Bitwarden's passwordless authentication method lets you log into your web vault using the mobile app

Ashwin
Dec 7, 2022
Security

Bitwarden has introduced a passwordless authentication method that lets you approve a web vault login request from the mobile app. Here is how it works, and what to check before you approve a request.

Bitwarden's passwordless authentication system

I should mention this right away: the passwordless authentication does not replace your master password. It is a shortcut that lets you sign in to your account in a desktop browser without typing the master password there.
If you already use Bitwarden's desktop app, you may be aware that it lets you unlock the vault with Windows Hello or macOS Touch ID. The browser extension also supports these passwordless unlock options, but the vault has to be unlocked in the desktop app for them to work. Similarly, the mobile apps support fingerprint unlock and unlock with a PIN code. The new authentication method extends the passwordless login experience by bringing a second device into play: the phone that already holds the unlocked vault vouches for the browser.

(image courtesy: Bitwarden)

The big question is whether this method is safe to use. Bitwarden says that its passwordless authentication requests are encrypted before they leave your device (end-to-end encryption), so the server only relays them. The vault has to be unlocked in the mobile app before you can approve a login request. According to a support page on the company's website, login requests expire after 15 minutes if they are neither approved nor denied.

When you use the new authentication method, the mobile app and the web vault each display a sentence made of random words: the fingerprint phrase for this login request. The phrase on the mobile app's login request page must match the one shown in the web vault. Check it before approving, because anyone who knows your email address can trigger a login request from the sign-in page; a matching phrase tells you that the request on your phone is the one your own browser created, and a mismatch means you should deny it. The mobile app also shows some additional information: the type of device used (it only names the browser), the IP address the login attempt came from, and the time the request was made. Note that the official browser extensions do not support this login method yet, and it only works against Bitwarden's cloud-hosted server.
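To make the three security properties described above concrete (the request is end-to-end encrypted so the server only relays it, the fingerprint phrase ties an approval to one specific request, and a request dies after 15 minutes), here is a simplified model of the flow. It is an added example, not Bitwarden's code: the key-agreement scheme (finite-field Diffie-Hellman over RFC 3526 group 14 instead of whatever the real clients use), the HMAC-based toy cipher, the 32-word list, the request record fields, the client IP 203.0.113.7 and the vault key are all my own constructions, chosen so the script runs offline with only the Python standard library.

```python
# Simplified model of a "log in with device" flow (added example, not Bitwarden's code).
# Parties: the requesting browser, a relay server, and the unlocked mobile app that
# approves. The server only stores and forwards: the vault key travels encrypted to
# the requester's ephemeral public key, so the server never sees it.
import hashlib, hmac, secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2. Bitwarden's clients use a different
# public-key scheme; finite-field DH is used here because it needs only the stdlib.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
REQUEST_TTL = 15 * 60  # unanswered requests expire after 15 minutes (per the article)
# Constructed 32-word list for illustration; real clients use a far larger list.
WORDLIST = ("acid acorn alarm album alien ample anvil apple arrow asset atlas atom "
            "badge bagel baker banjo basil beach bench berry bison blade blaze blend "
            "blimp block bloom blush board bonus boost brick").split()

def keygen():
    """Ephemeral DH key pair; the requester makes a fresh one for every login request."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)

def fingerprint_phrase(email, pub, n_words=5):
    """Words derived from the requester's public key, keyed on the account email. Both
    screens compute it from the same key, so they match only for the same request."""
    digest = hmac.new(email.lower().encode(), pub.to_bytes(256, "big"), hashlib.sha256).digest()
    idx = [int.from_bytes(digest[2 * i:2 * i + 2], "big") % len(WORDLIST) for i in range(n_words)]
    return "-".join(WORDLIST[i] for i in idx)

def derive_keys(priv, other_pub):
    """Shared DH secret split into an encryption key and a MAC key."""
    s = pow(other_pub, priv, P).to_bytes(256, "big")
    return hashlib.sha256(b"enc" + s).digest(), hashlib.sha256(b"mac" + s).digest()

def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal(keys, plaintext):
    """Toy encrypt-then-MAC (HMAC-SHA256 keystream plus HMAC tag); stands in for AES."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(keys, blob):
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class RelayServer:
    """Holds login requests and the encrypted answer; never sees the vault key."""
    def __init__(self):
        self.requests = {}
    def create_request(self, email, requester_pub, client_ip, now):
        rid = secrets.token_hex(8)
        self.requests[rid] = {"email": email, "pub": requester_pub, "ip": client_ip,
                              "created": now, "answer": None}
        return rid
    def pending(self, email, now):
        """What the app lists for this account: open requests younger than REQUEST_TTL."""
        return [(rid, r) for rid, r in self.requests.items() if r["email"] == email
                and r["answer"] is None and now - r["created"] < REQUEST_TTL]

def approve_on_device(server, email, phrase_in_browser, vault_key, now):
    """Mobile-app side. Returns a status; the key leaves the device only on 'approved'."""
    open_reqs = server.pending(email, now)
    if not open_reqs:
        return "expired: no open login request"
    rid, req = open_reqs[-1]  # newest request; the app also shows req["ip"] and req["created"]
    if not hmac.compare_digest(fingerprint_phrase(email, req["pub"]), phrase_in_browser):
        return "denied: fingerprint phrase mismatch"
    dev_priv, dev_pub = keygen()
    req["answer"] = (dev_pub, seal(derive_keys(dev_priv, req["pub"]), vault_key))
    return "approved"

def login_with_device(server, email, vault_key, now, delay=5, phrase_shown=None):
    """Whole flow. Returns (status, key recovered by the browser or None). `delay` is
    seconds until approval; `phrase_shown` overrides what the user reads off the page."""
    req_priv, req_pub = keygen()                                     # browser: fresh key per request
    rid = server.create_request(email, req_pub, "203.0.113.7", now)  # constructed client IP
    phrase = fingerprint_phrase(email, req_pub)                      # displayed on the web vault page
    status = approve_on_device(server, email, phrase_shown or phrase, vault_key, now + delay)
    if status != "approved":
        return status, None
    approver_pub, blob = server.requests[rid]["answer"]              # browser polls for its answer
    return status, open_sealed(derive_keys(req_priv, approver_pub), blob)
```

Call `login_with_device(RelayServer(), "user@example.com", vault_key, now=1000)` and the browser gets the key back while the server's record holds only a public key and a ciphertext. Pass `phrase_shown` taken from some other request and the app refuses, which is the case the manual phrase comparison in the real app exists for; pass `delay=REQUEST_TTL` and there is no open request left to approve, which is the 15-minute expiry.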


The setting to approve login requests is not enabled by default in the Bitwarden mobile app (see steps 2 and 3 below). If you don't want to use it, you can simply leave it off. Bitwarden recommends that mobile app users enable the Unlock with Biometrics option (for fingerprint scanners and Face ID) or unlock with a PIN code, which is faster than entering the master password to unlock the vault each time a request comes in.

How to use Bitwarden's passwordless authentication option

1. Open the Bitwarden mobile app on your Android device or iPhone.

2. Go to the Settings page and look for an option that is labeled "Approve Login Requests".

3. Enable the option by selecting "Yes".

4. Visit Bitwarden's web vault in your desktop's browser.

5. Enter your email address in the username field.

6. Instead of signing in with the master password, click the option that says "Log in with device".

Note: The page will display your fingerprint phrase.

7. You should see a push notification on your phone, tap on it to open the Bitwarden app, and unlock the vault.


8. The app will display a page that is captioned "Are you trying to log in?".  Check whether the fingerprint phrase matches the one on the browser page.

9. Tap the confirm login button, and the web vault should automatically sign you in to your Bitwarden account.

Tip: You may not see the Log in with device option on the web vault's sign-in page. That's because the web vault hasn't synced your settings. As a workaround, try manually syncing your vault from the mobile app. Then log in to the web vault once using your master password, log out of your account in the browser, and go to the sign-in page again. You should now see the button to Log in with device. I think this step is required because of the two-factor authentication (2FA) system that's in place.

The latest version of Bitwarden password manager is 2022.11.0. You can download the Android app from the Google Play Store, GitHub and the iOS app from the App Store.

Thoughts about Bitwarden's passwordless sign in method

Bitwarden's passwordless sign in system is quite convenient, but it is a tad slow, at least on my device. It takes a couple of seconds for the approve login page to appear after tapping on the notification. The announcement article states that users will need to enter their 2FA code after approving the login. I couldn't test this, since the "login with device" option didn't appear for me without first signing in with the master password. Since I had to input the 2FA code then, the credentials were already stored in the browser's cookies, which is why the passwordless authentication didn't prompt me to enter the 2FA code.

But I think the 2FA step after approving the login may be unnecessary. Think about it: your mobile app's vault needs to be unlocked to approve the login request, which is not possible without knowing the master password, the PIN code, or the enrolled fingerprint. So there is already a second layer of security in place; why bother with a third one? It only slows down the process, especially if you use a third-party app for the TOTP codes.

I think Steam's passwordless sign in method is slightly better than this, because Valve's mobile app lets you log in without entering the username and password, by scanning a QR code with the Steam mobile app. It cuts two steps: you don't need to enter the username, or wait for the push notification and tap on it. The Steam app also displays the location of the login attempt on a map, which is an added bonus. I recommend enabling biometric authentication in the Steam Guard settings to protect the app from unauthorized use.

What do you think about Bitwarden's passwordless authentication method?

Published by Ghacks Technology News.

Comments

  1. Jack Forbes said on December 20, 2022 at 10:40 am

    For users, since one need not type passwords anymore, it leads to a better screen time experience. While for organizations, it will lead to fewer breaches and support costs.

  2. Anonymous said on December 7, 2022 at 11:24 am

    Ashwin delivering high quality content as always. This is why I frequent ghacks daily

  3. Yash said on December 7, 2022 at 9:07 am

    I have two Bitwarden accounts. First one is secured with 2FA with authentication key stored in second one with no 2FA enabled. All my data remains in first one and second one only exists so if ever I lost my device/smartphone which has Aegis installed, I would have a second way to get access back. This prompt method goes against that. Smartphone is a nasty little devil. You can lose it anytime. Hence I won't be using this method anytime soon. This applies to all my accounts, not just Bitwarden. Plus an email arrives every time a new device is used to sign in anyway so I'm not missing out on security.

    1. ShintoPlasm said on December 7, 2022 at 9:40 pm

      I do something similar, but instead of a second BW account I use a 2FA-less ProtonMail account.

      1. Yash said on December 7, 2022 at 9:55 pm

        Where do you store your 2FA key then in Protonmail?

        If I ever had to use Protonmail, I would need to memorise the password, right? Is this the case right now?

        I also keep a backup of my Bitwarden vault offline, encrypted, on multiple devices just in case.

      2. ShintoPlasm said on December 8, 2022 at 11:23 am

        I have an encrypted Aegis backup file which contains the 2FA key for BW and a couple of other crucial things. I send it to myself within ProtonMail. ProtonMail itself is protected by a long-ish passphrase which I've memorised, but has no 2FA for obvious reasons.

      3. Yash said on December 8, 2022 at 6:05 pm

        Thanks for the info. Actually your method is better because there are two points of failure instead of one in my case. So if Bitwarden goes down you'd have access to your mail account which probably is the most important.
