It's either meant to do one approach or the other. If it's BTC like and open until action, then do that; otherwise ensure that client is locked and doesn't just appear to be most of the time. I don't mind either approach, although I think there's advantage having confirmation of password at the moment of action rather than having it open and with risk for a preferred amount of time. If it's open and available to action, then the user needs to use other screenlocks to secure the client's capability, which perhaps is odd.