Steps To Reproduce
1. Ensure the Firefox browser extension has "Unlock with Biometrics" enabled under Account Security, and the Desktop app has "Unlock with Touch ID" and "Ask for TouchID on app start" enabled under Security.
2. Lock both instances: the macOS app by using the app menu bar, "Bitwarden/Lock Vault," and the Firefox Bitwarden extension by selecting the vault initials in the upper right of the popup screen and selecting "Lock now."
3. Attempt to unlock the Bitwarden extension by choosing "Unlock with Biometrics" using fingerprint biometrics; a popup box will reject this approach because the Desktop app is locked.
4. Attempt to unlock the Desktop app by choosing "Unlock with Touch ID" on the lock screen; this attempt does present you with a TouchID screen.
5. Present an erroneous fingerprint three times; it will fail to open three times, but on the third, it will give you an option of using your laptop password. This will unlock your Desktop app vault, even if your laptop password is "abc123" or "ilovemycat."
Expected Result
Failed TouchID attempts should require Bitwarden Master Password, not a weak laptop password.
Actual Result
The Firefox extension fingerprint/TouchID failure process is good - it requires the Bitwarden Master Password. There is a different, weaker failure process for the Desktop app's TouchID fingerprint failure - the Desktop app will unlock with the laptop password.
Screenshots or Videos
No response
Additional Context
There are reasons for sharing a laptop password, including relatives and repair people, though they shouldn't have access to your Bitwarden vault. This failure mode also occurs with Wi-Fi off, so logging off every device would have no effect.
Operating System
macOS
Operating System Version
Sonoma 14.5
Web Browser
Firefox
Browser Version
129.0
Build Version
2024.7.1
Issue Tracking Info
I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
This behaviour is a platform limitation of Electron's Touch ID implementation. Electron is the desktop application framework Bitwarden Desktop is based on.
However, one upcoming change to biometrics will be the transition to a newer version of Apple's keychain API, using a native (Rust/Objective-C) implementation. During this upgrade, the biometric unlock will be locked down to biometricCurrent, i.e. the currently registered set of fingerprints (and probably companion, i.e. Apple Watch). This will prevent the laptop password from being used for unlocking.
I will update this issue once those changes have made it into the client.
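The restriction described in the comment above, shown against Apple's Security framework as an added example (not Bitwarden's or Electron's code): a keychain item whose access control is `.biometryCurrentSet` can only be released by a currently enrolled fingerprint, whereas `.userPresence` also accepts the login password. The service and account names are hypothetical, and the code assumes a code-signed macOS 10.15+ app with a keychain entitlement, which the data protection keychain requires.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers for this example; not Bitwarden's real keychain names.
let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.example.vault",
    kSecAttrAccount as String: "biometric-unlock-key",
    kSecUseDataProtectionKeychain as String: true,
]

/// Stores `secret` so that only a currently enrolled fingerprint can release it.
func storeBiometricOnly(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .biometryCurrentSet,  // weak alternative: .userPresence (biometry OR password)
        &cfError
    ) else {
        throw cfError!.takeRetainedValue() as Error
    }
    _ = SecItemDelete(baseQuery as CFDictionary)  // replace any older item
    var add = baseQuery
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

/// Reads the secret back; the system presents the Touch ID prompt.
/// Returns nil on any failure so the caller can require the master password.
func loadWithBiometrics(reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery
    query[kSecUseAuthenticationContext as String] = context
    query[kSecReturnData as String] = true
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    return status == errSecSuccess ? item as? Data : nil
}
```

An item stored this way becomes unreadable when fingerprints are added or removed, so the caller has to store it again after the next master-password unlock.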