Feature Request: Unlock 1Password for iOS using a custom PIN and not the device passcode

System
edited June 2023 in iOS
This discussion was created from comments split from: Unlocking 1Password for iOS using a PIN code.

Comments

  • mvasilakis
    Community Member

    Is it on the roadmap to give us the option to select our own 4-6 digit passcode [pin] instead of using the same passcode that unlocks the iPhone? This seems like a security risk because if someone is able to observe us unlock our phone they potentially have access to our whole lives. I prefer the 1Password7 option where we could define the PIN instead of being relegated to the device pin.

  • Dave_1P
    edited May 2023

    @mvasilakis

    If you choose to enable the feature, 1Password 8 supports using your device PIN to unlock the app. If you do enable this option then you should choose a strong passcode that is difficult to guess or view. For those concerned with security, you can enable Face ID / Touch ID unlock rather than using the device PIN:

    Alternatively, you can choose to unlock 1Password using your account password which you can change to be easier to type in while still being strong and unique: How to choose a good 1Password account password

    -Dave

    ref: PB-33332220

  • mvasilakis
    Community Member

    Over the years I’ve come to trust a lot of info to 1Password and therefore the info in 1password is way too important to trust to a device pin. For 1password I prefer a pin unique to the app. Preferably requiring a password every few days. Also I’m not comfortable shortening my password for comfort's sake. 1password is about security and while some folks might be ok with comfort and reduced security, I am not.

    While Face ID has gotten better I’m still not comfortable with it unlocking financial website info. If it were the passwords to a few websites I wouldn’t care. But in my case the stakes are larger and a 6 digit pin that unlocks my phone is just too unsafe.

  • @mvasilakis

    To be clear: I'm not suggesting that you choose a password that reduces security. However, it's possible to choose a password that is easier to type in while still being secure and unique as explained in the guide that I linked to above. It's also important to remember that your data is not just protected by your account password but by your Secret Key as well: About your Secret Key

    You can also choose a device PIN that is longer than 6 digits by choosing "Custom Alphanumeric Code" in your iPhone's settings: Set a passcode on iPhone - Apple Support (CA)

    That all being said, I've passed along your feedback to the Product team.

    -Dave

    ref: PB-33332220

  • pete16
    Community Member

    I agree. We should have the ability to use a different PIN for 1password from the device/iPhone PIN. This backward step of functionality from 1password 7 is extremely disappointing and disheartening. Especially from a long long term user.

    I can’t understand the thought process on this. Security is surely at front and centre of your minds and business. This doesn’t make sense.

    Please fix this. Please. And please educate me as to why I am wrong. Thank you kindly 1password team.

  • @pete16

    I'm not on the product team myself but I believe that one of the major motivators was that, in the old days of 1Password 7, we saw a lot of folks permanently lock themselves out of their 1Password accounts or vaults because they believed that the "custom PIN" that they had set for 1Password was actually their account password. Then, when they needed to set up 1Password on a new device, they no longer remembered their actual account password and were locked out.

    At the moment you can unlock 1Password for iOS using three different options:

    1. Your account password, which can be made easier to type in while still being secure: How to choose a good 1Password account password
    2. Face ID or Touch ID.
    3. Your device PIN which can be made longer and more complex than just the default 4-6 digits: Set a passcode on iPhone - Apple Support (CA)

    Can you tell me a little more about why none of these options would work for your use case? What specific threat are you trying to protect against where none of these options would be an acceptable path forward? I would be happy to pass along your reply to the product team. 🙂

    -Dave

    ref: PB-33499680

  • munoo
    Community Member

    Dear 1Password team,
    I trust this message finds you all in good health.

    I would like to formally request the addition of a separate Pin Code feature in 1Password 8, separate from the device PIN Code. This particular functionality was available in 1Password 7.

    While it is true that 1Password 8 has introduced Pin code support, it is currently limited to the device's PIN code. In contrast, 1Password 7 allowed users to set a different Pin code for enhanced security purposes.

