Unlock vault with biometrics *and* PIN together (for increased security on the mobile app)

Hey everybody!

Can we have the option to select more than one authentication method?
For example, to have Bitwarden ask for a PIN code after successfully authenticating with a fingerprint.

Thanks,
Michael

Feature name

  • Unlock mobile app vault with biometrics and PIN together

Feature function

  • The mobile app vault can currently be unlocked with biometrics or a PIN. This feature would add an option in the settings to require both biometrics and a PIN to unlock the vault, instead of only one or the other.
  • This feature would bring greater security to the mobile app with only a slight increase in inconvenience. This would theoretically improve security in situations such as: phone being stolen, crossing an international border, attacker shoulder-surfing in public. The combination helps reduce the mutually exclusive weaknesses of biometrics and PINs.
  • This option could be accessed in Settings>Security after the “Unlock with [biometrics]” and “Unlock with PIN Code” options, with the vault timeout options working in the same way.

Related topics + references

Thank you for your time and for the great product that is Bitwarden.


Feature name

  • “Simple” 2FA Option for Biometrics on Android

Feature function

Feature adds an additional layer of security on top of the biometric, so a user cannot be forced to unlock with a fingerprint / face only. Different from rebooting, since a user may not be able to reboot their device in time to clear the master password.

  • Feature Adds: Enhanced Security

Feature Workflow

  • Assuming user has Biometric unlocked, for this example, we’ll use Android Fingerprint unlock.

  • User has already entered their Master Password to setup the session.

  • Currently: The user would unlock with their fingerprint (Biometric) and then be inside the vault.

  • Proposed: The app now has an additional set of settings:

    • Setting: Enable PIN prompt on Biometric use

    • Setting: Set your PIN code (4-8 digits)

    • Upon using their fingerprint to unlock the vault, the user is prompted for this PIN code. The PIN code is much quicker than a master password and adds that extra layer to the biometric.

    • Entering an incorrect PIN 3 times should do the logoff function.

    • Alternatively, an incorrect PIN could open a shadow vault with dummy data, the user would be able to tell (they should be able to recognize their own data), but someone observing the phone would not.

Related topics + references
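The workflow above (biometric first, then a short PIN, logoff after three wrong PINs) is a small state machine, and the two properties worth getting right are that the PIN alone must never unlock, and that the failure counter must actually trigger the logoff. The following is an added illustration of that policy, not Bitwarden's code: the class and state names are hypothetical, and the PIN is checked against a salted PBKDF2 digest with a constant-time compare purely to model "verify without storing the PIN in the clear" (a real vault would use the PIN to wrap the vault key rather than gate a boolean).

```python
"""Toy model of an "unlock with biometrics AND PIN" policy.

Added example for illustration only; not Bitwarden's implementation.
Class/state names are hypothetical.
"""
import hashlib
import hmac
import os
from enum import Enum


class State(Enum):
    LOCKED = "locked"                # vault key held in memory, no factor passed yet
    BIOMETRIC_OK = "biometric_ok"    # first factor passed, PIN prompt shown
    UNLOCKED = "unlocked"
    LOGGED_OUT = "logged_out"        # vault key discarded; master password required


class PinVerifier:
    """Stores a salted PBKDF2 digest of a 4-8 digit PIN, never the PIN itself."""

    ITERATIONS = 100_000  # assumption: any modern slow KDF would do here

    def __init__(self, pin: str):
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            raise ValueError("PIN must be 4-8 digits")
        self.salt = os.urandom(16)
        self.digest = self._derive(pin, self.salt)

    @classmethod
    def _derive(cls, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, cls.ITERATIONS)

    def check(self, pin: str) -> bool:
        # constant-time compare so a wrong PIN leaks nothing via timing
        return hmac.compare_digest(self.digest, self._derive(pin, self.salt))


class VaultUnlock:
    """Requires a successful OS biometric result AND a correct PIN, in that order."""

    MAX_PIN_FAILURES = 3  # from the request: three wrong PINs => logoff

    def __init__(self, verifier: PinVerifier):
        self.verifier = verifier
        self.state = State.LOCKED
        self.failures = 0

    def biometric_result(self, ok: bool) -> State:
        """Called with the OS biometric prompt's outcome (hypothetical hook)."""
        if self.state in (State.LOGGED_OUT, State.UNLOCKED):
            return self.state
        if ok:
            self.state = State.BIOMETRIC_OK
        return self.state

    def enter_pin(self, pin: str) -> State:
        # The PIN is only ever accepted after the biometric factor has passed;
        # a PIN submitted from LOCKED or LOGGED_OUT is ignored.
        if self.state != State.BIOMETRIC_OK:
            return self.state
        if self.verifier.check(pin):
            self.failures = 0
            self.state = State.UNLOCKED
        else:
            self.failures += 1
            if self.failures >= self.MAX_PIN_FAILURES:
                # "do the logoff function": drop to master-password-only
                self.state = State.LOGGED_OUT
        return self.state

    def lock(self) -> State:
        """Vault timeout: back to LOCKED unless already logged out."""
        if self.state != State.LOGGED_OUT:
            self.state = State.LOCKED
        return self.state


if __name__ == "__main__":
    v = VaultUnlock(PinVerifier("2468"))
    print(v.enter_pin("2468"))        # PIN alone is refused: State.LOCKED
    print(v.biometric_result(True))   # State.BIOMETRIC_OK
    print(v.enter_pin("2468"))        # State.UNLOCKED
```

The failure counter is only reset by a correct PIN, so an attacker cannot dodge the logoff by locking and re-unlocking between guesses; it survives `lock()` by design.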

This would be extremely appreciated. I currently do not have biometric enabled on my device because it softens security overall - I would like password OR biometric+pin with the default to logged out (device restart, x hours) being password and prompt on password being biometric+pin.

I see this as an excellent enhancement.

In my case, I’d like to be able to use biometric unlock + hardware key via NFC to unlock.

Any chance this can make it onto the development slate?

I very much support this feature request!

As you said, this really “helps reduce the mutually exclusive weaknesses of biometrics and PINs.” Unfortunately I’m left typing my password every time, which is a huge pain, but I don’t believe biometrics or a PIN are secure enough on their own.

It’s unfortunate that Android/iOS doesn’t natively allow this, but I imagine it would be reasonable enough for Bitwarden to use the OS’s biometric then implement their own PIN unlock if need be.

As a minor correction, GrapheneOS hasn’t added this feature; it’s just a topic that’s been discussed but not implemented. (Though it looks like it may happen soon.)

Hello!

I completely support this feature in the security options.
The master password, as well as the PIN code, can be spied on, and a finger can be placed on the sensor against the will of the account owner. But requiring both together to open a session reduces the risk of access by persons who have the ability to physically access the device.
I’m sure it’s easy to implement.
I don’t need to enable two-step authentication, which only helps against remote login attempts and creates additional inconvenience for me.
I am asking the developers to add a double unlock using biometrics and PIN code together to access Bitwarden.

Best regards

Hi. My bank gives an option for biometrics and a short PIN login simultaneously (first fingerprint, then PIN). It would be cool if the Bitwarden app had the same capability. It gives an additional security layer and is convenient for the end user. Also, I think it would be easy to implement.

Note: I now merged three other Feature Requests (FRs) requesting the same thing with this one here.

@Pieselos You wrote “login”, but currently there is neither a way to log in to the Bitwarden mobile apps with biometrics nor with a PIN alone, let alone with both, so I think you meant “unlock”. (Locking and unlocking would be the main way to access any BW app.)

If you want to be able to use biometrics for login to the BW apps, I would suggest to have a look at this FR: Sign into Bitwarden with a passkey / "Login with passkeys" (for all BW apps) (with a passkey, you would be able to use biometrics, depending on where you store the passkey)

PS: I added “(for increased security on the mobile app)” to the title of this FR.

I would not use the feature, it would be a disaster.

I tend to be a bit clumsy. The thumbprint works most of the time, but sometimes my positioning is a little off and I find myself in an enforced 1-minute lockout period. That is when I resort to using a PIN.

For those who want the Biometrics AND PIN option. As long as it is an option, ok. However, I want to use the Biometrics OR PIN option.

Yes, sorry, I meant unlocking. I want to have the option for both biometrics and PIN; now there is OR, but I want AND.
