastPass license expires March 4. So, I still have some time to close any loopholes and make a decision. Everything else using Bitwarden that I’ve seen and used is working well. In fact, Bitwarden seems less weighty and more straightforward than LastPass and for me, that is a good thing.

Thanks for the great response!!
-Mike

3 posts were split to a new topic: Discussion of Safety vs Risk vs Convenience

Glad I could provide some guidance. If you have additional questions, I would recommend starting a new topic in the Ask the Community section of the forum.

I think we can “mimic” such functionality of LP by using the “Vault timeout” option and setting the Custom value to 720 hours (1 month)? I think that could be a workaround to this, but to unlock BW you will still need to type in the Master Password instead of only the 2FA code like in LP.

Closing this, as Bitwarden already has features that are functionally equivalent (even if not implemented to identically match LastPass). Feel free to open a new feature request if you have some specific proposal on how to improve Bitwarden’s implementation (please limit feature request posts to one proposal per topic).

Tangentially related discussion that didn’t pertain to the feature request has been moved to the Ask the Community forum.