Log In With Device
Although most people log into their Bitwarden vault with a master password, there is a more convenient method of doing so called passwordless authentication. Using Log in with device, any time you log into Bitwarden on one device, you can opt to use another logged-in web app, mobile app, or desktop app to approve those authentication requests instead of typing your master password.
Log in with device can be initiated on the web app, browser extension, desktop app, and mobile app. Requests issued by these apps can be approved on the web app, mobile app and desktop app.
Learn about our zero-knowledge encryption implementation.
Prepare to log in with a device
To set up logging in with a device:
Log in normally to the initiating app (web vault, browser extension, desktop, or mobile app) at least once so that Bitwarden can recognize your device.
note
Using Incognito mode or Private Browsing prevents Bitwarden from registering your browser, so you won't be able to log in with a device in a private browser window.
Have a recognized account on an approving app (web vault, mobile or desktop app). Recognizing an account requires you to have successfully logged on to that device at any time.
note
If, as a member of an Enterprise organization, you are subject to the require SSO policy, you won't be able to use the Log in with device option. You'll need to use SSO to log in instead.
Log in with a device
On the login screen of the initiating app, enter your email address and select Continue. Then, select the Log in with device option:
Approve a log in request
Using Log in with device will send authentication requests to any web vault, mobile or desktop apps that you're currently logged-in to for approval.
To approve a request with the mobile app:
Log in to the mobile app.
Navigate to Settings → Account security → Pending login requests.
Locate and select the active device request.
Verify the fingerprint phrase and select Confirm login.
Mobile device approval
Note that this is a unique fingerprint that isn't the same as your account fingerprint phrase.
Requests expire after 15 minutes if they aren't approved or denied. If you are not receiving login requests, try refreshing the web app, or manually syncing your vault from the mobile app.
note
If you use the Login with device option, you'll still need to use any currently active two-step login method.
How it works
When logging in with a device is initiated:
The initiating client sends a request which includes the account email address, a unique Auth-request Public Keyª, and an access code, to an Authentication Request table in the Bitwarden database. Registered devices, meaning clients that are logged in and have a device-specific GUID stored in the Bitwarden database, are provided the request.
When the request is approved, the approving client encrypts the account's User Encryption key using the Auth-request public key enclosed in the request.
The approving client then sends the User Encryption key to the Authentication Request record and marks the request fulfilled.
The initiating client requests the encrypted User Encryption key.
The initiating client then locally decrypts the User Encryption key using the Auth-request private key.
The initiating client then uses the access code to authenticate the user with the Bitwarden Identity service.
The initiating client can then retrieve the user's vault data and use the User Encryption key to decrypt it.
ª - Auth-request Public and Private Keys are uniquely generated for each passwordless login request and only exist for as long as the request does. Requests expire and are purged periodically if they aren't approved or denied.