How do the Master Password and TouchID settings work? [see FAQ, post #15]

sdagley
edited September 2014 in iOS

It seems like Touch ID unlocking only works until the Master Password lock kicks in (i.e. My master password lock is set for 10 minutes and after that timeout Touch ID unlocking is disabled until I re-enter the Master Password). Is there any way to change the behavior so that Touch ID unlocking works until the device is restarted? If not, please consider this a feature request.

Comments

  • The touch id FAQ may help you.

    Stephen

  • The FAQ explains the behavior I'm seeing. My request is for an option to change the behavior to allow Touch ID to unlock 1Password after master password entry until the device is re-started (as with iTunes store authentication). There's no way to do that with the current preference settings. Even once a day would be better than what's currently offered as it makes 1Password seem schizophrenic since you've got two separate timers duking it out to see who can lock you out first.

  • jeremybrooks Junior Member

    That's not how it is working for me. My settings are:

    Request After 10 Minutes
    Touch ID enabled
    Request Fingerprint After 2 Minutes
    Lock on Exit enabled

    The app requests the password, but TouchID does nothing. I have tried disabling Lock on Exit, but there's no difference (other than having to wait 2 minutes for it to lock). Touch ID seems to be 100% non-working for me.

    Any ideas?

  • kop48 Junior Member

    Agreed - I wish the behaviour was more akin to how iTunes purchasing works.

  • invalidptr Junior Member

    Wow, this is just broken. Can't believe I had to "read the doc" to understand this. +1 for iTunes method.

  • invalidptr Junior Member

    Another interesting aspect, you're giving me the impression my vault is not locked when using Touch ID. Your UI has "Lock Now" grouped with "Change Master Password" and "Request After". Indeed, when trying to divine this behavior invoking "Lock Now" meant I'd never see Touch ID work because you associate "Lock Now" with "Re-enter your Master Password". There really was no way for me to test Touch ID in my normal configuration unless I enabled "Lock on Exit" for testing purposes.

    I'm realizing you are treating Master Password and Touch ID as completely separate. I predict users will think of them as the same. If I enable Touch ID, I want to use Touch ID. I had my "Request After" set to 5 minutes (from prior usage) and Touch ID set to 2 minutes. So there is only a 3 minute window where I would have seen this work.

  • Dragon Junior Member
    edited September 2014

    to treat them the same, they'd have to store the master password somewhere other than only in memory. I believe they're avoiding this at all costs for security.

    Indeed, touch id replaces the quick unlock code. Quick unlock code only works when the vault itself is unlocked, due to master password being in memory.

    If the app is closed or killed by iOS then master password will be needed again, else, quick unlock/touch id can be used as an intermediate security measure to access an already unlocked vault.

  • edited September 2014

    This feature is useless if I still have to type in the master password. :(

    I don't get why Agilebits favour an unsecure password over a secure fingerprint?

  • You folks are aware that you can set the interval between times when your master password is required to as long as 30 days now, aren't you? Do you have the option set to use the keychain in the Security settings?

  • Hawkmoth, I'm slightly unclear about your last question. I have iCloud keychain enabled in my iPhone settings app. I don't see any option within 1Password to use the keychain. I have now set (Master Password to expire after 30 days) and (Touch ID to expire after one minute and to lock on exit) which, so long as nobody steals any of my digits, seems like a good compromise.

  • steve28 Junior Member
    edited September 2014

    Here's a setup that's "TouchID Only except after restart":

    1. Settings->(scroll to bottom)->Advanced->"Use iOS Keychain" -> ON
    2. Settings->Security->Touch ID-> ON
    3. Settings->Security->Request fingerprint... (set as desired)
    4. Settings->Security->Lock on Exit-> Set to on if you want to have to Touch ID every time you open the app
    5. Settings->Security->(in the top section)->Request After-> 30 days

    In this setup, you will have to enter your master password once when you first open 1P app. From then on, Touch ID will be the only authentication asked for until 30 days has gone by, or until you restart - then you will have to enter your master password again.

  • Aha. Use iOS keychain is in advanced and not in Security. Thanks.

  • +1 on this being confusing. I'm sure we all agree that apps should default to being more secure. That said, if someone enables TouchID the default "Request after" should be 30 days. Otherwise it completely negates the purpose.

  • Megan

    Team Member

    Hi everyone!

    I sincerely apologize if this has been confusing. I do hope that @steve28's advice has been helpful.

    Please keep in mind that, as stated in the TouchID FAQ: "1Password’s security ultimately relies on your Master Password. For this reason, it is impossible to disable it entirely." We've tried to make this option as flexible as possible by offering the 30 day prompt for your Master Password, but we want to make sure that you're not going to forget your Master Password because you never type it in anywhere. ;)

    Thanks so much for all your feedback here. We'll do what we can to ensure that the documentation on this feature is as clear and concise as possible.

    If you have any further questions, please don't hesitate to ask!

  • skatch Junior Member

    Another +1 on this being confusing. I expected that enabling TouchID would simply let me use the sensor as an option anytime I'd normally be prompted for the Master Password. Currently, the separate timeouts for password vs TouchID feel like a regression to 1Password 3's confusing security options.

    Maybe there are tech reasons this isn't feasible? If I set the Master Password timeout to 30 days, is my Master password stored in my device's RAM and more susceptible to hacking? (i.e. should I avoid doing this?)

  • invalidptr Junior Member

    Could someone please clarify what "Use iOS Keychain" has to do with all this?

  • I just got here thinking that there was a bug with 1Password. Like skatch, I took it for granted that activating Touch ID would allow me to replace the master password on my iPhone, and I had not even seen the option to use it yet! :S

    Apart from making it clearer, I think the default values, when you activate the option, are a bit weird. With a 10min lock for the master password, and a 2 min lock for the Touch ID, doesn't that mean that Touch ID is only useful if I use 1P, and then need to use it again between 2-8min later? Maybe I don't need it as often as other people, but what are the chances?!

  • steve28 Junior Member

    @invalidptr - you have to allow storing of the master password in the iOS keychain because otherwise when you quit the app (or rather when the OS quits it for you) it loses the login state. I guess they leave it as an option because some people might not want to trust the Apple keychain with things??

    Anyway, this is in step 1 of post #12 above.

  • Megan

    Team Member

    Hi @skatch‌, @invalidptr‌, @salva,

    Again, I do apologize for the confusion. TouchID is not meant to be a replacement for your Master Password. It is a convenience feature that acts as a replacement for the Quick Unlock Code, which extends the amount of time that you can access your 1Password database without entering your Master Password. As I've mentioned before, we don't recommend that you never enter your Master Password. We have two different time-outs available in the Security Settings to allow you to set a short period of time after which you will be prompted for TouchID (or the Quick Unlock Code, if you prefer), and a longer period of time after which your Master Password will be required.

    If I set the Master Password timeout to 30 days, is my Master password stored in my device's RAM and more susceptible to hacking? (i.e. should I avoid doing this?)

    If you have 'Use iOS keychain' enabled in Settings > Advanced, 1Password will store the Master Password in the iOS keychain. It is stored temporarily and is never synced to your other devices. If TouchID fails, or you enter your Quick Unlock Code incorrectly, the Master Password is deleted from the keychain and the Master Password will be required immediately to unlock 1Password.

    Please note, if you choose not to enable the 'Use iOS keychain' option, you will not have as reliable an experience with TouchID or the Quick Unlock Code. This is because the iOS will occasionally need to close apps that are stored in the background to reclaim memory resources. If this happens to 1Password, you will be prompted for your Master Password the next time you switch to 1Password, despite what timeout your Security Settings have enabled.

    With a 10min lock for the master password, and a 2 min lock for the Touch ID, doesn't that mean that Touch ID is only useful if I use 1P, and then need to use it again between 2-8min later?

    You're reading the settings correctly here. We've done our best to include a multitude of options here so that you can tailor your security settings to find the balance between security and convenience that works for you.

    I hope this helps, but we're here if you have any further questions! :)
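The two timers and the keychain option described in the posts above can be written down as a small state model. This is an added example, not 1Password's code and not part of any post; the class and field names are hypothetical, and the model assumes that a relaunch inside the fingerprint window needs no prompt, which the thread does not specify.

```python
from dataclasses import dataclass

NONE, TOUCH_ID, MASTER = "none", "touch_id", "master_password"

@dataclass
class LockModel:
    master_timeout: int         # "Request After", in seconds
    touch_timeout: int          # "Request Fingerprint After", in seconds
    use_keychain: bool = False  # Settings > Advanced > "Use iOS Keychain"
    lock_on_exit: bool = False
    secret_held: bool = False   # Master Password available (memory or keychain)
    master_at: int = 0
    last_auth_at: int = 0
    exited: bool = False

    def enter_master_password(self, now):
        self.secret_held, self.exited = True, False
        self.master_at = self.last_auth_at = now

    def required(self, now):
        """Credential requested when the app is opened at time `now`."""
        if not self.secret_held or now - self.master_at >= self.master_timeout:
            return MASTER
        if (self.exited and self.lock_on_exit) or \
                now - self.last_auth_at >= self.touch_timeout:
            return TOUCH_ID
        return NONE

    def touch_id(self, now, matched):
        if matched:
            self.last_auth_at, self.exited = now, False
        else:
            self.secret_held = False  # failed match: stored secret is deleted

    def exit_app(self):
        self.exited = True

    def killed_by_os(self):
        self.exited = True
        if not self.use_keychain:
            self.secret_held = False  # login state lived only in app memory

def default_window():
    """Prompts at 1, 3 and 10 minutes with the 10 min / 2 min defaults."""
    m = LockModel(master_timeout=600, touch_timeout=120)
    m.enter_master_password(0)
    return [m.required(60), m.required(180), m.required(600)]
```

With the defaults, Touch ID is only ever offered between the second and tenth minute after the Master Password was typed, which is the narrow window several posters ran into.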

  • warpspeed
    edited September 2014

    Having the same issue with Touch ID here. Turn it on, it works a couple of times, then it stops working and needs master password.

    Dropbox sync seems to be working okay for me so far. But I updated Dropbox twice before installing IOS8, and on the first update, it did a database update apparently.

    So for those using Dropbox, perhaps ensure you're using an up to date Dropbox app, and also fire up the Dropbox app and let it sync for a few ticks.

    Edit: Actually I think I know what my problem is, there's a setting that says ask for Master Password after.... which defaults to 10 minutes. I'm going to try setting that to 48 hours and see how it goes. I suspect that might be what's doing it.

  • Despite setting that option to 48 hours, 1Password is asking me for my Master Password again, rather than using Touch ID.

  • skatch Junior Member

    Thanks @Megan‌. Very helpful details there.

  • That said, if someone enables TouchID the default "Request after" should be 30 days. Otherwise it completely negates the purpose.

    I disagree with this statement. I would never want this application to default to 30 days between times when I must enter my master password. I want to be prompted at least once a day so I can keep the muscle memory going that I need to remember my master password. If some users want a longer interval, such as 30 days, it's always there as an option. But the defaults should be in favor of enhanced security in this security application, not for diminished security.

  • Megan

    Team Member
    edited September 2014
    Hi @warpspeed‌ I've split your comments from the original discussion: Dropbox sync and TouchID deactivating, and moved them into an existing thread discussing TouchID. When things get busy like this, it's best to keep all conversations in one place as much as possible.

    Please take a look at the TouchID FAQ referenced above, and my posts #15 and #20 for details on how TouchID works. If you have any further questions, we're here to help!

  • I followed the instructions above, and I'm still not getting to use touch ID. I have a brand new iPhone 6, and am running 1Password 5.0.1.

  • Ben AWS Team

    Team Member

    Hi @dbabq‌

    Please see my comment in this post and see if that resolves the issue for you. I assume you mean you are not being asked to unlock with touch ID at all, correct?

    Thanks.

    Ben

  • mikebore Junior Member

    Thanks steve28 and Megan. I think I understand this now.

  • In this setup, you will have to enter your master password once when you first open 1P app. From then on, Touch ID will be the only authentication asked for until 30 days has gone by, or until you restart - then you will have to enter your master password again.

    Except it does ask for Master Password after 1 hour (the max limit I can set) as I explained in another post here. It sounds like you're saying that if set up as you suggest, short of 30 days OR a restart, we never need to enter the Master Password but rather can unlock with TouchID, is that correct? If so, despite all the settings suggested, it doesn't. It asks for a Master Password based on the setting for Request Fingerprint After (max 1 hour).

  • Megan

    Team Member

    Hi @digitaldog,

    I'm replying to your similar post in this thread. I do apologize that this issue is confusing you, but we'll be able to help you a lot better if we keep the conversation going in one thread only. Otherwise we may end up answering your question twice, which could end up being more confusing for you ... and is not very efficient for us.

    Thanks so much for your understanding!

  • Okay. I've read all these posts.
    Here's the problem. My husband can't remember a long and strong master password he rarely needs. We share the same vault on our iPhones. He has effectively been without access to every important username and password sitting in our vault because I insist on a long and strong master password.
    So we just got new iPhones. My #1 feature I was looking forward to was touch ID so he could finally be able to get into this very important data. Except he can't because that isn't how it all works :(

    So I'm still stuck with a choice of him having no access to critical data, or having to have crappy security with a master password easily memorable, i.e. weak.

    I realize reading this thread how challenging all this is. But my scenario can't be unique. If I get hit by a bus tomorrow my family is actually in a really tough spot with no access to any financial data, bank accounts, etc. since I use long and strong everything.

    Sure, I could enter my master password in his phone and every 30 days remember to reenter it on his phone, but that's dumb.

    I guess I could just WRITE IT DOWN, but that seems even dumber.

    feeling stuck, still

This discussion has been closed.