Biometric time out

wraith
Community Member
edited August 2022 in Android

Why do I now need to enter my password every 2 weeks? My phone is as secure as it's going to get (and requires biometric for all use). Meanwhile typing the password once every 2 weeks is a royal pain in the backside (it's a complicated password). I've been using 1Password for nearly a decade now, and every time there's a new version of 1Password it takes 2 good steps forward and 1 big step backward (on something, for Android this seems to be the current thing, for Windows it's lack of AutoType). 😔

Comments

  • Hi @wraith:

    Generally speaking your password should be relatively easy to type. We saw many cases of people forgetting their account password, and adding the 2 week reminder per device has helped reduce the frequency of people forgetting their password and reaching out to us. We're still evaluating options here, and what my colleague has been advocating for (and what I'd like to see as well) is a synchronized two week timer across all of your devices, where an unlock with your account password on any device would reset it on all of your devices.

    Jack

  • wraith
    Community Member

    It is easy to type, on a PC. I type it roughly 25 times per day as I use different business systems. But typing it on a phone is very difficult with uppercase and symbols off in different "parts" of the keyboard.

    A timer is fine, but make it optional so I can have no timer.

  • wraith
    Community Member

    Also, FWIW I wouldn't want a synchronised timer. My devices have different use cases and risk profiles. I don't want them all treated the same.

  • Thanks for your additional input @wraith. We're continuing to evaluate what will work best here, so thanks for sharing!

    Jack

  • tmakaro
    Community Member
    edited August 2022

    Yes, if I have to be forced to type it, make me type it on my computer. I can type 120wpm on my PC, and my master password reflects that. I can type 20wpm on my phone at best. With 1P7, this wasn't an issue, but this is SUPER annoying on 1P8 for Android.

    Also, if this is such a concern, why didn't you include a 2 week timeout on 1P8 for Windows? I have to use my password on Windows if my TPM invalidates its state, but that happens very rarely now (which is fantastic! now that it works properly)

    Anything more than once per month on my computer and never on my phone is too much IMHO. Maybe you can take an approach similar to what Signal does with the pincode. Once per week for the first few weeks. Then once every 2 weeks, then once every month, and then once every 6 weeks forever after. Do this based on the age of the account/master password.

    Edit: Apparently, the 2 week timeout does exist on Windows. I feel like I notice the prompt less often than that, and it was only when the TPM state was invalidated (I guess that issue has been fixed completely). Either way, please remove the timeout on my phone!

  • Recent_Convert
    Community Member

    Came to find if this issue had been reported. A two week timer on my phone that disables biometrics may as well be simply removing biometrics. I seldom need 1P on my phone, but every time I do I need it instantly and without delay. I consider this to be sufficient friction to simply stop using a third party password manager despite the risks.

    Honestly at my age I can barely see my phone well enough to type a sentence, I certainly can't type my 1P master password in anything approaching a reasonable timeframe on a telephone keyboard. The difference between literally looking at my phone and two or three minutes of trial and error trying to type a 20+ character password is enormous. If the timeout isn't made optional then there simply isn't any utility in keeping my subscription as it more or less renders the mobile app and anything that I have to log in to (such as my banking app which also times me out of biometrics) completely inaccessible to me.

  • bugs
    Community Member

    Turn this timer off please. I promise I will never be contacting you for my pw. I thought if you lose your mpw you are hosed anyway.

  • Snpbond
    Community Member

    I came to find this issue as well. I rolled back to 1P7 on Android after finding this on my phone and will keep it until this is changed or it's not able to work anymore.

  • LatteCoffee
    Community Member

    This force to repeat on mobile feels quite bothersome. I think I fully understand the reasoning behind it but could this be done in a different way?

    For example inside the app we could be notified (until done) to repeat the password every two weeks but it would not block accessing the passwords? This way people would use / retype the password but they could choose the time to do it and would not be locked out from 1P suddenly.

    For example several times I have needed a password quite fast to buy public transportation tickets to catch the trains (after the app's token has expired). Entering master password in public is not the biggest threat model but it still feels uncomfortable.

    All in all I would prefer the old biometric model and would like to see it return as an option if possible. Maybe a warning if enabled or something.

    Post is getting bit long, so have a nice day everyone!

  • d0x360
    Community Member

    2 weeks is fine with me EXCEPT it's making me login multiple times per day. In fact I logged in 4 times in the last hour.

    I sent in a support ticket already but I'm not sure what I could be doing differently.

    I had the same issue with V8 months ago when testing the pre-release version and I'm having it now but I never had it on v7.

    Samsung zFlip3 on Android 12 with the July security update. I think I said June in my email.

