Bitwarden has expanded the Log in with device option, which lets you approve a Bitwarden vault login from a second device instead of entering your master password. Read on to learn how this works, how it maintains security, and what the future of passwordless looks like for you and Bitwarden.
Before we get started, install the Bitwarden desktop app or mobile app if you do not have it and log in there. In Settings, turn on the Approve login requests option in the Security section (it is off by default).
Now that you're ready, open the client where you want to log in (for this example, the Bitwarden web vault) and enter your account's email address. On the next screen you will see the option Log in with device. Selecting it sends a push notification to your Bitwarden mobile and desktop apps for approval.
Open your Bitwarden mobile app, confirm the login request within the notification, and the web vault in your browser will automatically log in. Fast and easy!
To extend the passwordless experience to your mobile app, set up Unlock with Biometrics or Unlock with PIN Code, and be sure that the Vault timeout action is set to Lock rather than Log out (logging out would require your master password to get back in). Now you can quickly unlock your mobile app with your fingerprint, Face ID, or a short PIN, and by extension access the web vault without entering your password.
Several technology safeguards keep this process locked down:
End-to-end, zero knowledge encryption - communication between the web vault client and the mobile app is encrypted with a public and private key pair generated by the requesting client, with data encrypted before it ever leaves the device. Bitwarden servers relay the request but cannot read what is approved.
Client fingerprint phrase - the web vault login shows a Fingerprint Phrase that identifies the login attempt. It might look something like juniper-sandbar-footnote-improve-evolution. The same phrase appears in the login request on the mobile app. Make sure the two match before approving the request; if they differ, the request you are looking at is not the one you started, so deny it.
Two-step Login - if you have two-step login turned on (and you should!), you will still need to complete the second step after the request is approved.
Note: If you’re a member of an organization that has enabled Single Sign-On policies, you will be required to go through the Enterprise single sign-on process instead of Log in with device.
Recognized devices only - the Log in with device option is only offered in a browser that has previously logged in to your Bitwarden account.
If you’re interested in the more technical aspects of how it works and the flow of encrypted data, more information is available here: Help Center: Log in with device - How it works.
In addition to championing passwordless authentication support such as biometrics and hardware security keys, Bitwarden recently acquired the European startup Passwordless.dev, which helps developers build passwordless features into their software. Now in beta, Bitwarden Passwordless.dev trims down the development work around passkeys and FIDO2 WebAuthn features.
Bitwarden also recently expanded its partnership with the FIDO Alliance. Now, as a sponsor-level member, Bitwarden will further its involvement and influence in shaping FIDO specifications.
Editor's note: This blog was originally published on Dec 5, 2022 and updated on Feb 22, 2023 with new features and descriptions.