Touch ID issues on iPhone 5S iOS 8.1
Introducing Touch ID as an extra convenience was wonderful. There are, however, some issues which, if taken care of, will make the Touch ID feature even greater. I'm using version 5.1.2 on iPhone 5S with iOS 8.1.
In some cases 1Password bypasses Touch ID and falls back to Master Password authentication. Examples of those cases are:
when Touch ID fails (a fingerprint is not recognized after 2 retries) or when the user taps the Cancel button when prompted for Touch ID. This is of course how it should be. The problem is that the Touch ID option will go away and will not come back (even after the application restarts) until the user has filled in the master password. Only after a successful unlock using the master password does the Touch ID prompt reappear at the next run. This is a problem because the user could have accidentally tapped the Cancel button or because Touch ID is still not 100% perfectly recognizing fingerprints (2 retries is really not enough!).
The correct behavior should IMO be:
1. If for whatever reason (a bad fingerprint read, tapping Cancel, ...) Touch ID is bypassed to master password authentication, the user should get the Touch ID prompt at the next run of the application (restarting, with or without killing the app). Bypassing Touch ID applies only once (the current session). Alternatively, there should be a way (e.g. a button right next to the master password field) to reinitiate Touch ID manually.
2. The number of Touch ID retries should really be more; 5 sounds reasonable to me. Again a button to reinitiate the Touch ID (if the user wishes) is never wrong.
Thank you!
Comments
Hi @Omid,
Thank you very much for the feedback & suggestions for Touch ID! I can't make any promises, but I can certainly forward that to our developers.
In case you're curious, some of the things you mentioned work that way for specific reasons. The thing to keep in mind is that your master password is absolutely, 100% necessary for unlocking your 1Password vault. Your master password is used to encrypt/decrypt a key, and that key is used to encrypt/decrypt your 1Password vault. In order to use Touch ID, we store the master password in the iOS keychain. When you authenticate with Touch ID, that allows the master password to be retrieved from the iOS keychain and used to unlock 1Password.
When the master password is stored in the iOS keychain, it is protected in a few ways - but even so, it's only stored there temporarily, and we aggressively remove it from the keychain if Touch ID authorization fails, if you tap Cancel, if Touch ID or the device Passcode are disabled, and so on (it's also removed from the iOS keychain when you restart your device). This is largely for security reasons. The point is that once you see the prompt for your master password, that means your master password has been removed from the iOS keychain. We can't put the master password back in the iOS keychain until you re-enter it, which means there's no way to prompt you for Touch ID again until you enter the master password.
Having said all that, there are some things we could change, such as when to remove the master password from the iOS keychain. So it's definitely possible for some of your suggestions to be implemented. It basically comes down to that fine line between convenience and security. ;)
Thanks again, we truly appreciate the feedback!
0
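The store-then-evict behaviour described in the reply above can be sketched with the iOS Keychain Services API. This is an added example, not 1Password's code: the service and account names are hypothetical, and the choice of `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` with `.userPresence` is an assumption, since the thread does not say which keychain protections the app uses.

```swift
import Foundation
import Security

// Hypothetical identifiers chosen for this example.
let service = "com.example.vault"
let account = "master-password"

enum UnlockResult {
    case unlocked(String)      // secret released after the user authenticated
    case needsMasterPassword   // nothing stored, or the stored copy was just evicted
}

func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

// Call only after the typed master password has successfully unlocked the vault.
func storeForTouchID(_ masterPassword: String) -> Bool {
    var error: Unmanaged<CFError>?
    // Assumed protection: readable only on this device while a passcode is set
    // (iOS deletes the item if the passcode is turned off), user presence required.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .userPresence, &error) else { return false }
    SecItemDelete(baseQuery() as CFDictionary)   // replace any stale copy
    var query = baseQuery()
    query[kSecAttrAccessControl as String] = access
    query[kSecValueData as String] = Data(masterPassword.utf8)
    return SecItemAdd(query as CFDictionary, nil) == errSecSuccess
}

func unlockWithTouchID() -> UnlockResult {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecUseOperationPrompt as String] = "Unlock your vault"
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecSuccess, let data = item as? Data,
       let secret = String(data: data, encoding: .utf8) {
        return .unlocked(secret)
    }
    // Cancel, failed match, or missing item: evict the stored copy, so the
    // only way to re-enable Touch ID is to type the master password again.
    SecItemDelete(baseQuery() as CFDictionary)
    return .needsMasterPassword
}
```

Because the failure path deletes the item, a later call to `unlockWithTouchID()` has nothing to release until `storeForTouchID(_:)` runs again, which is why the Touch ID prompt cannot reappear before a master-password unlock.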