Daily Shaarli

All links of one day in a single page.

January 3, 2024

Bitwarden Heist - How to Break Into Password Vaults Without Using Passwords - RedTeam Pentesting

Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello implementation allowed us to remotely steal all credentials from the vault without knowing the password or requiring biometric authentication. When we discovered this during a penetration test, it was so unexpected for us that we agreed with our client to publish a blog post about it and tell the story.