Touch ID changes in 5.1 [please see post #67 for latest information]

2

Comments

  • @Hessijames‌ Thank you for kicking off this very lively thread, it's great to hear such passionate feedback from our customers. We have not made any decisions about this topic yet, and do not have anything to report.

  • buckeye
    buckeye
    Community Member

    The real risk of turning on TouchID for 1password is "if someone has your device and knows its pin/pass, you're in trouble across the board". For example, you may give out your device 4 digit pin to a friend or your kid to use your iPhone temporally. They could easily add a fingerprint to the TouchID with the pin, and then use the TouchID to open your 1password, thus bypassing your strong master password.

  • For example, you may give out your device 4 digit pin to a friend or your kid to use your iPhone temporally. They could easily add a fingerprint to the TouchID

    Right. So, knowing that, obviously you wouldn't want to do that.

  • [Deleted User]
    [Deleted User]
    Community Member

    Unless I'm missing something the adjustable master password auto-kick-in is still missing in vs 5.1.1.

    Does this mean that you have decided against it? Or is it planned for a future version?

    If it won't get reimplemented in the forseeable future I have to move my important stuff out of 1P. (I will continue using it for forum logins etc. though.)

    Thanks for info.

  • Zodler
    Zodler
    Community Member

    I also saw it's not in the new version. I have stopped using this software and advice anyone I know not to use it. Not having this is unheard of. A password manager that can unlocked everything with your fingerprint without you having control over it? Very bad idea.

  • [Deleted User]
    [Deleted User]
    Community Member
    edited November 2014

    I have stopped using this software and advice anyone I know not to use it.

    I wouldn’t stop using it completely, but as it is now the usage scope of 1P is definitely limited.

    I use to have (roughly) two categories of information stored in 1P:

    • Category A: Important stuff (financial, Apple IDs, server logins, email account data, etc.; typically accessed infrequently)
    • Category B: Not-so-important stuff (e.g. forum logins; typically accessed frequently)

    Without configurable master-passwort auto-kick-in 1P is not adequate for both categories anymore: I can either…

    • Disable fingerprint (= always demands MPW) and use it just for category A; using it for every-day stuff (category B ) would be too cumbersome. In this case I would let handle Safari all of my cat. B stuff.

    • Enable fingerprint (= never demands MPW) and use it just for category B; using it for critical data (category A) is ruled out in this mode. In this case I would transfer all my cat. A stuff to another application.

    Very bad idea.

    I’m wondering what the reasoning behind that decision was. Bad idea to trade-in essential operability (i.e. security) for a slightly less cluttered preferences screen, if it was that… (?)

  • Hessijames
    Hessijames
    Community Member
    edited November 2014

    @mot‌

    I’m wondering what the reasoning behind that decision was. Bad idea to trade-in essential operability (i.e. security) for a slightly less cluttered preferences screen, if it was that… (?)

    AgileBits already commented on that (see my first posting):

    As the reason for the removal, AgileBits mentioned the fact that many users were massively confused by the different timeouts.

    So it was clearly an economic decision whether to re-implement the setting in a comprehensive manner (see @Remington‌ 's solution) or just remove it. As we all know, the latter option was chosen being the one against additional security.

    I am afraid, this reminds me of the history of wi-fi sync. First, the only non-cloud sync option was removed because "nobody used it", then replaced by a hacked implementation of a beta USB sync that never worked flawlessly then re-implemented several versions later.

    Considering the changes in Touch ID and wi-fi sync one can clearly see that the target group of 1Password are rather standard users who want to avoid typing passwords than the security aware users who want to have a clear understanding of the implementation* and security parameters and make a reasoned decision on which ones to use and how. The whole bunch of 5-star votes in the iTunes store along with the comments that declare the auto-filling of passwords pure magic underline my observation.

    I must admit that I am deeply worried that the statements of AgileBits in this thread do not mention any plans to re-implement the configurable timeout.

    Hessi

    • At least as far as the insight can be on a closed source product. Unfortunately, there are a large number of bad products around using AES with ECB or pretending to create 256bit entropy out of a 4-digit pin code.
  • A password manager that can unlocked everything with your fingerprint without you having control over it?

    This is not a fair statement. You have control over it. You can turn Touch ID off if you'd like. This would arguably be the most secure option.

  • [Deleted User]
    [Deleted User]
    Community Member

    You can turn Touch ID off if you'd like. This would arguably be the most secure option.

    Indeed ;-) And that’s exactly what I’ll have to do if the situation remains like this.

