Enabling TouchID on iPhone Reduces Security to Your iPhone's PIN (!)
Many of us have important passwords in 1password and correspondingly have a strong password.
You should be careful enabling TouchID on iOS (iPhones and iPads).
Assume someone gets your iPhone PIN and you have enabled TouchID. Here is what they can do:
- Unlock your phone with the PIN
- Add their fingerprint to the phone with the PIN
- Go to 1password on your iPhone and use their newly added fingerprint to unlock 1password
Seems like one solution is for 1password (and any other app) to detect if a new fingerprint has been added and then re-require your 1password password. This assumes, of course, that 1password can detect if a new fingerprint has been added.
Best,
Robert
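The check proposed in the post above, sketched in Swift as an added example (not part of the original post and not 1Password's code). It relies on `LAContext.evaluatedPolicyDomainState` from Apple's LocalAuthentication framework, available from iOS 9, whose value changes when the set of enrolled fingerprints changes; `EnrollmentGuard` and the storage key are hypothetical names.

```swift
import Foundation
import LocalAuthentication

// Hypothetical helper: remembers the biometric enrollment state seen at the
// last master-password unlock and refuses Touch ID if it has changed since.
final class EnrollmentGuard {
    enum Decision { case allowBiometrics, requireMasterPassword }

    private let key = "example.enrollmentState"   // hypothetical storage key
    private let store: UserDefaults

    init(store: UserDefaults = .standard) { self.store = store }

    // Opaque blob that iOS changes whenever a fingerprint is added or removed.
    private func currentState() -> Data? {
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                        error: &error) else { return nil }
        return context.evaluatedPolicyDomainState
    }

    // Call only after the user has typed the master password successfully.
    func recordStateAfterMasterPassword() {
        if let state = currentState() {
            store.set(state, forKey: key)
        } else {
            store.removeObject(forKey: key)
        }
    }

    // Call before offering the Touch ID prompt.
    func decide() -> Decision {
        guard let saved = store.data(forKey: key),
              let current = currentState(),
              saved == current else {
            // No baseline, biometrics unavailable, or enrollment changed:
            // fall back to the master password and re-record afterwards.
            return .requireMasterPassword
        }
        return .allowBiometrics
    }
}
```

The same effect can be enforced by the OS by storing the unlock secret in a Keychain item whose access control uses `.touchIDCurrentSet` (later renamed `.biometryCurrentSet`), which invalidates the item when a fingerprint is added or removed.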
Comments
-
I'm not sure this helps with your concern, but if your phone is reset, 1Password will demand the master password before Touch ID will work again. Also, 1Password folks recommend that users not use a simple four digit unlock code for the phone to help make it much more unlikely that someone could guess it. I have my phone set to erase itself if there are 10 unsuccessful attempts to unlock it.
Just some mitigating ideas.
I'd bet that Apple doesn't provide application developers any way to keep track of fingerprint revisions. And I'm sure 1Password is entirely dependent on Apple protocols for using Touch ID.
0 -
Feature Request: On devices with Touch ID, please offer the option to use a PIN, as is currently available on devices that do not have Touch ID. This would address the concern above, and another for a scenario that I can share if you want to contact me. Others have requested this feature, including ucs308 on 23 Sep 2014.
0 -
Yes, it's true others have requested this, and when version 5 was first released, it had that feature. But so many users were confused about how to use the options that the developers simplified it to the way it works now - Touch ID only on devices that have the option, PIN on those that don't. I liked the flexibility of the original better myself, but I can testify that the forum was full of posts from folks who couldn't get it to work.
0 -
Hi @R9E,
Thanks for taking the time to write in here! Hawkmoth has it right: we certainly recommend that you use a PIN stronger than 4 digits, and that you never share this PIN with anyone. He's also right in saying that Apple does not let developers have much info with respect to TouchID. As I understand it, 1Password will send a request to the iOS to match the fingerprint and receive a yes or no response. That's pretty much it.
TouchID is a great new technology and we're excited to see how it continues to develop, but it is important that users are aware of its limitations.
Hi @ACohen,
Thanks so much for sharing your thoughts here. If there is something about this scenario of yours that we can help with, please let us know - we're here for you!
0 -
Getting back the option to use a passcode instead of Touch ID on Touch-ID-capable devices is a request I would like to support.
It didn't occur to me that it is indeed possible to add a fingerprint to your device once your passcode is compromised, even if your device is locked with Touch ID. Apps like 1Password that can be unlocked with Touch ID alone would be at risk as well, something which has been discussed to exhaustion in this thread here: https://discussions.agilebits.com/discussion/29534/touch-id-changes-in-5-1-please-see-post-67-for-latest-information/p1 (hopefully with a solution soon).
It seems like Touch ID raises more and more questions the longer you think about it.
0