Two Fingerprint Phrases? New Setup Worry

Hi Bitwarden Community!

We are newly migrating to Bitwarden, from LastPass! So far, so good.

But . . . I have had an odd experience with a fingerprint phrase. I see it. But then through the long-ish setup of Bitwarden and Authy and a Windows desktop and an Android phone, using all of the apps and Chrome interfaces – this happened:

At one point I was requested to approve something and the fingerprint was DIFFERENT from the original phrase.

I thought “oh, okay, each device has its own fingerprint phrase”. So I approved whatever it was. And now I don’t have any idea what I approved. (We haven’t really migrated yet or started putting in a lot of passwords, so the risk now is zero. However, maybe later . . . )

But then after more reading (lots of reading) I started to think there is “only one fingerprint phrase”. So where did the other come from? What did I approve?

I’m concerned that (1) I don’t understand fingerprints and (2) I may have approved something I shouldn’t have and (3) maybe I should start all over and that strangely and surprisingly I’ve been compromised.

Could there be more than one fingerprint phrase associated with one account, deployed on a Windows desktop and an Android phone? Is there a way of figuring this out?

I read how lots of people are converting from LastPass (hurrah!) and that it is so simple. I think maybe you are not paying close enough attention. This is NOT because Bitwarden is not simple, but rather that security has a lot of details.

Thanks!

Plankton

Hello @Plankton and welcome to the community,

I can definitely understand your concern here; as you mentioned, security and good zero-knowledge encryption are complicated and hard to get right.
The thought of compromise is scary and you are right to be cautious.

Do you know specifically at what point you saw the different fingerprint phrase?

You are correct that there is only one account fingerprint phrase.

Each Bitwarden account has a “fingerprint phrase” associated with it. Your account’s fingerprint phrase is permanent and composed of five random English words that appear in a specific order, for example:

alligator-transfer-laziness-macaroni-blue

While you can’t change your current account’s fingerprint phrase, you can delete the account and start a new one to generate a new phrase.


Perfectly fine; as said, security is complex and even the experts don’t know everything, there is simply too much to know. Hence why we pool our knowledge and all contribute to the wonderful community of open-source :slightly_smiling_face:

As mentioned there is only one account fingerprint phrase, but there are additional “Fingerprint phrases” used within Bitwarden, and one was likely valid when you were setting up and logging in to your devices.

  • If you try the passwordless log in with device feature, as shown in this blog post, you will be given a unique Fingerprint phrase which is used to confirm the passwordless login to your online web-vault.

  • Alternatively, if you are utilizing unlock with biometrics, particularly within the Browser extension this requires secure communication with the desktop client to allow for biometric support with your computer and browser.
    As noted in Step 2. of Enable for browser extensions

:information_source: Note

Optionally, check the Require verification for browser integration option to require a unique fingerprint verification step when you activate the integration.

Which will show another Fingerprint phrase when requiring verification between the desktop app and browser extension for biometric unlock. (Though I am unsure if this is a unique device Fingerprint phrase or EDIT: Which is a random phrase for each verification.)

So you may see several Fingerprint phrases used within Bitwarden, but you will only ever have your one Account Fingerprint phrase.

Though if you are still concerned, or choose to be additionally cautious, you may choose to Deauthorize Sessions within your account.
Though you will know your risk tolerance best, hope this information helps to quell your worries.


Do you mean the phrase that comes with “login with device”?
That is not the account fingerprint phrase and you get a new one each time you use it.


Any clue as to why I’m seeing different login fingerprint phrases when using login using device approval?

My account fingerprint is the same for all devices. However, the fingerprint phrase is ALWAYS different when attempting to log in with device (although the IP address seems correct). I read another help article that explained the option to switch/rotate to a new certificate, and I made sure to log out all terminals. Still no two devices show the same fingerprint phrase when using login with device.

All devices have the latest Bitwarden versions running, and I tried turning off my VPN and browser security for my Brave browser extension. The login device is an iPhone 12 running iOS 16.5, and my three (3) desktops are running Ubuntu 22.04.2, using both Bitwarden apps and Brave browser extensions.

That account fingerprint phrase is the same and will always be the same across all clients, and is used to verify your account with another user such as when you are being added to an Organization for sharing. The Account’s fingerprint phrase will allow you to verify yourself with another person.

The fingerprint phrase you are seeing with Login with device is different: it only fingerprints that login request you’ve made from one device to another and does not have anything to do with your account’s fingerprint phrase.

I’m having the same issue. I understand the ACCOUNT fingerprint phrase will not be shown and is not used during normal login with device attempts. When I try to use the login with device option, the fingerprint phrase shown on the web vault login NEVER matches the fingerprint phrase that pops up on my mobile device. My web vault login attempt shows this:

“Log in initiated
A notification has been sent to your device.
Please make sure your vault is unlocked and Fingerprint phrase matches the other device.”
Followed by the unique 5-word fingerprint.

And my device will pop up with the login requested notification and have 5 completely different words for the fingerprint. If I’m supposed to be matching the fingerprint phrases between the devices, doesn’t it stand to reason they should actually MATCH when trying to log in?

That account fingerprint phrase is the same and will always be the same across all clients

Sadly, this is not correct in my experience.

I just tried to migrate a family member to my Bitwarden family account, but their desktop app is showing a different fingerprint phrase than the Chrome plugin on their browser. The plugin shows the phrase matching the one expected by the member verification process. The desktop app shows a completely different fingerprint phrase.

Hi @Worry0414 and welcome to the community,

Do you know if you are running Desktop version 2022.4.0 or higher? Possibly the portable version of the Desktop client? If so, then this may be related to an already known current issue.

I would encourage you to add your environment information in the related GitHub issue if you have any further details to provide. :slightly_smiling_face:

It also affects the AppImage version of the Desktop client.

I am also having a similar issue with mismatched fingerprint phrases. On my own desktop (using the Chrome extension) and my phone, my fingerprint phrases match, as expected.

For my fiance’s account, she is getting different fingerprint phrases between her old laptop, and the new laptop she just logged into (both using the Chrome extension).

On the new laptop, logging into the Chrome or Bing extensions yields the same (new) fingerprint phrase. The Bing extension does NOT have access to our family Organization, but the Chrome extension (still with the new fingerprint phrase) DOES have access to our Organization.

Is this expected or is this a bug? Thanks for any help.