Touch ID changes in 5.1 [please see post #67 for latest information]

Hessijames
Community Member
edited January 2015 in iOS

Good evening!

I would like to share some thoughts on the recent changes to the Touch ID implementation in 1Password for iOS 5.1, which not everyone might have noticed.

In 5.0, AgileBits implemented Touch ID using the new APIs in iOS 8, thus allowing 1Password users to use a two-stage login:

1) After a configurable timeout, 1Password would request your fingerprint to unlock.
2) After a second configurable timeout, 1Password would request the master password and fail to accept the fingerprint to unlock.

It allowed a fine-grained, user-customizable tradeoff between convenience and security. I chose a rather conservative setting similar to the one Dave Teare, AgileBits founder, used:
Touch ID would be required immediately, Master password after 30 minutes.

This setting perfectly matched my needs: I would not have to enter the master password twice while in a shop but when losing the iPhone the finder would need the secure master password rather than a replicate of my fingerprint.

With version 5.1, however, the situation changed from perfect to mediocre: The second timeout, the one which allowed me to require the master password after 30 minutes, was hardcoded to infinite. The master password will only be required after a device restart (which might never happen) and if Touch ID fails. As a consequence, after considering the proven security weakness of Touch ID, I had to disable Touch ID completely.

As the reason for the removal, AgileBits mentioned the fact that many users were massively confused by the different timeouts. As I understand the economic implications of an increased number of support requests, there should be another solution than the removal of a feature, namely re-implementing it in a more comprehensible manner or moving it to some sort of expert settings group.

Please, AgileBits, reconsider the removal of the master password timeout.

Hessi


Comments

  • Ben

    We appreciate the feedback Hessi. I think you've pretty well hit the nail on the head with the reasoning here. You can write a 4 page document on the settings available that no one except a few advanced users will bother to read, or you can simplify the settings.

    I'll pass the suggestion along that we add the old settings as 'advanced' settings, but I will say our developers tend to be on the cautious side about adding more preferences.

    Thanks!

  • steve28
    Community Member

    I for one like the new settings. It's FAR better to have more people using touch ID than a simple pin - which is what happens when confronted with needing to enter a good password every 2 min.

    And, let's be real about some things here - if needing all of this:

    PLUS lifting a usable fingerprint off of something touched, and then spending an hour or so futzing, is the level of "security weakness" that stands between me and my 1P data, I'm ok with that.

  • Megan
    1Password Alumni

    Hi @steve28,

    Thanks so much for sharing your thoughts here! That does seem like quite the elaborate set-up. :smiley:

  • Hessijames
    Community Member
    edited October 2014

    @steve: I am afraid, you and even Megan misunderstood my posting. I did not argue against the (optional) use of Touch ID in 5.0 but against the removal of the adjustable master password timeout in 5.1.

    Hessi

  • deltaon
    Community Member
    edited October 2014

    @Hessijames I actually completely agree with you on this front.

    Before, I could know that my master password would need to be reentered at some point (10 minutes), thus locking the (substantially more sensitive) store of data in 1Password.

    The major problem as I see it is that with the unlocked-til-restart 1Password store on the phone, all a person needs is to know your initial phone unlock passcode (especially bad if you have a simple passcode) to add their own fingerprint to TouchID. There doesn't need to be a situation like steve refers to above where someone 'lifts your prints'.

    In a scenario where, say, a coworker or someone else has seen you enter your simple passcode and asks to borrow your phone, they can add their fingerprint. Because there's no master password timeout, 1Password will still unlock for them, as it's unable to tell the difference between a newly added or preexisting print.

  • Remington
    Community Member
    edited October 2014

    I think that ultimately the best option would be some kind of visual representation of the settings.

    For example, a slider like this:

  • Ben

    Thanks for the suggestion, @Remington.

    @deltaon I understand your point but if someone already has physical access to your device and your PIN code... You're already in pretty serious trouble. If someone is watching your PIN over your shoulder, what is to prevent them from watching your Master Password?

  • Hessijames
    Community Member

    @deltaon:
    When referring to the security weakness of Touch ID I didn't come across this point but it is definitely another one. To sum it up: The attack surface is significantly larger when using Touch ID. Hence, the software preferences of 1Password should allow for the limiting of the period it can be used.

    @Remington:
    To be honest, this might be the best and most idiot-proof representation of such a setting. AgileBits did quite a good job in 5.0 with the text label dynamically updated when you change a setting, but your representation is even better, even though it means some additional work for the developer to create the new control.

    @bwoodruff:
    To answer your question:
    -The master password is more complex.
    -The frequency you enter the master password is much lower than the one you use to unlock your phone. This is even the case for my current settings which do not use Touch ID and the 1p PIN.

    Hessi

  • Ben

    Thanks for the continued feedback on this point. :)

  • deltaon
    Community Member

    @bwoodruff It's going to be much harder to glean a text-based password (the master password) that obscures the character after each entry vs. the simple unlock code's giant circular numbers - there's a pretty specific visual feedback on each number entered that makes it easy to grab at a glance.

    To be clear, I love your product - so much so that I trust it a lot more than other password storage alternatives, but would just love to have another setting option to allow for the complex master password to kick back in :smile:

  • Ben

    Understood. :) Thanks for the suggestions.

  • steve28236
    Community Member

    I really dislike the changes. This feature should be reimplemented, perhaps under an advanced menu or something. I could figure out the settings just fine, I guess some people are just a bit slow off the mark.

    I use a pin code on my iPad, if I lost my iPad it's insured so it wouldn't be the end of the world. But without the option to timeout the pin code on 1Password somebody could relatively easily access all my 1Password data, including all my bank and credit card details! This is much more worrying, you want us to use the 'Credit Card' category don't you? Otherwise just remove it because it's not secure enough.

  • hawkmoth
    Community Member

    I too preferred having the ability to set an interval when I would once again be asked for my master password, but I'm not much worried about anyone breaking into my 1Password installation on my iPad, even though the PIN code is only four numbers. A thief gets only one chance to enter the PIN code. One error and the app reverts to the master password. I do have a different PIN for 1Password than I do for the device itself.

    I want to be required to enter my master password periodically to protect myself from my forgetful memory. :(

  • MikeT
    edited October 2014

    Hi guys,

    Just to let you know, we do automatically reset TouchID/PIN sessions (technically remove the data from the keychain) every 14 days, similar to how TouchID expires after 48 hours of unused activity on your iPhone. There are a couple of things we're doing:

    1. As I mentioned above, we remove the data from the iOS keychain every 14 days, requiring you to enter your master password to keep using PIN/TouchID
    2. Every reboot will reset the data in the iOS keychain as well
    3. Mandate the requirement of device passcode before any PIN/TouchID can be used. This allows you to take advantage of the activation lock and remote wipe offered by Apple's Find My iPhone or iPad feature. If your device is stolen, you can immediately lock it and wipe the data on it by going to iCloud.com.
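
Added example, not part of the thread and not AgileBits code: a small Python model of the lock policies described in the opening post (5.0, two timeouts) and in MikeT's comment above (5.1, second timeout removed, keychain data removed every 14 days, master password after a reboot or a failed quick unlock). All names are hypothetical; it assumes timeouts are measured from the owner's last use of the app and that the reboot and failed-attempt rules also applied in 5.0.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional


@dataclass(frozen=True)
class UnlockPolicy:  # hypothetical model, not 1Password's implementation
    quick_after: timedelta               # idle time before Touch ID/PIN is requested
    master_after: Optional[timedelta]    # idle time after which only the master password works
    keychain_reset: Optional[timedelta]  # age at which the quick-unlock data is removed


# 5.0 with the setting from the opening post: Touch ID immediately, master password after 30 min.
V5_0 = UnlockPolicy(timedelta(0), timedelta(minutes=30), None)
# 5.1 as described in the thread: no second timeout, keychain data removed every 14 days.
V5_1 = UnlockPolicy(timedelta(0), None, timedelta(days=14))


def required_credential(policy, idle, since_master, rebooted=False, quick_failed=False):
    """Return "none", "quick" (Touch ID/PIN) or "master" for one unlock attempt.

    idle: time since the app was last used; since_master: time since the
    master password was last entered.
    """
    if rebooted or quick_failed:
        return "master"   # reboot or one failed quick unlock falls back to the master password
    if policy.keychain_reset is not None and since_master >= policy.keychain_reset:
        return "master"   # quick-unlock data has been removed from the keychain
    if policy.master_after is not None and idle >= policy.master_after:
        return "master"   # second timeout (5.0 only)
    if idle >= policy.quick_after:
        return "quick"
    return "none"


def quick_unlock_window(policy, since_master):
    """Longest idle time after the owner's last use at which a quick unlock is
    still accepted, assuming no reboot and no failed attempt. None = unbounded."""
    limits = []
    if policy.master_after is not None:
        limits.append(policy.master_after)
    if policy.keychain_reset is not None:
        limits.append(max(policy.keychain_reset - since_master, timedelta(0)))
    return min(limits) if limits else None


if __name__ == "__main__":
    # Constructed scenario: device picked up 2 hours after last use,
    # master password last entered one day ago.
    idle, since_master = timedelta(hours=2), timedelta(days=1)
    for name, policy in (("5.0", V5_0), ("5.1", V5_1)):
        print(name, required_credential(policy, idle, since_master),
              quick_unlock_window(policy, since_master))
```
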
  • Hessijames
    Community Member

    @MikeT: Thank you for joining the discussion. In my opinion, it is necessary to look into your arguments in detail to carry on the objective discussion:

    1. As I mentioned above, we remove the data from the iOS keychain every 14 days, requiring you to enter your master password to keep using PIN/TouchID

    +Possibly helps to keep the user from forgetting the master password.

    -Does not have any implication on the security.

    2. Every reboot will reset the data in the iOS keychain as well

    -Does not help to keep the user from forgetting the master password. From my experience, the device only reboots after software updates, the frequency of which is only significant after major releases such as iOS 8.

    -Does not have any implication on the security.

    3. Mandate the requirement of device passcode before any PIN/TouchID can be used. This allows you to take advantage of the activation lock and remote wipe offered by Apple's Find My iPhone or iPad feature. If your device is stolen, you can immediately lock it and wipe the data on it by going to iCloud.com.

    +-Does have minimal to medium implication on the security

    Remote wipe only works if:

    a.) You immediately notice the theft.

    b.) You immediately find an internet terminal, smartphone etc. to conduct the lock.

    c.) The thief does not prevent the phone from contacting the Apple servers or vice versa. There are faraday bags for computer forensics if you do not want to build them yourself.

    If the remote wipe was actually an effective means for protecting passwords I might even use the iOS contacts application to store sensitive data:

    -It is protected by the iOS passcode and Touch ID

    -The data is encrypted by iOS8 using a key derived from the device key stored in the secure enclave and the iOS passcode

    -The data can be remotely wiped

    But this does not fulfill my needs for an adjustable, balanced tradeoff between security and convenience, so I use 1Password which did a great job in 5.0. And that's the topic of this thread.

    Hessi

  • steve28
    Community Member

    Isn't this solved by having a separate pin for 1p? After 1 wrong attempt, you have to enter the master password. At that point, it's down to someone having physical access to your device, knowing its pass/pin, and guessing your 1p pin on the first try.

    If you use Touch ID.... For someone to add their fingerprint to your touchid, they also have to know the device's pin/pass.

    So as was pointed out before, if someone has your device and knows its pin/pass, you're in trouble across the board.

  • Hessijames
    Community Member
    edited October 2014

    @steve28

    "So as was pointed out before, if someone has your device and knows its pin/pass, you're in trouble across the board."

    I disagree. 1Password offers an additional layer of security. That is what the users pay for when buying a password manager, not the fancy icons. And exactly this additional layer, i.e. the master password based encryption and the fine tuning of the tradeoff between security and convenience, is the topic of this thread.

    Hessi

  • steve28
    Community Member

    @Hessijames,

    I guess that's the difference, I'm not buying the password manager for extra protection, I'm buying it to allow me to have different random passwords on every site with almost the same convenience as having the same password on every site. That's 99% of the security benefit right there. When I mentally go down the list of risks, it's far more likely that a site I use has a data breach - especially since I have no insight or control there.

    I also believe that if someone steals my phone, they're most likely going to sell it before they try to hack it. Or if they have physical access to my stuff, they might as well swipe my wallet with my unprotected credit card.

    I am willing to accept the calculated risk that someone does a targeted attack on me where they gain knowledge of my device password, use that to add their fingerprint, then Touch ID into my 1p app - and know to do it in that order.

    I fully admit that the current implementation has some degree of reduced security, however, the actual increase in risk to me is mathematically very small.

  • Hessijames
    Community Member
    edited October 2014

    @steve28:
    Agreed on the random password point.

    "I am willing to accept the calculated risk that someone does a targeted attack on me where they gain knowledge of my device password, use that to add their fingerprint, then Touch ID into my 1p app - and know to do it in that order."

    They might also just replicate your fingerprint and use it as a walkthrough around the iOS and 1Password security. I agree that this would require both a targeted attack and some motivation.

    "I fully admit that the current implementation has some degree of reduced security, however, the actual increase in risk to me is mathematically very small."

    It is every user's decision to use Touch ID or to refrain from using it. It depends on the very personal usage scenario of the app and the stored data and the individual risk assessment.

    To sum it up, there is no real point against the master password timeout. @Remington even showed a completely idiot-proof implementation idea.

    Hessi

  • wander69
    Community Member

    Please revert to the 5.0 implementation. This thread has focused on the Touch ID scenario. But the same issues arise on an older device that relies on PIN security. And I think those issues are more glaring on an older device.

    If my wifi-only iPad 2 goes missing, it's my understanding that breaking my 4-digit device pin is child's play if one has the right tools. If that gives the attacker access to all stored data on the iPad, is it not true that they could test thousands of 1Password quick-unlock PINs at their leisure?

    I've always taken great comfort in having my hundreds of 1Password entries protected by a reasonably strong master pw. In the ease of use vs. security debate, I'd vote for security in almost every instance.

    There is a "weakaround" for the 5.1 implementation. After you're done using 1PW, you can switch to another app and then switch back to 1PW. When prompted for Touch ID, just press Cancel. On an older device, type an invalid unlock PIN. The next access to 1PW will then require the master pw. It's sort of like locking the safe when you're done. But not as good as a safe that locks itself.

  • hawkmoth
    Community Member

    "is it not true that they could test thousands of 1Password quick-unlock PINs at their leisure?"

    Actually, no. After one incorrect guess, 1Password 5.1 reverts to demanding the master password.

  • wander69
    Community Member

    Agreed. If an attacker accesses the database via the 1PW app, one wrong guess locks everything under the master PW.

    But, if an attacker has a copy of iOS storage (obtained by breaking into the device via a physical connection), could they not eventually get the 1Password master PW from the iOS keychain? Aren't any/all keys needed to accomplish that decryption located somewhere in iOS storage? Or, is the keychain (if that's where the 1PW master is kept) somehow protected against such an attack?

  • Zodler
    Community Member

    I completely agree with the original poster. I was baffled and surprised when I saw that the second timeout to entering the password has been removed. I'm really surprised that you as a security software, removed this. I will not use your software anymore and will not recommend it.

    The option to require the password after a second timeout is essential for security. This is a really bad idea that the software now opens the vault with only your finger. Imagine a scenario where a stronger person can force your hand on the phone and open the vault. With a password in mind, it's harder to get it out.

    Very Very bad decisions you made guys.

  • fra76
    Community Member

    Hi!
    I completely agree with Hessijames.
    I would like to have the choice to decide if the PIN (or QUC) is good enough forever or only for 30 minutes. You could think of an infinite default value as it is in 5.1, but please let the users decide if they want to be asked for the master password after a shorter period of time than 14 days.

    Hope you could reintroduce this feature soon!

  • TheMaJa
    Community Member

    Couldn't agree more with the original poster. 1Password 5.1 is not as secure as version 5.0 with the removed setting. If someone steals my phone and reproduces my fingerprint (fingerprints can be found all over the device) before I wipe my device remotely, he can gain access to all my 1Password data. The 14-day timeout mentioned by MikeT is way too long. Please give us back the "5.0 method" as an advanced setting, a security app should be as secure as possible.

  • reck
    Community Member
    edited October 2014

    The new method is so much better in my opinion, much more convenient and pleasant to use.

    My phone instantly locks with a strong password each time it's put to sleep. That's my security barrier. I have no desire to enter my phone p/w and then my strong 1P master password more than I have to.

    On top of that as mentioned above you still have to enter the 1P master password:

    Every 14 days.
    Every time you reboot.
    Entering the pin wrong just once will prompt for the password.

    This is the perfect mix of security and convenience IMO. I purchased a password manager to stop me having to enter so many passwords and this update is another step towards that.

  • fra76
    Community Member

    I understand your point reck, but letting the user choose will make everyone happy! You could set the expiration time for the PIN to 14 days, while other people could set it to 15 minutes.

  • Ben

    Thank you for the continued feedback on this issue folks.

  • Hessijames
    Community Member

    @bwoodruff
    Is there any feedback from the developers on this issue, especially on Remington's slider suggestion?

    Thank you in advance.

    Hessi

This discussion has been closed.