Currently we have an option to unlock with PIN and biometrics; however, we can't use hardware tokens like a YubiKey as an unlock method. I propose we add unlock with WebAuthn, with a checkbox to require the PIN for the YubiKey or not, so the user can simply press the physical button to unlock, while still enabling the feature of "Require master password on startup".
This way unlocking is both easier and secure. And the attack vector would be limited to needing physical access.
Also, there should be an option for "Forget master password token", where you are prompted for the master password:
A> If your device has gone to sleep.
B> After a prefixed/configurable time, maybe X minutes/hours.
Yes, I think it can be merged. However, I think the option to ask for the YubiKey PIN should be optional while setting up, with a checkbox, similar to setting up a PIN in the browser extension requiring the master password on startup. So people can choose how they want to interact with it. Another feature would be to log out after X time or on screen lock, where the YubiKey can log in but requires PIN auth as well (extended validation). This way a person can walk away from their desktop/laptop, and even if the laptop is stolen but not shut down, the timeout/screen lock would force extended validation with the PIN.
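
One way the unlock policy proposed in this thread could be expressed, as an added example that is not part of either post or of any existing client. All function, state and config names are hypothetical; the mapping of the "require PIN" checkbox onto WebAuthn's `userVerification` option and the UV flag in the authenticator data is one reading of the proposal.

```javascript
// Added illustration: every name here is hypothetical, not an existing client API.
const UP = 0x01; // authenticator data flag: user present (button touched)
const UV = 0x04; // authenticator data flag: user verified (PIN or biometric)

// Decide what the next unlock attempt must present.
function requiredUnlock(state, cfg) {
  // "Require master password on startup" still applies.
  if (!state.masterPasswordSeen && cfg.requireMasterPasswordOnStartup) return "master_password";
  // "Forget master password token": after sleep or a configurable time.
  if (state.deviceSlept) return "master_password";
  if (state.msSinceMasterPassword >= cfg.forgetMasterPasswordAfterMs) return "master_password";
  // Extended validation: screen lock or idle timeout forces touch plus PIN.
  if (state.screenLocked || state.msIdle >= cfg.extendedValidationAfterMs) return "token_with_pin";
  // Otherwise the setup checkbox decides.
  return cfg.requirePin ? "token_with_pin" : "token_touch";
}

// Options for navigator.credentials.get({ publicKey: ... }) at that level.
function requestOptions(level, challenge, credentialId) {
  return {
    challenge,
    allowCredentials: [{ type: "public-key", id: credentialId }],
    userVerification: level === "token_with_pin" ? "required" : "discouraged",
  };
}

// Check the flags byte of authenticatorData (Uint8Array): it follows the
// 32-byte rpIdHash. A client must not trust the request option alone.
function assertionSatisfies(authData, level) {
  if (level === "master_password" || authData.length < 37) return false;
  const flags = authData[32];
  if ((flags & UP) === 0) return false; // no touch, never acceptable
  return level === "token_touch" || (flags & UV) !== 0;
}

// Constructed sample: zeroed rpIdHash and counter, only the flags byte set.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}
```

The flag check is only meaningful after the assertion signature over the authenticator data has been verified against the registered public key.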