ssh: Apple Watch biometric unlock not gracefully falling back

I've gotten my work MacBook and my Apple Watch into a state several times where 1Password's ssh agent refuses operations and only briefly pops up a Mac OS dialogue that's immediately dismissed.

I'm not sure exactly what is triggering the state where the Watch doesn't receive or display approval notices, but when it happens, the only solution I've found to let me use the ssh agent again is to take my watch off entirely.

This has been present for a while, but I just now figured out where to look for ssh-agent logs (~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log); this log is as of today's beta (80904012). I'm using Mac OS 15.1, and 1Password iOS 7.9.8 and its associated Watch app if it's relevant.

When I take my watch off, we can see the logic change to properly note that we cannot use the watch.
watch on:

INFO  2022-08-31T09:54:38.256 tokio-runtime-worker(ThreadId(1)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:81] failed to find NSApplication related to pid 4683
INFO  2022-08-31T09:54:38.270 tokio-runtime-worker(ThreadId(29)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
INFO  2022-08-31T09:54:38.277 tokio-runtime-worker(ThreadId(28)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
ERROR 2022-08-31T09:54:38.408 tokio-runtime-worker(ThreadId(29)) [1P:foundation/op-system-auth/src/apple.rs:144] Biometric unlock failed, system response: AuthenticationFailed
ERROR 2022-08-31T09:54:38.410 tokio-runtime-worker(ThreadId(2)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(FailedSystemAuthenticationChallenge)
INFO  2022-08-31T09:54:38.410 tokio-runtime-worker(ThreadId(2)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized

watch off:

INFO  2022-08-31T10:03:56.121 tokio-runtime-worker(ThreadId(2)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:81] failed to find NSApplication related to pid 4683
INFO  2022-08-31T10:03:56.133 tokio-runtime-worker(ThreadId(30)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: BiometricsOnly, current_method: TouchId, current_availability: SensorUnavailable }
INFO  2022-08-31T10:03:58.136 tokio-runtime-worker(ThreadId(30)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: BiometricsOnly, current_method: TouchId, current_availability: SensorUnavailable }
INFO  2022-08-31T10:03:58.140 tokio-runtime-worker(ThreadId(30)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: BiometricsOnly, current_method: TouchId, current_availability: SensorUnavailable }
WARN  2022-08-31T10:03:58.140 tokio-runtime-worker(ThreadId(2)) [1P:op-app/src/app/backend/lock_screen.rs:74] Biometry is unavailable: BiometryUnavailable
INFO  2022-08-31T10:03:58.192 tokio-runtime-worker(ThreadId(30)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: BiometricsOnly, current_method: TouchId, current_availability: SensorUnavailable }
INFO  2022-08-31T10:03:58.192 tokio-runtime-worker(ThreadId(4)) [1P:op-app/src/app/backend/unlock.rs:266] System unlock was attempted but we cannot use it.
INFO  2022-08-31T10:03:58.193 tokio-runtime-worker(ThreadId(31)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: BiometricsOnly, current_method: TouchId, current_availability: SensorUnavailable }
INFO  2022-08-31T10:03:58.193 tokio-runtime-worker(ThreadId(4)) [1P:op-app/src/app/backend/unlock.rs:266] System unlock was attempted but we cannot use it.
INFO  2022-08-31T10:04:03.465 tokio-runtime-worker(ThreadId(30)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: BiometricsOnly, current_method: TouchId, current_availability: SensorUnavailable }

Unfortunately, the checkbox in the preferences pane to disable Touch ID is greyed out, so I can't just click that to disable the functionality when it breaks.


1Password Version: 80904012
Extension Version: Not Provided
OS Version: MacOS 12.5.1
Browser: Not Provided

Comments

  • darken
    Community Member

    I can reproduce this issue.

    MacBook Pro 16" M1
    Apple Watch Series 3

    My laptop lid is closed and connected to an external keyboard (non-Apple) and mouse. Elevation prompts will ask me to confirm the request on my Apple Watch. 1Password does not do this to unlock vaults, or authenticate to the ssh-agent.

    INFO  2022-10-25T10:29:16.859 tokio-runtime-worker(ThreadId(74)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    INFO  2022-10-25T10:29:16.865 tokio-runtime-worker(ThreadId(74)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    ERROR 2022-10-25T10:29:16.867 tokio-runtime-worker(ThreadId(8)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(BiometryUnavailable)
    INFO  2022-10-25T10:29:16.867 tokio-runtime-worker(ThreadId(8)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized
    
  • zonywhoop
    Community Member

    I can reproduce as well.

    MacBook Pro 16" M1
    Apple Watch Series 5

    Laptop lid is closed, external (non-Apple) keyboard attached.

    INFO  2023-01-31T18:19:43.495 tokio-runtime-worker(ThreadId(31)) [1P:foundation/op-apple/src/biometry_service.rs:286] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    ERROR 2023-01-31T18:19:43.595 tokio-runtime-worker(ThreadId(31)) [1P:foundation/op-system-auth/src/apple.rs:146] Biometric unlock failed, system response: AuthenticationFailed
    ERROR 2023-01-31T18:19:43.595 tokio-runtime-worker(ThreadId(9)) [1P:op-automated-unlock/src/lib.rs:295] Failed to authorize using system biometry: FailedToUnlockWithKeys(FailedSystemAuthenticationChallenge)
    INFO  2023-01-31T18:19:43.595 tokio-runtime-worker(ThreadId(9)) [1P:ssh/op-ssh-agent/src/lib.rs:460] Session was not authorized
    
This discussion has been closed.
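
For anyone triaging the same symptom, the following is an added example (not part of the thread and not 1Password code). It pairs each ssh-agent "Session was not authorized" line with the biometric status and failure reason logged just before it. The line format is inferred from the excerpts quoted above, the sample lines are taken from those excerpts, and the function name and the `no_fallback` heuristic are assumptions of this example.

```python
import re

# Sample input: lines taken from the excerpts quoted in the thread.
SAMPLE = """\
INFO  2022-08-31T09:54:38.270 tokio-runtime-worker(ThreadId(29)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
ERROR 2022-08-31T09:54:38.408 tokio-runtime-worker(ThreadId(29)) [1P:foundation/op-system-auth/src/apple.rs:144] Biometric unlock failed, system response: AuthenticationFailed
ERROR 2022-08-31T09:54:38.410 tokio-runtime-worker(ThreadId(2)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(FailedSystemAuthenticationChallenge)
INFO  2022-08-31T09:54:38.410 tokio-runtime-worker(ThreadId(2)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized
INFO  2022-10-25T10:29:16.865 tokio-runtime-worker(ThreadId(74)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
ERROR 2022-10-25T10:29:16.867 tokio-runtime-worker(ThreadId(8)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(BiometryUnavailable)
INFO  2022-10-25T10:29:16.867 tokio-runtime-worker(ThreadId(8)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized
INFO  2022-08-31T10:03:58.192 tokio-runtime-worker(ThreadId(30)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: BiometricsOnly, current_method: TouchId, current_availability: SensorUnavailable }
INFO  2022-08-31T10:03:58.192 tokio-runtime-worker(ThreadId(4)) [1P:op-app/src/app/backend/unlock.rs:266] System unlock was attempted but we cannot use it.
"""

# LEVEL  TIMESTAMP  thread  [1P:source/path.rs:LINE]  message
LINE = re.compile(r"^[A-Z]+\s+(?P<ts>\S+)\s+\S+\s+\[1P:(?P<src>[^\]]+?):\d+\]\s+(?P<msg>.*)$")
STATUS = re.compile(r"current_policy: (\w+), current_method: \w+, current_availability: (\w+)")
REASON = re.compile(r"Failed to authorize using system biometry: \w+\((\w+)\)")

def denied_sessions(text):
    """One record per ssh-agent denial, with the last status/reason seen before it."""
    policy = availability = reason = None
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected log format
        msg = m["msg"]
        if (s := STATUS.search(msg)):
            policy, availability = s.groups()
        elif (r := REASON.search(msg)):
            reason = r.group(1)
        elif msg == "Session was not authorized" and m["src"].startswith("ssh/op-ssh-agent/"):
            out.append({
                "ts": m["ts"], "policy": policy, "availability": availability, "reason": reason,
                # Assumed heuristic: the system reported the watch as usable, yet the request was denied.
                "no_fallback": policy == "WatchOnly" and availability == "Available",
            })
            policy = availability = reason = None  # start fresh for the next attempt
    return out

if __name__ == "__main__":
    for rec in denied_sessions(SAMPLE):
        print(rec)
```

To run it against a real log, pass the contents of `1Password_rCURRENT.log` to `denied_sessions()` instead of `SAMPLE`.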