bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Bitwarden desktop app allows laptop password to unlock vault #10444

Open Jack15911 opened 1 month ago

Jack15911 commented 1 month ago

Steps To Reproduce

  1. Go to MacOS BW Desktop app and login/unlock
  2. Ensure Firefox browser extension in Account Security has clicked "Unlock with Biometrics," and Desktop app Security has "Unlock with Touch ID" and "Ask for TouchID on app start."
  3. Lock both instances, MacOS by using app menu bar, "Bitwarden/Lock Vault," and Firefox Bitwarden extension by selecting the vault initials in the upper right of the popup screen and selecting "Lock now."
  4. Attempt to unlock the Bitwarden extension by choosing "Unlock with Biometrics" using fingerprint biometrics; a popup box will reject this approach because the Desktop app is locked.
  5. Attempt to unlock desktop app by choosing "Unlock with Touch ID" on the lock screen; this attempt does present you a TouchID screen.
  6. Present an erroneous fingerprint three times; it will fail to open three times, but on the third, it will give you an option of using your laptop password. This will unlock your Desktop app vault, even if your laptop password is "abc123," or "ilovemycat."

Expected Result

Failed TouchID attempts should require Bitwarden Master Password, not a weak laptop password.

Actual Result

The Firefox extension fingerprint/TouchID failure process is good - it requires the Bitwarden Master Password. There is a different, weaker failure process for the Desktop app's TouchID fingerprint failure - the Desktop app will unlock with the laptop password.

Screenshots or Videos

No response

Additional Context

There are reasons for sharing a laptop password, including relatives and repair people, though they shouldn't have access to your Bitwarden vault. This failure mode also occurs with Wi-Fi off, so logging off every device would have no effect.

Operating System

macOS

Operating System Version

Sonoma 14.5

Web Browser

Firefox

Browser Version

129.0

Build Version

2024.7.1

quexten commented 1 month ago

Hi @Jack15911 , thank you for your report.

This behaviour is a platform limitation of Electron's Touch ID implementation. Electron is the desktop application framework Bitwarden Desktop is based on.

However, one upcoming change to biometrics will be the transition to a newer version of Apple's keychain API, using a native (Rust/Objective-C) implementation. During this upgrade, the biometric unlock will be locked down to biometricCurrent, i.e. the currently registered set of fingerprints (and probably companion, i.e. Apple Watch). This will prevent the laptop password from being used for unlocking.

I will update this issue once those changes have made it into the client.
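As an added illustration of the keychain access-control change quexten describes (example code, not code from the bitwarden/clients repository), the Objective-C snippet below stores a vault key in the macOS data-protection keychain and contrasts the flag that permits a device-password fallback with kSecAccessControlBiometryCurrentSet, which I assume is the "biometricCurrent" referred to above. The service and account names and the sample key are placeholders, and the program has to run from a signed app with keychain entitlements.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Builds the access-control object for a keychain item. `flags` decides what the
// OS accepts when the item is read: kSecAccessControlUserPresence lets the prompt
// fall back to the device (laptop) password after failed biometric attempts, which
// is the behaviour reported in this issue; kSecAccessControlBiometryCurrentSet
// accepts only the biometrics enrolled right now and invalidates the item if that
// enrolment set changes, so the laptop password can never substitute for it.
static SecAccessControlRef CreateAccessControl(SecAccessControlCreateFlags flags) {
    CFErrorRef error = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // wiped if the device passcode is removed
        flags,
        &error);
    if (acl == NULL) {
        NSLog(@"SecAccessControlCreateWithFlags failed: %@", error);
        if (error) CFRelease(error);
    }
    return acl; // caller releases
}

// Stores `vaultKey` under placeholder service/account names, protected by `acl`.
// Returns the OSStatus from SecItemAdd (errSecSuccess on success).
static OSStatus StoreVaultKey(NSData *vaultKey, SecAccessControlRef acl) {
    NSDictionary *base = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: @"example.vault.biometric-key", // placeholder
        (__bridge id)kSecAttrAccount: @"example-user",                // placeholder
        (__bridge id)kSecUseDataProtectionKeychain: @YES, // required on macOS for access-controlled items
    };
    SecItemDelete((__bridge CFDictionaryRef)base); // replace any earlier copy
    NSMutableDictionary *add = [base mutableCopy];
    add[(__bridge id)kSecAttrAccessControl] = (__bridge id)acl;
    add[(__bridge id)kSecValueData] = vaultKey;
    return SecItemAdd((__bridge CFDictionaryRef)add, NULL);
}

int main(void) {
    @autoreleasepool {
        NSData *key = [@"constructed-sample-vault-key" dataUsingEncoding:NSUTF8StringEncoding];
        // Weak: biometric prompt may fall back to the laptop password (the reported bug).
        SecAccessControlRef weak = CreateAccessControl(kSecAccessControlUserPresence);
        // Hardened: current biometric set only, no password fallback.
        SecAccessControlRef strict = CreateAccessControl(kSecAccessControlBiometryCurrentSet);
        NSLog(@"stored with BiometryCurrentSet: %d", (int)StoreVaultKey(key, strict));
        if (weak) CFRelease(weak);
        if (strict) CFRelease(strict);
    }
    return 0;
}
```

Reading the item back with SecItemCopyMatching triggers the biometric prompt, and with the hardened flag the prompt offers no password option.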