  • etheberge
    Community Member

    I just installed 1Password 8 on my new phone and immediately noticed this forced two week master password timeout. I've been a very satisfied paid family plan subscriber since 2016, and an individual plan subscriber for a few years before that. I just want to chime in and let you know that if this change isn't reverted / improved upon quickly, I'll be looking into canceling and moving to the competition.

    Forcing users to retype a password that is by nature long and complex on a mobile device at unexpected times, when you're on the go, busy, etc is a MAJOR inconvenience.

    I've read the discussions from staff members here and in other threads and I understand the reasoning for enabling this by default, however removing the option to change the behavior at all is plain dumb. I get that this is to avoid support calls from angry people that forgot their password, but at some point folks need to take responsibility for their actions. The implications of losing your master password are quite clearly explained when setting up an account. Annoying your whole customer base for the vast minority of forgetful / unprepared customers is not a good move.

    At the very minimum we need the option to only have to enter the master password at reboot, this would still be slightly annoying but acceptable. Syncing the last typed time from Windows/Mac/Linux clients would also be acceptable. Bringing back the "never" option would be best.

  • jfalkingham
    Community Member

    It's a good feature, but please don't force it on your customers. If you like the option, add it, but leave it up to the customer please. This is the first time I feel strongly about an option that should exist.

  • spamminator
    Community Member

    +1 to making the biometric timeout configurable

  • Hello @tmakaro, @Recent_Convert, @bugs, @Snpbond, @LatteCoffee, @d0x360, @etheberge, @jfalkingham, @spamminator, thanks for joining the conversation and sharing your feedback.

    As you may have read in other threads, there are some ongoing conversations internally about how to find the best balance for everyone, and we are currently looking at some shorter and longer term options. We will be sure to share updates here on the forum as soon as we can.

    Thank you all for taking the time to let us know why this is important to you. If there's any other feedback you'd like to share or there's anything else we can help with, please let us know!

  • jfalkingham
    Community Member

    Thanks for the update, however turning this on without giving me a way to turn it off will only make me leave your platform. Please leave it up to your customers.

  • Ronso
    Community Member

    I see it the same way as @jfalkingham. As an adult man and customer of a paid product, I don't want a "you have to do it".
    I see this feature as an optional service which can be enabled by default, but you have to give us a way to disable this feature.

  • wraith
    Community Member

    Is it possible to roll back to the prior release somehow? For a while I had both on my phone (while the release was in beta) but now it has replaced the old version and I only have the newer version. I find the new version quicker, but in every other respect I find it worse and particularly this biometric issue drives me nuts. On Windows I'm sticking with v7 because I need Auto-Type for my job, can I also stick with the old Android version?

  • bugs
    Community Member

    I am completely sympathetic to the problem of too many support calls/emails from people who have lost their password. But I don't even get that - if you lose your password, aren't you completely out of luck?

  • secureregret
    Community Member

    Registered here to +1 this.

    Please remove/mitigate this requirement.

  • tmakaro
    Community Member

    You can update the app on iOS and Android now: https://www.reddit.com/r/1Password/comments/x1zdhj/thank_you_1password/

  • spamminator
    Community Member

    Thank you 1Password team!

  • Thanks again for everyone's feedback here! After some lengthy discussions internally, our first step in re-examining the lock options when Biometric lock is in use has been to add a 14 day, 30 day and never option for rechecking the account password. This has been included in version 8.9.3 which was released yesterday afternoon and should be available for everyone shortly as the update rolls out. The discussion is continuing internally and there may be some further changes coming in the future. For now, this is all we have to share. As always, your input has been greatly appreciated!

    My colleague Ben shared some notes in a thread on the iOS side that I thought were particularly helpful, especially for those newer to 1Password. I really couldn't say it better myself, so quoting:

    I'd like to take the opportunity to highlight:

    1. It is critically important that you memorize your account password and be able to type it. If not, the chances you eventually lose access to your data stored in 1Password skyrocket. Our support team will not be able to assist if this happens. Unlike authentication-based services, because 1Password is end-to-end encrypted, there is no "forgot password" function. If you lose your keys (Secret Key and/or account password) — that's it. Game over. I stress this because most services aren't end-to-end encrypted and as such people are accustomed to being able to forget their passwords, plug in their email address, and get a new password. It does not work that way with 1Password.

    2. The Emergency Kit can help. We recommend printing this document, and writing your account password on it. Then store the completed document in a safe place. The Emergency Kit will not help if you haven't written your account password on it and kept it up to date. The Secret Key alone is not enough to access your account. Both are required to access your account.

    3. Implement a recovery plan for your family (or team). Account recovery can be performed by a Family Organizer or business administrator. We would strongly encourage you to have multiple people with these roles if you are part of a family/business membership. If you are the only Family Organizer for your family, and you forget your account password, not only does that put you in a tight spot, it puts your whole family in a tight spot.

This discussion has been closed.