    Thank you for your attention to this matter.
    Best regards,
    Munoo Chahar

  • Dave_1P
    edited June 2023

    Hello @munoo! 👋

    Thank you for the suggestion! Can you tell me a little more about why the current options to unlock 1Password don't work for your use case? You can unlock 1Password for iOS using your account password, Face ID / Touch ID, or your device passcode.

    I look forward to hearing from you. 🙂

    -Dave

  • munoo
    Community Member

    Dear Dave_1P,

    Thank you sincerely for your prompt response.

    At present, 1Password 8 offers three locking options:

    1. Master Password: The purpose of a password manager is to relieve the burden of remembering multiple passwords, requiring only the recall of a single master password. My master password is both complex and lengthy, rendering it inconvenient to input each time 1Password is used.

    2. Face ID: In certain situations and specific workplaces, the use of Face ID may be prohibited, necessitating the use of a passcode as an alternative. Personally, I harbor concerns about the security of relying solely on Face ID for 1Password. Notably, many applications, such as Dropbox, provide the capability to set a pin code.

    3. Pin Code: Password managers bear significant importance for numerous individuals as they store valuable account credentials, bank details (including credit/debit card information), and secure notes. To enhance security and foster peace of mind, it is advisable to assign a distinct pin code to each specific application. The probability of someone inadvertently discovering your device's passcode outweighs the likelihood of them gaining access to the app's passcode.

    I appreciate your attention to this matter.

  • Dave_1P
    edited June 2023

    @munoo

    Thank you for the detailed reply. From what you've written here, it seems that the best option for your specific use case would be for you to change your account password to something that is easier to type in while still being secure. I've linked to our guide about choosing a good account password already but here it is again for convenience: How to choose a good 1Password account password

    Remember that, unlike other services, 1Password doesn't just use your account password but it also uses a unique 34-character Secret Key to protect your data: About your Secret Key

    That being said, I've passed your comments along to the team.

    -Dave

    ref: PB-33532152

  • munoo
    Community Member

    Dear Dave_1P,

    I would like to express my gratitude for your prompt reply. I am aware that 1Password utilizes a distinctive 34-character Secret Key to safeguard user accounts. In addition, I have taken the precautionary measure of enabling two-factor authentication (2FA) through the use of a Yubikey.

    Nevertheless, my request does not pertain to the introduction of a novel feature. 1Password 7 already possesses this feature that I am referring to. And many other apps also do. Therefore, I kindly request that you reinstate this feature in the current version.

    Thank you for your attention to this matter. I look forward to your response.

    Best regards,
    Munoo Chahar.

  • munoo
    Community Member

    Hi,
    I couldn't find this thread earlier, so I initiated a new thread regarding this issue. I have posted a comment there. Now I am posting here as well.

  • munoo
    Community Member

    Dear 1Password team,
    I trust this message finds you all in good health.

    I would like to formally request the addition of a separate Pin Code feature in 1Password 8, separate from the device PIN Code. This particular functionality was available in 1Password 7.
    While it is true that 1Password 8 has introduced Pin code support, it is currently limited to the device's PIN code. In contrast, 1Password 7 allowed users to set a different Pin code for enhanced security purposes.

    At present, 1Password 8 offers three locking options:

    1. Master Password: The purpose of a password manager is to relieve the burden of remembering multiple passwords, requiring only the recall of a single master password. My master password is both complex and lengthy, rendering it inconvenient to input each time 1Password is used.

    2. Face ID: In certain situations and specific workplaces, the use of Face ID may be prohibited, necessitating the use of a passcode as an alternative. Personally, I harbor concerns about the security of relying solely on Face ID for 1Password. Notably, many applications, such as Dropbox, provide the capability to set a pin code.

