Fingerprint scanner?

parekh
Community Member

Now that the new iPhone is going to have a built in fingerprint scanner, will I be able to unlock 1Password using my fingerprint instead of my master password?

Comments

  • khad
    1Password Alumni

    A lot of things are still under NDA, but it doesn't appear that Apple is opening up the fingerprint scanner to developers at this time.

    Asked by AllThingsD whether Apple might expand its own use of the fingerprint reader over time, Apple CEO Tim Cook didn’t offer any specifics, but said, “You can probably imagine a lot of [other] uses.”

    Keep in mind that the first iPhone didn't even allow any third party apps, though. Developer access often opens up over time after Apple has had a chance to test things and work the kinks out. I'm not sure I would want to be relying on the fingerprint scanner to access my 1Password data on day one anyway, though. It's much harder to change a finger than a password if you have some trouble. :)

  • parekh
    Community Member

    Thanks for the response. I think that if Apple doesn't open it up to developers then they will surely do so by the next generation. It's just a matter of time.

  • hawkmoth
    Community Member

    I'd been wondering whether using the same bio identification for security for both the phone and the confidential data is a good idea. Maybe it is though. Since fingerprints are unique, maybe it would be good to have everything secured that way. (I waffle on this in my own mind. :-) )

  • khad
    1Password Alumni
    edited September 2013

    From MacWorld (emphasis added):

    “It is possible to copy a fingerprint and I think that as the technology sees wider usage, the techniques of copying fingerprints will only improve,” the researcher said. However, a fingerprint is still better and more convenient than a four-digit PIN, he said.

    The best single factor of authentication is a strong password stored only in the user’s brain, but it’s inherently difficult for people to create and remember strong passwords, Sigurdson said. This often results in bad passwords being used, so a good fingerprint reader and matching algorithm will likely improve the security of iOS devices, he said.

    But it will certainly be interesting to see what we might be able to do with it in the future. :)

  • molvetica
    Community Member

    This would be a life-changing development.

    Seriously.

  • khad
    1Password Alumni

    We'll see what the future holds. :D

  • khad
    1Password Alumni

    If you're interested, we just posted a support article with some more details:

    Will 1Password work with the iPhone 5s fingerprint scanner and Touch ID?

  • parekh
    Community Member
    edited September 2013

    Here's a nice article discussing the pros and cons of fingerprint based authentication in light of the recent demonstration that Touch ID can be hacked.

    Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.

    The article concludes that while Touch ID itself may not suffice as a robust form of authentication, it could be used in conjunction with a simple 4 digit pin to yield a robust two factor authentication system.

  • jpgoldberg
    1Password Alumni

    I entirely agree with Marc Rogers' argument in his outstanding post. As I've said elsewhere: "TouchID remains enormously more secure than no passcode at all, and it is probably still stronger than a simple 4 digit passcode."

    I've been working on a blog post about this, which largely reinforces what Marc has said in his.

  • parekh
    Community Member

    @jpgoldberg

    I'd love to read your blog post on this topic. In fact, most of my knowledge of cryptography comes from reading your blog posts!

  • Megan
    1Password Alumni

    Hi @parekh,

    I can't wait to read this post too (I'm with you - all I know about cryptography comes from @jpgoldberg too!)

    Bookmark our blog so you don't miss it :)

  • eurasian
    Community Member

    For the balance I would like to offer a different opinion on the TouchID security. I don't think at this stage the existing fingerprint scanner and Touch ID are superior to a 4-digit password.

    1. Biometric security (fingerprint or iris scanning) is mainly used as a secondary (additional) form of identification. For example, it may be used in two-factor authentication together with the password or ID.
    2. Your fingers are unique. And you have only ten of them for your whole life. In comparison, there are 5040 combinations (10!/(10-4)!) you may choose from for the 4-digit password. Unlike your password, your fingers are not secret; they are all over the place you stay in.
    3. You don't know what database your fingerprints will eventually end up in. Once you've enrolled them for ID purposes they are no longer yours. If you work in a high security environment and already use fingerprints for ID purposes, that's an additional consideration for you.

    I agree it's a good start for Apple and fingerprint security is a better choice than no security at all (no password). If properly used it might prevent thieves from getting to your iPhone and data. It is indeed not easy for the average person to crack in Touch ID. The problem I see with Touch ID is that many users will substitute their passwords for their Touch IDs because it is faster and more convenient. I think this is plainly wrong. In my personal opinion this does not add security, as it is used instead of, not in addition to, the password. And presently OS7 does not yet allow for two-factor authentication. So my recommendation would be to stick with the password until the technology gets better.

  • guiambros
    Community Member

    Let me offer a different perspective. Entering passwords manually on the iPhone is painful.

    It takes you 30 seconds to type that long and carefully selected master passphrase on the tiny keyboard. If you have switched to a 100% 1P-based environment, you know what I'm talking about.

