Biometric time out

It's a good feature, but please don't force it on your customers. If you like the option, add it, but leave it up to the customer please. This is the first time I feel strongly about an option that should exist.

I just installed 1Password 8 on my new phone and immediately noticed this forced two week master password timeout. I've been a very satisfied paid family plan subscriber since 2016, and a individual plan subscriber for a few years before that. I just want to chime in and let you know that if this change isn't reverted / improved upon quickly, I'll be looking into canceling and moving to the competition.

Forcing users to retype a password that is by nature long and complex on a mobile device at unexpected times, when you're on the go, busy, etc is a MAJOR inconvenience.

I've read the discussions from staff members here and in other threads and I understand the reasoning for enabling this by default, however removing the option to change the behavior at all is plain dumb. I get that this is to avoid support calls from angry people that forgot their password, but at some point folks need to take responsibility for their actions. The implications of losing your master password are quite clearly explained when setting up an account. Annoying your whole customer base for the vast minority of forgetful / unprepared customers is not a good move.

At the very minimum we need the option to only have to enter the master password at reboot, this would still be slightly annoying but acceptable. Syncing the last typed time from Windows/Mac/Linux clients would also be acceptable. Bringing back the "never" option would be best.

2 weeks is fine with me EXCEPT it's making me login multiple times per day. In fact I logged in 4 times in the last hour.

I sent in a support ticket already but I'm not sure what I could be doing differently.

I had the same issue with V8 months ago when testing the pre-release version and I'm having it now but I never had it on v7.

Samsung zFlip3 on Android 12 with the July security update. I think I said June in my email.

This force to repeat on mobile feels quite bothersome. I think I fully understand the reasoning behind it but could this be done in a different way?

For example inside the app we could be notified (until done) to repeat the password every two weeks but it would not block accessing the passwords? This way people would use / retype the password but they could choose the time to do it and would not be locked out from 1P suddenly.

For example several times I have needed a password quite fast to buy public transportation tickets to catch the trains (after apps token has been expired). Entering master password in public is not the biggest threat model but it still feels uncomfortable.

All in all I would prefer the old biometric model and would like to see it return as an option if possible. Maybe a warning if enabled or something.

Post is getting bit long, so have a nice day everyone!

I came to find this issue as well. I rolled back to 1P7 on Android after finding this on my phone and will keep it until this is changed or it's not able to work anymore.

Turn this timer off please. Inpromise i will never be contactincg you for my pw. I thought if you lose your mpw you are hosed anyway.

Came to find if this issue had been reported. A two week timer on my phone that disables biometrics may as well be simply removing biometrics. I seldom need 1P on my phone, but every time I do I need it instantly and without delay. I consider this to be sufficient friction to simply stop using a third party password manager despite the risks.

Honestly at my age I can barely see my phone well enough to type a sentence, I certainly can't type my 1P master password in anything approaching a reasonable timeframe on a telephone keyboard. The difference between literally looking at my phone and two or three minutes of trial and error trying to type a 20+ character password is enormous. If the timeout isn't made optional then there simply isn't any utility in keeping my subscription as it more or less renders the mobile app and anything that I have to login into (such as my banking app which also times me out of biometrics) completely inaccessible to me.

Yes, if I have to be forced to type it, make me type it on my computer. I can type 120wpm on my PC, and my master password reflects that. I can type 20wpm on my phone at best. With 1P7, this wasn't an issue, but this is SUPER annoying on 1P8 for android.

Also, if this is such a concern, why didn't you include a 2 week timeout on 1P8 for Windows? I have to use my password on Windows if my TPM invalids it's state, but that happens very rarely now (which is fantastic! now that it works properly)

Anything more than once per month on my computer and never on my phone is too much IMHO. Maybe you can take an approach similar to what Signal does with the pincode. Once per week for the first few weeks. Then once every 2 weeks, then once every month, and then once every 6 weeks forever after. Do this based on the age of the account/master password.

Edit: Apparently, the 2 week timeout does exist on Windows. I feel like I notice the prompt less often than that, and it was only when the TPM state was invalidated (I guess that's issue has been fixed completely). Either way, please remove the timeout on my phone!

Thanks for your additional input wraith. We're continuing to evaluate what will work best here, so thanks for sharing!

Jack

Also, FWIW I wouldn't want a synchronised timer. My devices have different use cases and risk profiles. I don't want them all treated the same.