    3. Pin Code: Password managers bear significant importance for numerous individuals as they store valuable account credentials, bank details (including credit/debit card information), and secure notes. To enhance security and foster peace of mind, it is advisable to assign a distinct pin code to each specific application. The probability of someone inadvertently discovering your device's passcode outweighs the likelihood of them gaining access to the app's passcode.

    I am aware that 1Password utilizes a distinctive 34-character Secret Key to safeguard user accounts. In addition, I have taken the precautionary measure of enabling two-factor authentication (2FA) through the use of a Yubikey.

    Nevertheless, my request does not pertain to the introduction of a novel feature. 1Password 7 already possesses this feature that I am referring to. And many other apps also do. Therefore, I kindly request that you reinstate this feature in the current version.

    Thank you for your attention to this matter.

    Best regards,
    Munoo Chahar

  • pete16
    Community Member

    Hi Dave,

    Many people who might see you regularly at work might know your iPhone passcode. Also children know our phone passcode. We don’t want either of these groups knowing how to access 1password.

    Recent stories of phones being stolen with known passcodes are also a major security threat I am concerned about. I'm sure most users and your team here will have heard of the news linked here.
    https://appleinsider.com/articles/23/02/24/if-both-your-iphone-and-passcode-get-stolen-youre-in-deep-trouble
    https://9to5mac.com/2023/04/19/locked-out-of-apple-accounts/

    I am requesting the unique PIN available in 1password 7 be re-instated in 1password 8.

  • munoo
    Community Member

    Hi @Dave_1P,
    I second @pete16. It is a legitimate concern.
    Please reinstate the PIN code.

  • @munoo

    I've merged the two threads together so that we can keep the conversation in one place. As mentioned in my reply to you yesterday, I've passed your comments along to the team. 🙂

    @pete16

    Thank you for the feedback. Using the device passcode to unlock 1Password is optional and, if it doesn't fit your personal threat model, then you can unlock 1Password using Face ID / Touch ID or your account password instead. I've shared your request regarding a custom PIN with the team as well.

    -Dave

    ref: PB-33545334

  • pete16
    Community Member

    @Dave_1P. Not everyone uses Face ID. Entering a long secure 1password password isn't always ideal. If the concern is that users will lock themselves out because they don't understand what is their PIN and what is their actual password, can we have it so that the full password is required on every 10th login or every 2 weeks like on the Mac version of 1password? Just curious?

    Thanks for any help you can offer. You know you make a great product, it's just this backward step in functionality is very disappointing for savvy long term users.

    Many thanks. Pete

  • mjudman
    Community Member

    Adding an optional, extra passcode requirement.

    Why? Because inputting a long password/passphrase on the iPhone is too hard and using FaceID is too easy.

    I've got a nice long password, which, of course, is a pain to enter on my iPhone. I know about using FaceID but feel uncomfortable about the fact that someone in possession of both my phone and me, could unlock 1Password very easily. Of course, using the iPhone's passcode alone is not too secure.

    As a suggestion, I'd like it if there was an option to require a numeric passcode (not the iPhone's passcode) after the FaceID was passed, as an additional feature for the insecure, like me.

    Thanks.

  • Dave_1P
    edited June 2023

    @pete16 and @mjudman

    Thank you for the feedback. Our Product team recently considered all of the requests and suggestions that we received from folks (here on the forums, over email, and in other places such as user studies) regarding PIN unlock and added device passcode (PIN) unlock as a result of that feedback: Use your device passcode to unlock 1Password for iOS

    I'm not personally aware of plans to introduce a custom PIN at this time; however, I've filed feature requests on behalf of everyone in this thread for future consideration. We appreciate that you took the time to voice why such a feature would be useful to you.

    > I've got a nice long password, which, of course, is a pain to enter on my iPhone. I know about using FaceID but feel uncomfortable about the fact that someone in possession of both my phone and me, could unlock 1Password very easily. Of course, using the iPhone's passcode alone is not too secure.

