Can't unlock FF extension with biometrics anymore if Bitwarden is not unlocked #9333

Closed
1 task done
holdit opened this issue May 23, 2024 · 32 comments · Fixed by #9945
Labels
browser Browser Extension bug

Comments

@holdit

holdit commented May 23, 2024

Steps To Reproduce

  1. Firefox + Bitwarden + option to unlock with biometrics enabled
  2. Open Bitwarden client (from app store), but don't unlock it
  3. Try to unlock the extension with your fingerprint

Expected Result

Until the Bitwarden client (installed via the app store) was updated to "2024.5.0", I could have the client running in the background locked, and when I used the browser extension, the "popup" window to use my fingerprint would come up and using it, the Bitwarden Firefox extension would unlock.

Not requiring the client to be unlocked was good, as there's no need for content to be available if we're just using the client to process browser extensions requests to unlock via biometrics.

Actual Result

Since the update to the 2024.5.0 client, the option "unlock with biometrics" on the Firefox extension stopped working if the Bitwarden client itself isn't unlocked.

The extension doesn't show an error or tell users what to do. The "popup" saying that Bitwarden is trying to unlock my vault never comes up and passing my finger over the reader doesn't do anything. The extension is never unlocked.

Screenshots or Videos

No response

Additional Context

No response

Operating System

macOS

Operating System Version

macOS 14.5

Web Browser

Firefox

Browser Version

Latest stable/beta/ESR

Build Version

FF extension: 2024.4.2; macOS client: 2024.5.0 (app store)

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@holdit holdit added browser Browser Extension bug labels May 23, 2024
@Krychaz
Member

Krychaz commented May 23, 2024

Hello there,

Will you try uninstalling the application, removing any leftover data, powering off and on your device and re-installing? Does this issue still persist?

Guide to the leftover data: https://bitwarden.com/help/data-storage/#on-your-local-machine

@holdit
Author

holdit commented May 23, 2024

Hi @Krychaz,

I've uninstalled both the mac client and firefox extension (and removed the leftover data, as instructed), restarted the machine, reinstalled them, and logged in to both.

The problem is still there. With the mac client (from the app store) open - but not unlocked - the extension initially shows the same "Awaiting confirmation from desktop" message as before:
[Screenshot 1]

But after a few seconds, nothing happens and "Awaiting confirmation from desktop" disappears:
[Screenshot 2]

It works if I unlock the mac client. Before this wasn't needed, only that the client was running in the background.

So it seems that some change in the mac client 2024.5.0 (or a change on the extension, not sure if that was updated. I'm using 2024.4.2) broke biometrics unlocking when the mac client isn't unlocked.

@holdit
Author

holdit commented May 23, 2024

Just to be sure it wasn't just Firefox:

I've tested with Brave (Version 1.66.113; Chromium: 125.0.6422.76; arm64) and the same thing happened (extension version: 2024.4.2). Biometrics unlocking only works if the mac client vault is unlocked.

With Safari, the "popup" comes up, but it doesn't unlock the extension. Works fine if I unlock the mac client.

So it affects Firefox, Brave, and Safari.

@BurntToasters

BurntToasters commented May 23, 2024

Can confirm this happens to me as well but on Windows 10 22H2 build 19045.4291 with Firefox 126.0 and Brave 1.66.113 with the new Bitwarden desktop app (2024.5.0). The extensions are running version 2024.4.2. I used revouninstaller to fully remove the previous version of the desktop app and installed the new one and it still has the same issue.

@EagleonePrimo

Same here
Windows 11 23H2 Build 22631.3593
Chrome 125.0.6422.77
BW Client: 2024.5.0
BW Extensions: 2024.5.0

@Tipoff4317

Seems this is now the expected "interim" behavior. BW employee responded in this reddit thread:

https://old.reddit.com/r/Bitwarden/comments/1cyw9sp/extension_202450_always_requires_desktop_app_to/

@holdit
Author

holdit commented May 24, 2024

If only there was a place to warn users about these changes... I don't know, the changelog for example. I guess that's reserved to more important stuff, like the very descriptive "- Bug fixes".

