1pw8 not needing to be unlocked to input a user and pass?

hawklet00
Community Member

I just updated to 1pass 8 on my Pixel 4a 5G running Android 12 on the July security patch, and in using 1pass the autofill is not asking me to log into 1pass like it did with 1pass 7. I set 1pass 8 to auto lock immediately after closing the app, thinking that it would also require me to use my fingerprint or master password to select my user and pass for an app or a website login, but it did not. I thought that maybe it was an issue with something in the cache, so I force stopped the app, cleared the cache and had the same problem. This is a huge security hole and needs to be fixed. I shouldn't have to go back and forth from the app to copy a password and then go back to the app where I need it. It should work the same as it did in version 7, where you need to log in with a fingerprint or master password before getting the stored login credentials, at least that's what I would have thought. Is this something that isn't working as intended or is this supposed to work this way? If this is not working as intended, then how long will it take to get fixed? If this is working as intended, why? The whole reason for apps like this is to help things be more secure, so how does this functionality support that? For the moment I have reverted back to 1pw7.


1Password Version: 8
Extension Version: na
OS Version: android 12
Browser: na

Comments

  • Hello @hawklet00, thanks for letting us know about the issue you've seen with 1Password 8 on your device.

    With Auto-Lock on Exit set to Immediately, 1Password 8 should lock any time you switch focus away from 1Password or lock your device. If you have Show filling suggestions on, you will see linked suggestions after tapping a login field but filling them should require you to unlock 1Password 8.

    If that's not the case for you, I'd like to ask you to try the following to help give us a better idea where the issue may lie:
    1. Open and unlock 1Password 8.
    2. Tap Settings > Security.
    3. Confirm Auto-Lock on Exit is set to Immediately.
    4. Return to 1Password's home screen.
    5. Tap your account icon > Lock.
    6. Open a website and tap the filling suggestion.

    After tapping the suggested Login are you required to unlock 1Password? If you turn Show filling suggestions off from Settings > Autofill then repeat steps 4-6 do you see the same behavior? Thanks again!

  • hawklet00
    Community Member
    edited April 2023

    Thanks for following up, here is what I found:

    Scenario 1: when toggling Show filling suggestions to off, when I tap on a user or pw field, I am prompted to unlock 1pw.
    Scenario 2: when toggling Show filling suggestions to on, I am not prompted to unlock 1pw to see my user and pass.

    I've attached screenshots to this thread to show both scenarios so you can see what I am seeing; the first is scenario 1 and the second is scenario 2.

    image

    image

  • Hello @hawklet00 thanks very much for including the screenshots and I apologize for the delay in response.

    The behavior you've described in both scenarios is expected assuming that after you tap a suggested item in scenario 2 you are prompted to enter your password or biometrics (if 1Password is locked). The Show filling suggestions setting works similarly to the Autofill previews section in 1Password 7 for Android. Both reveal the name and username of any item linked to the website or app after tapping a sign-in field. If you prefer this information to be revealed only after unlocking 1Password you can turn Show filling suggestions off.

    Let us know if we can help with anything else!

  • hawklet00
    Community Member

    It seems counterintuitive that login information is being shown while 1pass is locked. Why was it designed to show that way?

  • Hi @hawklet00, with Show filling suggestions on, you can preview your linked Logins' titles and username before selecting them to Autofill. This provides the option to quickly select and fill the right account when you might have multiple Logins for the same site. If 1Password is locked, your account password will be required to fill this information. If you prefer this information not to be previewed, you can set Show filling suggestions off.

  • RobMendez
    Community Member
    edited August 2022

    @ag_timothy I actually have the opposite problem. I have fingerprint enabled and auto lock set to the maximum of 8 hours. But anytime I switch focus away and use autofill, I always have to use my fingerprint. For me, this is very annoying. I wish apps could sense that authentication was used to bypass the lock screen instead of constantly requiring re-authentication using fingerprints. It's almost as if my app is set to instantly lock, ignoring the 8-hour window. Literally, within seconds, if I switch to another app and then use autofill again I have to re-authenticate.

  • hawklet00
    Community Member

    @ag_timothy Ahh, I missed that. My apologies. Thank you for your help!

