Hey all, I wanted to jump in and provide an update on where Bitwarden is with this issue, as well as address some common themes in the comments.
First, an update. As @grb noted, we are researching ways to restore the previously supported behavior without downgrading the security of our implementation. We will let you know if this research leads to changes, but so far we’ve seen some encouraging results.
Second, a clarification as to why this change was introduced. The previous solution provided good security, and optionally let users who wanted more security turn off the ability to use biometrics after relaunching the app. However, the previous solution was also buggy, because the Windows API used sometimes led to the Windows Hello prompt not being focused when triggered from the browser extension, leading to a bad user experience. To fix this, Bitwarden switched to a different, less secure Windows API. To maintain user security we could no longer offer the ability to unlock with Windows Hello after app start.
Third, then, to users' questions around “why not give us an option to choose our own security stance?” Bitwarden generally supports this! In this case, the API we were using and the way that Windows sandboxes apps meant that such an option would give any process running on your machine access to your encrypted vault data even when your vault was locked or the Bitwarden app was not running. You might as well use the “never” lock option.
I hope this helps clear some things up. As ever, thank you for the feedback and engagement!