We shouldn't have to learn about this via some random post on social media.

@mwisnicki

If browser extension is older than desktop client then user gets no message, just a silent failure.
With newer extension at least there is an explanation.

@pascal-ws

Same here
Windows 11 23H2 Build 22631.3593
Edge 125.0.2535.67 (Official Build) (64-Bit)
BW Client: 2024.5.0
BW Extensions: 2024.4.2

From the discussion at reddit above, what is the recommendation (if still wanting to use biometrics)? Is not locking the desktop app considered "secure enough"?

But now either I have to keep the desktop app unlocked all the time, which I don't feel comfortable with,
or I have to first unlock the desktop app and then unlock the extension every time, which I find quite inconvenient.

Please include an error message next time.

@holdit
Author

holdit commented May 29, 2024

@mwisnicki is correct. The message is there on extension v2024.5.0 and 2024.5.1, but it still only says that the app needs to be "started". Well, the app is open... but it doesn't work as it also needs to be unlocked.

[Screenshot: brave]

The problem is that the Firefox extension is still on 2024.4.2 and even the Chromium extension didn't update right away.

Knowing that it takes time for extension updates to be approved - especially on Firefox - I still think these changes need to be better communicated.

I rely on the changelog to learn about changes. Since on macOS biometrics only works with the version from the App Store and I've updated, I can't go back. I'm stuck with this update, which was supposed to only have "bug fixes". Now I need to change the way I unlock the browser extension or keep the vault unlocked all the time.

@robwhess

robwhess commented Jun 2, 2024

I'm also wishing this behavior hadn't changed. I'll also add, since I don't think anyone has mentioned it, that even though I have the BW client set to allow unlocking with Touch ID, it doesn't give me that option. So if I want to use the BW browser extension to fill a password when the client is locked, I have to go through these steps:

  1. Try to use BW extension, discover I can't use Touch ID because client is locked.
  2. Open BW client, discover I need to type my password because Touch ID isn't an option.
  3. Type my password to unlock BW client.
  4. Go back to browser. Use Touch ID to unlock BW extension.
  5. Now I can fill my password.

These may be two unrelated issues, but it's annoying to have to type my password in the client so I can use Touch ID to unlock the extension.

@pascal-ws

> These may be two unrelated issues, but it's annoying to have to type my password in the client so I can use Touch ID to unlock the extension.

Hey @robwhess, I think it's a good idea to start a separate issue for this. But, why is TouchID (I guess Biometrics in general?) not an option for you? My workflow is:

  • Open Extension (remember the issue)
  • Open Client App, Click on Biometrics
  • Use Finger to log in App
  • Click in Extension on Biometrics
  • Use Finger to log in Extension

Maybe it's a bug or misconfiguration in your app?

One thing to remember: You need to basically keep the Client App running and set it so that it only minimizes when closing and just "locks" itself for using biometrics, since it's recommended not to use it on first start of the app (for me that's right after starting my device), although there is an advanced option to even allow that. Then, when opening the App, it should give you the option for Biometrics.

Might depend on version and OS of course.

@robwhess

robwhess commented Jun 3, 2024

Thanks for the input @pascal-ws. When I said Touch ID was not an option, what I meant was that the BW client doesn't give me the option to use Touch ID to unlock it, only password. This is despite having the "Unlock with Touch ID" setting turned on. I do also always have the BW client app running. It correctly always shows in the Mac menu bar. The issue is that when it locks itself, I can't use Touch ID to unlock it for some reason. Interestingly when the BW client app first starts (e.g. when I restart my machine), I can use Touch ID to log in (I also have the "Ask for Touch Id on app start" option enabled), but that's the only time I can use Touch ID with the client app.

@gdurys

gdurys commented Jun 3, 2024

@robwhess It looks like #7150, no?
I also have the touchId button disappearing.

@robwhess

robwhess commented Jun 3, 2024

Thanks @gdurys. I hadn't seen that.