  • Happy to help @hawklet00!

    @RobMendez, thanks for letting us know about this issue on your device. If 1Password is running and unlocked in the background, it should re-open or Autofill without your account password (or fingerprint).

    I'd like to ask a few questions to help determine the issue:

    • What steps do you typically take to switch focus? Is 1Password still in your recents when you switch focus?
    • If you re-open 1Password is your fingerprint required, or only for Autofill?
    • What is the make and model of your device?

  • RobMendez
    Community Member

    @ag_timothy apologies for the late reply. It should re-open and autofill without authentication, but it doesn't.

    • I usually switch focus by sliding up halfway and going back to 1Password (still in the recents). But I'm not sure if it asks me w/1Password in the recents or not. I'll have to pay closer attention and get back to you. I do know I have the settings set to password every 30 days and auto-lock after 8 hours, but I still get asked for a password (maybe after 2 weeks) and authenticate way less than 8 hours.

    • When I re-open 1Password, I still have to reauth w/my fingerprint (within the 8 hours).

    • I'm using a Google Pixel 6 Pro on the latest Android (OS 13, Security Oct 5, Play System Sep 1) and 1Password (8.9.3) versions.

    I can't pin the app in the recents like I could on my previous OnePlus phone (Google's App Pinning seems to be an always on stuck on that app or nothing at all).

    My guess is that while the app may still be shown in the recents, if I've opened a lot of other apps, maybe the OS and/or app doesn't consider itself still "open" and then requires a reauth. I'll have to test that theory (still works w/o reauth after I opened 16 other apps, so maybe it is a timing issue).

    Should I send diagnostics right after it happens next time?

  • BrendanR1P
    edited October 2022

    Hi @RobMendez,

    Thanks for your reply.

    I was able to reproduce this issue on my own Android 13 device and your assumption appears to be correct from what I've seen in my testing.

    I opened 1Password 8 for Android, with auto-lock set to 8 hours and for master password to be required every 30 days. I then closed out of the 1Password 8 for Android app (showing as the only opened app in my Recents). I then opened my device Settings, tapped System > Developer options > Running Services > tapped the three dots in the top right and tapped Show Cached Processes.
    From here I was able to see that 1Password is kept running as a cached process when the app isn't being used, but is still open in my Recents menu. If I open 1Password again from my Recents menu at this point, it opens without asking me to unlock using my account password or biometrics.

    I then opened 13 random apps in a row, then checked the Show Cached Processes in Running Services in Developer Options and noticed 1Password was no longer showing as a cached or active process in Running Services. When I open 1Password 8 for Android from my Recents at this point, I am prompted to unlock the app via biometrics. Once I unlock the app, 1Password appears as a cached process again in Running Services.

    To conclude, it appears that opening and then closing multiple apps at once, but leaving them in the Recents menu, causes 1Password to be "pushed out" as one of the cached processes, leading to the app being treated as being opened for the first time again, leading to an account password or biometric unlock being required to activate the process again.

    I've filed an issue for this with our development team to make them aware of the issue and I appreciate you for bringing it to our attention.

    In terms of pinning the app: I am currently using a custom ROM and I was able to lock the 1Password for Android app in the Recents menu by opening Recents, then tapping the lock icon below the 1Password for Android app. This prevents the issue outlined above from occurring, but I suspect this feature may be a different way of app pinning or locking added by the developers of the custom ROM I'm using, which may be why it is behaving differently than you've experienced on your device.

    Apologies for the very long response, but I hope it helps. :)

    -- Brendan

    ref: dev/core/core#18114

  • RobMendez
    Community Member

    @BrendanR1P awesome find - thank you so much!!! I've noticed it usually times out around 30 minutes or less - very different than the 8 hours. But nonetheless, thank you for researching and duplicating the issue! 🙏👍😁🤩

  • On behalf of Brendan, you are very welcome!

  • RobMendez
    Community Member

    @BrendanR1P @ag_timothy any update on fixing this bug? It's just as annoying now as it was 4 months ago. Hoping a fix is on the horizon soon. 🤞

  • ag_audrey
    1Password Alumni

    Hey @RobMendez, thanks for following up!

