bitwarden / authenticator-ios

Bitwarden Authenticator mobile app for iOS.
https://bitwarden.com
GNU General Public License v3.0
145 stars, 8 forks

App only requires Touch/Face ID for the initial opening #123

Open spuk- opened 5 months ago

spuk- commented 5 months ago

Steps To Reproduce

  1. Go to the app settings tab
  2. Enable "Unlock with Touch ID"
  3. Press the home button to exit Authenticator
  4. Tap on the Authenticator app to enter it again without requiring Touch ID

Expected Result

The app should require Touch ID to be opened.

Actual Result

The app is opened without requiring Touch ID.

The app only requires Touch ID when the app is reopened after being closed (i.e., double-pressing the home button to open the app switcher and swiping it off the screen to close it).

Screenshots or Videos

No response

Additional Context

No response

Build Version

2024.6.1

Environment Details

Issue Tracking Info

RobertD502 commented 5 months ago

I'd like to add that the same behavior is seen with Face ID.

Version: 2024.6.1 (45)

samholmes commented 1 month ago

I just submitted this feature request to support. I'd like to further add this request:

  1. Touch/Face ID is required to view a raw TOTP key.
  2. Touch/Face ID is required to export data.

This further restricts attackers from somehow getting access to a user's TOTP keys discreetly if the user were to make the mistake of leaving the Authenticator app open and unlocked. An attacker couldn't sweep a user's TOTP data discreetly with the intention to brute-force their accounts later on. The worst an attacker could do in that event is attempt to brute-force their individual accounts in the moment they have access to the opened app.
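The behaviour the report expects (re-lock when the app leaves the foreground, prompt again on return rather than only on a cold launch) together with the per-action gate requested above, as an added SwiftUI/LocalAuthentication sketch that is not the project's own code; the `LockCoordinator` name, the settings key and the prompt reasons are assumptions.

```swift
import SwiftUI
import LocalAuthentication
/// Added example (not Bitwarden's code). Lock state follows the scene
/// lifecycle, so returning from the app switcher prompts again rather than
/// only a cold launch; the same check gates revealing a raw seed or exporting.
/// The settings key and prompt reasons are hypothetical.
@MainActor
final class LockCoordinator: ObservableObject {
    @Published private(set) var isLocked = true
    private var promptInFlight = false
    var unlockWithBiometrics: Bool { UserDefaults.standard.bool(forKey: "unlockWithBiometrics") }

    /// Wire to `.onChange(of: scenePhase)` on the root view. Going to the
    /// background re-locks; becoming active again prompts while still locked.
    func handle(phase: ScenePhase) {
        switch phase {
        case .background:
            isLocked = true
        case .active where isLocked:
            Task { self.isLocked = await !self.authenticate(reason: "Unlock Authenticator") }
        default:
            break
        }
    }

    /// Gate for the raw-seed view and the export path: the secret is only
    /// handed out after a fresh biometric check, even if the app is unlocked.
    func reveal(secret: String) async -> String? {
        await authenticate(reason: "Show the TOTP secret") ? secret : nil
    }

    /// A new LAContext per call: a cached context keeps an earlier success for
    /// touchIDAuthenticationAllowableReuseDuration and may not prompt at all.
    func authenticate(reason: String) async -> Bool {
        guard unlockWithBiometrics else { return true }
        guard !promptInFlight else { return false }   // no stacked prompts
        promptInFlight = true
        defer { promptInFlight = false }
        let context = LAContext()
        context.touchIDAuthenticationAllowableReuseDuration = 0
        var error: NSError?
        // Biometrics unavailable or enrolment changed: fail closed, not open.
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
            return false
        }
        let ok = try? await context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                                   localizedReason: reason)
        return ok ?? false
    }
}
```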