Bitwarden's desktop app now supports passwordless login for web vault
Bitwarden introduced its passwordless login method a couple of months ago, for its mobile apps. Now, the password manager has expanded the new web vault login experience to its desktop app.
Hackers recently targeted Bitwarden users by placing phishing ads in Google results. You should pay attention to the URL of the web page that you're on, to ensure you are on the password manager's official domain.
How to enable passwordless login in Bitwarden on desktop
1. Open the Bitwarden desktop app on your PC.
2. Unlock your Vault using your master password.
3. Go to the File > Settings page.
4. Click the checkbox next to the option that says "Approve Login Requests".
5. Switch to your web browser, and access the Bitwarden web vault https://vault.bitwarden.com/
6. Enter your email address in the username field.
7. Click the continue button, and the page will prompt you to enter your Master Password. It also has an option to "Login with Device". (1st screenshot)
8. Select the option, and the page will display a message that reads "Log in initiated", and says that a notification has been sent to your device. It also shows a fingerprint phrase, which is a combination of random words.
9. Switch out to the Bitwarden desktop app, and you should see a pop-up window that gives you the details of the login attempt. This push notification lists the IP address where the request was made from, the time, and the browser used for signing in. The fingerprint phrase is also displayed in this panel. You can use this information to check whether it is a legitimate login attempt or not, i.e. if it is from your device or elsewhere.
10. Click the confirm login button to allow the passwordless login attempt. Or, hit the deny login button to block access to your account.
Note: The process to enable the log in with device option on the Bitwarden mobile app for Android and iOS is slightly different. You should follow my previous article to get it working.
You will be prompted to enter the 2FA code if you have enabled two-step login for your Bitwarden account (and you should). Not seeing the log in with device option in your browser? Update the Bitwarden desktop app and try again. It is also worth mentioning that the button only appears in browsers that you have logged into before, i.e. it works on recognized devices only.
Some people may argue that this is a disadvantage. Let's say you want to access your Bitwarden vault on a friend's computer or a system that you don't normally use. It could be safer to not type your master password to prevent key logging attempts. But, is it really safe to access your vault on a device that may or may not be secure? I think that's the logic behind Bitwarden's implementation of only allowing recognized devices (and browsers) to use the passwordless login feature.
Is this passwordless login method secure? How does it work?
As outlined in the above diagram, the web vault sends an encrypted authentication request to the device with the Bitwarden app. The latter sends back the outcome (approve/deny), which also travels over the same end-to-end encrypted channel (public + private key pair). Bitwarden says that this is a zero knowledge encryption method. Referring to step 2 in the above guide, you need to have the vault unlocked on your desktop to approve a login request made on the web; that is an added layer of security, as are the fingerprint phrase and the 2FA verification.
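To make the exchange concrete, here is an added, simplified model of the login-with-device flow (example code written for this article, not Bitwarden's own implementation): the browser generates a fresh key pair and sends only the public key with the request metadata, both sides derive a fingerprint phrase from that public key, and the unlocked desktop app encrypts its approval to the browser's public key once the user has compared the phrases. The word list, the request fields and the "approved" payload are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

// Constructed word list for the demo; a real fingerprint phrase draws from a far larger list.
var wordList = []string{"apple", "baker", "cable", "delta", "eagle", "fable", "gamma", "hotel",
	"igloo", "jolly", "kayak", "lemon", "mango", "nurse", "ocean", "piano"}

// LoginRequest is what the browser sends: the public half of a fresh key pair plus the
// metadata the approving device shows to the user (IP and browser, as in step 9 above).
type LoginRequest struct {
	Email, IP, Browser string
	PubKey             *rsa.PublicKey
}

// FingerprintPhrase derives n words from a hash of the public key. Both ends compute it
// independently, so a match shows the approver is encrypting for the key the browser holds.
func FingerprintPhrase(pub *rsa.PublicKey, n int) string {
	digest := sha256.Sum256(pub.N.Bytes())
	parts := make([]string, n)
	for i := range parts {
		parts[i] = wordList[int(digest[i])%len(wordList)]
	}
	return strings.Join(parts, "-")
}

// NewLoginRequest runs in the browser: generate a key pair, keep the private key locally
// and send only the public key with the request.
func NewLoginRequest(email, ip, browser string) (*LoginRequest, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &LoginRequest{Email: email, IP: ip, Browser: browser, PubKey: &priv.PublicKey}, priv, nil
}

// Approve runs on the unlocked desktop app after the user compares the phrase shown in the
// browser with the one in the pop-up; the approval payload is encrypted to the browser's key.
func Approve(req *LoginRequest, phraseSeenInBrowser string, payload []byte) ([]byte, error) {
	if FingerprintPhrase(req.PubKey, 5) != phraseSeenInBrowser {
		return nil, errors.New("fingerprint phrase mismatch: deny the request")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, req.PubKey, payload, []byte(req.Email))
}

// Complete runs back in the browser: only the holder of the private key can read the payload.
func Complete(priv *rsa.PrivateKey, email string, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, []byte(email))
}
```

The phrase check models the manual comparison the article describes: a request whose phrase does not match what the browser displays is denied before anything is encrypted, and a payload encrypted for one browser's key cannot be opened by any other key pair.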
Essentially, Bitwarden's passwordless login reduces how often you have to unlock your vault across your devices. For example, normally you would enter the master password to unlock your vault in the desktop (or mobile) app. When you then want to access your account via the web vault or the browser extension, you would have to enter the password again. With the passwordless login method, you only need to enter the password once (in the desktop or mobile app). It is somewhat similar to using Windows Hello or Touch ID, but passwordless login is simpler and does not require special hardware (like a fingerprint reader).
Bitwarden recently introduced support for Argon2 KDF iterations, which is more secure than PBKDF2. Learn how to enable it to protect your account further.
What happens if you lose access to a device?
You won't be locked out of your vault. The passwordless login system is, as the name suggests, simply a different way to log in to your account. So in the unfortunate event that you cannot access your phone, you can still use your master password to unlock the vault via a web browser, or via another device where you have used it previously.
It's up to you to decide whether you want to use the feature or not, it's not enabled by default. The option is not available for the web extensions for browsers yet. The official announcement can be found here.
Have you tried Bitwarden's passwordless login?
As a person that had his devices lost in the past and even had all data wiped out in unfortunate circumstances, I despise these security measures. I know my master password which is additionally secured with 2FA. Plus there’s a mail for every login attempt. I’m fine with my current setup. Truly hate these passwordless security measures, after all you can lose your device unfortunately. The last thing you want then is being unable to get access to your account.
Read the article and you’ll get a little more understanding how passwordless works. It doesn’t mean no authentication, it’s actually more secure than password/2fa combo. You’re not entering a password on the device. It’s sending a request to a device you are logged into and authenticated already using your long, strong, complex password along with your 2fa auth method asking for approval. If you lose your computer that was setup as “passwordless” and someone tries to access it via the “login with device” option, you’ll get a prompt and can just deny the request and they don’t get any access to your vault.
It’s not truly passwordless. You can use your master password to login even if you lose your device.
What if you lose access to your logged-in device? How are you going to approve upcoming login requests?
I know it isn’t truly passwordless and my point is about necessity of an already logged-in device for further login approvals.
Does this work for the chrome browser extension?
Quote: “The option is not available for the web extensions for browsers yet.”
Thx for the article. I’m little by little getting BW down after being a paid LP user for 14 years.
I surely expect more hacking attempts aimed at BW. Hopefully they learn from LP’s stupid attempts to not be forthcoming.