1Password doesn't auto-lock if a Windows PC is prevented from idling

mike48397289
Community Member
edited August 2023 in Windows

The auto lock is on system idle not app idle. As such if someone else uses the computer or a mouse wobbler is inserted - 1Password will never ever self lock. This is a very big oversight. I have reported before and it has still not been fixed. Reporting more publicly in the hope this security risk is fixed.


1Password Version: 8.9.10
Extension Version: Not Provided
OS Version: windows
Browser: all

Comments

  • ag_mike_d
    edited December 2022

    Hello @mike48397289,

    Thanks for your comments and this feature request. I've passed along your feedback to the Product team so they can consider more granular security settings such as Lock when the app is idle.

    While the current settings do rely on the system being idle, in most cases other options in place can help, such as Lock 1Password when computer locks and locking the device when you step away. However, in the case where others are also using the same device, manually locking 1Password (Ctrl + Shift + L) is your best workaround.

    Do let us know if you have any other feedback about this type of feature or any other workarounds you are currently using. We appreciate your time!

    ref: 29481097

  • Hello again @mike48397289,

    Good morning. Thanks for your reply and additional suggestion for an option to lock instances of 1Password when a sign in takes place on another device. I've passed this feedback along to the Product team as well. 👍

    ref: 29500705

  • Hello @mike48397289,

    Thanks for getting back to me.

    (Ctrl + Shift + L) only works consistently after (Ctrl + Shift + SPACE). Otherwise it doesn't always work.

    The Ctrl + Shift + L command is in place to lock 1Password while the app (or Quick Access) is focused. Similarly, the app can be locked through use of this option from the system tray icon when the app is minimized or closed.

    There still remains a threat from mouse wobblers - and I don't see this being registered or acknowledged anywhere - which is very worrying.

    I've raised your concerns with our team within the previous requests filed. I have no additional news to share. As always, you should keep an eye on our 1Password Releases page for updates to features and settings within the 1Password app.

    There should also be a double lock feature that requires a password to be entered and to disable fingerprint/face entry on an ad hoc basis.

    To confirm, you're looking for a feature to be implemented requiring your account password when an attempt is made to disable Windows Hello (or other biometrics), before that setting can be disabled? Can you provide some more details about a use case why this is an important feature to include, given that the password (or biometrics) is required to unlock 1Password?

    We always recommend using best practices and protecting yourself when using Windows Hello as detailed in that guide.

    If you have any additional comments to share, I'll be happy to pass them along to the team for you! Thanks again!

  • Hi @mike48397289,

    I appreciate the update. I've included these details for the team in a separate feature request.

    Please let us know if you have any other suggestions you'd like us to share with the team. Thanks!

    ref: 32174706

  • Dave_1P
    edited September 2023

    @mike48397289

    Thank you for the feedback. Your threads have been merged together to keep the conversation in the same place; I don't see anything that has been deleted.

    The few responses from 1Password they have given either blame the victim for not locking the machine manually (many users rely on the screensaver idle time), or they say it's too far-fetched and with access to the machine "all bets are off".

    I'm sorry if our previous replies sounded like they "blamed the victim"; that is certainly not our intention. Wherever possible, 1Password is designed to help protect the user from various threats that include some local threats on their device. However, if someone has physical access to your PC and can manipulate the functions of the operating system then 1Password is limited in what it can do to protect you. That's why it's important to keep your device safe and secure; 1Password is not designed to function on a compromised device.

    As an example, in your scenario the "mouse wobbler" can easily be replaced by a similarly sized hardware keylogger which could spy on what you type and pick up your account password, or other information, as you type it into 1Password.

    The auto-lock setting in 1Password is controlled by the user and can be triggered based on the following events:

    1. If the system itself locks.
    2. If the system is idle.

    As you've noted, we depend on the system itself to report when it is idle. Most users expect that, when they sit down to work at their computer, they only have to unlock 1Password once and then have it stay unlocked. If we based auto-lock on app idleness rather than system idleness then users would be prompted to unlock 1Password over and over again each time that they wanted to fill a login in the browser or use Quick Access to search and display an item. Since this has been 1Password's behaviour since the beginning, changing the behaviour now would break a lot of people's workflows and go against when they expect and desire 1Password to auto-lock.

    This isn't a vulnerability: auto-lock is working as designed, documented, and expected by most users. Matters like this are always a balance between security and convenience and I think that the right balance has been made for a few reasons:

    1. The auto-lock feature includes a clear label that it is based on system idleness, not app idleness.
    2. The current behaviour corresponds to the expectations of most users.
    3. The workaround of manually locking your Windows PC or manually locking 1Password, if you are concerned that you might be attacked by someone using something like a "mouse wobbler", exists.

    Personally I always lock my device when I step away from it. You can lock your PC by pressing the Windows button and the L button at the same time. Would adding that behaviour to your workflow work for you?

    If it won't then can you tell me a little more about why it won't? Can you also tell me if your preference is that we add another option to the app's security settings to allow folks to choose to auto-lock based on app idleness rather than system idleness? I see that my colleague has already passed along your feedback and I'm happy to share more details about your request internally with the team as well. 🙂

    -Dave
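
The two idle definitions debated in this thread, as an added example that is not part of the original posts and is not 1Password's code: a small simulation of when a vault locks under a system-idle timer versus an app-idle timer. The event labels, `lock_time`, the 10-minute timeout and the timeline are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: int      # seconds since the vault was unlocked
    kind: str   # "app_use", "system_input" or "system_lock" (constructed labels)

def lock_time(events, timeout, policy, horizon):
    """Second at which the vault locks, or None if still unlocked at `horizon`.

    policy "system_idle": any OS-level input resets the timer.
    policy "app_idle":    only interaction with the password manager resets it.
    A "system_lock" event locks the vault under both policies.
    """
    last_activity = 0
    for ev in sorted(events, key=lambda e: e.t):
        if ev.t > horizon:
            break
        if ev.t - last_activity >= timeout:   # timer expired before this event
            return last_activity + timeout
        if ev.kind == "system_lock":
            return ev.t
        # Using the app is also input as far as the OS is concerned.
        if ev.kind == "app_use" or (policy == "system_idle" and ev.kind == "system_input"):
            last_activity = ev.t
    if horizon - last_activity >= timeout:
        return last_activity + timeout
    return None

TIMEOUT = 600    # 10-minute auto-lock setting (constructed value)
HORIZON = 3600   # observe one hour

# Constructed timeline: last real use at t=60, then synthetic pointer
# movement every 30 s for the rest of the hour.
last_use = [Event(60, "app_use")]
synthetic = [Event(t, "system_input") for t in range(90, HORIZON + 1, 30)]

def scenarios():
    both = last_use + synthetic
    return {
        "system_idle, no other input": lock_time(last_use, TIMEOUT, "system_idle", HORIZON),
        "system_idle, periodic input": lock_time(both, TIMEOUT, "system_idle", HORIZON),
        "app_idle, periodic input": lock_time(both, TIMEOUT, "app_idle", HORIZON),
        "system_idle, Win+L at t=120": lock_time(
            both + [Event(120, "system_lock")], TIMEOUT, "system_idle", HORIZON),
    }

if __name__ == "__main__":
    for name, locked_at in scenarios().items():
        print(name, "->", "still unlocked" if locked_at is None else f"locks at t={locked_at}s")
```

Only the system-idle timer with periodic input stays unlocked for the whole hour; locking the session manually closes the gap regardless of the idle policy.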

This discussion has been closed.