@Xytronix

Issue occurs on Arc as well, do hope for a solution.

@sylveon

sylveon commented Jun 13, 2024

Can repro with Edge on Windows

@X4V1

X4V1 commented Jun 14, 2024

The issue is still present in 2024.06

@zexpe

zexpe commented Jun 14, 2024

> With Safari, the "popup" comes up, but it doesn't unlock the extension. Works fine if I unlock the mac client.

So, I've been having the same behaviour too both on the latest and previous releases of Bitwarden. However, I've noticed that if I use Touch ID when the "popup" comes up it doesn't work, but if I instead enter my computer password in that "popup" (not the Bitwarden master password in the extension itself, which also works, obviously) - then it works to unlock the browser extension. Odd... you'd expect biometrics and computer password to offer the same authorisation behaviour.

@zexpe

zexpe commented Jun 14, 2024

Actually, just tried this again... what's actually happening is that regardless of whether I use Touch ID or I use the computer password, it will unlock the extension but only if I click away from the extension and then click for a second time. Very weird. Also it then locks again after a short while... but doesn't show the lock icon.

@rumenavramov

rumenavramov commented Jun 15, 2024

> Seems this is now the expected "interim" behavior. BW employee responded in this reddit thread:
>
> https://old.reddit.com/r/Bitwarden/comments/1cyw9sp/extension_202450_always_requires_desktop_app_to/

I opened a ticket with support and they responded the same way - this is the expected temp behaviour. Sadly, the docs are not updated to reflect that and I agree that this change should have been announced somehow. They also said that they are trying to come up with a better approach that will maintain security while providing the convenience of the old behaviour.
Additionally, the code to have a proper error message should have been pushed to the browser extension before the behaviour was changed, because the extensions are always behind the desktop app due to the approval process they need to pass with every new release.

@holdit
Author

holdit commented Jun 20, 2024

Finally, a useful message. Add-on v2024.6.2:

[Screenshot: message]

@zexpe
Copy link

zexpe commented Jun 20, 2024

> Actually, just tried this again... what's actually happening is that regardless of whether I use Touch ID or I use the computer password, it will unlock the extension but only if I click away from the extension and then click for a second time. Very weird. Also it then locks again after a short while... but doesn't show the lock icon.

I get the same behaviour in 2024.6.2. It appears to not unlock with biometrics, but if I tap away and then tap the extension again then it's unlocked...

@X4V1

X4V1 commented Jul 2, 2024

Any update?

@RamseyKal

Would love this behaviour changed to how it was before!
There was no security issue before, from what I can tell, so I hope they can revert this or resolve it.

@mzq592

mzq592 commented Jul 10, 2024

This change makes "unlock with biometrics" in browser pointless.
There are two scenarios:

  1. Keep desktop locked. Unlock in desktop app and then unlock in extension.
  2. Keep desktop app unlocked. Then unlock in browser when I need to enter a password.

In case 1, why do I need to unlock twice with the same biometrics?
In case 2, anyone who can access my laptop can view my password in the desktop app, which makes the second authentication in browser pointless.

@abinthomas744

#9945 and #9539

They claim to have fixed it in these issues

@mzq592

mzq592 commented Jul 10, 2024

> #9945 and #9539
>
> They claim to have fixed it in these issues

Great! I'll wait for the PR to be released then.

@abinthomas744

Yeah, this issue has been an unnecessary pain for a while now.

I hope they check and release it soon.

@trmartin4
Member

Hello,

This has been addressed with #9945 and this has been merged to main. Since this has been resolved, I will be closing this ticket. We are currently in testing for our next release, which will include the change to handle the scenario. We cannot commit to an exact release date, as we want to make sure our release candidates are put through proper regression and review prior to release.

@holdit
Author

holdit commented Aug 23, 2024

Seems to be working now and it's even mentioned on the changelog. Much better. Thank you to everyone involved.

@abinthomas744

🎉 Thanks for all the hard work, it was a really annoying problem.
