Face ID, Autofill, Device PINs, and App PINs

Options
GS1234
GS1234
in iOS

Hi all. Semi-complicated but a single fundamental question: When using Auto-Fill Passwords and Face ID authentication on iOS, is there a way to turn off using the device PIN as a backup when Face ID fails or to use my Master Password as the backup when it does?

This manifests in two ways that I find problematic:

  • In Safari on iOS, if I have access to a device and know the device PIN, I can use auto-fill passwords to access my 1Password logins with just the device PIN. Just cover the camera with your hand, force it to fail twice, and then enter the device PIN backup and it will auto-fill the credentials.
  • iOS apps can get around this (or more accurately, sit in front of it) by setting app PINs. When Face ID is set as a login option and that fails, the app kicks to a separate app PIN for your backup. BUT, if you cancel out of that app PIN and just try to refill your password at the base login screen, you can use the same method as above to get in via auto-fill passwords and using the device PIN as a backup. So you've effectively gotten around needing the app PIN.

I fully recognize that this behavior is probably set by iOS itself and that it requires a pretty high level of access to the device (physical access, knowing the device PIN, 1Password not requiring its occasional Master Password check) but it would be, I think, a little more secure. I also fully recognize there are probably some settings I could turn off (including and especially Auto-Fill Passwords) if I find the behavior problematic. But the fundamental question remains the same: Is there a way to turn off using the device PIN as a backup when Face ID fails or to use my Master Password as the backup when it does?

1Password Version: 7.7
Extension Version: Not Provided
OS Version: iOS 14.3
Sync Type: Not Provided

Comments

  • ag_ana
    ag_ana
    1Password Alumni
    Options

    Hi @GS1234! Welcome to the forum!

    I just wanted to tell you that I have sent your post to our security team, I think some input from them on this would be useful. We will post back here as soon as we have an update :+1:

  • ag_tommy
    ag_tommy
    Options

    @GS1234

    I am not a member of the security team, but perhaps I can help with your question. If you Open 1Password > Settings > Advanced > Security -- Enable the option for Password AutoFill - This will always require the Master Password when Face ID fails and disable the option for a pin code.

  • GS1234
    GS1234
    Options

    @ag_tommy Thanks very much for this. This does appear to insert 1Password into the chain in a way that makes the Master Password the fallback rather than the device PIN. The popup screen does ruin a bit of the magic that the new autofill feature brought (I just set up a new phone and it really was magic getting all my apps signed in again so seamlessly) but I'll take it. Thanks again.

  • ag_ana
    ag_ana
    1Password Alumni
    Options

    On behalf of Tommy, you are welcom @GS1234! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.