Thanks, I’ve read that article. I’m asking why lock and timeout policy aren’t working according to my settings (and how I understand they should work). I’ve got 2FA set up (Authy) and a PIN set.
Given my settings (post 1), I would expect only to be prompted for my PIN every 4 hours to access either my web vault or the Chrome extension. Instead, I’m prompted for my master password every time I access either.
BTW, Master Password is not set to Enable in Authy.
Did you see this part in the article I linked above:
If you close your browser tab, you will be logged out of your web vault. Closing a single tab will not affect a browser extension. If you quit your browser, you will be logged out of both your web vault and browser extension.
I’m confused by this statement, as it does not match my experience. When I quit my browser (Chrome, Incognito mode) while logged in to the vault, the browser extension is locked but not logged out whenever I restart the browser. Possibly relevant Bitwarden settings: PIN unlock not enabled, Vault-timeout 30 min (not “Never”).
I’m wondering if this may be related to the following vulnerability that has been reported on GitHub for the Chrome web extension:
Thus, the behavior I’m seeing on Chrome may be the result of the Chrome browser extension being unable to log itself out.