Touch ID is not prompted again after pressing Cancel on the Touch ID dialog [Intentional]
Comments
-
Hi @craffert0, I'm sorry you're having trouble with this!
> If I open 1Password but immediately dismiss it after the touchid prompt
To make sure I understand, do you mean you open 1Password, unlock it with Touch ID, then immediately switch to another app or the Home screen? Or do you mean you open 1Password, then switch to another app or the Home screen without actually unlocking 1Password?
0 -
Hi @craffert0
I think this is intentional. My understanding is that hitting the home button is equivalent to canceling the touch ID request, which forces 1P to ask for the Master Password.
I will double check with our developers, but I'm pretty sure this is "working as intended."
Thanks!
0 -
@bwoodruff, since the touchID request has an "enter password" field, I don't see why you should ever switch back to the Master Password. And it's pretty typical to accidentally open the wrong app.
0 -
I agree with @craffert0. This bugs me to no end that for whatever reason I need, if I should dare not complete the touch ID request that 1Password seems to think that is reason enough to throw me back into entering my master password. Touch ID itself should return failure if I can't get the correct finger into position after N tries, and that would be a perfectly good reason to clear the master password keychain value. But short of Apple's API telling the application that I have "failed" there isn't any reason to block use of touch ID again in the future. Clicking the home button isn't—or should not be—a failure.
I'm not even sure that having to enter the master password once after a device has been booted should be necessary—Apple's perfectly happy supporting touch ID after the unlock code has been given (thus proving to some level ownership of the device's data). 1Password doing this is probably to somehow "ensure" that the user doesn't forget it completely but the decision to not support touch ID in that case is a stretch except in cases where the data is only local (not synced) on this device.
0 -
@craffert0, 1Password for iOS is designed so that if Touch ID fails when trying to unlock the app (or if you enter an incorrect PIN code on iOS devices without Touch ID), 1Password will ask for your Master Password.
When you get the Touch ID prompt and press the Home button to go back to the springboard, the problem is that the Home button is also used for Touch ID. From your description, doing that is causing Touch ID to fail, which in turn causes 1Password to ask for your Master Password (as I mentioned above).
If you find yourself accidentally opening 1Password on a regular basis, you may want to simply unlock it with Touch ID before leaving the app, so you won't be prompted for your Master Password the next time you open it.
Hopefully this helps explain why that is happening! :)
0 -
Hi @MartyS,
Thanks for your input! I think I can help to explain how things are working here.
> But short of Apple's API telling the application that I have "failed" there isn't any reason to block use of touch ID again in the future.
Actually, it sounds like that's exactly what's happening - Apple's API is telling 1Password that Touch ID failed, so 1Password is doing exactly what it's programmed to do when Touch ID fails, which is to prompt for the Master Password instead.
> Clicking the home button isn't—or should not be—a failure.
I don't disagree! :) However, keep in mind that we're using Apple's API and hardware for Touch ID. We don't control whether or not it fails or succeeds.
> I'm not even sure that having to enter the master password once after a device has been booted should be necessary
This is where it gets a bit more complicated, but in a nutshell: Your master password is used to encrypt/decrypt a key, and that key is used to encrypt/decrypt your 1Password vault. Or to put it another way, your master password is absolutely, 100% necessary for unlocking your 1Password vault. In order to use Touch ID, we store the master password in the iOS keychain. When you authenticate with Touch ID, that allows the master password to be retrieved from the iOS keychain and used to unlock 1Password.
When the master password is stored in the iOS keychain, it is protected in a few ways - but even so, it's only stored there temporarily, and is aggressively removed from the keychain whenever Touch ID authorization fails, or if Touch ID or the device Passcode are disabled. Similarly, it is removed from the iOS keychain when you restart your device. And although that is partly to help prevent you from forgetting your master password, it is also partly for security reasons.
I do hope this clears a few things up, but we're happy to answer more questions if you have them!
0 -
Hi @craffert0,
On behalf of Drew, you're welcome.
We've been trying to reproduce the problem to see if we can work around this somehow. For example, there might be a status code from iOS we can use to get 1Password to prompt for Touch ID again.
We aren't able to reproduce the master password prompt; it kept asking for Touch ID consistently for us. Can you tell me if you can do this consistently and, if yes, can you try doing this 2-3 times in a row? I wonder if it happens more often when the app has been terminated by iOS in the background.
On my iPhone 5S, unless I tap on cancel on the Touch ID prompt, I can't go back to the home screen consistently; it wouldn't let me half of the time, and when it did go to the home screen, the Touch ID prompt still showed up anyway.
0 -
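The two replies above describe a keychain-cached master password that is removed when Touch ID fails, and ask whether iOS reports a status code that separates a dismissed prompt from a failed match. The sketch below is an added example, not 1Password's code: it maps `LAError` codes from Apple's LocalAuthentication framework to a keep-or-evict decision, using current SDK names; the function names, the `strictCancel` switch and the keychain service/account strings are assumptions made for illustration.

```swift
import Foundation
import LocalAuthentication
import Security

/// What to do with the keychain-cached secret after one biometric prompt.
enum CachedSecretAction { case unlock, keep, evict }

/// Hypothetical policy. With `strictCancel` true, a dismissed prompt is handled
/// like a failed match (the behaviour the replies describe); false leaves the
/// secret cached so biometrics can be offered again on the next launch.
func action(for error: LAError?, strictCancel: Bool) -> CachedSecretAction {
    guard let error = error else { return .unlock }
    switch error.code {
    case .userCancel, .systemCancel, .appCancel:
        // Prompt dismissed (Cancel, Home button, app switch): no wrong finger was presented.
        return strictCancel ? .evict : .keep
    default:
        // authenticationFailed, lockout, biometrics or passcode unavailable, fallback:
        // fail closed and require the master password.
        return .evict
    }
}

/// Deletes the cached secret. `service` and `account` are placeholder identifiers.
@discardableResult
func evictCachedSecret(service: String, account: String) -> Bool {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    let status = SecItemDelete(query as CFDictionary)
    return status == errSecSuccess || status == errSecItemNotFound
}

/// Shows the system prompt, then applies the policy before reporting back.
func promptAndApplyPolicy(strictCancel: Bool,
                          completion: @escaping (CachedSecretAction) -> Void) {
    LAContext().evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock your vault") { success, error in
        // A failure with no usable LAError is treated as a failed match.
        let laError: LAError? = success
            ? nil : ((error as? LAError) ?? LAError(.authenticationFailed))
        let next = action(for: laError, strictCancel: strictCancel)
        if next == .evict {
            evictCachedSecret(service: "example.vault", account: "master-secret")
        }
        DispatchQueue.main.async { completion(next) }
    }
}
```

Whichever setting is chosen for the cancel codes, every other error takes the evict path, so a failed match or a lockout always ends at the master password prompt.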
@MikeT, after doing some experiments, I realize my earlier bug report was vague. The trick is to hit the home button before the touchid pops up. The touchid screen pops up on the main screen, and then if I cancel, it forces master password again. Which is what also happens if I cancel while in the app. It would be nice if I were given a second chance.
0 -
Hi @craffert0,
In that case, that is intentional. Force cancellation will clear the MP from your iOS keychain and there is no way to get Touch ID to happen again because we no longer have the master password.
The problem is that the Touch ID APIs do not give us any options in this case. That's the only prompt any app can use from Apple; it is not customizable to the point where we'd like to add "Skip" or "Cancel for now".
We also believe this is a bug in iOS where it shouldn't be prompting Touch ID outside of 1Password. So, if Apple agrees, then a future iOS update will prevent Touch ID prompts from showing up in the first place when you're on the home screen.
0 -
No problem, thanks for sharing your experience with us. It'll help Apple improve Touch ID in the future.
0