Let's be honest: we're all supposed to use unique passwords for everything, but who has that kind of mental bandwidth? Most of us either remember a few passwords and uses them in rotation across websites, or remember just one master password required for a dedicated password manager. LastPass may be in recovery from its second serious security incident this year, but rival services are busy adding quality-of-life features like passwordless authentication. One of our favorite password managers, Bitwarden, now allows you to log into the service's web vault using just the smartphone app, bypassing the need for a master password every time.
Bitwarden lets its users store their login credentials, bank card details, secure notes, and other files and folders in its secure web vault. You can access the vault using any browser from anywhere, normally using your email ID associated with Bitwarden and your master password. Now, though, the password manager service is introducing a new passwordless login system, where you can authenticate web vault sign-in requests through the mobile app.
In the app, you'll see the email ID attempting to log in, a series of five random words separated by hyphens (your fingerprint phrase, to avoid man-in-the-middle attacks), the login attempt time, and the IP address of the machine requesting access. Based on these parameters, you can decide to allow or deny sign-in requests.
The very first time you set this up using a computer, you'll still need the master password, but you can use the passwordless method thereafter. You also can't use an incognito window for this to work, and you must complete the second login step after the passwordless authentication if you have two-step login enabled in Bitwarden settings. Although the new vault login system doesn’t make the system completely passwordless, you can make sign-ins slightly frictionless by setting up biometric authentication in the mobile app and ensuring the Vault timeout action is set to Lock.
In addition to this new support, Bitwarden offers a host of other useful capabilities, like granting a trusted person emergency access to your passwords, and generating alias email IDs to mask your real one.