bitwarden / mobile

Retired Bitwarden mobile app for iOS and Android (MAUI/Xamarin).
https://bitwarden.com
GNU General Public License v3.0

iOS not auto-filling properly with argon2id #2389

Open j81Q3FxaKMPRG5GfjGcFW7eEP1YdV6mU3kDfvle opened 1 year ago

j81Q3FxaKMPRG5GfjGcFW7eEP1YdV6mU3kDfvle commented 1 year ago

Steps To Reproduce

  1. Change to argon2id authentication. I tested with Kdf memory of 105mb as well as 90mb, and multiple iterations (5+) with parallelization of 1. These memory values are below the iOS auto fill memory limit (https://keepassium.com/articles/autofill-memory-limits/) which is why it surprises me it fails. Also there isn’t a warning of this limit as well both when setting, and when a failure occurs due to memory I would expect an error message. Even at 64mb, it doesn’t work consistently (sometimes takes multiple tries) even after flushing the memory.
  2. Try to auto fill for a normally working login on iOS device (I used an iPhone 13 Pro for testing). I tested on sites like google.com and Hulu.
  3. Observe nothing being auto filled into the appropriate fields
  4. Revert authentication back to PBKDF2 (even 2,000,000 iterations) and observe that auto fill works again

Expected Result

Auto fill on iOS to work with memory limits up to 120mb

Actual Result

Auto fill doesn’t work/actually fill in details. Tried on multiple sites and apps, from Safari to Chrome to apps like Hulu. It works fairly consistently at 64mb and maybe higher but haven’t done more precise testing

Screenshots or Videos

Additional Context

There isn’t a warning of the 120mb limit as well both when setting, and when a failure occurs due to memory I would expect an error message. But even at 64mb, it doesn’t work consistently (sometimes takes multiple tries) even after flushing the memory, before auto fill actually works.

Operating System

iOS

Operating System Version

16.3

Device

iPhone 13 Pro

Build Version

Version: 2023.2.0 (3044)

Beta

tAbIkUi4blEAu4VW0M5YzJirfSmb81ikaEnVLxy commented 1 year ago

Hi @BenjaminMichaelis,

This has been escalated for further investigation. If you have more information that can help us, please feel free to add it below.

Thank you.

j81Q3FxaKMPRG5GfjGcFW7eEP1YdV6mU3kDfvle commented 1 year ago

Also, here is a quick video on it. In this video, I enter in a pin, then Bitwarden disappears without showing anything. As well, normally at the top of my keyboard it gives a preview as to the emails that can be used to log into this site, but those don't show up.

https://user-images.githubusercontent.com/22186029/220522587-bc0df238-96c3-4668-bec5-0e670c0efa3c.MOV

wvHuZ1uBpfzpBNgkrqGCbppW41gkErPZPGqUOam commented 1 year ago

Also experiencing this issue. iPhone 14 Pro on iOS 16.3.1 tried as low as 16mb, 3 iterations and 4 on parallelism without it working, not even on multiple tries.

https://user-images.githubusercontent.com/51903586/223090002-3e561787-4b24-4e6c-aa54-b6c13e691f3a.mov

Using the lowest possible settings, 16mb, 2 iterations, and 1 on parallelism works though. Hope this information helps.

tAbIkUi4blEAu4VW0M5YzJirfSmb81ikaEnVLxy commented 1 year ago

Hello @BenjaminMichaelis and @frdrkolsson,

Could you please activate Touch/Face ID as an unlocking method (https://bitwarden.com/help/biometrics/) and then attempt to perform Auto-Fill and let me know if you encounter the same behaviour? I ask because there are reports that indicate that this happens only when you unlock the client using the master password through the Auto-Fill flow.

Thank you in advance,

vfHl0IpR8cYKV2ywHUJZuuOYu4CQIRMGbrI6N7J commented 1 year ago

@SergeantConfused I'm using Argon2id with very high KDF memory, and I can confirm that AutoFill works just fine when the vault is being unlocked via biometrics. The problem is that whilst I am able to use autofill using Touch/Face ID now, it didn't work previously for some reason - I was still being asked for the master password (which can't be verified due to the memory limits of iOS) to enable biometric unlocking through autofill despite it being active & working on the app itself.

j81Q3FxaKMPRG5GfjGcFW7eEP1YdV6mU3kDfvle commented 1 year ago

> Hello @BenjaminMichaelis and @frdrkolsson,
>
> Could you please activate Touch/Face ID as an unlocking method (https://bitwarden.com/help/biometrics/) and then attempt to perform Auto-Fill and let me know if you encounter the same behaviour? I ask because there are reports that indicate that this happens only when you unlock the client using the master password through the Auto-Fill flow.
>
> Thank you in advance,

I do encounter the same issue (with a slight twist). It still doesn't autofill, but I get in a loop of biometric unlock pending verification of master password, entering in the master password, then it closing the autofill (the same action as when I finished entering in my pin when I was testing that). This was at a KDF memory of 90mb.

wvHuZ1uBpfzpBNgkrqGCbppW41gkErPZPGqUOam commented 1 year ago

> Hello @BenjaminMichaelis and @frdrkolsson,
>
> Could you please activate Touch/Face ID as an unlocking method (https://bitwarden.com/help/biometrics/) and then attempt to perform Auto-Fill and let me know if you encounter the same behaviour? I ask because there are reports that indicate that this happens only when you unlock the client using the master password through the Auto-Fill flow.
>
> Thank you in advance,

I have biometrics enabled (Face ID), and I've tried to disable/re-enable, without solving this matter. After biometrics passes, the dialog disappears, and nothing is filled, with a brief moment before the keyboard is back up and I can try again, without avail. I have not yet succeeded in any successful autofills with any decent settings.

Just to emphasize, with the following settings, it works every time, but anything above it fails.

tAbIkUi4blEAu4VW0M5YzJirfSmb81ikaEnVLxy commented 1 year ago

Thank you all for your assistance; We are looking into this matter internally at this stage.

I thank you in advance for your understanding and patience.

zgpyAjrWDLpmFUqIpAfq3dji1W45Hq65OUlmrlT commented 1 year ago

In case it helps triaging @SergeantConfused this is an iOS autofill context limitation. It is well known on other password managers https://keepassium.com/articles/autofill-memory-limits/ . The "fix" in other password managers is displaying a warning when trying to log in during autofill, with too high argon2 memory configuration, that explains the issue / warns about too low memory and possibly suggests to log in to the main app before autofilling (since there the limit does not apply).

There is a previous GitHub issue that is the same problem: https://github.com/bitwarden/mobile-maui/issues/2383

Kww0YAd9IuAnLKpRc9GPLTIX18zengr8327Cvbu commented 1 year ago

Issue solved for my side (1000 entries approx):

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 10 months ago

I'm having the same issue on latest iOS. I feel like it started happening somewhat recently, maybe ios 16. Argon2 worked fine for a while.

I am using all the default argon 2 setting for memory, iterations, and parallelism

I get the warning often, but not every time. Some times the auto fill works despite the warning, sometimes it doesn't. When it doesn't, it almost always does if I just try again immediately.

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 10 months ago

After more testing, whenever the auto populate fails for me, it always works on the second attempt following the same steps

Sometimes it works first time, sometimes it requires two tries

In every case, I see the KDF memory warning

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 9 months ago

This is still happening on the latest major release iOS 17.0

Same behavior: always shows memory warning; sometimes auto-fill works first time, else auto-fill always works on second attempt

yuNDm7WxiCmuAYyJEWRxUdFZGdJvPuVH7Hqq97x commented 9 months ago

It doesn't autofill when you need to input the master password. It just stays blank and does nothing.

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 9 months ago

@sallyFoster I don't understand your comment. The BitWarden master password should not be auto filled. You enter that manually and then BW returns you to the web/app login form and auto fills that

At least, it should auto fill that. Sometimes it doesn't, which is what this issue is about

yuNDm7WxiCmuAYyJEWRxUdFZGdJvPuVH7Hqq97x commented 9 months ago

@arderyp No, if you want extra security, you can have the master password to be required on your iPhone even with biometrics on. When you have the master password added on top of biometrics, it doesn't auto-fill ever with argon2id. I am using iPhone 11 Pro Max btw.

RX5ulL6nKunJz88UkudvsdCkM5jkiNQA74LKKeP commented 9 months ago

@SergeantConfused this appears to be the same however I had never had this issue until updating bitwarden to 2023.9. Previously I had been on iOS 16, no issues with previous versions of BW. I then updated iPhone 14 pro to iOS 17 and then a security update for that came out and all was good. Bitwarden app version 2023.9 came out and now I’m receiving warning unlocking may fail due to insufficient memory. Clicking continue does not auto fill. I am using the default values for argon2.

Update: ahh, maybe I never noticed this because I would keep my vault timeout to never, therefore I never had to go through the unlock process for autofill, which is memory intensive on iOS? So I guess it’s possible I may have had this problem as old as this thread.

tchuGWED1polKRaffRuAXXuGqg5KEk7ddyPHCYj commented 9 months ago

Started with BW 2023.9.1. iOS 15.7.9 on 256 GB iPhone 7 Plus. Had been using Argon2id for many months without trouble.

j81Q3FxaKMPRG5GfjGcFW7eEP1YdV6mU3kDfvle commented 9 months ago

> Started with BW 2023.9.1. iOS 15.7.9 on 256 GB iPhone 7 Plus. Had been using Argon2id for many months without trouble.

I also have begun having trouble with autofill when I hadn't previously in months (other than one off cases, but trying autofill a second time always worked). Now it fails no matter how many times I try. Have ended up having to open the app itself and copy over details.

Using iOS 17.0 and Bitwarden Version: 2023.9.1 (4890) and a pin to unlock in autofill.

RX5ulL6nKunJz88UkudvsdCkM5jkiNQA74LKKeP commented 9 months ago

This has been opened since February and no one assigned to task, I’m guessing this is something that won’t be addressed in the near future?

tchuGWED1polKRaffRuAXXuGqg5KEk7ddyPHCYj commented 9 months ago

Bitwarden support just emailed me:

> I believe this is a known bug with Argon2: https://github.com/bitwarden/mobile-maui/issues/2389 The workaround for the time being is to revert to pbkdf2 until the issue has been resolved.

tAbIkUi4blEAu4VW0M5YzJirfSmb81ikaEnVLxy commented 9 months ago

Hello,

@Gerardv514, @BenjaminMichaelis, @dickaux, have you had your (Vault Timeout) set to (Never) all this time, and this behaviour started only recently with version 2023.9.1?

Thank you in advance,

RX5ulL6nKunJz88UkudvsdCkM5jkiNQA74LKKeP commented 9 months ago

> Hello,
>
> @Gerardv514, @BenjaminMichaelis, @dickaux, have you had your (Vault Timeout) set to (Never) all this time, and this behaviour started only recently with version 2023.9.1?
>
> Thank you in advance,

For me yes, I had always been set to vault timeout never. I believe the reason we are seeing this issue just now is due to the other bug recently introduced in 2023.9 which is vault timeout is not being respected in iOS.

tchuGWED1polKRaffRuAXXuGqg5KEk7ddyPHCYj commented 9 months ago

I get vault lock all the time. It doesn’t matter where Timeout is set. Note that after each change in timeout, I log out and then restart entering my master pw. -Dickaux

On Mon, Sep 25, 2023 at 11:12 AM SergeantConfused @.***> wrote:

> Hello,
>
> @Gerardv514 https://github.com/Gerardv514, @BenjaminMichaelis https://github.com/BenjaminMichaelis, @dickaux https://github.com/dickaux, have you had your (Vault Timeout) set to (Never) all this time, and this behaviour started only recently with version 2023.9.1?
>
> Thank you in advance,


tAbIkUi4blEAu4VW0M5YzJirfSmb81ikaEnVLxy commented 9 months ago

Hi @dickaux,

I understand that, and that is related to this (https://github.com/bitwarden/mobile/issues/2787); Regardless, have you had your Vault Timeout set to Never prior?

Thank you in advance,

tchuGWED1polKRaffRuAXXuGqg5KEk7ddyPHCYj commented 9 months ago

Yes. It was set to never when I first hit the bug.

-Dickaux

On Mon, Sep 25, 2023 at 1:32 PM SergeantConfused @.***> wrote:

> Hi @dickaux https://github.com/dickaux,
>
> I understand that, and that is related to this (#2787 https://github.com/bitwarden/mobile/issues/2787); Regardless, have you had your Vault Timeout set to Never prior?
>
> Thank you in advance,


tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 9 months ago

I don't think I've ever had vault timeout set to never, and I have this issue. I didn't have it when I first enabled argon2 shortly after it became available, but it has been happening for a number of months and isn't a brand new issue for me

j81Q3FxaKMPRG5GfjGcFW7eEP1YdV6mU3kDfvle commented 9 months ago

> Hello,
>
> @Gerardv514, @BenjaminMichaelis, @dickaux, have you had your (Vault Timeout) set to (Never) all this time, and this behaviour started only recently with version 2023.9.1?
>
> Thank you in advance,

Mine has been set to 15 minutes the whole time, for probably more than 6 months now.

yuNDm7WxiCmuAYyJEWRxUdFZGdJvPuVH7Hqq97x commented 9 months ago

Were you able to look into my issue because it still doesn’t work for me?

https://github.com/bitwarden/mobile/issues/2389#issuecomment-1730330344

tAbIkUi4blEAu4VW0M5YzJirfSmb81ikaEnVLxy commented 9 months ago

Hello everyone,

First, please read this (https://github.com/bitwarden/mobile/issues/2389#issuecomment-1488976242) for context. Some of you are only now encountering this matter because you did not need to unlock the client through the Auto-Fill flow (when performing Auto-Fill) up till the latest version (2023.9.1), and now you are asked to do so because of this (https://github.com/bitwarden/mobile/issues/2787).

  1. The new warning message ''Unlocking may fail due to insufficient memory.'' would be shown on iOS at each and every unlocking attempt, such as through the Auto-Fill flow or when creating a new Send via the Share sheet, when the Argon2id Memory is set to 48 MB or higher and you are unlocking using the master password or PIN. It would not be shown when unlocking the main iOS client (the Bitwarden icon on the home screen).
  2. If you are using Argon2id and you attempt to perform Auto-Fill and nothing happens after you enter the PIN or master password, meaning no credentials are entered into the webpage or you are stuck with a red message stating ''Biometric unlock disabled pending verification of master password'', your Argon2id KDF configuration is probably too high for the device you are using; Please revert to the default Argon2id values and set the KDF Memory to 45 MB and try again. If this behaviour continues, please get in touch with us (https://bitwarden.com/help/) so we'll have a look, and please include a link to this GitHub thread in your message.
  3. If you are using Argon2id and you see the new warning message but are still able to perform Auto-Fill successfully, you can safely ignore that message; Alternatively, you can use Touch ID or Face ID to unlock your client and the warning message would not be shown in that case.
  4. If you would like to use Argon2id with high KDF settings, possibly the same ones you had before you started needing to unlock your client at each Auto-Fill action, you can follow the workaround below. To be clear, when unlocking the iOS client using the master password or PIN, high KDF settings such as KDF Memory above 48 MB can result in the Auto-Fill action failing as mentioned in this GitHub thread; However, it may be possible to unlock the client via Touch ID or Face ID with those high KDF settings and perform Auto-Fill successfully.
     A. Set the KDF Settings to Argon2id where (Iterations = 2) and (Memory = 16).
     B. Log in via the Bitwarden iOS client.
     C. Activate (Unlock with biometrics).
     D. Open a browser, such as Safari, and perform Auto-Fill and enter your Bitwarden master password.
     E. Attempt to perform Auto-Fill again to confirm that there no longer is a need to enter the master password during Auto-Fill, and that Touch ID or Face ID can be used instead.
     F. Navigate back to Web Vault and change the KDF settings to the desired configuration.
     G. Log in via the Bitwarden iOS client anew.

If you are encountering something different, please get in touch with us (https://bitwarden.com/help/) so we'd assist with your particular case, so that we'd keep this GitHub thread focused on this matter only.

I hope you find this clear and helpful, and I thank you in advance for your understanding and patience,

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 9 months ago

@SergeantConfused, regarding the comment you referenced at the top of your latest comment... does this mean this issue is with iOS AutoFill, and not with BitWarden Mobile?

> Some of you are only now encountering this matter because you did not need to unlock the client through the Auto-Fill flow (when performing Auto-Fill) up till the latest version (2023.9.1), and now you are asked to do so because of this (#2787).

I've read this a few times and can't make sense of the words. I used to not experience this issue after enabling Argon2 shortly after BW made it available. Then, at some point, I started receiving this warning frequently--sometimes the auto-fill would work regardless and, if not, it would always work on the second try. Now, since moving to iOS 17, the warning happens every time (still), and the first auto-fill attempt always fails, and the second attempt always works. At no point during my history of argon2 usage have I changed my approach to using it in the UI... I've always used the iOS auto-fill widget. I mention this because the quoted bit above makes it sound like this is user error due to changed behavior, but maybe I'm misreading your statement?

> 1. ... your Argon2id KDF configuration is probably too high for the device you are using; Please revert to the default Argon2id values and set the KDF Memory to 45 MB and try again. If this behavior continues, please get in touch with us (https://bitwarden.com/help/) so we'll have a look, and please include a link to this GitHub thread in your message.

I was using the default argon2 config provided by BitWarden. This set memory=64kb, iterations=3, parallelism=4. I have changed memory to 48 as you suggested. This resolved the issue for me.

For those of us like myself who are not well versed in cryptography, does changing the memory setting in this way impact the security/strength of my vault? Thanks very much for your helpful and thorough comment!

zgpyAjrWDLpmFUqIpAfq3dji1W45Hq65OUlmrlT commented 9 months ago

> I used to not experience this issue after enabling Argon2 shortly after BW made it available.

The dialog was only added later. In the initial argon2 release, there was no warning so if the app did not fit into the iOS memory constrained autofill environment, it would just crash. However, it also meant that it worked fine for 64MiB (the default) in most cases.

The warning triggers at 48 MiB (lower than the 64 MiB default), regardless of whether the app would actually crash. It might make sense to just adjust the default argon2 values down (maybe increasing iterations to compensate) just so that users don't run into this as often.

> For those of us like myself who are not well versed in cryptography, does changing the memory setting in this way impact the security/strength of my vault? Thanks very much for your helpful and thorough comment!

As long as you have a good master password, no. Even if not, the difference between 48 MiB and 64 MiB, for cracking purposes, is not that relevant. It nearly linearly scales in this case, meaning that cracking your vault - should someone have an encrypted offline copy of it - is about 33% faster on the lower memory setting. You can compensate by increasing iterations (to 4), if you really feel that it is necessary. Either way, at both settings cracking any medium to high complexity passwords is not possible for a reasonable amount of time/money investment.

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 9 months ago

Thanks @quexten! Seeing as I'm on a modern iPhone with strong hardware, I'm surprised the 64m setting triggers errors on my phone, while also triggering errors on older models. I guess iOS doesn't care about the hardware capability and throws the error in all cases, which seems dumb. Again, maybe I'm misunderstanding. Anyways, thanks again.

zgpyAjrWDLpmFUqIpAfq3dji1W45Hq65OUlmrlT commented 9 months ago

> Thanks @quexten! Seeing as I'm on a modern iPhone with strong hardware, I'm surprised the 64m setting triggers errors on my phone, while also triggering errors on older models. I guess iOS doesn't care about the hardware capability and throws the error in all cases, which seems dumb. Again, maybe I'm misunderstanding. Anyways, thanks again.

Yeah, the hardware is certainly not the limit. It's just an iOS software limitation specifically within autofill contexts. When unlocking in the app, even 1GiB (the max setting) works fine on iOS.

RX5ulL6nKunJz88UkudvsdCkM5jkiNQA74LKKeP commented 9 months ago

> > Thanks @quexten! Seeing as I'm on a modern iPhone with strong hardware, I'm surprised the 64m setting triggers errors on my phone, while also triggering errors on older models. I guess iOS doesn't care about the hardware capability and throws the error in all cases, which seems dumb. Again, maybe I'm misunderstanding. Anyways, thanks again.
>
> Yeah, the hardware is certainly not the limit. It's just an iOS software limitation specifically within autofill contexts. When unlocking in the app, even 1GiB (the max setting) works fine on iOS.

Is there a way to get this information out to Apple? I would assume companies have access to other companies to work together when issues cross the boundary lines. Surely there has to be a way to suggest to Apple to increase the limitation within the software.

zgpyAjrWDLpmFUqIpAfq3dji1W45Hq65OUlmrlT commented 9 months ago

A solution would be to decouple the KDF used for local unlocking from the account KDF. Usually, a KDF is adjusted for the device it is run on. With the account's KDF this is not possible as it is used on multiple devices. But the locally encrypted user symmetric key could be encrypted instead with a KDF adjusted to the device (i.e. 48 MiB on iOS, iterations automatically calibrated to take ~1 second). This would (slightly) increase the security for all users, and make it so that any account KDF setting is safe since in the autofill context, only the local KDF would be used.
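
Added example (not part of the thread and not Bitwarden code): a Python sketch of the decoupling proposed in the comment above, using the 48 MB warning threshold and ~1 second target quoted in this thread and the roughly linear cost model from the earlier reply. The names `Argon2idParams`, `warns_today`, `compensating_iterations`, `plan_local_unlock`, the context/method strings and the per-pass timing passed in are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Numbers quoted in the thread; every name in this file is hypothetical.
AUTOFILL_WARN_MIB = 48   # warning shown at "48 MB or higher" in extension contexts
LOCAL_CAP_MIB = 48       # per-device memory suggested for iOS in the comment above
TARGET_SECONDS = 1.0     # "iterations automatically calibrated to take ~1 second"


@dataclass(frozen=True)
class Argon2idParams:
    memory_mib: int
    iterations: int
    parallelism: int

    def relative_cost(self) -> int:
        # Simplified model from the thread: cracking cost scales roughly
        # linearly with memory, and extra iterations can compensate.
        return self.memory_mib * self.iterations


def warns_today(account: Argon2idParams, context: str, method: str) -> bool:
    """Warning rule as described by support: the account KDF is used everywhere."""
    in_extension = context in ("autofill", "share")     # not the main app
    typed_secret = method in ("master_password", "pin")  # no warning with Touch/Face ID
    return in_extension and typed_secret and account.memory_mib >= AUTOFILL_WARN_MIB


def attack_speedup(old: Argon2idParams, new: Argon2idParams) -> float:
    """How much cheaper each guess becomes when moving from old to new settings."""
    return old.relative_cost() / new.relative_cost()


def compensating_iterations(account: Argon2idParams, memory_mib: int) -> int:
    """Iterations needed at a lower memory setting to keep the account's cost."""
    return math.ceil(account.relative_cost() / memory_mib)


def plan_local_unlock(account: Argon2idParams, seconds_per_pass: float,
                      cap_mib: int = LOCAL_CAP_MIB,
                      target_s: float = TARGET_SECONDS):
    """Choose device-local parameters for wrapping the locally stored user key.

    seconds_per_pass is the time one Argon2id pass takes on this device at the
    capped memory size; the caller measures it (a constructed value is used below).
    Returns (local_params, meets_account_cost).
    """
    memory = min(account.memory_mib, cap_mib)
    iterations = max(1, math.floor(target_s / seconds_per_pass))
    local = Argon2idParams(memory, iterations, account.parallelism)
    return local, local.relative_cost() >= account.relative_cost()


if __name__ == "__main__":
    accounts = {
        "default 64/3/4": Argon2idParams(64, 3, 4),
        "maximum 1024/3/4": Argon2idParams(1024, 3, 4),
        "minimum 16/2/1": Argon2idParams(16, 2, 1),
    }
    for name, acct in accounts.items():
        local, ok = plan_local_unlock(acct, seconds_per_pass=0.125)  # constructed timing
        print(f"{name}: warns today in autofill with PIN = "
              f"{warns_today(acct, 'autofill', 'pin')}; local KDF = {local}; "
              f"matches account cost = {ok}; iterations to match = "
              f"{compensating_iterations(acct, local.memory_mib)}")
```

With a very high account setting the calibrated local parameters cost less per guess than the account KDF, which is the trade-off to weigh before protecting the local key this way.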

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 9 months ago

> Yeah, the hardware is certainly not the limit. It's just an iOS software limitation specifically within autofill contexts. When unlocking in the app, even 1GiB (the max setting) works fine on iOS.

@quexten can you clarify this comment? Does your suggestion to "unlock in the app" include the following scenario:

  1. Hit auth page in browser
  2. Move to BW app
  3. Unlock vault in BW app
  4. Move back to browser
  5. Use iOS autofill widget from within browser to inject credentials from BW vault into browser auth form

Will this get around the error, even with higher memory setting? I get the error when I go from step 1 straight to step 5. Are steps 2-3 a workaround? Or when you say "unlocking in the app" do you just mean unlocking the vault from the BW app and using copy/paste to move username and password into the browser auth form?

yuNDm7WxiCmuAYyJEWRxUdFZGdJvPuVH7Hqq97x commented 8 months ago

> Hello everyone,
>
> First, please read this (#2389 (comment)) for context. Some of you are only now encountering this matter because you did not need to unlock the client through the Auto-Fill flow (when performing Auto-Fill) up till the latest version (2023.9.1), and now you are asked to do so because of this (#2787).
>
> 1. The new warning message ''Unlocking may fail due to insufficient memory.'' would be shown on iOS at each and every unlocking attempt, such as through the Auto-Fill flow or when creating a new Send via the Share sheet, when the Argon2id Memory is set to 48 MB or higher and you are unlocking using the master password or PIN. It would not be shown when unlocking the main iOS client (the Bitwarden icon on the home screen).
>
> 2. If you are using Argon2id and you attempt to perform Auto-Fill and nothing happens after you enter the PIN or master password, meaning no credentials are entered into the webpage or you are stuck with a red message stating ''Biometric unlock disabled pending verification of master password'', your Argon2id KDF configuration is probably too high for the device you are using; Please revert to the default Argon2id values and set the KDF Memory to 45 MB and try again. If this behaviour continues, please get in touch with us (https://bitwarden.com/help/) so we'll have a look, and please include a link to this GitHub thread in your message.
>
> 3. If you are using Argon2id and you see the new warning message but are still able to perform Auto-Fill successfully, you can safely ignore that message; Alternatively, you can use Touch ID or Face ID to unlock your client and the warning message would not be shown in that case.
>
> 4. If you would like to use Argon2id with high KDF settings, possibly the same ones you had before you started needing to unlock your client at each Auto-Fill action, you can follow the workaround below. To be clear, when unlocking the iOS client using the master password or PIN, high KDF settings such as KDF Memory above 48 MB can result in the Auto-Fill action failing as mentioned in this GitHub thread; However, it may be possible to unlock the client via Touch ID or Face ID with those high KDF settings and perform Auto-Fill successfully.
>    A. Set the KDF Settings to Argon2id where (Iterations = 2) and (Memory = 16).
>    B. Log in via the Bitwarden iOS client.
>    C. Activate (Unlock with biometrics).
>    D. Open a browser, such as Safari, and perform Auto-Fill and enter your Bitwarden master password.
>    E. Attempt to perform Auto-Fill again to confirm that there no longer is a need to enter the master password during Auto-Fill, and that Touch ID or Face ID can be used instead.
>    F. Navigate back to Web Vault and change the KDF settings to the desired configuration.
>    G. Log in via the Bitwarden iOS client anew.
>
> If you are encountering something different, please get in touch with us (https://bitwarden.com/help/) so we'd assist with your particular case, so that we'd keep this GitHub thread focused on this matter only.
>
> I hope you find this clear and helpful, and I thank you in advance for your understanding and patience,

Setting the KDF memory to 48 MB in iOS fixed it for me. However, the default value for the KDF memory that BitWarden sets is 64 MB. Is 48 MB not a secure enough memory value @SergeantConfused?

qVTCoBBzYn3JB1MOywjVQWlcEvFmDrITyAkhzEq commented 1 month ago

Try updating to the latest Bitwarden iOS app. Version 2024.5.1. It seemed to fix the issue for me on my end for the most part. Was able to auto fill where I wasn't able to on my iPhone 12

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 1 month ago

@TheNightRider12... with what KDF memory setting?

qVTCoBBzYn3JB1MOywjVQWlcEvFmDrITyAkhzEq commented 1 month ago

I am using a KDF memory setting 64MB with iterations and parallelism each set at 4

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 1 month ago

The autofill worked for me changing to 64/4/4, but iOS still gives me a warning about KDF memory. It may actually be a new warning, but it happens nonetheless. But the autofill now works in first attempt whereas before it was always requiring two attempts.

tmxjmNUKCogKhOn8mUW2EJQoyEEwWRatkl0q8qZ commented 1 month ago

Now it's requiring 2 attempts to autofill. So the issue is, for me, the same as it's ever been, despite report above. I am running latest iOS and BW

qVTCoBBzYn3JB1MOywjVQWlcEvFmDrITyAkhzEq commented 1 month ago

I’m having the issue again, but this time on my iPhone 13. Which never had an issue before. It’s giving the KDF error when I have it set to 64MB. Which I haven’t changed in a while. Shouldn’t be having an issue on an iPhone 13.