Comments (17)
This issue is still present. I'm running the Bitwarden free Chrome extension 1.29.0 with Google Chrome 68.0.3440.106 on Xubuntu 18.04.1, and I've just observed this, too: I enabled 2FA with Authenticator App (Authy):
but the extension only asks for the authenticator code if I explicitly log out. Even if I reboot my laptop, when I next open Chrome, the extension allows me to log in with just my master password.
I get the impression that the extension never logs out unless told so explicitly: even if Chrome is killed, the extension only locks. I guess this is the root cause.
If the extension is the primary access to Bitwarden, this issue renders 2FA ineffective, since it only kicks in after explicit logout.
from clients.
What is happening with this issue? Still an issue with the Chrome plugin: I log out in the plugin, close Chrome, reboot, open Chrome and I'm able to log into my vault with the plugin using only the password (it does not prompt for 2FA). This is nonsense. Big security flaw here.
from clients.
I have the same issue. Chrome extension, not automatically asking for the 2nd factor when logging in.
Proposing a simple fix. When the extension "locks", don't call the lock code but call the "log-out" code. When you log out of the plug-in, and want to log back in, the plug-in does ask for the functionality.
from clients.
unsure why that commit is referencing this issue @Hinton
from clients.
This sounds like an issue since enabling two factor authentication is supposed to force log you out the next time the extension reaches out to the server (via an update or sync for example). You mentioned that you edited an entry in the extension after enabling it, which is a server call. I will have to investigate.
from clients.
Same with the Firefox extension and also the Linux Bitwarden client? I've enabled 2-factor on a different machine but on Linux I can still log in and vault sync works. Seems like a bug to me.
from clients.
I agree that the Chrome extension should ask for 2FA after lock (as well as after logout).
Alternatively, add an option to the Chrome extension to logout after a period (rather than only auto lock).
The fact that Bitwarden doesn't force 2FA after auto lock puts Bitwarden behind LastPass for 2FA security.
from clients.
Any update on this? 2FA is only asked for if I explicitly log out from my browser extension.
from clients.
Same thing happens on MacOS 10.15 and Safari. Quitting the browser does not prompt for a 2FA code. Even if the computer gets restarted, the 2FA code is not prompted for either. The code is only asked for if I explicitly choose to log out. It also would be nice if, once the vault is locked, it could be unlocked using the 2FA code.
from clients.
Same happens in Edge: 2FA is only present when you first log in. But the 2FA OTP is not requested when you "unlock the vault". The 2FA OTP will only be required if you go to the settings and log out.
from clients.
Having the same problem on Chromium. 2FA is enabled and works when I log in to the Bitwarden website, but 2FA is not asked for when logging into the Bitwarden extension unless I manually sign out first. This is a big security problem imo; the whole point of 2FA is to add a second layer of protection to all login fields.
from clients.
I would like to be able to set it up so when my browser is closed Bitwarden is logged out so therefore I would need to type in my password and 2FA again.
from clients.
I have this issue on Firefox 72 as well as with the Android app.
from clients.
@jacobrreed Hmm, not sure what happened there. Fairly certain all I did was sync my local fork with upstream. Possibly a mistake in my git client or a weird behavior in the GitHub UI.
from clients.
It would be really nice if once the vault is locked (after a timeout for example) it could be unlocked using a 2FA code rather than a fixed PIN code.
from clients.
Hi @vatjjar,
We're cleaning up our repositories in preparation for a major reorganization. Issues from last year will be marked as stale and closed after two weeks. If you still need help, comment to let us know and we'll look into it.
Thanks!
from clients.
I still think we need this. I would like on every shutdown/restart of my laptop I have to enter my 2FA.
from clients.