‘Never’ option removed from Require Master Password?
Has the option to select ‘never’ for requiring a master password (if Face ID is active) been removed on iOS for iPhones? Three weeks ago it was there, and now the option is missing. Oddly and fortunately, the option is still present on my iPad (see screenshots).
Is this a bug or has the feature been removed on iPhones? If it’s been removed, please bring that back. The ability to unlock with Face ID even after a restart is critical and arguably even more secure than typing in a master password over and over again.
1Password Version: 7.9.5
Extension Version: Not Provided
OS Version: iOS 15.3.1
Comments
-
Hey @keinanesq !
I also stumbled about this missing setting. I thought I was wrong, but good to know that the setting was there before the update. I can remember that after restarting my device I had to type in my master password, or I could use Face ID.
I think this was introduced in 7.9.4 as you can read in the changelog:
https://app-updates.agilebits.com/product_history/OPI4#v709040021Password no longer requires you to type your master password every reboot in order to re-enable Touch ID or Face ID unlock. {#5533}
Now, it is not possible to switch to Face ID after restarting the device. I have to type in my master password every time I restart my device.
Maybe this is a bug? Please bring back the Never-setting to the iOS version.
0 -
This content has been removed.
-
Hey @DenalB / @keinanesq:
There's two improvements / changes that we've made here that are related to one another:
- Biometry is now available after a reboot immediately, without needing your password (assuming the "Require Master Password" timer has not been reached), no matter what option has been selected. In this case, your setting of "After device restart" from your iPhone screenshot would disallow biometry on boot.
- The short version is we wanted to help people from locking themselves out of the 1Password app. With the lockout timer set to "Never", it's completely possible to use biometry for months or even longer, then run into a situation where biometry is no longer available for one reason or another (iOS update, upgrade to a new phone, similar), and because they haven't typed the password in months and don't remember it, can no longer unlock it with their password. The "Never" option is no longer available as an option for "Require Master Password". If it's currently configured as the option in 1Password for iOS, it will remain selected and function as it did before, but on any new installs of 1Password, or after changing the setting from "Never", "Never" will no longer be available as a selectable option.
Let me know if that explains it! :smile:
Jack
0 -
Hey @Jack.P_1P !
Thanks for explaining.
My problem is, that my wife also uses my vault on her device because she only needs 2 or 3 passwords. So she rarely opens 1Password. And if she requires these passwords now, she has to type in the master password that she always forgets... Hopefully it will work in the future. Let's see...
Maybe it could be possible to add a longer time like 90 or 180 days? ;)
0 -
Hi Folks!
This is all helpful, and thanks for the great dialogue. Allow me to register my dissent and advocate for returning this setting.
First, thanks @Jack.P_1P for your thoughtful and candid response on 1Password's thinking here. Your explanation was illuminating and very helpful in understanding how the revised functionality works.
What concerns me is that 1Password prides itself (I think rightfully) on its security, but this change makes users less secure. It's well researched and common knowledge at this point that the more times a user has to input a password, the less secure it is. Forcing users to enter/retype their master password on completely arbitrary time intervals so that they 'don't forget their password' is seemly antithetical to the mission of keeping users secure.
Understanding that there's often a balance for software makers to decide between security and supporting users, some 'compromises' (to use our good friend @Ben 's terminology) may be made. But even if we accept that premise (which in this instance, it doesn't seem to apply because there are 7 other options), the decision to remove 'never' seems particularly unsound:
- "Never" was never (haha) the default set for any user. In order for a user to actually set it as such, they must have affirmatively sought out a hidden advanced setting and affirmatively changed it.
- As far as one can tell, there was no clamoring by users for this setting to be removed. In fact, it's quite the opposite. A cursory search of these forums alone yielded not one instance of requesting 'never' be removed as an option. On the other hand, there are countless threads and posts about 1Password incessantly asking to users to enter their master passwords. (Heck there are three threads on just the first page of the iOS subsection saying as much). Taking an action that is so inconsistent with user sentiment, particularly when it is unnecessary and no demand for it is a bit odd.
- Finally, keeping the setting enabled on some devices (those where it already exists) suggests the change isn't all that critical and certainly not about keeping users more secure, otherwise you all would have disabled it immediately and informed users the option had been removed.
Making a change to seemingly protect users from themselves is admirable and, one assumes, very helpful to you fine folks who deliver great support to users. I want to acknowledge the great work that you all in support do. It's tough, so I certainly want to name the balance that 1Password is trying to strike here. And as admirable as the motivations for the change are, doing so at the expense of security of others, especially when the change ensures other users like myself cannot be as secure as possible is less than ideal.
Because we know passwords, even very good ones, are less secure than biometrics, particularly Apple's implementation of Face/Touch ID, having 'never' as the option was the most secure way to keep users' vaults out of the wrong hands. I hope 1Password reconsiders and brings back the option to 'never' type in the master password after first time when biometrics are enabled.
Thanks again for the great work you all do in supporting users.
0 -
Hey guys/gals: MY iPhone (11) is at iOS 15.3.1. MY VER of 1PW IS at 7.9.5!!
It STILL HAS the "Never" option in the panel "Require Master Password" (Which I just today set to 'Never').......
Why/how did this Thread get going? Are'nt ALL iPhone11 with 1PW 7.9.5 the same??? And especially if o iOS 15.3.1,,,, Is there a later iOS update that I have overlooked?
This is REALLY weird !!
