master password lock for inactivity #196

Closed
wokawoka opened this issue Aug 11, 2019 · 9 comments

@wokawoka

hello,
I've searched through the past issues but strangely I couldn't find anyone requesting a function that looks very simple to me: inactivity lock of the app and requesting of the master password after a fixed amount of idle time.
I've also gone through the options of the app itself multiple times and couldn't find anything related to it.
Am I missing something, if not, do you eventually plan to add this option in the future?
Keep up the great work. Thank you

@vladimiry
Owner

  • Doesn't locking the entire system/computer for inactivity solve the need?
  • What do you expect the lock for inactivity feature would do?
    • We just block the interface with a password input form. The accounts will remain open, the delayed login timers enabled, desktop notifications enabled, the local database remains loaded in the memory, etc. So the app is fully active but the interface is blocked.
    • We perform complete logout action which involves unloading the data from the memory. The unlocking action would be the same action the app performs when it starts, so the cold start.
    • Something else.
  • What are the metrics of inactivity?

> I couldn't find anyone requesting a function

Well, it's probably because the feature is not considered as a crucial one.

> Am I missing something, if not, do you eventually plan to add this option in the future?

Enabling the feature is not planned yet.

@wokawoka
Author

Considering that this client is specifically focused on secure e-mail providers I believe that being able to lock the interface after the computer has been inactive for a while could be a very valuable function.

There are situations where locking the entire system is not an option, or the same account has to be shared with other people, or again the system locking has to be set to a longer period of inactivity than the one preferable to secure one's private e-mails; also, on Windows, the system locking is known to be weak and easy to bypass so that any other additional security measure would help a lot.

Many other programs I regularly use provide this possibility, Telegram Desktop and KeePass are just the ones that come to my mind.

Personally, I would just block the interface with a password input form and block the notifications and leave everything in memory. Maybe not the most secure way but still way much better than nothing.

A simple metric could just be not moving the mouse cursor for x minutes, but I'm sure that there are much better ways to easily count the number of minutes of inactivity on a machine.

@vladimiry
Owner

> Personally, I would just block the interface with a password input form and block the notifications and leave everything in memory. Maybe not the most secure way but still way much better than nothing.

The described locking scenario would also be weak. Probably weaker than the Windows locking system as you described it:

> on Windows, the system locking is known to be weak and easy to bypass so that any other additional security measure would help a lot.

@wokawoka
Author

It would not be weaker than the system locking because it would not replace it, you could have both at the same time so it would just ADD a layer of security in the same way that many other programs that focus on security are doing.

But from the tone of your first answer I can see that this is not going to happen in any way so I will stop bothering.
Thank you again for the project.

@vladimiry
Owner

The fact that enabling the feature is not planned at the moment doesn't mean that the feature won't land here in the future.

I don't want the feature to be misleading. If the app only blocks the interface there will be a need to notify a user that it's a weak way of locking. But showing such a notification, in my opinion, would be bad UX.

@vladimiry
Owner

vladimiry commented Aug 14, 2019

I think that in addition to blocking the interface the app should do the following:

  • Clear the accounts' credentials from the memory.
  • Unload the local database from the memory.
  • Turn off the network access for the app by emulating the offline state (supported by Electron).

If we do that then I think locking could be considered secure and so there will be no need to show a warning hint.

@vladimiry
Owner

vladimiry commented Aug 25, 2019

The initial implementation will include the logout action performed after an idle period, not the app screen locking. Because if you had saved the master password ("keep me signed in" feature) it won't make sense to just lock the app screen since it will be easy to bypass such locking by just restarting the app.
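
The logout-on-idle behaviour described in the comments above (clear the credentials, unload the database, go offline, and require a cold start to get back in), as an added example that is not part of the thread or the project's code. The class, its parameter names and the sample values are hypothetical, and the Electron calls appear only in comments.

```javascript
// Added example; IdleLogout, getIdleSeconds, setOffline and unlock are hypothetical names.
class IdleLogout {
  constructor({ idleLimitSec, getIdleSeconds, setOffline }) {
    this.idleLimitSec = idleLimitSec;
    this.getIdleSeconds = getIdleSeconds; // Electron: () => powerMonitor.getSystemIdleTime()
    this.setOffline = setOffline; // Electron: (v) => session.defaultSession.enableNetworkEmulation({ offline: v })
    this.state = null; // null means logged out
  }
  // Cold start: unlock(masterPassword) must return { key: Uint8Array, db }.
  login(masterPassword, unlock) {
    this.state = unlock(masterPassword);
    this.setOffline(false);
  }
  // Call from a periodic timer; returns true when a logout was performed.
  check() {
    if (this.state === null || this.getIdleSeconds() < this.idleLimitSec) return false;
    this.logout();
    return true;
  }
  logout() {
    if (this.state === null) return;
    this.state.key.fill(0); // typed arrays can be overwritten; JS strings cannot
    this.state.db = null; // drop the decrypted database
    this.state = null;
    this.setOffline(true); // no network activity while logged out
  }
  isLoggedIn() { return this.state !== null; }
}

// Constructed demo: a fake idle clock and offline flag replace the Electron calls.
function demo() {
  let idle = 0;
  let offline = false;
  const key = new Uint8Array(32).fill(7); // constructed key material
  const lock = new IdleLogout({
    idleLimitSec: 300,
    getIdleSeconds: () => idle,
    setOffline: (v) => { offline = v; },
  });
  lock.login("constructed-password", () => ({ key, db: { mails: [] } }));
  idle = 120;
  const early = lock.check(); // below the limit: nothing happens
  idle = 301;
  const late = lock.check(); // past the limit: full logout
  return { early, late, offline, loggedIn: lock.isLoggedIn(), keyWiped: key.every((b) => b === 0) };
}
```

Because nothing usable stays in memory after `logout()`, restarting the app gains nothing over waiting at the password prompt, provided the master password is not saved on disk.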

@vladimiry
Owner

@wokawoka can you try this build?

Here is how to configure the idle period:
[image: idle]

@vladimiry
Owner

Released with v3.8.0.