    But this also means that I will move the not-so-critical 90% of my records out of 1P. (Yes, I’m too lazy to type my MPW 10 times during 1h of web browsing.) Bummer! It’s somehow sad to use 1P only for 10% of my logins. 1P was really a great application.


    BTW, the current all-or-nothing situation is likely to promote another very bad thing:

    Among the users that feel that touch-only is not secure enough for their credit card data and decide to enable MPW-always, there will be many users that – like me – get tired to type their 25-char MPW for each and every forum login.

    But instead of moving the not-so-important logins out of 1P they will simply change their good MPW to a more convenient 8-char easy to type MPW.
    And this is rather contradictory to the main principle of 1P: using a really strong MPW.

  • Zodler
    Zodler
    Community Member

    That's not the point. I do not want to turn off the touch id. The whole point is to have touch id. A correct form of touch id. A touch id that expires after a certain amount of time set by the user. This is so simple and you already implemented it. You just have to put in an advanced menu where it can't confuse the noobs.

  • I understand your perspective, and will certainly pass the feedback along to our development team.

  • [Deleted User]
    [Deleted User]
    Community Member

    @bwoodruff, any news on the issue? More precisely: Do you know if the reimplementation of the functionality is still planned, or is it likely that the current state will become a permanent one?

  • Hi @mot‌

    I unfortunately do not have any further information to share at this time. Anything at this point would just be speculation.

  • Hessijames
    Hessijames
    Community Member

    @bwoodruff‌
    In my opinion, after two months of a discussion with several AgileBits employees involved it is about time for a decision. I consider this in the best interest of AgileBits as well as the customers to avoid re-enacting the wi-fi sync drama.

    Patrick

  • We appreciate the feedback. I'll remind our developers that this is still a concern.

  • [Deleted User]
    [Deleted User]
    Community Member
    edited December 2014

    I'll remind our developers that this is still a concern.

    Ehm, yes, that would be very kind. Waiting 2 months didn’t make it go away ;-)

    Actually it is a very crucial concern, at least within my personal usage habits:

    As I already tried to point out here and here, with the current (crippled) functionality it is impossible to use 1P for the daily, cheap logins and for the sensitive logins/data. It’s either to insecure for the sensitive stuff (with Touch-always) or to uncomfortable for the daily stuff (with MPW-always).

    Recently I’ve started to use 1P in MPW-always mode and, in consequence, to delegate the daily stuff to Safari (keychain). If I know that the current limitation is likely to be perpetual, I’ll phase-out all the daily logins from 1P’s vault, so that I’ll only have to maintain one database for them.

  • Drew_AG
    Drew_AG
    1Password Alumni

    Thanks again for the feedback, we really do appreciate it! As always, we can't make any promises but we will definitely let our developers know.

    For now, if you want to keep the Touch ID option enabled but would still like to switch to the master password at certain times, my best suggestion is to use the Lock Now option in 1Password (under Settings > Security) which will immediately lock 1Password and require the master password the next time you unlock it. Or you can bring up the Touch ID prompt and tap Cancel, which will also switch to requiring your master password. I realize that's not the same as having a separate auto-lock setting for the master password, but I wanted to mention it as a possible workaround.

  • Hessijames
    Hessijames
    Community Member

    @Drew_AG‌
    I am unsure if informing the developers over and over again will get us any closer to a solution as they should already know according to numerous statements of AgileBits employees in this thread. What we need - I feel the urge to repeat myself - is a decision and the honesty to convey it. What we do not need is an ever growing number of community managers expressing their gratitude for this magnificent idea combined with the omnipresent promise to inform the developers.

    Please excuse my candidness but I am sure that we really need to end this discussion loop and start actually working on the problem.

    Patrick

  • Ben
    Ben
    edited December 2014

    Hi Patrick ( @Hessijames‌ ),

    No excuse needed. I agree that some candidness is in order here.

    We acknowledge that there are some folks who have a very strong preference here to have us do things differently and we aren't ignoring that. The fact is that the changes we have made have greatly simplified the previously overly complex Touch ID options and the amount of technical support requests for Touch ID related problems has decreased significantly since the change.

    We're always looking for ways to do things better, and if we can add more flexibility without adding a whole lot more complexity we'll certainly consider that. I can't say for certain, but I can't really see reverting changes that have achieved the desired outcome. The previous preferences were unable to accomplish their stated purpose reliably, and because of the architecture of iOS we were unable to make them do so. As such unfortunately we had to remove them. We've made the options less complex, simpler to understand, and reduced confusion. The battle between security and convenience is a constant challenge. In this case we feel we've made the best choice for both sides. If setting the preferences is so confusing that they produce an unintended result, that is a loss for both sides.

