Bitwarden extends passwordless login experience, now also supported in desktop
Password manager Bitwarden has expanded its passwordless login experience, and the desktop version now supports it as well.
Passwordless login has recently become a popular term. It refers to a joint effort by technology companies and password manager providers to improve online account security.
In essence, passwordless login means that users do not need to enter their account password when logging in. Instead, it uses encrypted verification to transform the login process into a request, which can then be authorized by clicking "allow login" on a trusted device.
Today, password manager Bitwarden announced the expansion of its passwordless login experience, and now the desktop version and browser extensions also support passwordless login. This feature is not enabled by default, but Bitwarden users can actively enable it.
Here are the instructions for using the feature:
Open the client that requires login (this article uses Bitwarden as the example). There are three options for logging in: the master password, device login, and single sign-on (SSO).
Select "device login". Bitwarden generates a unique fingerprint based on IP address and browser information and displays it on the vault page. This fingerprint is unique to each login attempt.
The Bitwarden app on Android or iOS will then show a notification with the same fingerprint, browser information, and IP address. Click "confirm" to log in.
Once the desktop version and web extension have been used for the first time, a similar confirmation notification will appear for future logins.
To ensure the security and reliability of this feature, it is important to set up automatic locking on the desktop version, and enable fingerprint or facial recognition on the mobile versions. Only after successful unlocking can the user click "confirm".
How it works:
According to Bitwarden, the entire workflow uses end-to-end encryption (E2EE) and zero-knowledge proof. The vault on the web is fully encrypted and data is encrypted before leaving the device.
Client fingerprint phrase: A phrase is generated for each login attempt, and it will appear on the page or app that requires login, as well as the device that requires confirmation. Users should confirm that the phrase is identical before clicking "confirm".
2FA verification: If the user has configured 2FA verification, they will need to enter the 2FA code after approving the login request to increase account security.
Is the PC login confirmation safe?
Some users may be concerned that others can confirm login requests on their PC. Therefore, it is important to protect the vault with a master password and enable automatic locking, such as locking after 10 minutes of inactivity. If you unlock the vault with the master password and let someone else use your computer, there is no solution except manually locking Bitwarden before giving your computer to someone else.
The same applies to other devices. If you unlock Bitwarden on your phone and let someone else use it, this is not secure, and this issue needs to be resolved by the user.