    Just in case you didn't see my post above: You can make the iPhone's passcode longer and more secure by using this guide from Apple: Set a passcode on iPhone - Apple Support (CA)

    Alternatively, since your 1Password account is protected by both your account password and the 32-character Secret Key, you can change your account password to be easier to type in while still being secure.

    I know that these are not the options that you're looking for but I'm mentioning them in case they help. 🙂

    -Dave

    ref: PB-33571563

  • mjudman
    Community Member

    Dave,
    Thanks for your quick response.

    I am aware that the iPhone passcode can be made long and complex, but that seems rather like overkill for most of the stuff on the phone, photos, etc., other than 1Password. So it seems inefficient to go this route just to have a shorter password for 1Password, but an awkwardly long passcode for routine unlocks.

    As to making a shorter or easier password for 1Password, I don't think the use of the 32-character Secret Key means that I could prudently change my password to "12345". I assume your point is that my data on your server would still be secure if I changed to "12345" (which, by the way, I don't plan on doing).

    For now I suppose I'll continue grumbling about inputting my password on the iPhone app or weighing the risk of evildoers unlocking 1Password with my phone and my face.

    In the meantime, it would be great to have the option of revealing the password on the iPhone app, just like it's now possible in the Mac app, so typos could be easily corrected without reentering the whole thing.

    -- Mark

  • @mjudman

    I recommend using our guide to choose a strong but easier to type in account password; I don't recommend using "12345": How to choose a good 1Password account password

    That being said, I've passed your feedback along to the team.

    > In the meantime, it would be great to have the option of revealing the password on the iPhone app, just like it's now possible in the Mac app, so typos could be easily corrected without reentering the whole thing.

    You can reveal the password when using 1Password 8 for iOS by beginning to type your account password into the app's lock screen and then tapping on the eye icon to the right of the password field.

    -Dave

  • mjudman
    Community Member

    Thanks, Dave. I wasn't seriously planning on using "12345" as a password, but merely trying to use it to question the idea that because of 1Password's use of a secret key, even a dumb password like "12345" would presumably be secure (as long as evildoers didn't have possession of one's unlocked phone).

    As to password reveal, thanks. I wasn't aware that the eye icon to the right didn't show up until one starts to type. At that point I'm concentrating on the keyboard. This is inconsistent with the Mac app, in which the eye icon shows up before one begins typing.

    -- Mark

  • @mjudman

    I've filed a feature request on your behalf to reconsider how revealing the account password works in 1Password for iOS to make it more consistent with the desktop version. Thank you for the suggestion. 🙂

    -Dave

    ref: PB-33634162

  • mjudman
    Community Member

    Dave,
    Great. Thanks. At least now I'm aware of the iOS version's behavior.

    -- Mark

  • Thanks again for the feedback. 🙂

    -Dave

  • johnnyV3
    Community Member

    Hi Dave,

    You seem to be missing the essence of what everyone is requesting here.

    Everyone in this thread has explained that they want the same unique PIN functionality back that was in 1Password 7, as do I.

    FaceID is not secure enough, our 1Password account passwords are far too long and complex to use, and our device PINs are often known by friends and family. Therefore the only viable option for us is the unique PIN feature.

    In 1Password 7, if the unique PIN is entered incorrectly just once, you have to enter your full 1Password account password. This makes the unique PIN option very secure and the preferred unlock method for many users.

    I will be using 1Password 7 until the unique PIN feature is introduced in version 8. And truthfully, if the feature is not introduced to version 8 and users are forced to upgrade the app, I will move to a different vaulting vendor.

    Please understand the options you keep presenting in this thread are not sufficient, and your customers need the unique PIN feature brought back.

    Thank you,
    Jonathan

  • munoo
    Community Member
    edited October 2023

    Hi Dave,
    I second @johnnyV3. Please expedite this matter.
    Thanks

    Best Regards
    Munoo

This discussion has been closed.