Safari extension issues upon restarting device

winterqt
Community Member
edited December 2021 in iOS

When the Safari extension is unlocked, it does not lock itself upon restarting the device. Additionally, if it is locked (and the device is restarted), it allows biometrics to be used to unlock it even when the app hasn’t been unlocked at least once (the app disallows biometrics to be used on the initial unlock after a restart of the device, which the extension should mirror).


1Password Version: 7.9.3
Extension Version: Not Provided
OS Version: iOS 15.2

Comments

  • winterqt
    Community Member

    Whoops, posted this in the wrong category. Can someone please move this to the stable iOS category?

  • winterqt
    Community Member

    Bumping just in case this was missed.

  • ag_ana
    1Password Alumni

    Hi @winterqt!

    Can you confirm what the value of Settings > Advanced > Security > Require Master Password is in your 1Password app?

  • winterqt
    Community Member

    @ag_ana It’s set to the default of 2 weeks.

  • jvis
    Community Member

    I can confirm the same experience on the same version of 1P and iOS.

    There is no option Settings > Advanced > Security > Require Master Password. It simply says that the master password will be required after 2 weeks. The extension is set to require re-auth after 1 day.

  • @winterqt and @jvis 👋

    I'm sorry for the delay in responding and I hope that you both had a wonderful time during the holidays!

    I've read over the thread and the behaviour, as described, is by design. Our new 1Password for Safari web extension for the iPhone and iPad does not share lock state with the main 1Password app. Rather it's controlled by the Require Authorization After setting found in the following location:

    1. Open and unlock the main 1Password app.
    2. Tap on Settings.
    3. Tap on Safari Extension.

    If you have this set to 1 Day then you'll be asked to reauthorize 1Password for Safari using either Face ID or your account password after a day of inactivity and restarting your iPhone won't immediately trigger a need to reauthorize.

    Regarding Face ID: if you restart your iPhone and the Require Master Password setting is set to 2 weeks then Face ID will remain available even after a restart unless Face ID has been expired for some other reason.

    Please let me know if I misunderstood the issue and I'll be happy to help further. :)

  • winterqt
    Community Member

    Hey @Dave_1P, hope your holidays went well as well, and thanks for the info!

    > If you have this set to 1 Day then you'll be asked to reauthorize 1Password for Safari using either Face ID or your account password after a day of inactivity and restarting your iPhone won't immediately trigger a need to reauthorize.

    This seems... counterintuitive, to be honest. It seems like it just undermines the deliberate security decisions relating to biometrics for the iOS app, since a malicious party can completely skip the app and go straight for the Safari extension with biometrics. Why was this choice made?

    > Regarding Face ID: if you restart your iPhone and the Require Master Password setting is set to 2 weeks then Face ID will remain available even after a restart unless Face ID has been expired for some other reason.

    Unless two weeks have passed since the master password has been entered, correct?

    Thanks!

  • Ben
    edited January 2022

    > Unless two weeks have passed since the master password has been entered, correct?

    That would be one reason for Face ID to expire, yes.

    > This seems... counterintuitive, to be honest. It seems like it just undermines the deliberate security decisions relating to biometrics for the iOS app, since a malicious party can completely skip the app and go straight for the Safari extension with biometrics. Why was this choice made?

    We really wanted to have the extension and app lock and unlock together on iOS, like is possible with our desktop apps ("shared lock state"). Unfortunately we ran up against some technical hurdles that we couldn't overcome. Hopefully it'll be possible to revisit that after further improvements are made. Web Extensions on iOS are still a very new technology.

    Ben

This discussion has been closed.