Trusted devices expire after 30 days

Hi Bitwarden Team,

Is it possible to include “Trusted devices” feature in your future releases?
In the past I used LastPass and I could trust my Firefox browser on the PC and didn’t have to type my vault password every time I open the browser. That would expire after 30 days and I had to use 2FA app to log in again. I could achieve similar functionality in BW by setting the Vault Timeout to “Never”, but this is not secure way in my opinion.
Please consider the suggestion. I think many people would love to see that in Bitwarden also.
Thanks.

This is it basically in LP: New in Security: Expiring Trusted Devices after 30 Days - The LastPass Blog

Best regards,
Kuba

Didn’t know lastpast had a feature like that. Before giving an opinion, I want to clarify some things because I got confused. From what I read through the link you provided, this feature only skips the 2FA, but not the password. However, you claim it does skip both, similar to the “never” vault timeout on Bitwarden. Did I misunderstood something or read something wrong? Please explain.

Hi Nik.

Well, when the browser is not trusted, you have to first type in the Master Password and 2FA code. If you mark it as “trusted” it will prompt only for a new 2FA code every 30 days (no need to re-type the Master Password). I’m sorry if I caused any confusion.

Why don’t you just enable an unlock PIN? Maybe I have misunderstood what you want to do, but this sounds like it would be more convenient than generating and entering a TOTP code.

1 Like

PIN has to be always typed in (every time the browser is restarted or system is locked), but I agree is a bit quicker. This functionality from LP I mentioned “remembers” the browser for 30 days and does not matter if the browser is restarted, PC turned off etc., when I come back, it won’t ask for a Master Password or a 2FA code (valid for 30 days). After 30 days, it will log out automatically and ask for a new 2FA code. In addition you can of course manage your trusted devices: disable or remove them etc.
When I am sure that nobody else would use my PC, why I need to type in anything if I don’t want to? If I trust my device to be secure? It’s a very convenient functionality in my opinion.

That is how it’s working in LastPass. Again, all is explained perfectly in the LastPass Blog link I provided in the first post :slight_smile:

I also come from Lastpass and used this functionality. It is more secure and still user friendly.

A quick solution for BW could be to add an option in timeout to 14 or 30 days.

Would that be possible?

2 Likes

I have previously used lastpass as my passsword manager. The ‘trusted device’ option bypasses 2FA on the authorised device but you are still required to enter the master password. So if you were to log in from a non-trusted device you would be prompted for the 2FA code in addition to the usual password.

You can authorise a particular device (i.e bypass the 2FA requirementy) for a period of 30 days, when you will again be prompted for the 2FA code. Alternatively, you can choose to always ‘trust’ a particular device which will bypass the 2FA requirement permanently (or until you choose to deauthorise the 2FA bypass).

Personally I find this option very useful and something I dearly miss with Bitwarden. It seems to achieve a good balance between security and flexibility.

Bitwarden’s system for trusting devices is relatively similar already - after 30 days of inactivity, a trusted device will automatically become ‘untrusted’ and you will be required to perform 2FA at login.

So I am still not sure what this feature request is trying to improve - it would be helpful if someone could articulate this. Suggesting you just want Bitwarden to behave like LastPass isn’t helpful.

Hello David. Well, I think the bottom line is that the key word here is “inactivity”. In LastPass it was working in a way that even if you are active on your device, the log out was forced after 30 days and you had only type in 2FA code again in a browser.

Maybe I am missing something how to set it up, but with Bitwarden I can either set this to “Never” (which will never ask for 2FA or password, until a manual log out happens) or set it to specific time (like 1 hour) or browser restart / system lock.

That is not the same as LastPass offers :slight_smile:

EDIT:

I see now you can set the time to custom (which was not there when I opened this request). I guess you can set it now as a workaround to 30 x 24 = 720 h :wink:

After my initial post I had a good read of the relevant help section of the Bitwarden help documentation which clearly shows the ‘trusted device’ concept has already been implemented. I was about to revisit my post to comment along those lines but looks like you beat me.