Comments (17)

marcelpaulo avatar marcelpaulo commented on July 26, 2024 11

This issue is still present. I'm running the Bitwarden free Chrome extension 1.29.0 with Google Chrome 68.0.3440.106 on Xubuntu 18.04.1, and I've just observed this, too: I enabled 2FA with Authenticator App (Authy), but the extension only asks for the authenticator code if I explicitly log out. Even if I reboot my laptop, when I next open Chrome, the extension allows me to log in with just my master password.

I get the impression that the extension never logs out unless told so explicitly: even if Chrome is killed, the extension only locks. I guess this is the root cause.

If the extension is the primary access to Bitwarden, this issue renders 2FA ineffective, since it only kicks in after explicit logout.

from clients.

arobass avatar arobass commented on July 26, 2024 2

What is happening with this issue? Still an issue with the Chrome plugin: I log out in the plugin, close Chrome, reboot, open Chrome and I'm able to log into my vault with the plugin using only my password (it does not prompt for 2FA). This is nonsense. Big security flaw here.

daidekker avatar daidekker commented on July 26, 2024 1

I have the same issue. Chrome extension, not automatically asking for 2nd factor when logging in.
Proposing a simple fix. When the extension "locks", don't call the lock code but call the "log-out" code. When you log out of the plug-in, and want to log back in, the plug-in does ask for the functionality.

jacobrreed avatar jacobrreed commented on July 26, 2024 1

unsure why that commit is referencing this issue @Hinton

kspearrin avatar kspearrin commented on July 26, 2024

This sounds like an issue since enabling two factor authentication is supposed to force log you out the next time the extension reaches out to the server (via an update or sync for example). You mentioned that you edited an entry in the extension after enabling it, which is a server call. I will have to investigate.

balboah avatar balboah commented on July 26, 2024

Same with Firefox extension and also the Linux Bitwarden client? I've enabled 2-factor on a different machine but on Linux I can still log in and vault sync works. Seems like a bug to me.

ElectricSwan avatar ElectricSwan commented on July 26, 2024

I agree that the Chrome extension should ask for 2FA after lock (as well as after logout).
Alternatively, add an option to the Chrome extension to log out after a period (rather than only auto lock).
The fact that Bitwarden doesn't force 2FA after auto lock puts Bitwarden behind LastPass for 2FA security.

beatsandpics avatar beatsandpics commented on July 26, 2024

Any update on this? 2FA is only asked if I explicitly log out from my browser extension.

fsergiojr avatar fsergiojr commented on July 26, 2024

Same thing happens on macOS 10.15 and Safari. Quitting the browser does not prompt for the 2FA code. Even if the computer gets restarted, the 2FA code is not prompted either. The code is only asked if I explicitly choose to log out. It also would be nice that once the vault is locked it could be unlocked using the 2FA code.

ItsIgnacioPortal avatar ItsIgnacioPortal commented on July 26, 2024

Same happens in Edge, 2FA is only present when you first log in. But the 2FA OTP is not requested when you "unlock the vault". The 2FA OTP will only be required if you go to the settings and log out.

ascisco avatar ascisco commented on July 26, 2024

Having the same problem on Chromium. 2FA is enabled and works when I log in to the Bitwarden website, but 2FA is not asked for when logging into the Bitwarden extension unless I manually sign out first. This is a big security problem imo, the whole point of 2FA is to add a second layer of protection to all login fields.

HamsterHam88 avatar HamsterHam88 commented on July 26, 2024

I would like to be able to set it up so when my browser is closed Bitwarden is logged out so therefore I would need to type in my password and 2FA again.

Progdrasil avatar Progdrasil commented on July 26, 2024

I have this issue on Firefox 72 as well as with the Android app.

Hinton avatar Hinton commented on July 26, 2024

@jacobrreed Hmm, not sure what happened there. Fairly certain all I did was sync my local fork with upstream. Possibly a mistake in my git client or a weird behavior in the GitHub UI.

Orlandoke avatar Orlandoke commented on July 26, 2024

It would be really nice if once the vault is locked (after a timeout for example) it could be unlocked using a 2FA code rather than a fixed PIN code.

bitwarden-bot avatar bitwarden-bot commented on July 26, 2024

Hi @vatjjar,
We're cleaning up our repositories in preparation for a major reorganization. Issues from last year will be marked as stale and closed after two weeks. If you still need help, comment to let us know and we'll look into it.
Thanks!

HamsterHam88 avatar HamsterHam88 commented on July 26, 2024

I still think we need this. I would like on every shutdown/restart of my laptop I have to enter my 2FA.
