bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Can't unlock FF extension with biometrics anymore if Bitwarden is not unlocked #9333

Open holdit opened 1 month ago

holdit commented 1 month ago

Steps To Reproduce

  1. Firefox + Bitwarden + option to unlock with biometrics enabled
  2. Open Bitwarden client (from app store), but don't unlock it
  3. Try to unlock the extension with your fingerprint

Expected Result

Until the Bitwarden client (installed via the app store) was updated to "2024.5.0", I could have the client running in the background locked, and when I used the browser extension, the "popup" window to use my fingerprint would come up and using it, the Bitwarden Firefox extension would unlock.

Not requiring the client to be unlocked was good, as there's no need for content to be available if we're just using the client to process browser extension requests to unlock via biometrics.

Actual Result

Since the update to the 2024.5.0 client, the option "unlock with biometrics" on the Firefox extension stopped working if the Bitwarden client itself isn't unlocked.

The extension doesn't show an error or tell users what to do. The "popup" saying that Bitwarden is trying to unlock my vault never comes up and passing my finger over the reader doesn't do anything. The extension is never unlocked.

Operating System

macOS

Operating System Version

macOS 14.5

Web Browser

Firefox

Browser Version

Latest stable/beta/ESR

Build Version

FF extension: 2024.4.2; macOS client: 2024.5.0 (app store)

Krychaz commented 1 month ago

Hello there,

Will you try uninstalling the application, removing any leftover data, powering off and on your device and re-installing? Does this issue still persist?

Guide to the leftover data: https://bitwarden.com/help/data-storage/#on-your-local-machine

holdit commented 1 month ago

Hi @Krychaz,

I've uninstalled both the mac client and firefox extension (and removed the leftover data, as instructed), restarted the machine, reinstalled them, and logged in to both.

The problem is still there. With the mac client (from the app store) open - but not unlocked - the extension initially shows the same "Awaiting confirmation from desktop" message as before:

[Screenshot 1]

But after a few seconds, nothing happens and "Awaiting confirmation from desktop" disappears:

[Screenshot 2]

It works if I unlock the mac client. Before this wasn't needed, only that the client was running in the background.

So it seems that some change in the mac client 2024.5.0 (or a change on the extension, not sure if that was updated. I'm using 2024.4.2) broke biometrics unlocking when the mac client isn't unlocked.

holdit commented 1 month ago

Just to be sure it wasn't just Firefox:

I've tested with Brave (Version 1.66.113; Chromium: 125.0.6422.76; arm64) and the same thing happened (extension version: 2024.4.2). Biometrics unlocking only works if the mac client vault is unlocked.

With Safari, the "popup" comes up, but it doesn't unlock the extension. Works fine if I unlock the mac client.

So it affects Firefox, Brave, and Safari.

BurntToasters commented 1 month ago

Can confirm this happens to me as well, but on Windows 10 22H2 build 19045.4291 with Firefox 126.0 and Brave 1.66.113, with the new Bitwarden desktop app (2024.5.0). The extensions are running version 2024.4.2. I used Revo Uninstaller to fully remove the previous version of the desktop app and installed the new one, and it still has the same issue.

EagleonePrimo commented 1 month ago

Same here. Windows 11 23H2 Build 22631.3593, Chrome 125.0.6422.77, BW Client: 2024.5.0, BW Extensions: 2024.5.0

Tipoff4317 commented 1 month ago

Seems this is now the expected "interim" behavior. BW employee responded in this reddit thread:

https://old.reddit.com/r/Bitwarden/comments/1cyw9sp/extension_202450_always_requires_desktop_app_to/

holdit commented 1 month ago

If only there was a place to warn users about these changes... I don't know, the changelog for example. I guess that's reserved to more important stuff, like the very descriptive "- Bug fixes".

We shouldn't have to learn about this via some random post on social media.

mwisnicki commented 1 month ago

If the browser extension is older than the desktop client, then the user gets no message, just a silent failure. With a newer extension, at least there is an explanation.

pascal-ws commented 1 month ago

Same here. Windows 11 23H2 Build 22631.3593, Edge 125.0.2535.67 (Official Build) (64-Bit), BW Client: 2024.5.0, BW Extensions: 2024.4.2

From the discussion at reddit above, what is the recommendation (if still wanting to use biometrics)? Is not locking the desktop app considered "secure enough"?

But now either I have to keep the desktop app unlocked all the time, which I don't feel comfortable with, or I have to first unlock the desktop app and then unlock the extension every time, which I find quite inconvenient.

Please include an error message next time.

holdit commented 4 weeks ago

@mwisnicki is correct. The message is there on extension v2024.5.0 and 2024.5.1, but it still only says that the app needs to be "started". Well, the app is open... but it doesn't work as it also needs to be unlocked.

[Screenshot: brave]

The problem is that the Firefox extension is still on 2024.4.2 and even the Chromium extension didn't update right away.

