Biometric time out

wraith
Community Member
edited August 5 in Android

Why do I now need to enter my password every 2 weeks? My phone is as secure as it's going to get (and requires biometric for all use). Meanwhile typing the password once every 2 weeks is a royal pain in the backside (it's a complicated password). I've been using 1Password for nearly a decade now, and every time there's a new version of 1Password it takes 2 good steps forward and 1 big step backward (on something, for Android this seems to be the current thing, for Windows it's lack of AutoType). 😔

Comments

  • Jack.P_1P

    Team Member

    Hi @wraith:

    Generally speaking your password should be relatively easy to type. We saw many cases of people forgetting their account password, and adding the 2 week reminder per device has helped reduce the frequency of people forgetting their password and reaching out to us. We're still evaluating options here, and what my colleague has been advocating for (and what I'd like to see as well) is a synchronized two week timer across all of your devices, where an unlock with your account password on any device would reset it on all of your devices.

    Jack

  • wraith
    Community Member

    It is easy to type, on a PC. I type it roughly 25 times per day as I use different business systems. But typing it on a phone is very difficult with uppercase and symbols off in different "parts" of the keyboard.

    A timer is fine, but make it optional so I can have no timer.

  • wraith
    Community Member

    Also, FWIW I wouldn't want a synchronised timer. My devices have different use cases and risk profiles. I don't want them all treated the same.

  • Jack.P_1P

    Team Member

    Thanks for your additional input @wraith. We're continuing to evaluate what will work best here, so thanks for sharing!

    Jack

  • tmakaro
    Community Member
    edited August 9

    Yes, if I have to be forced to type it, make me type it on my computer. I can type 120wpm on my PC, and my master password reflects that. I can type 20wpm on my phone at best. With 1P7, this wasn't an issue, but this is SUPER annoying on 1P8 for Android.

    Also, if this is such a concern, why didn't you include a 2 week timeout on 1P8 for Windows? I have to use my password on Windows if my TPM invalidates its state, but that happens very rarely now (which is fantastic! now that it works properly).

    Anything more than once per month on my computer and never on my phone is too much IMHO. Maybe you can take an approach similar to what Signal does with the pincode. Once per week for the first few weeks. Then once every 2 weeks, then once every month, and then once every 6 weeks forever after. Do this based on the age of the account/master password.

    Edit: Apparently, the 2 week timeout does exist on Windows. I feel like I notice the prompt less often than that, and it was only when the TPM state was invalidated (I guess that issue has been fixed completely). Either way, please remove the timeout on my phone!

  • Recent_Convert
    Community Member

    Came to find if this issue had been reported. A two week timer on my phone that disables biometrics may as well be simply removing biometrics. I seldom need 1P on my phone, but every time I do I need it instantly and without delay. I consider this to be sufficient friction to simply stop using a third party password manager despite the risks.

    Honestly at my age I can barely see my phone well enough to type a sentence, I certainly can't type my 1P master password in anything approaching a reasonable timeframe on a telephone keyboard. The difference between literally looking at my phone and two or three minutes of trial and error trying to type a 20+ character password is enormous. If the timeout isn't made optional then there simply isn't any utility in keeping my subscription as it more or less renders the mobile app and anything that I have to log in to (such as my banking app which also times me out of biometrics) completely inaccessible to me.

  • bugs
    Community Member

    Turn this timer off please. I promise I will never be contacting you for my pw. I thought if you lose your mpw you are hosed anyway.

  • Snpbond
    Community Member

    I came to find this issue as well. I rolled back to 1P7 on Android after finding this on my phone and will keep it until this is changed or it's not able to work anymore.

  • LatteCoffee
    Community Member

    This force to repeat on mobile feels quite bothersome. I think I fully understand the reasoning behind it but could this be done in a different way?

    For example inside the app we could be notified (until done) to repeat the password every two weeks but it would not block accessing the passwords? This way people would use / retype the password but they could choose the time to do it and would not be locked out from 1P suddenly.

    For example several times I have needed a password quite fast to buy public transportation tickets to catch the trains (after the app's token has expired). Entering master password in public is not the biggest threat model but it still feels uncomfortable.

    All in all I would prefer the old biometric model and would like to see it return as an option if possible. Maybe a warning if enabled or something.

    Post is getting a bit long, so have a nice day everyone!

  • d0x360
    Community Member

    2 weeks is fine with me EXCEPT it's making me log in multiple times per day. In fact I logged in 4 times in the last hour.

    I sent in a support ticket already but I'm not sure what I could be doing differently.

    I had the same issue with V8 months ago when testing the pre-release version and I'm having it now but I never had it on v7.

    Samsung zFlip3 on Android 12 with the July security update. I think I said June in my email.

  • etheberge
    Community Member

    I just installed 1Password 8 on my new phone and immediately noticed this forced two week master password timeout. I've been a very satisfied paid family plan subscriber since 2016, and an individual plan subscriber for a few years before that. I just want to chime in and let you know that if this change isn't reverted / improved upon quickly, I'll be looking into canceling and moving to the competition.

    Forcing users to retype a password that is by nature long and complex on a mobile device at unexpected times, when you're on the go, busy, etc., is a MAJOR inconvenience.

    I've read the discussions from staff members here and in other threads and I understand the reasoning for enabling this by default, however removing the option to change the behavior at all is plain dumb. I get that this is to avoid support calls from angry people that forgot their password, but at some point folks need to take responsibility for their actions. The implications of losing your master password are quite clearly explained when setting up an account. Annoying your whole customer base for the vast minority of forgetful / unprepared customers is not a good move.

    At the very minimum we need the option to only have to enter the master password at reboot, this would still be slightly annoying but acceptable. Syncing the last typed time from Windows/Mac/Linux clients would also be acceptable. Bringing back the "never" option would be best.

  • jfalkingham
    Community Member

    It's a good feature, but please don't force it on your customers. If you like the option, add it, but leave it up to the customer please. This is the first time I feel strongly about an option that should exist.
