Two Fingerprint Phrases? New Setup Worry

Hi Bitwarden Community!

We are new migrants to Bitwarden, from LastPass! So far, so good.

But . . . I have had an odd experience with a fingerprint phrase. I see it. But then through the long-ish setup of Bitwarden and Authy and a Windows desktop and an Android phone, using all of the apps and Chrome interfaces – this happened:

At one point I was requested to approve something and the fingerprint was DIFFERENT from the original phrase.

I thought “oh, okay, each device has its own fingerprint phrase”. So I approved whatever it was. And now I don’t have any idea what I approved. (We haven’t really migrated yet or started putting in a lot of passwords, so the risk now is zero. However, maybe later . . . )

But then after more reading (lots of reading) I started to think there is “only one fingerprint phrase”. So where did the other come from? What did I approve?

I’m concerned that (1) I don’t understand fingerprints, (2) I may have approved something I shouldn’t have, and (3) maybe I should start all over and that, strangely and surprisingly, I’ve been compromised.

Could there be more than one fingerprint phrase associated with one account, deployed on a Windows desktop and an Android phone? Is there a way of figuring this out?

I read how lots of people are converting from LastPass (hurrah!) and that it is so simple. I think maybe you are not paying close enough attention. This is NOT because Bitwarden is not simple, but rather that security has a lot of details.

Thanks!

Plankton

Hello @Plankton and welcome to the community,

I can definitely understand your concern here; as you mentioned, security and good zero-knowledge encryption are complicated and hard to get right.
The thought of compromise is scary and you are right to be cautious.

Do you know specifically at what point you saw the different fingerprint phrase?

You are correct that there is only one account fingerprint phrase.

Each Bitwarden account has a “fingerprint phrase” associated with it. Your account’s fingerprint phrase is permanent and composed of five random English words that appear in a specific order, for example:

alligator-transfer-laziness-macaroni-blue

While you can’t change your current account’s fingerprint phrase, you can delete the account and start a new one to generate a new phrase.

Perfectly fine; as said, security is complex, and even the experts don’t know everything: there is simply too much to know. Hence why we pool our knowledge and all contribute to the wonderful community of open source :slightly_smiling_face:

As mentioned, there is only one account fingerprint phrase, but there are additional “Fingerprint phrases” used within Bitwarden, and one of these was likely what you saw when you were setting up and logging in to your devices.

  • If you try the passwordless log in with device feature, as shown in this blog post, you will be given a unique Fingerprint phrase which is used to confirm the passwordless login to your online web-vault.

  • Alternatively, if you are utilizing unlock with biometrics, particularly within the browser extension, this requires secure communication with the desktop client to allow for biometric support with your computer and browser.
    As noted in Step 2 of Enable for browser extensions:

:information_source: Note

Optionally, check the Require verification for browser integration option to require a unique fingerprint verification step when you activate the integration.

This will show another Fingerprint phrase when requiring verification between the desktop app and browser extension for biometric unlock. (Though I am unsure if this is a unique device Fingerprint phrase or EDIT: which is a random phrase for each verification.)

So you may see several Fingerprint phrases used within Bitwarden, but you will only ever have your one Account Fingerprint phrase.

Though if you are still concerned, or choose to be additionally cautious, you may choose to Deauthorize Sessions within your account.
You will know your risk tolerance best; I hope this information helps to quell your worries.

1 Like
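To make the distinction in the reply above concrete, here is a small added example (my own illustrative code, not Bitwarden’s implementation and not derived from its source). It models the two kinds of phrase the reply describes: an account fingerprint that is derived deterministically from account material and therefore never changes, and a per-request verification phrase that is freshly random each time a device approval or browser-integration check is shown. The word list, the account id, the public key bytes and the derivation steps are all constructed for illustration; the only property being demonstrated is permanent-versus-ephemeral, and the safe way to compare what two screens show before approving.

```python
import hashlib
import hmac
import secrets

# Constructed toy word list for illustration (32 words, not Bitwarden's list).
WORDLIST = [
    "alligator", "transfer", "laziness", "macaroni", "blue", "canyon", "doorbell",
    "emerald", "falcon", "glacier", "harbor", "igloo", "jasmine", "kettle", "lantern",
    "meadow", "nectar", "orbit", "pebble", "quartz", "ribbon", "saddle", "tulip",
    "umbrella", "velvet", "walnut", "xylophone", "yarn", "zephyr", "anchor", "bramble",
    "cobalt",
]


def words_from_bytes(data: bytes, count: int = 5) -> str:
    """Map the first `count` bytes to words, joined with dashes."""
    if len(data) < count:
        raise ValueError("not enough bytes for the requested word count")
    return "-".join(WORDLIST[b % len(WORDLIST)] for b in data[:count])


def account_fingerprint(account_id: str, public_key: bytes) -> str:
    """Permanent phrase: the same account material always yields the same words.

    Assumption for illustration: HMAC-SHA256 keyed on the account id over the
    public key bytes. A real product's derivation may differ.
    """
    digest = hmac.new(account_id.encode("utf-8"), public_key, hashlib.sha256).digest()
    return words_from_bytes(digest)


def session_verification_phrase() -> str:
    """Ephemeral phrase: fresh random words for each approval request.

    This is the kind of phrase a 'log in with device' prompt or a
    browser-integration verification shows; it is NOT the account fingerprint.
    """
    return words_from_bytes(secrets.token_bytes(5))


def phrases_match(shown_on_requester: str, shown_on_approver: str) -> bool:
    """Approve only when the phrase on the requesting screen equals the one on
    the approving screen. Whitespace and case differences are tolerated because
    a human is reading them; the comparison itself is constant-time."""
    a = shown_on_requester.strip().lower().encode("utf-8")
    b = shown_on_approver.strip().lower().encode("utf-8")
    return hmac.compare_digest(a, b)


def demo() -> dict:
    """Walk through the two phrase types so the difference is visible."""
    account_id = "example-account-0001"            # constructed sample value
    public_key = b"constructed-sample-public-key"  # constructed sample value

    fp_today = account_fingerprint(account_id, public_key)
    fp_later = account_fingerprint(account_id, public_key)  # same inputs, same words

    # A login request shows one phrase on the new device and the same phrase on
    # the device asked to approve it; the user compares the two before approving.
    request_phrase = session_verification_phrase()
    shown_to_approver = request_phrase  # legitimate request: identical text

    return {
        "account_fingerprint_is_stable": fp_today == fp_later,
        "account_fingerprint": fp_today,
        "request_phrase": request_phrase,
        "approve_this_request": phrases_match(request_phrase, shown_to_approver),
        # The account fingerprint is not what a login prompt shows, so it should
        # not be used as the yardstick for approving a device request.
        "fingerprint_equals_request_phrase": fp_today == request_phrase,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaway matches the reply: if a prompt shows five words that differ from your account fingerprint phrase, that alone is not a sign of compromise; what matters is that the words on the prompting screen and the approving screen agree, and that you recognise the device or browser that triggered the request.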

Do you mean the phrase that comes with “login with device”?
That is not the account fingerprint phrase and you get a new one each time you use it.