    I noticed a fix was released a few months ago, but it sounds like you are still experiencing the same issue. Can you confirm you are on the latest version of 1Password 8 for Android?

  • RobMendez
    Community Member
    edited April 2023

    @ag_audrey yes, I'm running 1Password for Android 8.10.1 (81001033) on a Google Pixel 6 Pro running Android 13 with the Feb 5 2023 security update and Mar 1 2023 Play update.
    image

  • ag_audrey
    1Password Alumni

    Hey @RobMendez, thanks for confirming that, and apologies that you're still experiencing this bug. This is definitely not intended behaviour, especially after the fix was released!

    As long as you can confirm you have access to 1Password.com via browser, then can you try reinstalling 1Password for Android?

  • RobMendez
    Community Member

    @ag_audrey I did as you suggested. The first day was wonderful and hardly asked me to log in with my biometrics. But the 2nd day, back to ignoring my auto lock after 8 hours, constantly asking for biometrics probably after 30 minutes. Also, it was a bit difficult getting it to turn on auto fill - I had to choose none and then choose 1P for it to work.

    I will uninstall and reinstall to see if the behavior persists, then update this post.

  • Thanks for following up with us @RobMendez.

    Do let us know if that second re-install helps. If not, I'd like to ask you to modify the following settings then check for a change in behavior:
    1. Open device settings.
    2. Tap Apps.
    3. Search for and select 1Password.
    4. Tap Mobile data & Wi-Fi.
    5. If off, turn "Background data" and "Unrestricted data usage" on.
    6. Tap back and select App battery usage.
    7. Set battery usage to Unrestricted.
    8. Tap back and, if on, tap "Pause app activity if unused" off.

    Thanks again!

  • RobMendez
    Community Member

    @ag_audrey @ag_timothy I turned on Unrestricted Data Usage and battery usage to Unrestricted. All other options were already set as you suggested. I had previously set battery usage to unrestricted but don't know why it was reset to optimized - maybe I forgot when I reinstalled it or maybe one of the app updates reset it? In either case, I'll test it over the next few days and let you know how it goes. I was able to narrow it down to about an hour after it started asking me for biometrics (when the value is set to 8 hours). I'll report back towards the end of the week. 👍

  • Thanks @RobMendez! When you have the opportunity, let us know how that went.

  • RobMendez
    Community Member

    @ag_timothy I was still experiencing the problem and have since upgraded my phone to a Google Pixel 7 Pro. I have the same settings and can say it will still ask me for biometric authentication somewhere around 2-3 hours (can't pinpoint it exactly yet). But definitely not waiting the full 8 hours. Is there anything else I can do to help you pinpoint the issue/cause?

  • Hi @RobMendez, thanks for following up with us.

    Certainly odd behavior, I have a Pixel 4a and 6a with me and I'm not seeing the same. I'd like to ask you to unlock 1Password then send in a new diagnostics report once it locks prematurely. We can look over the logs and file a new report with any issues.

    1. Open and unlock 1Password for Android.
    2. Tap the account or collection icon.
    3. Tap Settings > Help > “Send diagnostics”.
    4. Add your forum username (@RobMendez) and a link to this conversation (https://1password.community/discussion/132251/1pw8-not-needing-to-be-unlocked-to-input-a-user-and-pass#latest) so we can identify the report.

    Thanks again for your help troubleshooting this!

  • RobMendez
    Community Member

    @ag_timothy Ironically, the app doesn't let me send diagnostics. I click the button and nothing happens. I've uninstalled, cleared storage, rebooted, reinstalled, and it's still the same thing. I'm running 8.10.6 (81006027) on Prod.

  • Hi @RobMendez, that doesn't sound right, my apologies for the trouble here.

    We've seen some cases where the default mail app isn't detected and we're looking into the cause. If that occurs, installing 3 total email apps should cause a share sheet to open when creating diagnostics. The share sheet will prompt you to select your preferred email app. With a device in this state I found the combination that worked for me was Gmail, Proton and Outlook.

    Let us know if that works for you and thanks again Rob.

This discussion has been closed.