    And it's only 30 seconds because my passphrase is long, but not long enough. The only thing stopping me from using a 50 characters totally random passphrase is exactly the thought that I'll have to type this in the tiny keyboard every. single. time. And iOS has the terrible (or great, depending on your perspective) habit of not remembering passwords when restoring from backups.

    Yes, I'm fully aware of the proof of concepts bypassing the Touch ID sensor with a fake finger. But let's see how realistic it is. It starts by requiring a good photo of my fingerprint -- maybe from a government or employer database (which already drastically reduces the attack vector). Then you have to steal my physical device, which is not trivial, considering it's always in my pocket or my hand. Then you have to have the knowledge that this device is actually mine (a pickpocket or a phone left on a taxi wouldn't be enough). Then you have to manufacture the fake finger, and hope it will work. And hope I didn't set the iPhone to erase the device after 10 wrong tries (which I did; sorry).

    Yes, it may be a real risk for a few users out there, but if you're the type of guy that has to worry with people stealing your phone (!) to create a fake finger (!!) based on data obtained - or stolen - from your employer and government (!!!)... well, then you're not the type of guy that will be using Touch ID. Or 1Password for that matter. And absolutely will not be sync'ing your agile keychain via iCloud or Dropbox.

    Now, here's a much more realistic scenario: your iCloud/Dropbox was hacked (or leaked like in 2012, or sniffed by some 3-letter organization). Imagine a semi-professional attacker decides to use Cryptocat on a server farm powered by EC2 GPUs. Imagine the attacker assumes that you're probably using a mobile device, and, knowing how painful it is to type passwords, he/she decides to brute force lengths between 11-20 characters. Knowing that typing is painful on any phone, he prioritizes the Latin charset in some human comprehensible way, minimizing CaPs alternation to start of words, and adds some symbols and digits. Not entirely dictionary attack (he figures that we're smarter than that), but certainly not Q3z78D^ofkx2GwxP?Adf. A few days/weeks later, he probably has the master password of most users here.

    Bottom line: Touch ID can be a tremendous boon for 1Password*, and make the world A LOT more secure. It would allow users to finally choose decent 50-char master passwords, knowing that you'll need to enter it only once, and not every single day. And if you want to be extra-super secure, you could still have an optional secondary 4-dig password besides the fingerprint, just to make it a little harder for those with fake fingers out there.

    ( * ) of course, this is all speculation, given that there's no Trust ID API yet. For now it's fingers crossed. Fake or not.

  • khad
    1Password Alumni

    Indeed. As mentioned in our support article about Touch ID (which I just realized hasn't actually been included in this thread save a link):

    It will certainly be interesting to see what we might be able to do with it in the future. :)

    This gives us time to observe and learn more about how well it works in general before we can see whether this is something that would be useful for 1Password. In particular, we will be able to learn what sorts of authentication tasks it works well for and what it doesn't. We might, for example, conclude that a fingerprint scan would be useful as an alternative to the Quick Unlock Code, but not as an alternative to the Master Password. Or the entire discussion may be moot if Apple doesn't eventually open this up for apps like 1Password.

    On the whole, the security community has been skeptical of biometric authentication (things like fingerprints, facial recognition, iris scans); however, there are circumstances in which these can be useful. And Apple do seem to avoid some of the pitfalls of fingerprint scanners.

    In particular, if Touch ID is used by people who currently don't set any device passcode for their iPhones, then it will be a good thing. Much of iOS security depends on a passcode being set, and so helping people who otherwise wouldn't lock phones at all may dramatically improve their security. (If you don't have a passcode set for your iOS device, stop reading this and go set one now. If you would like to set one that is stronger than just a 4 digit code, take a look at our article on not so simple passcodes.)

    For us the wise thing to do is to wait and see before we decide how to use Touch ID with 1Password (should it become available to us). It will be interesting to study these things in the months to come.

  • Wakkorotti
    Community Member

    What about enabling the desktop 1Password program use of a fingerprint reader to authenticate 1Password on a PC or Mac? LastPass does this, for example, and it's very convenient to swipe a finger rather than entering in the entire Master Password every time you want to edit a stored password.

  • James Willson
    Community Member

    I agree with Wakkorotti. Is there any way to use a fingerprint reader for password entry in either the Mac app or the PC app? Please advise.

  • Jasper
    edited April 2014

    Hi James,

    The only way to decrypt your 1Password data is with your master password.

  • RichardPayne
    Community Member

    I'm not sure if the iOS version has a quick code feature, similar to Android, but if it does then TouchID might be a suitable alternative to the quick code. I certainly wouldn't want it to replace the master password.

  • Megan
    1Password Alumni

    Hi @RichardPayne,

    I'm with you - I don't quite trust the fingerprint scanner to replace my Master Password. However, 1Password 4 for iOS does currently have a Quick Unlock code, and (as @Khad mentions above) this might be a better implementation of TouchID. We're keeping our eyes on this feature and will be exploring it further, should Apple make it available to developers.

This discussion has been closed.