New Auto-Lock Policy Concerns and Suggestions
I read about the new auto-lock policy option (https://blog.1password.com/browser-auto-lock-release-channel-policies/ and https://support.1password.com/auto-lock-policy/). I have a few suggestions/requests:
This should be an "auto-lock no later than" policy similar to the "Maximum link lifespan" policy setting for Item Sharing
First, individual users of Business/Teams accounts should be able to set their 1Password apps to auto-lock sooner than the default policy. The policy should work like the Link Expiration settings under the Item Sharing policy, where admins can set "Maximum link lifespan" and "Default expiration time" for shared item links. If the business determines that shared item links should expire no later than 7 days after they are sent, there is no reason to prohibit people from sending links that expire in 1 hour (which people are currently able to do). Similarly, if the business determines that 1Password apps used to access a Business/Teams account should lock no later than 8 hours after being idle, there is no reason to prohibit people from setting their 1Password apps to lock after 30 minutes (or some other period of time less than 8 hours).
I would suggest making the auto-lock policy have two settings: (1) Maximum Auto-Lock Period, and (2) Default Auto-Lock Period, such that individual users would all default to the recommended Default Auto-Lock Period, but they could choose any auto-lock period up to the Maximum Auto-Lock Period.
Second, individuals who use 1Password with both Business/Teams accounts and Family/Personal accounts should be able to select a shorter auto-lock policy for their Family/Personal accounts.
It is problematic that a less security-conscious employer could impose a longer auto-lock policy on employees that would also result in their Personal/Family 1Password accounts (on the same app) being forced into a longer auto-lock period than they might otherwise choose. Speaking for myself, if I worked at a company that set a long auto-lock policy for 1Password apps used to access a Business/Teams account and I couldn't set a shorter auto-lock period, at least with respect to my Family/Personal account, I would take my 1Password Family account and switch to another password manager (probably Bitwarden) rather than risk the security of my personal accounts.
Third, individual users should be able to have different auto-lock policies for different apps/devices. An appropriate auto-lock policy for a desktop in a home or business is different from that for a laptop or a phone/tablet. For example, I personally set different auto-lock periods on different devices, such as:
- Home Desktop: 15 min., because the chance of an unauthorized person gaining access to my home desktop while 1Password is unlocked is almost zero
- Work Desktop: 2 min., because I am an admin for various accounts for our company, and although the risk of unauthorized access is low, it is still possible I could step away and a disgruntled employee or a vendor in the building could access my computer
- Laptop: 1 min., because it is easy for a criminal to snatch an unlocked laptop. (Also, it's easy to unlock 1Password on my MacBook with Touch ID.)
- iPhone/iPad: Immediately, because it is so easy to unlock with biometrics and because stealing phones/tablets is easy
Fourth, Business/Team administrators should be able to customize the auto-lock policy for different groups. Our company would impose a stricter auto-lock policy for individuals in the Owners and Administrators groups than for other users, since it would be much worse for an unauthorized person to gain access to the various credentials saved in 1Password accounts belonging to our company's admins than our regular users.
Lastly, a related feature request: For all apps/devices that are configured to use biometrics to unlock 1Password (e.g., Touch ID, Face ID, Windows Hello, biometric unlock on Android), there should be an "Immediately" lock option like there is on iOS devices.
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Thanks @YellowVista
I've shared your thoughts with the team behind the feature. I appreciate how much thought you've given the subject.