Bitwarden's desktop app now supports passwordless login for web vault
Bitwarden introduced its passwordless login method for its mobile apps a couple of months ago. Now the password manager has expanded the new web vault login experience to its desktop app.
Hackers recently targeted Bitwarden users by placing phishing ads in Google results. Before entering your email address or master password, check the URL in the address bar to ensure you are on the password manager's official domain (vault.bitwarden.com for the web vault) and not a look-alike.
How to enable passwordless login in Bitwarden on desktop
1. Open the Bitwarden desktop app on your PC.
2. Unlock your Vault using your master password.
3. Go to the File > Settings page.
4. Click the checkbox next to the option that says "Approve Login Requests".
5. Switch to your web browser, and access the Bitwarden web vault https://vault.bitwarden.com/
6. Enter your email address in the username field.
7. Click the continue button, and the page will prompt you to enter your Master Password. It also has an option to "Login with Device". (1st screenshot)
8. Select the option, and the page will display a message that reads "Log in initiated", and says that a notification has been sent to your device. It also shows a fingerprint phrase, which is a combination of random words.
9. Switch back to the Bitwarden desktop app, and you should see a pop-up window that gives you the details of the login attempt. This push notification lists the IP address the request was made from, the time, and the browser used for signing in. The fingerprint phrase is also displayed in this panel. Use this information to check whether it is a legitimate login attempt, i.e. whether it came from your device or from elsewhere: the fingerprint phrase must be identical to the one shown in your browser, and the IP address, time and browser should be yours.
10. Click the confirm login button to allow the passwordless login attempt. Or, hit the deny login button to block access to your account.
Note: The process to enable the log in with device option on the Bitwarden mobile app for Android and iOS is slightly different. You should follow my previous article to get it working.
You will be prompted for your 2FA code if you have enabled two-step login for your Bitwarden account (and you should). Not seeing the log in with device option in your browser? Update the Bitwarden desktop app and try again. It is also worth mentioning that the button only appears in browsers that you have logged into before, i.e. it works on recognized devices only.
Some people may argue that this is a disadvantage. Let's say you want to access your Bitwarden vault on a friend's computer or a system that you don't normally use. Not typing your master password there would keep it away from a keylogger. But is it really safe to access your vault on a device that may or may not be secure? I think that's the logic behind Bitwarden's implementation of only allowing recognized devices (and browsers) to use the passwordless login feature.
Is this passwordless login method secure? How does it work?
As outlined in the above diagram, the web vault sends an encrypted authentication request to the device running the Bitwarden app. That device returns the outcome (approve/deny) over the same end-to-end encrypted channel, which is built on a public/private key pair, so the server that relays the messages cannot read their contents; Bitwarden describes this as a zero knowledge encryption method. As step 2 of the guide shows, the vault must be unlocked on your desktop before you can approve a login request made on the web. That is an added layer of security, as are the fingerprint phrase, which has to match on both screens before you approve, and the 2FA verification.
Essentially, Bitwarden's passwordless login reduces how often you have to type your master password across your devices. Normally, you enter the master password to unlock your vault in the desktop (or mobile) app; when you then want to access your account via the web vault or the browser extension, you have to enter it again. With the passwordless login method, you only need to enter the password once (in the desktop or mobile app). It is somewhat similar to unlocking with Windows Hello or Touch ID, but passwordless login is simpler and does not require special hardware (like a fingerprint reader).
Bitwarden recently added Argon2id as a KDF option alongside PBKDF2. Argon2id is memory-hard, which makes offline brute-forcing of a stolen vault on GPUs far more expensive. Learn how to enable it to protect your account further.
What happens if you lose access to a device?
You won't be locked out of your vault. Passwordless login is, as the name suggests, just a different way to log in to your account. So in the unfortunate event that you cannot access your phone, you can still use your master password to unlock the vault in a web browser, or on another device where you have used it before.
It's up to you to decide whether you want to use the feature; it is not enabled by default. The option is not available for the browser extensions yet. The official announcement can be found here.
Have you tried Bitwarden's passwordless login?