    I'm sorry that this is not the answer you are looking for, but I hope you understand our struggle to offer utility without compromising security. We're not saying 'never,' but it wasn't working out with the current state of things.

  • @Hessijames‌ Hi there. I was looking back through the thread to see what all has been said. I wanted to re-address something that you mentioned in an earlier post:

    AgileBits already commented on that (see my first posting):

    As the reason for the removal, AgileBits mentioned the fact that many users were massively confused by the different timeouts.

    That certainly was one of the reasons. People were massively confused by how the timeouts needed to be set up.

    There is also a technical reason we ran into that I haven't seen discussed yet (if it was, and I missed it in my quick scan of the thread, I apologize). Essentially, we couldn't get the original timeout settings to play very nicely with the new iOS extension. As I understand it from my conversations with development the extension APIs just are not accommodating what we want to do with timeouts at this time. Extensions are a very new system to iOS and are far from being mature yet. We definitely want to add back the Master Password timeout and will do so when it is technically feasible to keep the entire Touch ID system from being fragile and prone to failure.

  • [Deleted User]
    [Deleted User]
    Community Member

    I have to agree that this is an inexcusable vulnerability and I'm frankly appalled that this hasn't been addressed yet. Part of the reason why I continue to use 1Password is because I feel that my data is safe and because I am confident that AgileBits has made the right choices to keep everything secure, without me having to worry about vulnerabilities other than a compromised master password. After reading (and seeing) about Touch ID a bit more, I don't understand why AgileBits was even willing to take that risk. The fact is: when my iPhone is stolen and it happens to have a usable fingerprint on its display, a thief might be willing to replicate it and by that not only gain access to my phone, but also 1Password. Many users might not know or underestimate this risk and as such, AgileBits is not serving their users' best interests when it comes to data security. I have to say, my confidence in AgileBits has taken a hit because of this.

  • Stephen_C
    Stephen_C
    Community Member

    I think you are very much over-reacting to this latest scare about touch id. There is absolutely no evidence that the "manufactured" finger print worked to unlock the German minister's phone (and I very much doubt it would). I also rather doubt anyone has a close-up portrait of the finger(s) or thumb you use for touch id (unless, of course, you've had a brush with people who have needed to take finger prints—but that's another matter!).

    Stephen

  • Hessijames
    Hessijames
    Community Member
    edited December 2014

    @Stephen_C‌

    @Eitot is completely right. TouchID was broken several days after its initial roll out and TouchID is still broken. So far, there has not been any arguments against this finding. And - frankly speaking - this will not change when there is no technical discussion of people with both the will and basic knowledge to take part. Eitot clearly mentioned which fact he was referring to in the video being the creation of a fake fingerprint from a display fingerprint which should be very clear to everyone who actually watched the video. (The link for the English Version is in the description)

    Let's face the facts: The current TouchID settings of 1Password are highly insufficient to ensure moderate security without disabling the feature completely. This will not change by involving a growing army of community managers but simply by involving developers and assigning an appropriate priority.

    Patrick

  • Stephen_C
    Stephen_C
    Community Member

    This will not change by involving a growing army of community managers but simply by involving developers and assigning an appropriate priority.

    If you refer to my role do please note that I do not speak in any way for AgileBits, which exercises (no doubt to its regret) no control over my opinions or posts. I am merely a volunteer here trying to help when appropriate—but also expressing my own views from time to time. :)

    Stephen

  • [Deleted User]
    [Deleted User]
    Community Member
    edited December 2014

    To elaborate on my earlier post: at around 32 minutes, the presenter demonstrates how easily he can extract a fingerprint right from the iPhone's display using a scanner. Within a minute he has a digital copy. The reproduction is of course a lot more elaborate and requires a bit of know-how, but the risk should still be obvious: if the iPhone is stolen and if it indeed does have a usable fingerprint (which isn't that unlikely for an all-touch smartphone), the phone and 1Password are vulnerable. I don't want to start a debate on the pros and cons of Touch ID here, but this topic deserves serious consideration. The master password is there for a reason, it should only be relinquished temporarily if the security risk is minimal. Touch ID cannot guarantee the same level of protection as a master password, but is effectively treated the same when it comes to unlocking.

  • Drew_AG
    Drew_AG
    1Password Alumni

    Hi @Eitot and @Hessijames,

    Thanks for your feedback about this. Having users who are as passionate as we are about 1Password and security certainly helps us make improvements!

