
Vault Approver: Open-Source Login Approver for Vaultwarden

Bitwarden’s «Login with device» feature is brilliant — tap a notification, approve, and you’re in without typing a password. But approving requires the full Bitwarden app with your entire vault loaded. I built Vault Approver — a minimalist Flutter app that does exactly one thing: approve login requests on self-hosted Vaultwarden servers. No vault access, no stored passwords, just biometric unlock and one tap.

Why Vault Approver Exists

Self-hosted Vaultwarden is the gold standard for password management — you control your data, your server, your rules. But «Login with device» has a UX problem: the official Bitwarden mobile app loads your entire vault just to approve a request. That’s unnecessary attack surface. Vault Approver strips everything down to the essential flow: Face ID → see request → verify fingerprint phrase → approve. The app never accesses your vault, never stores your master password, and the approval exchange itself is end-to-end encrypted with RSA-2048-OAEP.

How Vault Approver Works

  1. One-time setup: Enter your Vaultwarden server URL + email + master password. The app derives encryption keys via Argon2id, stores the user key in device Keychain/Keystore behind biometrics, then discards the password
  2. Real-time notifications: SignalR WebSocket with MessagePack binary protocol connects to your server. When someone triggers «Login with device», you get an instant push notification
  3. Biometric unlock: Face ID or Touch ID on every app launch — no PIN fallback, no shortcuts
  4. Fingerprint verification: A 5-word EFF phrase derived from the requester’s public key prevents spoofing attacks
  5. One-tap approval: RSA-2048-OAEP encrypts your user key with the requester’s public key. The server never sees your encryption keys
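The fingerprint check in step 4, as an added example in Python (not Vault Approver’s own Dart code): it follows the derivation the Bitwarden clients use as I understand it (SHA-256 of the requester’s public key, HKDF-Expand-SHA256 with the requester’s account email as info, the 256-bit result written in base 7776 with each digit indexing the EFF long wordlist). The email-as-info detail is an assumption, and the 7776-entry wordlist below is a constructed stand-in, so a real client would print different words at the same indices.

```python
# Added example: fingerprint phrase for a 'Login with device' request.
# Assumed scheme (Bitwarden clients, as understood here):
#   fp = HKDF-Expand-SHA256(prk=SHA-256(public key DER), info=email, 32 bytes)
#   then five base-7776 digits of fp index the EFF long wordlist.
import hashlib
import hmac

WORDLIST_SIZE = 7776  # size of the EFF long wordlist (6^5)
# Constructed stand-in for the EFF long wordlist so this runs offline;
# a real client ships the actual words, the indices are the same.
WORDLIST = [f"w{i:04d}" for i in range(WORDLIST_SIZE)]


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (the extract step is not used)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def fingerprint_phrase(public_key_der: bytes, email: str) -> list[str]:
    """Derive the 5-word phrase bound to the requester's public key.
    5 words * log2(7776) bits is about 64.6 bits, which is why 5 are shown."""
    prk = hashlib.sha256(public_key_der).digest()
    n = int.from_bytes(hkdf_expand(prk, email.encode("utf-8"), 32), "big")
    words = []
    for _ in range(5):
        n, idx = divmod(n, WORDLIST_SIZE)  # least-significant digit first
        words.append(WORDLIST[idx])
    return words


def should_approve(request_public_key_der: bytes, email: str,
                   phrase_on_requester: list[str]) -> bool:
    """Approver-side check: recompute the phrase from the public key carried in
    the request and compare it with what the requesting client displays.
    A request carrying a different key cannot reproduce the genuine phrase."""
    return fingerprint_phrase(request_public_key_der, email) == phrase_on_requester


# Constructed sample inputs (not real keys): a genuine requester and a forged request.
GENUINE_KEY = b"constructed-requester-public-key-bytes"
FORGED_KEY = b"constructed-forged-public-key-bytes"
EMAIL = "user@example.com"
```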

Security Architecture

With 6 patents in information security, I designed Vault Approver with a zero-trust approach. Here’s the Vault Approver security model:

  • Master password never stored: Entered once during setup, used to derive keys, then discarded. Re-setup required if biometric data changes
  • Device Keychain/Keystore: User key encrypted with a random biometric storage key, protected by Secure Enclave (iOS) or Android Keystore
  • E2E encryption: Full Bitwarden-compatible crypto chain — Argon2id KDF, HKDF-SHA256 key stretching, AES-256-CBC vault key decryption
  • No vault access: The app only calls /api/auth-requests — it literally cannot read your passwords
  • No data collection: Zero analytics, zero telemetry, zero cloud. App Store privacy label confirms: «Data Not Collected»

This is the same defense-in-depth approach I recommend for enterprise IT architecture: minimize attack surface, encrypt everything, trust nothing.

Technical Stack

  • Flutter + Dart: Cross-platform (iOS released, Android in beta)
  • State management: Riverpod 2.x for reactive UI
  • Crypto: PointyCastle 4.x + cryptography 2.x — full Bitwarden-compatible implementation
  • Real-time: SignalR WebSocket with MessagePack binary encoding + polling fallback
  • Security: local_auth (biometrics), flutter_secure_storage (Keychain/Keystore)
  • Localization: English + Russian with in-app switcher

Getting Started with Vault Approver

Prerequisites: A self-hosted Vaultwarden server with «Login with device» enabled. iPhone with Face ID or Touch ID.

  1. Install: Download Vault Approver from the App Store (free, 20.9 MB)
  2. Connect: Enter your Vaultwarden server URL (e.g., https://vault.yourdomain.com)
  3. Authenticate: Email + master password + optional 2FA/TOTP
  4. Enable biometrics: Face ID or Touch ID — this becomes your only unlock method
  5. Done: Next time you or your team uses «Login with device», the request appears instantly

The Android version is currently in beta — check GitHub for APK builds.

Why Open Source Matters for Security Apps

A security app you can’t audit is a security risk. Vault Approver is MIT-licensed and fully open source on GitHub. Every line of crypto code is reviewable — from the Argon2id key derivation to the RSA-OAEP key exchange. No obfuscation, no hidden network calls, no proprietary black boxes. This transparency is especially critical for data-sensitive organizations that need to verify what runs on employee devices.

Need help setting up self-hosted Vaultwarden for your team? Book a free consultation →

Frequently Asked Questions

Does Vault Approver work with official Bitwarden servers?

It’s designed for self-hosted Vaultwarden but uses the standard Bitwarden API. It may work with official servers, though primary testing is against Vaultwarden.

Can Vault Approver access my passwords?

No. The app only interacts with the auth-requests API endpoint. It has no vault UI, no password list, no ability to decrypt stored credentials. It’s an approver, not a vault client.

What happens if I lose my phone?

The user key is protected by device biometrics. Without your face/fingerprint, the key can’t be extracted. Your vault remains safe. Just set up Vault Approver on a new device with your master password.

Is the Android version available?

Android is in open beta. You can build from source or download the APK from GitHub releases. Google Play release is planned once beta testing is complete.

Ilya Arestov — Fractional CTO | Dubai Airport Free Zone (DAFZ), Dubai, UAE | Almaty, Zenkov Street 59, Kazakhstan | +971-585-930-600 | https://t.me/getmonolith
