Currently, the biometrics unlock feature only requires authentication when the application starts. However, when the app is resumed from background, it remains unlocked, which I think slightly defeats the purpose, because users might not consistently recall that they should remove the app from recent apps to relock the database.
A solution to this problem could be to automatically relock the app after a while in background. The delay could be configured from the settings menu when biometrics are enabled. Another workaround could consist of providing a shortcut in the UI to relock the database manually.
What platform are you on?
I've been using Android's App Lock for this purpose for years. I haven't tried Joplin's implementation, though.
But I'm not sure how exactly it works from the way you phrased it. Will it only require biometrics on launch, and then never again? Because App Lock will not lock your app just after a while in the background, but it will lock it after you lock your phone, even if the app stays running. (Which is perfectly sufficient, I think.)
I'm using the Android app. I'm specifically talking about the biometrics feature of Joplin, not a third-party application or a manufacturer mod. I don't think the App Lock thing exists within vanilla Android.
Currently, using Joplin's biometrics feature (beta), the app requires authentication with biometrics only on "cold starts". After it's been authenticated (unlocked) with biometrics a first time, it'll never ask for authentication again so long as it's still loaded in RAM (even if you lock and unlock the device afterwards). The only way to make Joplin prompt for biometrics again is to unload it from RAM, either by manually removing it from the recent apps menu, or by starting enough other apps to fill up the RAM so that Android garbage collects Joplin.
AFAIK, this problem is typically solved in password managers by creating a timer that starts when the application is put in background (onPause) and that locks the app after the timer expires. After, say, 5 minutes, you can typically consider that the user is not actively using the app anymore and that it can safely be locked again.
Re-locking when the device is locked also sounds like a reasonable solution, although I suspect it's harder to implement, and slightly worse in terms of UX (as the device could get locked while you're writing a note in some cases).
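The onPause timer approach described above, as an added example that is not Joplin's code and was not posted in this thread: a hypothetical `AutoLock` class that takes the current time as an argument (so it can be driven from React Native's AppState `change` events in a real app and from a plain clock in tests), relocks on return to the foreground once the configured delay has elapsed, and also exposes the stricter relock-on-device-lock hook discussed in the thread.

```typescript
// Added example, not Joplin's own code. Relock policy driven by
// foreground/background transitions, as described for password managers.
// Assumed names: AutoLock, AppLifecycleState; `now` is a ms timestamp
// such as Date.now(), injected so the policy needs no real timers.

type AppLifecycleState = 'active' | 'background' | 'inactive';

class AutoLock {
  private locked = true;                     // cold start: always locked
  private backgroundedAt: number | null = null;
  private readonly timeoutMs: number;

  constructor(timeoutMs: number) {
    if (!Number.isFinite(timeoutMs) || timeoutMs < 0) {
      throw new RangeError('timeoutMs must be a non-negative number');
    }
    this.timeoutMs = timeoutMs;
  }

  /** Call after the user has passed biometric (or other) authentication. */
  unlock(): void {
    this.locked = false;
    this.backgroundedAt = null;
  }

  isLocked(): boolean {
    return this.locked;
  }

  /** Feed each AppState transition here, with the time it happened. */
  onStateChange(state: AppLifecycleState, now: number): void {
    if (state !== 'active') {
      // Leaving the foreground: remember the earliest departure time.
      if (!this.locked && this.backgroundedAt === null) {
        this.backgroundedAt = now;
      }
      return;
    }
    // Back in the foreground: relock only if the grace period has elapsed,
    // so a brief notification-shade or app-switch round trip stays unlocked.
    if (this.backgroundedAt !== null && now - this.backgroundedAt >= this.timeoutMs) {
      this.locked = true;
    }
    this.backgroundedAt = null;
  }

  /** Stricter variant from the thread: relock as soon as the device locks. */
  onDeviceLocked(): void {
    this.locked = true;
    this.backgroundedAt = null;
  }
}
```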
Yes, it would make sense to have some kind of timer. On many devices it doesn't matter because the operating system is going to close the app after a while anyway, so biometrics will have to be done again. The current implementation relies on this, but it's true it's not a guarantee, so a timer would be good.
Hi, can you make these changes please? I am finding that anyone can pick up my phone and Joplin is accessible without any security, in the same way as talked about above.
I'm encountering this problem recently, and I consider it to be a bug in an application of this sort. The provision of a biometric security barrier is a good start, but it does need to be easier to control. I would like to have the app locked within a few seconds of the screen turning off.
But this alone is not enough. If the biometric control is faulty or absent, or if the user just doesn't like it or is not physically able to use it, the user should be able to set up a PIN (up to 8 digits) to be entered in lieu of biometric validation.
Something like this is present in FairEmail (Android-only, Java).
While I would use a PIN lock, I don't expect it will ever be supported.
The related Github issue has been locked since 2019.
The related FAQ entry has existed since at least 2023.
Even Google apparently provides an answer stating Joplin does not have local or at-rest encryption.
Yet, PIN lock continues to be requested countless times in this forum for years now. The last request was made just a few days ago.
All this is either insufficient or unseen before users submit requests for a PIN lock. Do users typing "PIN" into a new topic need to be forced to read the above resources before posting?
If you need PIN lock, I'm convinced that you should use a different notebook app which supports it (like Notesnook or Standard Notes), a separate app locker, or develop the feature yourself.