Biometrics on BW for Chrome not working requesting PERMANENT unlock of BW for Windows #9539
Comments
I seem to be having the same issue on Firefox on Windows 11. In my case, clicking the "Unlock with Biometrics" option in the browser extension causes "Awaiting confirmation from desktop" to flash briefly, but the Windows Hello prompt never appears. It will only work if I unlock the desktop client first.
Your issue is similar. The problem seems to be due to the BW desktop client. This is a big issue: not only does it break the user's process of using BW (no Windows Hello), but it is also a major security issue (it forces you to keep BW unlocked to do your daily work).
@kspearrin: perhaps it might be worth involving a direct member of the BW team to raise awareness of this issue? Although I might grasp the complexity of the issue (having to work with OS-specific APIs and security restrictions), this has a major impact on browser extension usability and the overall BW customer experience.
@oeloo I would also adjust the issue title, as this thread might be used as a general issue that encompasses more OSes and browsers (the root cause might actually be the same).
@alex-ioma This should be the role of the BW dev team community.
Hi all, I promise we're aware and looking into flow improvements. I've outlined our current plan below, and feedback is welcome.

This change is actually a short-term response to a detected security issue where biometric authentication from the browser could cause user keys to persist in desktop memory for an extended period. The method we have of preventing long-lasting retention of sensitive data is by forcing the application to crash and restart, which we internally call process reload. It's very destructive, though, and needs to be handled by the Desktop client directly, not whenever the browser asks for a key.

The short term "solution" here was to allow the Desktop to handle user sessions as it was designed to do by needing to be unlocked prior to handling sensitive data. That way, process reload will ensure the data is disposed of automatically when the user locks or logs out of the Desktop client. I totally understand that this is a frustrating user flow change, but it was done to ensure that sensitive data is managed appropriately.

To clarify, you do not need to keep the Desktop application unlocked the entire time you use the browser; it only needs to be unlocked when you do the key exchange. I realize that that may mean unlocking twice, for now. In light of that, does anyone see a security vulnerability? I take those very seriously, but I believe this actually minimizes risk.

Planned approach

The planned long-term approach for browser biometric authentication right now is to unlock the desktop client at the same time as the browser client when performing biometric authentication with the browser. That way, the user's session is managed appropriately in both the desktop and the browser. It also removes the need to separately authenticate in each client.
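The session-bound key handling that the comment above describes, as an added illustration for readers of this thread. This is not Bitwarden's code: DesktopSession, handleBrowserBiometricRequest and LOCKED_ERROR are hypothetical names, and the key bytes are a constructed sample. The point it shows is the invariant the comment relies on: a key is only handed to the browser while a desktop session owns it, and the desktop session's lock is the disposal path for its copy (the browser's copy is a separate allocation that the browser has to wipe itself).

```javascript
// Added model of the flow described in the comment above. Not Bitwarden's
// implementation: DesktopSession, handleBrowserBiometricRequest and
// LOCKED_ERROR are hypothetical names chosen for this illustration.

// Error text the extension shows when the desktop refuses (quoted in the issue).
const LOCKED_ERROR = 'User locked or logged out';

// The desktop client owns the user key. Its lifetime is bound to the desktop
// session: unlock() materialises it, lock() is the only disposal path.
class DesktopSession {
  constructor() {
    this.userKey = null;
  }

  // Simulates a successful desktop unlock (e.g. after a Windows Hello prompt).
  unlock(keyMaterial) {
    this.userKey = Buffer.from(keyMaterial);
  }

  isUnlocked() {
    return this.userKey !== null;
  }

  // Overwrite before dropping the reference, so an alias of the same Buffer
  // that outlives the session reads zeros. JavaScript cannot guarantee that no
  // other copy exists, which is why the comment above also relies on a
  // process reload as the backstop.
  lock() {
    if (this.userKey !== null) {
      this.userKey.fill(0);
    }
    this.userKey = null;
  }
}

// A browser-side biometric unlock asks the desktop for the key. The request is
// honoured only while the desktop session is unlocked, so every key handed out
// is covered by that session's lock()/logout disposal.
function handleBrowserBiometricRequest(session) {
  if (!session.isUnlocked()) {
    return { ok: false, error: LOCKED_ERROR };
  }
  // The browser gets its own copy: zeroising the desktop copy does not touch
  // it, so the extension must wipe this one when it locks.
  return { ok: true, userKey: Buffer.from(session.userKey) };
}

// Walks through the flow once and reports what an observer would see.
function runScenario() {
  const session = new DesktopSession();
  // Constructed sample key; a real user key would come from the unlock step.
  const keyMaterial = Buffer.from('0123456789abcdef0123456789abcdef', 'utf8');

  const whileLocked = handleBrowserBiometricRequest(session);
  session.unlock(keyMaterial);
  const whileUnlocked = handleBrowserBiometricRequest(session);
  const strayAlias = session.userKey; // a reference that outlives the session
  session.lock();
  const afterLock = handleBrowserBiometricRequest(session);

  return {
    refusedWhileLocked: whileLocked.ok === false && whileLocked.error === LOCKED_ERROR,
    servedWhileUnlocked: whileUnlocked.ok === true && whileUnlocked.userKey.equals(keyMaterial),
    desktopCopyWiped: strayAlias.every((b) => b === 0),
    browserCopyStillLive: whileUnlocked.userKey.equals(keyMaterial),
    refusedAfterLock: afterLock.ok === false,
  };
}
```

Running runScenario() gives the four observations that matter for the discussion: a locked desktop refuses with the error text quoted in the issue, an unlocked desktop serves the key, locking wipes the desktop's copy even through a stray alias, and the browser's copy is untouched by that wipe and so needs its own disposal.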
@MGibson1 - Can you provide a timeline or expectation of when this is going to be resolved? The announcement of Apple's new password manager has me on the fence as to whether I'll stick with Bitwarden upon that release. I value security; it's my #1 priority. But at the same time, deep integration and ease of use are very important.
Thank you for the detailed explanation. But how is it done in the Safari browser, where everything works? I can unlock BW without unlocking the desktop client.
Hello, it becomes more of a risk if it becomes too complicated for users and they go back to using simple passwords or sticking them under the keyboard.
This workflow process, even temporarily, is not acceptable for users: not only is it cumbersome to explain this weird workflow to many users (it looks so weird), but even if they start doing it, it is a pain to do and a waste of time.
1Password has been using this approach since at least 2019: unlocking the 1Password desktop application also unlocks the 1Password Chrome add-on (and vice versa).
Security is of course very important, but this change renders unlocking via Windows Hello useless to me, as it's faster to type in the master password and be done with it. Not to mention that I migrated from LastPass to Bitwarden (and am also paying $10/year) solely because of the Windows Hello feature.
I hope the "long term" plan is for next week, because it's damn annoying to open the Bitwarden app before I can log in anywhere. If at least the browser plugin could make the BW app unminimize/pop up, that would be of great help already. Thank you.
I can't believe how much everyone complains that the Bitwarden team has discovered a vulnerability and is trying to fix it, in their own interests as well as in those of their users, just because it inconveniences them a little for an indeterminate period of time. When proprietary companies don't do their job when it comes to keeping their users' data safe, it often ends in scandal and instantly brings the company into disrepute; witness LastPass, which was the target of password thefts last summer. It seems to me that Bitwarden has every reason to take precautions, especially as flaws of this type are not necessarily exploited as everyone thinks. A vulnerability can be misused, sometimes in ways we hadn't even considered, and when it is, it's often a real mess.
@0ldb34r I believe you should put yourself in the shoes of business users, where the IT team has to manage user discontent: not only was IT support not aware of this very impactful change and tickets are piling up, but they are now in a situation where they have to explain to non-IT users that they need to open the BW desktop app to unlock, then open the browser extension to unlock, and do that X times a day.
@cpainchaud Except that there are other ways of doing this, which are just as secure: using a PIN code while waiting for the problem to be dealt with, for example.
@0ldb34r you do underestimate users' stupidity: if it's too inconvenient, they will go back to post-it notes or whatever software they find on Google. That's real life. I am here to make sure that they (BW) understand that it's not something they can wait for next year.
@0ldb34r This security issue was already discovered by 1Password in 2019 and solved. So we could have expected this to be found by BW before June 2024. Then we need to talk about the urgent solution brought by the BW team: it is questionable to force users into such a weird process. This process is a security flaw that is more dangerous than the initial problem: initially, the hacker needed high computer knowledge to use the issue, whereas now the potential hacker does not need any computer skills, since many user vaults will have to stay fully unlocked for much, much longer.
Can we please have a rough estimate of how long it will take for this issue to be resolved?
I don't like the lack of communication about this. Of course security fixes should land fast, but then notify me in the app with a little info icon that the functionality changes. I wasted time trying to figure out what happened and finding this issue.
@masterflitzer I only regret that there's so much obvious anger towards the Bitwarden team on this subject.
Noticed this behavior on both Windows and macOS, assumed it was just another bug...
Do you have any idea when it's going to be merged?
I've upgraded to the latest 7.1 update for both the desktop app and the browser extension, but the issue is still there. Anyone else facing the same issue?
PR #9945 has still not been merged. Looks like the most recent activity was July 22, and there is one pending review.
Prioritize this one please, huge impact on user experience.
I know that the problem is being worked on, but after all these weeks/months, I have to give my opinion on it. It's very frustrating if you actually value security. I normally lock my Bitwarden container as soon as my PC is locked (I'm not at the PC). I now only lock Bitwarden when I shut down the PC, because it's so incredibly tiring to always unlock the desktop app first in order to then unlock the browser extension as well. With every update, I hope that this behavior will be stopped.
I fully agree with this; the decision of the Bitwarden team toward this security problem is short-sighted. Technology is not the only thing in a well-secured system, and breaking the security process of all Bitwarden users for a small security hole that can only be abused by very advanced technical gurus is stupid. Like many other BW users, due to this bug I have no choice but to leave my wallet permanently unlocked. Now every person, even with absolutely no technical knowledge, can hack my account. Before the decision of BW, maybe just a dozen individuals had the high technical knowledge to hack BW accounts; now there are a billion people that could potentially hack my BW account. At least empower the end user with an option to let him decide what he considers the safest option.
To be fair, you do have other choices... for example, disabling biometric unlock and instead unlocking with a short PIN would be a much better workaround than simply leaving your vault permanently unlocked.
Looks like this pull request was merged yesterday; hopefully the fix will be in the next update?
It seems that the fix was implemented in the desktop app, correct?
Yes, my understanding is that the desktop app will now be able to unlock the extension without unlocking itself, which allows it to work around some sort of key storage issue.
I tested. To work around the issue, revert the desktop app to 2024.2.1 and avoid 2024.7.1, i.e. only update after a newer desktop version has been released.
Hello, as you have identified, this has been addressed with #9945 and this has been merged to
Updating to Desktop v2024.8.0 has resolved this issue for me. Still running 2024.7.1 for the Firefox plugin.
Same here! Thanks to the devs.
Thanks for all your efforts BW! ❤️
Finally! Thanks to the developers. Quick work after all!
Thank you devs! 🖤
Thanks for the fix 👍🏻
Thank you for the fix! In addition, can we get the browser extension to prompt if we have enabled biometrics? In the current workflow we have to click on the extension or use the hotkey to bring the UI up and then click on "Unlock with biometrics". Hopefully we can have this QOL change sometime.
@bitwarden Team, thank you for the fix, it is working perfectly.
Thank you very much to the team for this fix; it had been bugging us a lot for a while now.
Not working for me on my Mac M1 running Sonoma 14.5.
Try updating the extension and app to the latest version.
Been working well for a few weeks now.
It seems to work great besides one use case: To be fair, I did not test the above case for a month, as I was forced to switch to "1 min" for the above reasons. I'm checking now and will open another issue if this is still the case.
Confirmed. Problem solved. Working well also with Vault Timeout "Immediately".
Steps To Reproduce
Expected Result
The Bitwarden Chrome extension should open your vault so that you can enter your credentials on the websites you want.
Actual Result
You get the error:
"User locked or logged out. Please unlock this user in the desktop application and try again."
Screenshots or Videos
Additional Context
If BW for Windows is unlocked when using biometrics on BW for Chrome, you can unlock the BW for Chrome extension. BUT this completely defeats the purpose of the BW for Chrome extension.
Furthermore, if you have to keep BW for Windows unlocked to use BW for Chrome, it is a major security issue.
Operating System
Windows
Operating System Version
11
Web Browser
Chrome
Browser Version
Version 125.0.6422.142 (Official Build) (64-bit)
Build Version
Extension=v2024.5.2 Windows client=2024.5.0