bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

**BUG REPORT** biometrics fails with safari browser extension. #5407

Open Snarj opened 1 year ago

Snarj commented 1 year ago

Steps To Reproduce

THIS IS A REPORT OF A BUG. CORE BIOMETRIC FUNCTIONALITY FAILS ON A MAJOR OS.

  1. Go to Safari > Bitwarden extension > Settings
  2. Toggle 'unlock with biometrics' to checked.
  3. Lock or close/reopen browser to get login biometrics prompt
  4. Fail to log in after successful biometrics authentication with error:

Expected Result

Successful unlocking of vault.

Actual Result

Failure to unlock vault with the exact error "Account missmatch The desktop application is logged into a different account. Please ensure both applications are logged into the same account." (yes including the typo)

Screenshots or Videos

No response

Additional Context

Tested OS: macOS 13.3.1a (though all versions since at least macOS 11 have been affected). Safari version 16.4 (though again, this has been broken for several years). Bitwarden Desktop and Safari extension version 2023.4.0 (again broken for many versions though).

Broken across several physical machines including 2016 mbp 13, 2020 m1 air, and 2021 M1 Pro mbp.

Chromium browser extension works once desktop is running, but Safari extension fails with or without Bitwarden desktop running.

This bug appears to affect a handful of others:

https://github.com/bitwarden/clients/issues/2522

https://www.reddit.com/r/Bitwarden/comments/11tj1wu/unlock_with_touch_id_on_mac/

Someone who closed this bug report with the explanation that GitHub is for bug reports [?] said the following:

> I attempted to reproduce this and was unable to do so.

The bug still affects myself and others. You not being affected does not fix the bug.

> I suspect that the desktop client is logged into a different account

This assumption is incorrect. This issue affects a single account, and it logs in successfully when using password, but fails when attempting biometric authentication.

> and/or another application is interfering with the communication between the extension and the desktop client;

Ok, so... a bug.

> I would test this in a different browser, such as Chrome, to check if it's isolated to Safari in order to know how to proceed.

It IS indeed isolated to Safari. Chrome, Edge, (and probably Firefox) extensions work fine with biometric authentication.

> To be clear, I tested this with Bitwarden 2023.4.0, Safari 16.4, and macOS 13.3.1 (a) whilst the desktop client was logged into a single account and it worked as expected.

I have all the same versions and 100% failure rate, along with others as reported for quite some time now.

> We use GitHub issues as a place to track bugs and other development related issues.

Glad to know this is in the right place.

> If this persists, please write us back using our contact form, so we can continue troubleshooting: https://bitwarden.com/help/ and please include a link to this report in the message content.

Done as well.

Operating System

macOS

Operating System Version

11, 12, 13

Web Browser

Safari, Microsoft Edge

Browser Version

16.4

Build Version

2023.4

Issue Tracking Info

NovaSilentium commented 1 year ago

Hi there,

I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

Snarj commented 1 year ago

Clean macOS install did not resolve it. Safari technology preview did not resolve it.

Completely removing my account, registering a new account, signing in the new account, and using biometrics with the new account DOES resolve it. Either the Safari extension malforms my login for some reason (unlikely), there is an issue with my account that prevents operation (unlikely), or a keychain property associated with my Bitwarden account in iCloud is preventing normal operation. I will update after scrubbing all Bitwarden references from my iCloud Keychain.

edit: deleted the biometrics keychain entry, logged into my main account, re-registered biometrics using the exact same steps as the new dummy account, and still failing when using my main account. I am at a loss.

Ferrox85 commented 12 months ago

Last time I had this, the root cause was an outdated Bitwarden (Vaultwarden) self-hosted version. Updating the server fixed the bug.

olivermuc commented 1 month ago

Seeing the same issue here with two individual accounts (not self-hosted). Both accounts sometimes operate as expected, i.e.

however, the majority of the times it doesn't:

Sometimes I get it to work by toggling the Safari extension. Other times it helps to launch the Bitwarden Mac app (bio-authenticating there always works) and then simply switching back to Safari seems to do the trick.

Tedious, but at least I can get it to work. Hope this gets addressed soon.

PS: this started happening round about 3-4 weeks ago.

quexten commented 3 weeks ago

@olivermuc Since you mention two individual accounts, is this on two different machines? (Account switching on safari is currently not enabled in the production release).

olivermuc commented 3 weeks ago

> @olivermuc Since you mention two individual accounts, is this on two different machines? (Account switching on safari is currently not enabled in the production release).

no, both accounts are completely separate. different email addresses, different computers.

one more observation: when the biometric auth appears to be working (i.e. Bitwarden accepts it) but then doesn't show any content in the Safari extension popup, what helps is to switch tabs back and forth. this at least worked the last few times I ran into this issue.

ps: i wanted to verify the above just now and funnily enough, it worked as intended, no erroneous behaviour shown. i'll keep an eye out, and will update this thread.

quexten commented 3 weeks ago

Since this hasn't been reproduced yet it's somewhat hard to see what exactly is causing this. #10326 changes the way the browser extension validates its keys after a biometric unlock, which might fix this issue, and adds additional error messages to further help uncover the cause. I will post an update when that change has made it to a release, so that we can see if the issue is still present.