Issue with "Remember me" Feature Retaining 2FA Key on iOS App #1808

Closed
opened 2025-11-26 22:58:39 -06:00 by GiteaMirror · 2 comments

Originally created by @canassa on GitHub (Mar 6, 2024).

Steps To Reproduce

  1. Open the Bitwarden iOS app and navigate to the login screen.
  2. Ensure the "Remember me" option is selected before logging in.
  3. Complete the login process with both your email and 2FA key as required.
  4. Log out of the app.
  5. Log back in, observing that the email is pre-filled (as expected from the "Remember me" feature).
  6. Notice that the app does not prompt for the 2FA key, indicating it has been remembered along with the email.

Expected Result

The "Remember me" option should only store the email address of the user for convenience and not the 2FA key. Upon logging in again after logout, the app should require the user to enter their 2FA key to ensure an added layer of security. If the user also wants to remember the 2FA key for that device, that should be asked on a separate prompt.

Notice: That's also how the browser extension works: If I log out from it, even with the "Remember me" enabled, I have to re-enter the 2FA.

Actual Result

The "Remember me" feature stores both the email and the 2FA key, causing the app to bypass the 2FA prompt on subsequent logins after the initial authentication.

Screenshots or Videos

No response

Additional Context

I have encountered an issue with the Bitwarden iOS app concerning the "Remember me" option during the login process. While this feature is intended to store the user's email for convenience, it appears to also inadvertently remember the 2FA (Two-Factor Authentication) key. As a result, the app does not prompt for 2FA verification after a user logs out and logs back in, undermining the security layer that 2FA is supposed to provide.

Operating System

iOS

Operating System Version

No response

Device

iPhone 15

Build Version

2024.2.0 (6100)

Beta

  - [ ] Using a pre-release version of the application.
GiteaMirror added the bug label 2025-11-26 22:58:39 -06:00

@Krychaz commented on GitHub (Mar 6, 2024):

Hello there,

Are you sure you have not also checked the remember me option for 2FA?


@canassa commented on GitHub (Mar 6, 2024):

I probably did at some point. I just did a "Deauthorise sessions" and the problem is gone 😄 Thanks for the quick reply

Reference: github-starred/android#1808