1Password is allowing me to access my bank account just using iPad passcode

ajcutz
Community Member

Using a bookmark in Safari on iPad Pro running iPadOS 13 to access my bank account, if I deliberately use the wrong Touch ID it then gives me the option to use my iPad passcode and not the 1Password master password and that then enters the information and allows me to access my bank account. That is extremely concerning because my iPad passcode is not as long or as secure as my master password. How do I stop that happening?



Comments

  • @ajcutz,

    Do you happen to have iCloud Keychain enabled in the Settings.app -> Passwords & Accounts -> AutoFill Passwords? The behavior you describe would be consistent with how iCloud Keychain handles autofill. 1Password itself should never fall back to device PIN/passcode for any of its mechanisms.

  • ajcutz
    Community Member

    Under autofill passwords only 1Password is checked. iCloud Keychain is NOT checked and I don’t use Keychain to store passwords.

  • ag_ana
    1Password Alumni

    @ajcutz:

    Making sure that you don't post anything sensitive, can you please post a screenshot of the PIN prompt? I would like to understand if this is coming from 1Password or from the OS. From what you wrote, I think this is coming from iOS itself, so 1Password is not involved here, but I would like to make sure.

  • ajcutz
    Community Member

    It certainly appears to be coming from iOS, but nevertheless it still enters the username and password from 1Password.

  • ag_ana
    1Password Alumni

    @ajcutz:

    Can you do a quick test for us? If you temporarily edit this login in 1Password, is the new information filled when the PIN prompt appears? This would help confirm where the information is really coming from.

  • ajcutz
    Community Member

    I made the edit and the edited version showed up, so it is coming from 1Password.

  • ajcutz
    Community Member

    So just out of interest, I installed the free version of Dashlane and when I use the incorrect Touch ID it allows 2 chances and on the 3rd try asks for the master password, which is what I expected from 1Password.

  • Hi @ajcutz

    Do you have the setting 1Password > Settings > Advanced > Security > Always show lock screen for Password AutoFill? This setting should be on by default on an iPad.

    Ben

  • ajcutz
    Community Member

    I can’t find the advanced setting on iPad.
    I also have an update for this problem. This security hole is specific to Safari and doesn’t happen in Chrome or Firefox. They lock down after five attempts with an incorrect Touch ID and ask for the master password.

  • @ajcutz

    In the 1Password app at the bottom right is the Settings (gear) icon. From there you'd need to select Advanced and then Security in order to see the setting I'm talking about. It should be enabled.

    Ben

  • ajcutz
    Community Member

    I didn’t scroll down enough for the Advanced setting, but I have done that now and the setting was off. I have turned it on and 1Password now asks for the master password instead of the iPad PIN code. However, the issue still needs addressing, because Chrome and Firefox ask for the master password whether that security switch is on or off, so only Safari is impacted.

  • Thanks @ajcutz. Safari on iOS has special properties that aren't available to 3rd party browsers. As such I'm not sure this is a situation we'd be able to address directly, other than through the setting we've discussed, but I'll certainly mention it to our development team.

    Ben

  • ajcutz
    Community Member

    OK Ben and thanks to you and the team for your quick responses and help.

  • You're most welcome. If we can be of further assistance, please don't hesitate to contact us.

    Ben

  • ymztennis78
    Community Member

    Same problem.

  • ag_ana
    1Password Alumni

    @ymztennis78:

    Have you tried all the suggestions mentioned in the discussion so far? And specifically Ben's suggestion?

  • ymztennis78
    Community Member

    I just turned on “Always show lock screen for Password Autofill,” and now if my fingerprint isn’t recognized once, I get a message that since my fingerprint wasn’t recognized five times I have to use the master password. I didn’t try it five times! The fingerprint is rarely recognized the first time, so it looks like I’m stuck using the password just about every time. I don’t think this is how this was supposed to work, but it’s better than someone being able to access my websites that I use 1Password for with my passcode. I think this is a problem you should fix. I certainly won’t be able to recommend 1Password to anyone else knowing that this issue exists.

  • ag_ana
    1Password Alumni

    @ymztennis78:

    I cannot reproduce this issue here; my fingerprint is always recognized. Have you tried enrolling the fingerprint again in the iOS Settings?

  • ymztennis78
    Community Member

    I do that at least monthly. There are reasons that fingerprints are not always recognized, dry skin and age being some, but a public forum is not the place to discuss this. Also, since I made the change suggested above my program is really wacky, always asking for the 1Password login to do anything at all. Is there some way to talk to someone about all the settings to figure out how to set up the program so that it works the way it’s supposed to? It’s too hard to explain here and also to go over all my settings to make sure they’re now correct.

  • @ymztennis78

    We'd be happy to discuss further by email. To facilitate that I'd like to ask you to create a diagnostics report from your iOS device:

    Sending Diagnostics Reports (iOS)

    Attach the diagnostics to an email message addressed to support+forum@agilebits.com.

    With your email please include:

    • A link to this thread: https://discussions.agilebits.com/discussion/comment/542462/#Comment_542462
    • Your forum username: ymztennis78

    That way I can "connect the dots" when I see your diagnostics in our inbox.

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so I can track down the diagnostics and ensure that this issue is dealt with quickly. :)

    Once I see the diagnostics I'll be able to better assist you. Thanks very much!

    Ben

This discussion has been closed.