‘Never’ option removed from Require Master Password?

Hi Folks!

This is all helpful, and thanks for the great dialogue. Allow me to register my dissent and advocate for returning this setting.

First, thanks @Jack.P_1P for your thoughtful and candid response on 1Password's thinking here. Your explanation was illuminating and very helpful in understanding how the revised functionality works.

What concerns me is that 1Password prides itself (I think rightfully) on its security, but this change makes users less secure. It's well researched and common knowledge at this point that the more times a user has to input a password, the less secure it is. Forcing users to enter/retype their master password on completely arbitrary time intervals so that they 'don't forget their password' is seemly antithetical to the mission of keeping users secure.

Understanding that there's often a balance for software makers to decide between security and supporting users, some 'compromises' (to use our good friend @Ben 's terminology) may be made. But even if we accept that premise (which in this instance, it doesn't seem to apply because there are 7 other options), the decision to remove 'never' seems particularly unsound:

1. "Never" was never (haha) the default set for any user. In order for a user to actually set it as such, they must have affirmatively sought out a hidden advanced setting and affirmatively changed it.
2. As far as one can tell, there was no clamoring by users for this setting to be removed. In fact, it's quite the opposite. A cursory search of these forums alone yielded not one instance of requesting 'never' be removed as an option. On the other hand, there are countless threads and posts about 1Password incessantly asking to users to enter their master passwords. (Heck there are three threads on just the first page of the iOS subsection saying as much). Taking an action that is so inconsistent with user sentiment, particularly when it is unnecessary and no demand for it is a bit odd.
3. Finally, keeping the setting enabled on some devices (those where it already exists) suggests the change isn't all that critical and certainly not about keeping users more secure, otherwise you all would have disabled it immediately and informed users the option had been removed.

Making a change to seemingly protect users from themselves is admirable and, one assumes, very helpful to you fine folks who deliver great support to users. I want to acknowledge the great work that you all in support do. It's tough, so I certainly want to name the balance that 1Password is trying to strike here. And as admirable as the motivations for the change are, doing so at the expense of security of others, especially when the change ensures other users like myself cannot be as secure as possible is less than ideal.

Because we know passwords, even very good ones, are less secure than biometrics, particularly Apple's implementation of Face/Touch ID, having 'never' as the option was the most secure way to keep users' vaults out of the wrong hands. I hope 1Password reconsiders and brings back the option to 'never' type in the master password after first time when biometrics are enabled.

Thanks again for the great work you all do in supporting users.

Hi Folks! Following up here with two notes.
1. Appreciate how thorough 1Password's release notes are 👍🏽, and
2. 1Password just added the equivalent of 'never' to the Windows version. 👍🏽👍🏽

But certainly this begs the question about why 1Password removed the 'never' option. I would note that the TMP biometric feature has been requested for a long time, and their implementation is well done and the right move. Now, unless there's some secret time-out (which wouldn't be very user-friendly, so I assume there isn't), you can sign-in, post-restart or post-shutdown, with biometrics (Windows Hello), without the need to input the master password.

I've been using this since it came out this week and it works exactly as it used to on iOS.

Soooo... can we just have the 'never' option back? It's actually been quite a pain (less secure and holistically unnecessary) to have to input the password on a phone incessantly. It's exceptionally odd to claim there were reasons for removing 'Never' on iOS, and then turn around and implement 'never' on the PC.