    To bring us back to the original topic, I'm assuming you are each saying you'd like to have a separate timeout setting for the master password, like there used to be. Our developers are very aware that many users are interested in having that feature again. As explained earlier in this discussion, "The previous preferences were unable to accomplish their stated purpose reliably, and because of the architecture of iOS we were unable to make them do so." In other words, the previous preferences caused too many problems. If we're able to bring back that feature in such a way that it works well, I'm sure we'll seriously consider doing so.

    In the meantime, if you feel Touch ID is not secure enough for you, please remember that you can always turn it off. Or if you don't want to completely disable the Touch ID option, please see my previous suggestions for easily reverting to the master password.

    Thanks again for sharing your thoughts on this, we do appreciate the feedback! :)

  • [Deleted User]
    [Deleted User]
    Community Member
    edited December 2014

    @Drew_AG‌ A speedy solution would of course be preferable, but I don't get the feeling that the urgency and seriousness of the matter is understood. I only got my iPhone 6 a month ago and never paid much attention to Touch ID, although I was excited to use it. Perhaps I was a bit too excited, because when I saw the video (above) my jaw dropped. I never contemplated that a fingerprint could be so easily extracted right from the screen itself. You might as well write your password on the back of your phone. Having used 1Password with a temporary PIN code before, I wasn't immediately aware that this time limit is not applied to Touch ID. I get the impression that the time limit is considered a convenience feature here rather than an essential security mechanism and it is this dichotomy that gets my goat. The more responsible choice would have been to pass on Touch ID until this issue is addressed by Apple or at least add a clear warning that this usage is risky. The temptation is there to use Touch ID by default, but it may compromise security a lot more than people realise.

    Moreover, I can no longer use the PIN code method anymore. The choice is now between the master password, a temporarily unlocked vault or Touch ID. This doesn't seem like it has been thought through and I cannot stress my disappointment enough. Again, what's the point of a master password if you can bypass it with a fake fingerprint or a petty 4-digit PIN code.

  • Fairgame
    Fairgame
    Community Member

    There is one aspect of Touch ID I did not realize until I have actually used it for a while. I'm convinced that using Touch ID is actually safer in real life scenario than typing MP or PIN every time.

    I travel a lot and use my devices in public places all the time. With all the smart phones out there it is really easy to videotape someone and deduce what has been typed on the screen. Touch ID takes that option away. Video of me unlocking 1PW with Touch ID does not help anyone to subsequently unlock it. Using fingerprint to manufacture a fake one was fairly complicated on youtube demo, definitely more so than observing keyboard entry from recorded video. And with fake fingerprint, at least in case of 1PW, the attaker would have only one shot at getting it right, before MP kicks in (the same MP that has not been recorded because it was not used).

    That said, I would still like to see some timeout on the Touch ID similar to the one used with PIN previously. But I do not feel as strongly about it as I did earlier.

  • [Deleted User]
    [Deleted User]
    Community Member
    edited December 2014

    @Fairgame‌: I see the utility of Touch ID too, which is why I find this so frustrating. Touch ID is absolutely fine for temporary authentication, because the technology is sophisticated enough to resist fake fingerprints unless the recreation is done well (which takes too long for it to be viable). But the crux of the matter is that it can be done and the iPhone might leave enough fingerprints on its screen for someone to attempt this. I shouldn't have to worry that someone might get access to my 1Password library when my iPhone is stolen and Find My iPhone does not kick in, but this is not guaranteed anymore. Without Find My iPhone all the local data is vulnerable once the iPhone is beyond my control. This is what worries me.

    By the way, I've just tested Touch ID with an unrecorded fingerprint on 1Password. It switched to master-password authentication only after the second failed attempt. That's two chances to get it right.

    @ AgileBits: Perhaps there are other workarounds that are worth considering until the issue can be addressed technically. Off the top of my head:

    1. Add an option to use both Touch ID and a PIN consecutively. This is still faster than a master password and a lot securer than just either method.

    2. Add an option to force 1Password to check whether there is an Internet connection and require the master password when it cannot connect, so that a thief cannot access 1Password if they prevent the iPhone from being remotely disabled with Find My iPhone.

  • Hi folks,

    I think we need to take a step back here and talk about attack vectors.

    A common thief doesn't care about your data. They stole your phone to make a quick $150 and want to get the device out of their possession as quickly as possible. They aren't going to be attempting to bypass the touch ID authentication on your device for the purpose of stealing your data. They are simply going to want to wipe it for resale.

    A thief who is truly after your data is going to use the wrench method:

    ">

    (with thanks to XKCD)

    We actually reportedly had a customer who passed out drunk and had someone use their finger to unlock their phone:

    Obviously if this is a concern, then you should probably consider foregoing the convenience of touch ID and instead opt for always entering the Master Password.

This discussion has been closed.