Biometrics requires authorization on every page load. Mac, Chrome & Safari
Steps To Reproduce
Running Mac OS Monterey 12.5.1 on Mac Studio M1 Max. Latest Safari release and version 105.0.5195.52 (Official Build) (arm64) for Chrome. Bitwarden Chrome version 2022.8.0. Desktop version 2022.8.1. Safari extension version 2022.8.0.
With the desktop app unlocked and both browser extensions unlocked, as soon as I click to navigate to another page Bitwarden locks the vault. I click it to unlock with biometrics and it unlocks. As soon as I click a link it locks again. This makes it unusable with biometrics. Disabling biometrics has solved the problem for both Safari and Chrome.
Expected Result
I would expect to unlock Bitwarden and have it respect the 4 hour timeout to lock the vault before requesting it be unlocked again.
Actual Result
I unlock the vault with biometrics and it immediately locks after clicking a link in either Chrome or Safari.
Screenshots or Videos
No response
Additional Context
No response
Operating System
macOS
Operating System Version
Monterey 12.5.1
Web Browser
Chrome, Safari
Browser Version
105.0.5195.52 (Official Build) (arm64) Chrome
Build Version
2022.8.0 and 2022.8.1
I confirm the bug.
@marcvig @mada199122
- Do both your desktop vault and your browser extension have this four hour timeout? Both can have separate timeouts for unlock
- Have you tried fully logging out and logging back in?
- Which settings do you have toggled in the following Preferences for desktop?
If all else fails I advise walking through this document meticulously: https://bitwarden.com/help/biometrics/
No, my desktop vault (the app) has the vault timeout set to "on system sleep". For the browser extension I've instead tried changing to different settings (1/4 hours as timeout), but it always presents the same bug.
Yes, I've tried to log out and log back in, but it always presents the bug.
My desktop app settings are the following...
> @marcvig @mada199122
> - Do both your desktop vault and your browser extension have this four hour timeout? Both can have separate timeouts for unlock
> - Have you tried fully logging out and logging back in?
> - Which settings do you have toggled in the following Preferences for desktop?
>
> If all else fails I advise walking through this document meticulously: https://bitwarden.com/help/biometrics/

On my setup BOTH desktop and browser have the 4-hour timeout. I am aware they can be separate. As a test I changed the browser, which is the only one that keeps locking, from "4 hours" to "On browser restart". This has solved the problem, although at the expense of lower security, requiring a full browser restart vs a passive 4-hour timeout.
Yes, I have tried logging out and back in on both desktop and browser, but that doesn't change the behavior.
So it appears it is the vault timeout setting that is tripping the wire and instead of timing out at 4 hours properly it times out immediately. I will keep the current "On browser restart" setting for a few days to be certain it doesn't lock out and honors that setting at all times but so far it seems to.
I am also going to test a custom timeout and see if that works. I tried it for a short time and that also seemed to fix it but I don't have enough time testing to make sure it survives Mac sleep or other scenarios. Will report back on the different timeout options later this week after both are tested fully.
thanks
Update on custom timeout test. Failed. Any time setting for timeout reproduces the immediate lock on every new page load for any website.
Now testing only "On browser restart". Will report back
The bug is still present in the last update 2022.9.1...
> Update on custom timeout test. Failed. Any time setting for timeout reproduces the immediate lock on every new page load for any website.
> Now testing only "On browser restart". Will report back

“On browser restart” setting I can confirm does not exhibit this bug. The bug does indeed appear to be limited to any of the preset lockout times selected from the drop-down menu or custom timeout. Something in the timeout code must be triggering the biometric lock and bypassing the time check upon new page loads.
The bug is still present in the last version.
Hey @marcvig,
Thanks for submitting this issue. I have been attempting to replicate on a similar setup with the latest version of BW app, browser extension, Chrome, and Safari, but was unable to do so. Only difference in setup is I'm on Ventura instead of Monterey. Can you confirm it's still occurring for you on the latest version of the apps?
If so, a couple follow-ups:
- Are you logged into one or multiple accounts on the desktop app?
- Is the desktop app closed to menu bar when you're navigating in the browser?
- Are there any specific steps you're doing on the browser to trigger it, or is it as straightforward as: boot up computer -> unlock desktop with biometrics -> open Safari/Chrome -> unlock browser with biometrics -> navigate to page -> wait for page load -> click on link on page to go to new page in same tab -> extension locks?
@bnagawiecki
I am now on Ventura as well and have not tested it with the 4-hour or any timeout setting since the upgrade.
I have just set it back to 4 hours and will see over the next few days if this bug appears. I also have the latest BW app and extensions. I enabled the 4-hour lock timer, and so far, it has not shown the locking bug. However, in the past, there have been a few times where it worked for a few hours, and then the bug returned, so I will see if the proper behavior continues and let you know if the bug still exists on Ventura and the latest BW build. Thanks.
@bnagawiecki I am still seeing BW locking out frequently on page loads and often within seconds with 4 hour lockout time set. This is on the same account for the Chrome and desktop app, not different accounts. It did this with the desktop app open.
#3 is correct how you described it. Log into both desktop and browser. Start browsing around and it locks on new page loads.
As the only workaround for now, I have reverted it back to lock only on closing of browser, which is not very secure.
@marcvig I'll let mine sit in your current state for a few days and see if I can get it to replicate.
Is it still occurring for you on Chrome, Safari, or both?
> @marcvig I'll let mine sit in your current state for a few days and see if I can get it to replicate.
> Is it still occurring for you on Chrome, Safari, or both?

@bnagawiecki
I've only tested it on Chrome so far.
I'm having this issue in Safari as of a few days ago too.
Any news about this issue? After many months I still have... Thanks
> @bnagawiecki I am still seeing BW locking out frequently on page loads and often within seconds with 4 hour lockout time set. This is on the same account for the Chrome and desktop app, not different accounts. It did this with the desktop app open.
> #3 is correct how you described it. Log into both desktop and browser. Start browsing around and it locks on new page loads.
> As the only workaround for now, I have reverted it back to lock only on closing of browser, which is not very secure.

I have the exact same behaviour. I've uninstalled Bitwarden and reinstalled it, same issue. For now I've reverted to only locking on browser quit.