Enable Retries on Entering Security PIN
Hi, team! Right now there is one shot at entering a PIN correctly in the popup before you have to enter the full password. Many of us "fat finger" PINs on the first try. Would appreciate having a configurable number, or at least 3 attempts before forcing the full password. Thanks for the consideration.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: iOS
Sync Type: Not Provided
Comments
-
Hi @RobTX,
Thanks for the suggestion; I've passed it on to our Apple developers for future consideration.
Our original decision to limit PIN attempts to just one was a calculated one: since there are only 10,000 possible combinations for the four-digit PIN, allowing 3 attempts vs. 1 would, naturally, triple the chance of successful brute forcing (from .01% to .03%), and that's ignoring the possibility of more educated guesses (e.g. someone looked over your shoulder and saw part of your PIN).
And now, with most of our iOS users using Touch ID/Face ID instead of a PIN code alongside the Master Password, most of our focus on the unlock experience is on those biometrics. I think it's only the iPad Air and iPad Mini 2 that can run the latest 1Password iOS app and don't have Touch ID or Face ID support.
Nonetheless, I definitely agree that having just one PIN entry attempt can be frustrating. Thanks again for bringing this one up, and for using 1Password. :)
ref: apple-3120
0 -
Funny you bring up FaceID, as I feel that is less secure than TouchID. It's nothing to hold up a phone to someone's face to unlock it anymore. If 4 digits is a concern, maybe expand it to 6 like iOS did. I don't use FaceID for any of my sensitive apps. I still use a PIN. :)
0 -
There is an option with Face ID to require that you are paying attention to your device in order for it to unlock:
About Attention Aware features on your iPhone X or iPad Pro - Apple Support
The vast majority of our customers have switched from PINs to biometrics, and so just from a resources vs reward standpoint I don't anticipate that we'll spend more time on the PIN feature. Just some additional food for thought. :)
Ben
0 -
Thanks, Ben. I appreciate your candor. Dashlane & LastPass support PIN with 3 retries. I'm an IT Security guy, and I'm not sold on the security of FaceID or TouchID. You'd have to hold a gun to my head to get my PIN. True 2-factor means something you know and something you are. Not just hold it up to my face or hold my finger to it. :P
0 -
You're welcome. But to be clear, there is no second factor involved here either way, and it isn't designed to be.
Ben
0