Comments?0 -
Just reinstalled 1Password 7.9.5 on my iPad 2019 with iPasOS 15.3.1 installed. And the setting "Never" still exists, and I'm able to select.
On my iPhone 12 Pro Max with iOS 15.3.1 installed, the seting "Never" is not available after reinstalling 1Password 7.9.5.
So it looks like the setting doesn't depend on the iOS / iPadOS and the 1Password app installed. And it doesn't matter if you are reinstalling 1Password or not... 😕
0 -
Again: This setting seems to be "Hardware related" .... My iPhone is Ver 11 (2yrs old); my iPad is iPad Pro 2nd Gen (4years+) old
BOTH of my devices have up to date SW and BOTH have the "Never" option available...I know enough German to see that your re-install on iPadPro returned the "Never" as an option. But... your iPhone 12 Pro Max does NOT have it? Is that right?
More comments please! Why is this happening? Is 1PW just not in sync w/Apple? I'm confused...
0 -
But... your iPhone 12 Pro Max does NOT have it? Is that right?
Yep, that's right.
0 -
@sncooper: Thanx...at least there are many differences being found w/ 1PW update 7.9.5!
In my version of 7.9.5,,, the Required Master Password OPTION (found in 1PM Settings> Advanced > Security > Require Master Password
is STILL headed by "NEVER" then a table of options like "After Device Restart", then 1Hour, 1Day, 2 Days...etc to final option of 30 days .What some have noted here that the "NEVER" option was dropped in 1PM 7.9.5 ; Apple iOS 15.3.1,
My iPhone 11 AND iPadOS 2nd gen STILL have the NEVER option.Many others in this thread have complained the option was eliminated (E.G. a iPhone ver 12...and others).
Now do you get the picture? Different results of Software upgrades according to AGE of the Hardware!
W H Y?
@three-cushion0 -
I noticed a bug - the screen text does not match actual behaviour (at least on an iPhone.)
I just restarted my iPhone and was surprised not to be challenged for the Master password.
The screen says "Your Master Password will be required after 2 weeks, after device restart, or if Face ID authentication fails.
What I am saying is that the description on the settings screen does not marry with what is actually happening because I was not asked for a password on reboot - tested on another iPhone and iPad to be sure before posting here.
I am in the camp that wants to be asked for the master password on restart, and a little disgruntled that this was changed without letting people know.
I was once mugged and forced to unlock my phone at knifepoint, just for the sake of stealing my iPhone so that they could then switch it off to prevent it being tracked by 'Find my phone'.
It was a terrible experience, however I felt comforted knowing that 1Password had my back, and that on reboot even if they somehow hacked my phone they would not get into 1Password and my bank accounts.
I started receiving fake text messages (on my new phone) purporting to be apple having found the location of my phone, and asking me to login with my Apple ID on a website to track the location - so they had managed to hack into my phone to some degree.
I am definitely in the camp of wanting an extra level of security so that an extra password is required and not just relying on Fingerprint / Face ID.
Incorrect information displayed under 'Face ID' toggle.
0 -
@sncooper: I got it! AND, I am in the camp of Require Your Password = NEVER....as long as FaceID works. I will NOT forget my Master password.... Need it for some special logins.....so wont forget it.
This reminds me of a Large co (Apple) trying to set up their support of behavior modification. Come on, Apple,,, leave it alone! Stop trying to change me.... That is one on Microsoft's Big errors, IMHO.And...Agile .... dont copy Apple. Let us users set our behavior...OK?
0 -
I'm currently trying out 1password as I consider switching from LastPass. So far I have liked the community engagement and the UI, but I'm hung up on this setting as well. I share my account with my wife, who I would love to use a password manager more, but if she has to enter the master password frequently to unlock it then she will probably never use it. I will not forget the master password and have the emergency kit to regain access in the unlikely occasion that I do forget it. Not necessarily a deal breaker but something that is weighing a little more heavily in my decision.
0 -
Hey folks, thanks for following up here!
As you noticed, the text that elaborates on when the password will be required does still say that the password will be required after a restart. The text for that wasn't updated with this change, but will be updated soon.
The setting for "After Device Restart" still will require your password after rebooting your device, and for that situation, using that setting may be your best option.
Jack
0 -
Hi Folks! Following up here with two notes.
1. Appreciate how thorough 1Password's release notes are 👍🏽, and
2. 1Password just added the equivalent of 'never' to the Windows version. 👍🏽👍🏽But certainly this begs the question about why 1Password removed the 'never' option. I would note that the TMP biometric feature has been requested for a long time, and their implementation is well done and the right move. Now, unless there's some secret time-out (which wouldn't be very user-friendly, so I assume there isn't), you can sign-in, post-restart or post-shutdown, with biometrics (Windows Hello), without the need to input the master password.
I've been using this since it came out this week and it works exactly as it used to on iOS.
Soooo... can we just have the 'never' option back? It's actually been quite a pain (less secure and holistically unnecessary) to have to input the password on a phone incessantly. It's exceptionally odd to claim there were reasons for removing 'Never' on iOS, and then turn around and implement 'never' on the PC.
0 -
Hi @keinanesq:
Thanks for following up on this, and I'd like to apologize for the delay in getting back to you. To clarify, even with TPM support enabled for 1Password 8 for Windows, after 2 weeks without entering your account password, you will be required to enter it once before being able to use Windows Hello unlock again. Similar to us removing the "never" option, we're trying to balance convenience with not forgetting the account password.
Jack
0