Face ID, Autofill, Device PINs, and App PINs
Hi all. Semi-complicated but a single fundamental question: When using Auto-Fill Passwords and Face ID authentication on iOS, is there a way to turn off using the device PIN as a backup when Face ID fails or to use my Master Password as the backup when it does?
This manifests in two ways that I find problematic:
- In Safari on iOS, if I have access to a device and know the device PIN, I can use auto-fill passwords to access my 1Password logins with just the device PIN. Just cover the camera with your hand, force it to fail twice, and then enter the device PIN backup and it will auto-fill the credentials.
- iOS apps can get around this (or more accurately, sit in front of it) by setting app PINs. When Face ID is set as a login option and that fails, the app kicks to a separate app PIN for your backup. BUT, if you cancel out of that app PIN and just try to refill your password at the base login screen, you can use the same method as above to get in via auto-fill passwords and using the device PIN as a backup. So you've effectively gotten around needing the app PIN.
I fully recognize that this behavior is probably set by iOS itself and that it requires a pretty high level of access to the device (physical access, knowing the device PIN, 1Password not requiring its occasional Master Password check) but it would be, I think, a little more secure. I also fully recognize there are probably some settings I could turn off (including and especially Auto-Fill Passwords) if I find the behavior problematic. But the fundamental question remains the same: Is there a way to turn off using the device PIN as a backup when Face ID fails or to use my Master Password as the backup when it does?
1Password Version: 7.7
Extension Version: Not Provided
OS Version: iOS 14.3
Sync Type: Not Provided
Comments
-
I am not a member of the security team, but perhaps I can help with your question. If you Open 1Password > Settings > Advanced > Security -- Enable the option for Password AutoFill - This will always require the Master Password when Face ID fails and disable the option for a pin code.
0 -
@ag_tommy Thanks very much for this. This does appear to insert 1Password into the chain in a way that makes the Master Password the fallback rather than the device PIN. The popup screen does ruin a bit of the magic that the new autofill feature brought (I just set up a new phone and it really was magic getting all my apps signed in again so seamlessly) but I'll take it. Thanks again.
0