Desktop: app re-locks itself 5 seconds after initial login with Windows Hello
Steps To Reproduce
- Make sure Bitwarden desktop is not running
- Open Bitwarden desktop
- Windows Hello prompt is fired
- Pass the Windows Hello challenge (show your face to camera, use fingerprint scanner, enter PIN, etc.)
Expected Result
After passing the Windows Hello challenge, Bitwarden is now unlocked
Actual Result
While Bitwarden is initially unlocked, a few seconds later it seems to auto-lock again, requiring the user to re-login again.
This only happens on a fresh start of Bitwarden. It also seems that on subsequent full restarts of the Bitwarden desktop app (fully exiting it, then restarting it) it sometimes happens, and sometimes doesn't. Wasn't able to determine if there's some additional factor here.
Screenshots or Videos
https://user-images.githubusercontent.com/895831/180220232-94e9d6fb-fb48-4844-94e3-3bb64fa774a7.mp4
- 0:00 starting up Bitwarden desktop app from scratch
- 0:02 Windows Hello prompt
- 0:05 Bitwarden desktop is unlocked
- 0:11 Bitwarden auto-locks again
Additional Context
No response
Operating System
Windows
Operating System Version
10 Build 19044
Installation method
Direct Download (from bitwarden.com)
Build Version
2022.6.2
I just checked, and this auto-locking after 5 seconds behaviour doesn't seem to happen when I bail out of Windows Hello and just type in my password instead. Wonder if the difference here is that with Windows Hello, after logging in, the Bitwarden window is not the active/focused window (and maybe some logic kicks in with the auto-locking when not active, and there's some internal timer that hasn't been reset when first logging in via Windows Hello)?
Hello @patrickhlauke, thank you for taking the time to report this. We tried to reproduce this issue in the last version (2022.8) and we couldn't. Could you please try updating and checking again?
Updated to 2022.8 the other day, and confirming that it's still happening.
Note that this behaviour only happens on a fresh start of the app, and even then only if the app was already auto-locked when the app was last open (as said, I suspect - without looking at the code - that this is somehow tied to an internal timer/clock in the app, and that when first logging in via Windows Hello, it doesn't reset that timer ... and then 5 seconds after that Hello login, it thinks it needs to time out / autolock again).
Oh, and I assume this behaviour also depends on having the auto-locking enabled to reproduce it.
My coding skills are not the best, but having had a look over some of the codebase, my hunch about what is happening here is:
When first logging in with Windows Hello (compared to regular login using the regular master password field), the lastActive value is perhaps not being updated?
So the app logs me in, and then as soon as the first check of "is the lastActive value older than the vaultTimeout" happens, it only remembers the very last time I was active on the previous run of the app, which then clearly fails and then initiates the auto-locking of the app.
On the second go around, the lastActive value is now correct (because I either typed something into the regular master password field, or I clicked on the "Unlock with Windows Hello" button explicitly), so once I log in a second time, it's not a problem anymore.
So what's missing currently is setting lastActive to the current time/date when logging in via Windows Hello/biometric - or even just automatically when the app is loaded for the first time from a cold start. I'm guessing somewhere after the successful biometric login, or on the first cold start, it needs to execute/rattle the recordActivity() method (but my coding skills are admittedly too weak to work out where/how) /cc @Hinton @djsmith85
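Added example, not part of the thread and not Bitwarden's code: a minimal model of the timer behaviour hypothesised in the comment above, showing a stale persisted `lastActive` re-locking the vault on the first timeout check after a biometric unlock, next to the variant that records activity on unlock. Only `lastActive`, `vaultTimeout` and `recordActivity` come from the thread; `VaultModel`, `recordOnBiometric`, `lockedAfterFirstCheck` and all timing values are assumptions.

```typescript
// Simplified idle-timeout model (constructed; not taken from the Bitwarden source).
type UnlockMethod = "masterPassword" | "biometric";

class VaultModel {
  locked: boolean = true;
  private lastActive: number;         // ms timestamp persisted from the previous run
  private vaultTimeout: number;       // idle timeout in ms
  private recordOnBiometric: boolean; // false models the behaviour suspected in the report

  constructor(lastActive: number, vaultTimeout: number, recordOnBiometric: boolean) {
    this.lastActive = lastActive;
    this.vaultTimeout = vaultTimeout;
    this.recordOnBiometric = recordOnBiometric;
  }

  recordActivity(now: number): void {
    this.lastActive = now;
  }

  unlock(method: UnlockMethod, now: number): void {
    this.locked = false;
    // Typing the master password counts as in-app activity. An OS-handled
    // biometric prompt does not, unless the unlock path records it explicitly.
    if (method === "masterPassword" || this.recordOnBiometric) {
      this.recordActivity(now);
    }
  }

  // Periodic check: lock again once idle time reaches the timeout.
  checkVaultTimeout(now: number): void {
    if (!this.locked && now - this.lastActive >= this.vaultTimeout) {
      this.locked = true;
    }
  }
}

// Cold start: last activity one hour before launch, 15 minute timeout,
// unlock at launch, first timeout check 5 seconds later (all values constructed).
function lockedAfterFirstCheck(method: UnlockMethod, recordOnBiometric: boolean): boolean {
  const start = 1700000000000;
  const vault = new VaultModel(start - 60 * 60 * 1000, 15 * 60 * 1000, recordOnBiometric);
  vault.unlock(method, start);
  vault.checkVaultTimeout(start + 5000);
  return vault.locked;
}

console.log("biometric, no recordActivity:", lockedAfterFirstCheck("biometric", false));
console.log("master password:", lockedAfterFirstCheck("masterPassword", false));
console.log("biometric + recordActivity:", lockedAfterFirstCheck("biometric", true));
```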
@patrickhlauke,
Thanks for the clarification!
I was able to reproduce the bug. I'll raise the issue internally for prioritization. Thanks for bringing this to our attention!
great stuff, thanks @bnagawiecki
I find that the same thing seems to happen with the browser plugin. Given that it uses the Bitwarden desktop application, I suspect it is a similar issue. Furthermore, I have heard that it also happens on a Mac, though I'm not certain about this as I don't use it for my daily driver.
Hello. I seem to experience the same problem running 2023.1.1. Is there any idea of when this is planned to be fixed?
I'm also experiencing this behavior. Glad to see it is a confirmed bug. Now waiting for the fix...
I am getting this annoying issue too. Log in with fingerprint on desktop, then get ready to log in with fingerprint on browser extension, and the desktop app kicks me out and asks me to log in again.
@djsmith85 glad to see my diagnosis of the problem seemed correct :)