While ‘period of inactivity’ is certainly a tried-and-true method of deciding when to lock a session, it’s not the only one. In some cases, it’s not practical to use a very short period of inactivity in all cases, so leaving the window open longer for your device to be (mis)used by someone else.
For mobile devices in particular, there are options like geofencing that would allow the Bitwarden app to distinguish between ‘safe’ locations (home, work, etc.) and elsewhere, where a short inactivity time period is wise. Similarly, most mobile platforms have the concept of ‘significant movement’, i.e. you’ve moved the device some appreciable distance (not just the restroom and back). Similarly, other clues like a change in network connectivity, a Bluetooth device being in range (that’s a good one to provide an ‘in my car’ location for a ‘location’ that isn’t fixed).
It’s certainly possible to overload the UI with a myriad of options, but a few criteria to choose between one inactivity timeout value for locations the user has configured as ‘safe’, vs. a default for those he/she has not designated as ‘safe’, covers a wide range of needs without a complex UI no-one can figure out.
I for one would like the ability to set a long inactivity timeout at home, work and in the car (which triggers when I leave those places), and a very short one at all other times.
I see a few other feature requests around this topic; hopefully this provides further food-for-thought on the topic.
- Paul