Log in with Device
Did you know you can log in to Bitwarden using a secondary device instead of your master password? Logging in with a device is a passwordless approach to authentication: instead of entering your master password, authentication requests are sent for approval to certain devices you're currently logged in to. Learn about our zero-knowledge encryption implementation.
Log in with device can be initiated on the web vault, browser extension, desktop app, and mobile app. Requests issued by these apps can be approved on mobile apps and desktop apps.
Logging in with a device is currently only available on the Bitwarden cloud server (https://vault.bitwarden.com).
To set up logging in with a device:
Log in normally to the initiating app (web vault, browser extension, desktop, or mobile app) at least once so that Bitwarden can recognize your device.
Using Incognito mode or Private Browsing prevents Bitwarden from registering your browser, so you won't be able to log in with a device in a private browser window.
Have a recognized account on an approving app (mobile or desktop app). Recognizing an account requires you to have successfully logged on to that device at any time.
On the approving app, open the Settings (or Preferences on iOS desktop) and, in the Security section, turn on Approve login requests.
If, as a member of an Enterprise organization, you are subject to the require SSO policy, you won't be able to use the Log in with device option. You'll need to use SSO to log in instead.
On the login screen of the initiating app, enter your email address and select Continue. Then, select the Log in with device option:
Using Log in with device will send authentication requests for approval to any mobile or desktop apps that you're currently logged in to and have enabled the option on. Compare the fingerprint phrases on the initiating and approving clients and, if they match, select Confirm login on the approving device. Note that this is a unique fingerprint that isn't the same as your account fingerprint phrase.
Requests expire after 15 minutes if they aren't approved or denied. If you aren't receiving login requests or are using F-Droid, try manually syncing your vault from the mobile app.
If you use the Log in with device option, you'll still need to use any currently active two-step login method.
When logging in with a device is initiated:
The initiating client POSTs a request, which includes the account email address, a unique auth-request public keyª, and an access code, to an Authentication Request table in the Bitwarden database.
Registered devices, meaning mobile or desktop apps that are logged in and have a device-specific GUID stored in the Bitwarden database, are provided the request.
When the request is approved, the approving client encrypts the account's master key and master password hash using the auth-request public key enclosed in the request.
The approving client then PUTs the encrypted master key and encrypted master password hash to the Authentication Request record and marks the request fulfilled.
The initiating client GETs the encrypted master key and encrypted master password hash.
The initiating client then locally decrypts the master key and master password hash using the auth-request private key.
The initiating client then uses the access code and fulfilled authentication request to authenticate the user with the Bitwarden Identity service.
ª - Auth-request public and private keys are uniquely generated for each passwordless login request and only exist for as long as the request does. Requests expire and are purged from the database every 15 minutes if they aren't approved or denied.
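The exchange described above, modeled in memory as an added example (not Bitwarden's code). RSA-OAEP, the fingerprint derivation, the access-code check on retrieval, and all function names are assumptions made for illustration; the page does not specify them.

```javascript
// Added illustration: in-memory model of the auth-request flow; not Bitwarden code.
const crypto = require("node:crypto");

const TTL_MS = 15 * 60 * 1000;   // requests expire after 15 minutes (from the page)
const authRequests = new Map();  // stands in for the Authentication Request table

// Assumption: fingerprint = truncated SHA-256 of the auth-request public key.
function fingerprint(publicKeyPem) {
  return crypto.createHash("sha256").update(publicKeyPem).digest("hex").slice(0, 16);
}

// Initiating client: generate a per-request key pair and POST the request.
function initiate(email, now) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const id = crypto.randomUUID();
  const accessCode = crypto.randomBytes(16).toString("hex");
  authRequests.set(id, { email, publicKey, accessCode, createdAt: now, fulfilled: false });
  // The private key never leaves the initiating client.
  return { id, accessCode, privateKey, fingerprint: fingerprint(publicKey) };
}

// Approving client: reject expired requests, compare the fingerprint the user
// reads off the initiating client, then PUT the encrypted secrets.
function approve(id, shownFingerprint, masterKey, masterPasswordHash, now) {
  const req = authRequests.get(id);
  if (!req || now - req.createdAt > TTL_MS) return "expired";
  if (fingerprint(req.publicKey) !== shownFingerprint) return "fingerprint-mismatch";
  const wrap = (buf) => crypto.publicEncrypt({ key: req.publicKey, oaepHash: "sha256" }, buf);
  req.encKey = wrap(masterKey);
  req.encHash = wrap(masterPasswordHash);
  req.fulfilled = true;
  return "fulfilled";
}

// Initiating client: GET the fulfilled record and decrypt locally.
// Simplification: the access code is checked here rather than by an Identity service.
function retrieve(id, accessCode, privateKey) {
  const req = authRequests.get(id);
  if (!req || !req.fulfilled || req.accessCode !== accessCode) return null;
  const unwrap = (buf) => crypto.privateDecrypt({ key: privateKey, oaepHash: "sha256" }, buf);
  return { masterKey: unwrap(req.encKey), masterPasswordHash: unwrap(req.encHash) };
}
```

The stored record only ever holds ciphertext, and a request whose public key does not match the fingerprint shown on the initiating client is never fulfilled.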