This repository has been archived by the owner on Jan 26, 2022. It is now read-only.

Understanding Unlock vs. Log In #832

Open
rupertpaulson opened this issue Dec 16, 2021 · 0 comments
rupertpaulson commented Dec 16, 2021

I have a question regarding "Understanding Unlock vs. Log In"
https://bitwarden.com/help/article/unlock-with-pin/

PINs can only be used to unlock your Vault, you will still be required to use your Master Password and any enabled Two-step Login method when you log in. If you’re not sure of the difference, scroll down to Understanding Unlock vs. Log In.

Unlocking can only be done when you’re already logged in. In other words, only when your Vault data is already stored (encrypted) on your device. Because your Vault is already downloaded and your decryption key stored in memory:

  1. You don’t need the decryption key derived from your Master Password, so you’re free to use other access methods, like PIN codes and biometrics.

I could imagine that this description of the locked state is misleading, as the memory is normally purged in the normal locked state. Therefore, the Master Password is not only needed for the login process but also for unlocking the vault, as the decryption key isn't stored in memory. If I'm not mistaken, there are probably two different locked states, and maybe this should be pointed out here: the normal locked state (as described in the White Paper) and a PIN lock, or less secure, locked state. In the latter, the decryption key has to be kept in memory, as unlocking the vault doesn't involve the master password, which would be needed to decrypt the symmetric key from the file system and load it into memory.

As far as I understand it, there are rather three different states involved if "Unlock with PIN" is used:

  1. Login with Master Password: Authentication process (including 2FA) to receive encrypted data from server (Fallback after 5 failed PIN attempts)
  2. Unlocking (from normal locked state) with Master Password: All data purged from memory (Fallback from PIN lock after app restart if default option is used)
  3. Unlocking (from less secure state) with PIN: encryption key is kept in memory even though the vault is locked

White Paper:
We do not keep the Master Password stored locally or in memory on the Bitwarden Client. Your encryption key (Symmetric Key) is kept in memory while the app is unlocked. This is needed to decrypt data in your vault. When the vault is locked, this data is purged from memory.
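Added example, not code from the issue or from Bitwarden: a constructed Python model of the three states the post distinguishes, showing in which state the vault's symmetric key remains in memory and which fallbacks (five failed PIN attempts, an app restart) purge it. The KDF parameters, the PIN check and the XOR "wrapping" are placeholders, not the client's real cryptography.

```python
import hashlib, hmac, secrets

LOGGED_OUT, LOCKED, PIN_LOCKED, UNLOCKED = "logged_out", "locked", "pin_locked", "unlocked"
MAX_PIN_ATTEMPTS = 5  # from the issue: fall back to a full login after 5 failed PIN attempts

def kdf(secret, salt):  # hypothetical parameters, not the client's real KDF settings
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def xor(a, b):  # stands in for real symmetric-key wrapping
    return bytes(x ^ y for x, y in zip(a, b))

class VaultClient:
    """Constructed model of the states listed in the issue; not Bitwarden's code."""
    def __init__(self, master_password, pin):
        self.salt = secrets.token_bytes(16)
        sym_key = secrets.token_bytes(32)               # the vault's symmetric key
        self.wrapped_sym_key = xor(sym_key, kdf(master_password, self.salt))  # stored form
        self.check = hashlib.sha256(sym_key).digest()   # lets the model detect a wrong password
        self.pin_hash = hashlib.sha256(pin.encode()).digest()  # hypothetical local PIN check
        self.state, self.key_in_memory, self.pin_failures = LOGGED_OUT, None, 0
    def _unwrap(self, master_password):  # rebuild the symmetric key from the master password
        candidate = xor(self.wrapped_sym_key, kdf(master_password, self.salt))
        if not hmac.compare_digest(hashlib.sha256(candidate).digest(), self.check):
            return False
        self.key_in_memory, self.state, self.pin_failures = candidate, UNLOCKED, 0
        return True
    def login(self, master_password, two_step_ok):  # state 1: master password + two-step login
        return self.state == LOGGED_OUT and two_step_ok and self._unwrap(master_password)
    def lock(self):  # normal lock (white paper): the key is purged from memory
        self.key_in_memory, self.state = None, LOCKED
    def pin_lock(self):  # "less secure" lock: the key stays in memory so a PIN can reopen the vault
        self.state = PIN_LOCKED
    def restart(self):  # default option in the issue: a restart from PIN lock drops to a normal lock
        if self.state == PIN_LOCKED:
            self.lock()
    def unlock_with_master(self, master_password):  # state 2: only the master password rebuilds the key
        return self.state in (LOCKED, PIN_LOCKED) and self._unwrap(master_password)
    def unlock_with_pin(self, pin):  # state 3: the PIN only gates the key already held in memory
        if self.state != PIN_LOCKED:
            return False
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            self.state, self.pin_failures = UNLOCKED, 0
            return True
        self.pin_failures += 1
        if self.pin_failures >= MAX_PIN_ATTEMPTS:  # purge the key; a full login is now required
            self.key_in_memory, self.state = None, LOGGED_OUT
        return False
```

Running the transitions shows the point of the post: after a normal lock no PIN can help because nothing is left in memory to gate, whereas in the PIN-locked state the symmetric key is still resident.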
