Safari extension issues upon restarting device
When the Safari extension is unlocked, it does not lock itself upon restarting the device. Additionally, if it is locked (and the device is restarted), it allows biometrics to be used to unlock it even when the app hasn’t been unlocked at least once (the app disallows biometrics to be used on the initial unlock after a restart of the device, which the extension should mirror).
1Password Version: 7.9.3
Extension Version: Not Provided
OS Version: iOS 15.2
Comments
-
Whoops, posted this in the wrong category. Can someone please move this to the stable iOS category?
0 -
Bumping just in case this was missed.
0 -
I can confirm the same experience on the same version of 1P and iOS.
There is no option Settings > Advanced > Security > Require Master Password. It simply says that the master password will be required after 2 weeks. The extension is set to require re-auth after 1 day.
0 -
I'm sorry for the delay in responding and I hope that you both had a wonderful time during the holidays!
I've read over the thread and the behaviour, as described, is by design. Our new 1Password for Safari web extension for the iPhone and iPad does not share lock state with the main 1Password app. Rather it's controlled by the Require Authorization After setting found in the following location:
- Open and unlock the main 1Password app.
- Tap on Settings.
- Tap on Safari Extension.
If you have this set to 1 Day then you'll be asked to reauthorize 1Password for Safari using either Face ID or your account password after a day of inactivity and restarting your iPhone won't immediately trigger a need to reauthorize.
Regarding Face ID: if you restart your iPhone and the Require Master Password setting is set to 2 weeks then Face ID will remain available even after a restart unless Face ID has been expired for some other reason.
Please let me know if I misunderstood the issue and I'll be happy to help further. :)
0 -
Hey @Dave_1P, hope your holidays went well as well, and thanks for the info!
> If you have this set to 1 Day then you'll be asked to reauthorize 1Password for Safari using either Face ID or your account password after a day of inactivity and restarting your iPhone won't immediately trigger a need to reauthorize.

This seems... counterintuitive, to be honest. It seems like it just undermines the deliberate security decisions relating to biometrics for the iOS app, since a malicious party can completely skip the app and go straight for the Safari extension with biometrics. Why was this choice made?
> Regarding Face ID: if you restart your iPhone and the Require Master Password setting is set to 2 weeks then Face ID will remain available even after a restart unless Face ID has been expired for some other reason.

Unless two weeks have passed since the master password has been entered, correct?
Thanks!
0 -
> Unless two weeks have passed since the master password has been entered, correct?

That would be one reason for Face ID to expire, yes.
> This seems... counterintuitive, to be honest. It seems like it just undermines the deliberate security decisions relating to biometrics for the iOS app, since a malicious party can completely skip the app and go straight for the Safari extension with biometrics. Why was this choice made?

We really wanted to have the extension and app lock and unlock together on iOS, like is possible with our desktop apps ("shared lock state"). Unfortunately we ran up against some technical hurdles that we couldn't overcome. Hopefully it'll be possible to revisit that after further improvements are made. Web Extensions on iOS are still a very new technology.
Ben
0