Knowing that it takes time for extension updates to be approved - especially on Firefox - I still think these changes need to be better communicated.

I rely on the changelog to learn about changes. Since on macOS biometrics only works with the version from the App Store and I've updated, I can't go back. I'm stuck with this update, which was supposed to only have "bug fixes". Now I need to change the way I unlock the browser extension or keep the vault unlocked all the time.

robwhess commented 3 weeks ago

I'm also wishing this behavior hadn't changed. I'll also add, since I don't think anyone has mentioned it, that even though I have the BW client set to allow unlocking with Touch ID, it doesn't give me that option. So if I want to use the BW browser extension to fill a password when the client is locked, I have to go through these steps:

  1. Try to use BW extension, discover I can't use Touch ID because client is locked.
  2. Open BW client, discover I need to type my password because Touch ID isn't an option.
  3. Type my password to unlock BW client.
  4. Go back to browser. Use Touch ID to unlock BW extension.
  5. Now I can fill my password.

These may be two unrelated issues, but it's annoying to have to type my password in the client so I can use Touch ID to unlock the extension.

pascal-ws commented 3 weeks ago

> These may be two unrelated issues, but it's annoying to have to type my password in the client so I can use Touch ID to unlock the extension.

Hey @robwhess, I think it's a good idea to start a separate issue for this. But, why is TouchID (I guess Biometrics in general?) not an option for you? My workflow is:

Maybe it's a bug or misconfiguration in your app?

One thing to remember: You need to basically keep the Client App running and set it so that it only minimizes when closing and just "locks" itself for using biometrics, since it's recommended not to use it on first start of the app (for me that's right after starting my device), although there is an advanced option to even allow that. Then, when opening the App, it should give you the option for Biometrics.

Might depend on version and OS of course.

robwhess commented 3 weeks ago

Thanks for the input @pascal-ws. When I said Touch ID was not an option, what I meant was that the BW client doesn't give me the option to use Touch ID to unlock it, only password. This is despite having the "Unlock with Touch ID" setting turned on. I do also always have the BW client app running. It correctly always shows in the Mac menu bar. The issue is that when it locks itself, I can't use Touch ID to unlock it for some reason. Interestingly when the BW client app first starts (e.g. when I restart my machine), I can use Touch ID to log in (I also have the "Ask for Touch Id on app start" option enabled), but that's the only time I can use Touch ID with the client app.

gdurys commented 3 weeks ago

@robwhess It looks like #7150, no? I also have the Touch ID button disappearing.

robwhess commented 3 weeks ago

Thanks @gdurys. I hadn't seen that.

Xytronix commented 2 weeks ago

Issue occurs on Arc as well, do hope for a solution.

sylveon commented 1 week ago

Can repro with Edge on Windows

X4V1 commented 1 week ago

The issue is still present in 2024.06

zexpe commented 1 week ago

> With Safari, the "popup" comes up, but it doesn't unlock the extension. Works fine if I unlock the mac client.

So, I've been having the same behaviour too both on the latest and previous releases of Bitwarden. However, I've noticed that if I use Touch ID when the "popup" comes up it doesn't work, but if I instead enter my computer password in that "popup" (not the Bitwarden master password in the extension itself, which also works, obviously) - then it works to unlock the browser extension. Odd... you'd expect biometrics and computer password to offer the same authorisation behaviour.

zexpe commented 1 week ago

Actually, just tried this again... what's actually happening is that regardless of whether I use Touch ID or I use the computer password, it will unlock the extension but only if I click away from the extension and then click for a second time. Very weird. Also it then locks again after a short while... but doesn't show the lock icon.

rumenavramov commented 1 week ago

> Seems this is now the expected "interim" behavior. BW employee responded in this reddit thread:
>
> https://old.reddit.com/r/Bitwarden/comments/1cyw9sp/extension_202450_always_requires_desktop_app_to/

I opened a ticket with support and they responded the same way - this is the expected temp behaviour. Sadly, the docs are not updated to reflect that and I agree that this change should have been announced somehow. They also said that they are trying to come up with a better approach that will maintain security while providing the convenience of the old behaviour. Additionally, the code to have a proper error message should have been pushed to the browser extension before the behaviour was changed, because the extensions are always behind the desktop app due to the approval process they need to pass with every new release.

holdit commented 6 days ago

Finally, a useful message. Add-on v2024.6.2:

[Screenshot: message]

zexpe commented 6 days ago

> Actually, just tried this again... what's actually happening is that regardless of whether I use Touch ID or I use the computer password, it will unlock the extension but only if I click away from the extension and then click for a second time. Very weird. Also it then locks again after a short while... but doesn't show the lock icon.

I get the same behaviour in 2024.6.2. It appears to not unlock with biometrics, but if I tap away and then tap the extension again then it's unlocked...