Master password can only be used once in the iOS app. Master password can't be verified for autofill with Face ID #1298

Closed
opened 2025-11-26 22:44:11 -06:00 by GiteaMirror · 13 comments

Originally created by @pomkos on GitHub (Jun 5, 2021).

Describe the Bug

First found when trying to verify Autofill:

  • After tapping Bitwarden in the Settings -> Passwords -> Autofill section, Bitwarden pops up asking for the master password. The password is always rejected. Typing in the master password, the pin, iOS password are also rejected. If pin is enabled first, it still asks for master password.
  • If we back out of that screen, Bitwarden remains checked in Autofill and indeed Bitwarden attempts to Autofill by asking for master password each time. If pin is enabled it will ask for pin during autofill each time. If faceid is enabled, it will not use faceid and asks for master password or pin each time with the error "biometric unlock for autofill disabled pending verification of master password". While I can log in with bitwarden using the master password, on the app and on the website, I cannot "verify" master password from the settings screen.
  • If user does NOT log into bitwarden (ie: user installs bitwarden, does not open it), then enables autofill from Settings app, enters master password and the master password is accepted and the success screen comes up. User can then login to the actual app, enable faceid. Using autofill still requires master password with the error "biometric unlock for autofill disabled pending verification of master password". If the user goes back and enables pin, autofill still requires master password with same error. If the user does not enable pin, waits for timeout, user cannot log back into the app.

But it looks like the issue is with the master password not being read right or something because:

  • After logging into bitwarden, quitting the app, and waiting for the time out it is impossible to unlock the app using the master password. Each time after initial login the password is rejected, no matter the screen. ie: rejected in the app itself, rejected when prompted while enabling autofill, rejected when prompted during autofill.
  • If pin is enabled after initial login, unlocking the app with pin works.
  • If faceid is enabled after initial login, unlocking the app with faceid works

Steps To Reproduce

See above, but the simplest way:

  1. Download app from Apple app store
  2. Log in to the app
  3. Quit the app, wait for time out
  4. Log back into app
  5. Password is rejected

Expected Result

Master password is accepted.

Actual Result

Master password rejected.

Screenshots or Videos

Environment

  • Device: iPhone 12 Pro
  • Operating system: iOS 14.6
  • Build Version (go to "Settings" → "About" in the app): 2.10.0 (616)
  • Is this a Beta release?: N

Additional Context

Also tried uninstalling app, reinstalling it. Logging out, logging back in. Replicating issue on friend's phone (confirmed).


@RusseII commented on GitHub (Jun 8, 2021):

Same ISSUE! Please please fix!


@Apologin commented on GitHub (Jun 13, 2021):

Same issue. This is locking me out of several accounts.


@SergeantConfused commented on GitHub (Jun 14, 2021):

Hi @pomkos,

I have performed the reproduction steps several times on iOS 14.6 and I was able to unlock my iOS client using my master password. Please clarify to me what you mean by "Master password rejected.", are you being told that the master password is invalid/incorrect?

Thank you in advance,


@pomkos commented on GitHub (Jun 14, 2021):

> Hi @pomkos,
>
> I have performed the reproduction steps several times on iOS 14.6 and I was able to unlock my iOS client using my master password. Please clarify to me what you mean by "Master password rejected.", are you being told that the master password is invalid/incorrect?
>
> Thank you in advance,

Yes exactly. I can record a screenshare if that would help?

I recently found this Reddit thread (https://www.reddit.com/r/Bitwarden/comments/nwcj5l/bitwarden_no_longer_accepts_master_password/), which unfortunately confirms it's not just on my side.

I do have 2FA enabled, and am self hosting. Although the Reddit thread seems to indicate self-host isn't necessarily the issue.


@SergeantConfused commented on GitHub (Jun 14, 2021):

Hi @pomkos,

Thank you. What is your local Bitwarden server's version, please?
Are you also self-hosting, @Apologin and @RusseII?

Thank you in advance,


@pomkos commented on GitHub (Jun 14, 2021):

It is at 2.15.1. Thanks for looking into this @SergeantConfused !


@pomkos commented on GitHub (Jun 14, 2021):

Update:

So I did a complete reinstall of the bitwarden server (accidentally deleted instead of backed up the bwdata folder. Thankfully no data was actually lost, thanks to the local caches on PCs and phones) and that seems to have fixed the iOS app bug. I can login more than once using the master password, and I can confirm the master password when setting up autofill with faceid. The 2.15.1 version number was from the webgui, it shows that at the bottom. If that wasn't the server version number then I suppose the reinstall updated it. If it was the version number, then .. magic?

Either way problem solved.


@RusseII commented on GitHub (Jun 14, 2021):

I was using the same self-hosted server as @pomkos. The problem has been fixed for me as well.

Really appreciate the help @SergeantConfused


@SergeantConfused commented on GitHub (Jun 15, 2021):

Hi @pomkos and @RusseII,

Thank you.

We have received reports describing a situation where unlocking the client using the correct master password would return an error stating that the master password is incorrect, and that was happening when the self-hosted server was outdated. That appears to be the case here, as the latest web vault version you can host is 2.20.3. You can see the latest version of the web vault here: https://github.com/bitwarden/web and the server here: https://github.com/bitwarden/server and please note that 2.20.4 has not been released for self-hosting at this time.

And you can update your local server like so: https://bitwarden.com/help/article/updating-on-premise/

I hope this clears everything up for you. Please do not hesitate to let me know if you have any further questions.


@luckydonald commented on GitHub (Jul 8, 2021):

@SergeantConfused Will that be an issue every time someone updates the apps?

Also attached an image for completeness' sake:
B4CABA2E-C979-418E-A960-4BBE9BABB3A8


@Brainy142 commented on GitHub (Oct 16, 2021):

I can confirm I just had this issue on multiple devices. The apps booted me out of my account, even though I did not have a timeout set up. Then the apps would not accept my password. About 15 minutes later I was able to log back in with the exact same password.


@doctorkelp commented on GitHub (Nov 28, 2021):

Still suffering from this myself. I have uninstalled and reinstalled the app.


@vvolkgang commented on GitHub (Jun 20, 2024):

Issue migrated to https://github.com/bitwarden/mobile/issues/1418


Reference: github-starred/android#1298