Currently, the biometrics unlock feature only requires authentication when the application starts. However, when the app is resumed from background, it remains unlocked, which I think slightly defeats the purpose, because users might not consistently recall that they should remove the app from recent apps to relock the database.
A solution to this problem could be to automatically relock the app after a while in the background. The delay could be configured from the settings menu when biometrics are enabled. Another workaround could consist of providing a shortcut in the UI to relock the database manually.
What platform are you on?
I've been using Android's App Lock for this purpose for years. I haven't tried Joplin's implementation, though.
But I'm not sure how exactly it works from the way you phrased it. Will it only require biometrics on launch, and then never again? Because App Lock will not lock your app just after a while in the background, but it will lock it after you lock your phone, even if the app stays running. (Which is perfectly sufficient, I think.)
I'm using the Android app. I'm specifically talking about the biometrics feature of Joplin, not a third-party application or a manufacturer mod. I don't think the App Lock thing exists within vanilla Android.
Currently, using Joplin's biometrics feature (beta), the app requires authentication with biometrics only on "cold starts". After it's been authenticated (unlocked) with biometrics a first time, it'll never ask for authentication again so long as it's still loaded in RAM (even if you lock and unlock the device afterwards). The only way to make Joplin prompt for biometrics again is to unload it from RAM, either by manually removing it from the recent apps menu, or by starting enough other apps to fill up the RAM so that Android garbage collects Joplin.
AFAIK, this problem is typically solved in password managers by creating a timer that starts when the application is put in the background (onPause) and that locks the app after the timer expires. After, say, 5 minutes, you can typically consider that the user is not actively using the app anymore and that it can safely be locked again.
Re-locking when the device is locked also sounds like a reasonable solution, although I suspect it's harder to implement, and slightly worse in terms of UX (as the device could get locked while you're writing a note in some cases).
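The background-timer policy described in the post above, as an added example that is not Joplin's code and not from any poster in this thread. It models the decision in plain JavaScript (Joplin's mobile app is React Native, so the same logic could be wired to its AppState handler; `RelockPolicy`, `runScenario` and the step names are hypothetical names chosen for this example). Rather than arming a `setTimeout` when the app is paused, it records the background timestamp and compares it on resume, because a JS timer is not guaranteed to fire while the app is suspended in the background; the clock is injected so the example runs offline with a fake clock and so a real deployment can pass a monotonic source instead of wall-clock time.

```javascript
// Added example: a relock policy for a biometrics-protected app.
// Not Joplin's implementation; names and structure are this example's own.

class RelockPolicy {
  // timeoutMs: how long the app may stay in the background before it must be
  // re-authenticated; 0 means "relock on every background transition".
  // nowFn: clock returning milliseconds; inject a monotonic clock in practice so
  // a user changing the system time cannot extend the window.
  constructor(timeoutMs, nowFn) {
    this.timeoutMs = timeoutMs;
    this.now = nowFn;
    this.locked = true;          // cold start: always locked
    this.backgroundedAt = null;  // null while the app is in the foreground
  }

  // Call once the biometric prompt succeeds.
  unlock() {
    this.locked = false;
    this.backgroundedAt = null;
  }

  // Call from onPause / the AppState "background" transition. Only the first
  // transition is recorded so repeated events do not reset the window.
  onBackground() {
    if (this.backgroundedAt === null) this.backgroundedAt = this.now();
  }

  // Optional stricter policy: relock as soon as the device itself is locked,
  // regardless of how long the app has been in the background.
  onDeviceLocked() {
    this.locked = true;
  }

  // Call on resume. Returns true when the caller must show the biometric
  // prompt before revealing any content.
  onForeground() {
    if (!this.locked && this.backgroundedAt !== null) {
      const elapsed = this.now() - this.backgroundedAt;
      if (elapsed >= this.timeoutMs) this.locked = true;
    }
    this.backgroundedAt = null;
    return this.locked;
  }
}

// Constructed driver with a fake clock (no real AppState events are used).
// steps: array of [name, arg] pairs; returns, for each 'foreground' step,
// whether a biometric prompt was required.
function runScenario(timeoutMs, steps) {
  let clock = 0;
  const policy = new RelockPolicy(timeoutMs, () => clock);
  const promptRequired = [];
  for (const [step, arg] of steps) {
    switch (step) {
      case 'unlock': policy.unlock(); break;
      case 'background': policy.onBackground(); break;
      case 'deviceLocked': policy.onDeviceLocked(); break;
      case 'advance': clock += arg; break;          // fake time passing
      case 'foreground': promptRequired.push(policy.onForeground()); break;
      default: throw new Error(`unknown step: ${step}`);
    }
  }
  return promptRequired;
}

const FIVE_MINUTES = 5 * 60 * 1000;

// Short background stay: no prompt. Five minutes away: prompt again.
console.log(runScenario(FIVE_MINUTES, [
  ['unlock'], ['background'], ['advance', 60 * 1000], ['foreground'],
  ['background'], ['advance', FIVE_MINUTES], ['foreground'],
]));
```

The policy keeps the decision (locked or not) separate from the UI, so the same object can be driven by a device-lock broadcast, a settings change to `timeoutMs`, or the manual "lock now" shortcut mentioned earlier in the thread, and the unlocked state is never left behind in the background just because a timer failed to fire.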
Yes, it would make sense to have some kind of timer. On many devices it doesn't matter because the operating system is going to close the app after a while anyway, so biometrics will have to be done again. The current implementation relies on this, but it's true it's not a guarantee, so a timer would be good.