I’d like to be able to set up my Bitwarden Authenticator app(s) to require a PIN to get into the app, instead of biometrics. The PIN should allow at least 8 digits.
This is for defence in depth, a key principle in security. If for some reason an attacker is able to spoof my phone’s biometrics, I don’t want them getting into my Bitwarden Authenticator app too. Having a PIN or password will block them.
How to handle multiple incorrect PIN guesses (e.g., 5 wrong guesses): The only way to do this that I can see is to introduce a password to serve as a fallback. If I make 6 wrong guesses, the PIN will be disabled and I’ll have to enter the password. This is how the Bitwarden mobile apps work.
BTW, I would think that this password would be useful as a fallback for the biometrics unlock too.
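The unlock flow requested above (a PIN of at least 8 digits, PIN disabled after 5 wrong guesses until the fallback password is entered, automatic re-lock after an idle timeout), written out as an added example; this is illustrative code, not Bitwarden's, and the PBKDF2 verifier storage, the 5-guess limit and the 30-second re-lock window are assumptions chosen to match the thread.

```python
import hashlib
import hmac
import os

PIN_MIN_DIGITS = 8        # minimum PIN length asked for in the request
MAX_PIN_FAILURES = 5      # wrong guesses allowed before the PIN is disabled
RELOCK_SECONDS = 30       # idle time after which the app locks itself again


def _derive(secret: str, salt: bytes) -> bytes:
    # Store a PBKDF2 verifier rather than the raw PIN/password (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class AppLock:
    """App-unlock state machine: PIN, password fallback, idle re-lock."""

    def __init__(self, pin: str, password: str):
        if not (pin.isdigit() and len(pin) >= PIN_MIN_DIGITS):
            raise ValueError(f"PIN must be at least {PIN_MIN_DIGITS} digits")
        self._salt = os.urandom(16)
        self._pin_hash = _derive(pin, self._salt)
        self._pw_hash = _derive(password, self._salt)
        self._pin_failures = 0
        self._pin_disabled = False
        self._unlocked_at = None          # None while locked

    def unlock_with_pin(self, pin: str, now: float) -> str:
        if self._pin_disabled:
            return "pin_disabled"         # only the password fallback works now
        if hmac.compare_digest(_derive(pin, self._salt), self._pin_hash):
            self._pin_failures = 0
            self._unlocked_at = now
            return "unlocked"
        self._pin_failures += 1
        if self._pin_failures >= MAX_PIN_FAILURES:
            self._pin_disabled = True     # too many guesses: require the password
            return "pin_disabled"
        return "wrong_pin"

    def unlock_with_password(self, password: str, now: float) -> str:
        if hmac.compare_digest(_derive(password, self._salt), self._pw_hash):
            self._pin_failures = 0
            self._pin_disabled = False    # a correct password re-enables the PIN
            self._unlocked_at = now
            return "unlocked"
        return "wrong_password"

    def is_unlocked(self, now: float) -> bool:
        # Re-lock automatically once the idle window has elapsed.
        if self._unlocked_at is None or now - self._unlocked_at > RELOCK_SECONDS:
            self._unlocked_at = None
            return False
        return True
```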
The authenticator from Bitwarden is the only authenticator I know that only supports biometrics to access the app. It also never re-locks the app, so as long as my screen is unlocked anyone with access can use the app.
Why does this app hold to lower standards than the Bitwarden password manager?
My main point, however, that I’d like to make: A LOT of people can’t use the biometric feature of their phone, simply because their fingerprint sensor isn’t great, especially in combination with people over the age of 50 or 60 who tend to have less clear lines on their fingertips. My father, for example, is 69 and has barely any visible prints.
Not having an alternative or backup like a PIN code seems like an unimaginable mistake to me. Please give this app some more attention. Give us a biometrics alternative or fallback and re-lock the app after 30 seconds or so.
Note: I adjusted the title from “Security: Allow PIN as alternative to biometrics for app login” to “Security: Allow alternatives for app login/unlock (PIN, other biometrics…)” to collect the essentially same requests under this hood.
@zilexa I moved your post into this existing feature request.
Hey all, and thanks for the feedback! Just wanted to update that you can now customize your session timeout on iOS and on Android you will be asked for biometrics each time.