Adding Biometric/PIN authentication with Master password re-prompt

@grb Thank you so much for asking!

The answer is no, we don’t lock the vault when it’s not in use, and we want it available without extra prompts when we use it for LOW RISK passwords and other information. So we set longer timeouts - 30 mins, 2 hours, maybe even lock on browser restart, and lock our device when we leave it for a coffee break or toilet break. If we forget to lock our device one time, the risk is low.

I guesstimate that 80% of passwords are “low risk” (e.g. online stores, forums, subscriptions, social media, etc.) and 20% are “high risk” (banking, email, security systems, source code repos, government services, etc.). Everyone’s definitions of risk will be different.

High risk passwords must not be available for these extended timeout periods, in case we forget to lock the device or if the device’s unlock procedure is not secure enough. The same goes for other high risk data stored in secure notes, for example (see Require Re-prompt for entire item (view, edit, etc.)).

The master password reprompt feature gives us the ability to protect our high risk passwords during a longer vault timeout period. Unfortunately it does not accept biometric authentication, so the master password must be entered every time we need to use a high risk password. And unfortunately there is no separate reauthentication timeout, which could expire access to high risk passwords quickly, ensuring a high level of security is maintained.

I believe the above use case is extremely common - certainly everyone who has voted for this feature, plus hordes who have not. I appreciate you asking the question so we can communicate why this feature is so important to us.

Lastly, there’s a user segment that does not have biometric authentication. I’m one of them when I’m using my Mac Pro. To be secure right now, I have to enter my long master password every time I need to access the vault - which is all day, every day. I don’t mind doing that when I use a high risk password, but it’s incredibly annoying for the 80% of the time I use a low risk password.
