Touch ID and 1P Security

pomme4moi
Community Member

AgileBits routinely emphasizes the importance of strong and unique passwords. Let's say I have followed this advice and have a 25-character password that must be entered to open the 1P app on iOS (tedious to enter, but strong). And let's say I have a 10-character device password on my iPhone 6.

When I activate the Touch ID feature in 1P, my understanding is that my 1P password now will be stored in the iOS keychain. And to open 1P, I now simply use Touch ID. But, in this example, haven't I just replaced a strong 25-character password with a weaker 10-character password that controls access to the 1P app and all the stored passwords within the app?

If I want a comparable level of security, would I need to have a 25-character device password on my iPhone 6?

Comments

  • Ben
    edited March 2015

    Hi @pomme4moi,

    This is an excellent question. I'm going to ask @jpgoldberg to step in on this one, but this knowledgebase article should give you a good start on understanding how this works:

    https://support.1password.com/how-safe-is-touch-id/

    Thanks!

  • pomme4moi
    Community Member

    Thank you bwoodruff. I look forward to jpgoldberg's response ...

  • hughscott
    Community Member

    I'm also interested in why 1Password appears to require entering my password after my iPhone has been restarted, but doesn't require password entry after a fingerprint has been added or deleted from Touch ID.

    As pomme4moi stated, enabling Touch ID support in 1Password replaces the security of my current 1Password password with the level of security associated with my iPhone's unlock passcode.

    Imagine this scenario... Suppose I have a 4-digit numeric "Simple Passcode" that I use to unlock my iPhone. If this passcode is guessed by someone, they can unlock my iPhone and add their fingerprint to Touch ID. If my iPhone has not been restarted since the last time I ran 1Password, they won't be required to enter my 1Password password when launching 1Password. This person can simply use their newly-entered fingerprint to access 1Password.

    This Apple tech document (About Touch ID security on iPhone and iPad; https://support.apple.com/en-us/HT5949) describes how the Apple stores (iTunes Store, App Store, and iBooks Store) require entry of my Apple ID password after:

    • Restarting your device
    • Enrolling or deleting fingers

    This prevents someone from purchasing Apple content by only knowing my iPhone's unlock passcode. That knowledge won't gain them access to the Apple stores even though I've configured the use of Touch ID.

    Do 3rd-party apps have the ability to detect when a fingerprint has been added or deleted from Touch ID? If not, it appears that the security of 1Password, as described by pomme4moi, is only as secure as my iPhone's unlock passcode.

  • khad
    1Password Alumni
    edited March 2015

    @pomme4moi wrote:

    But, in this example, haven't I just replaced a strong 25-character password with a weaker 10-character password that controls access to the 1P app and all the stored passwords within the app?

    If I want a comparable level of security, would I need to have a 25-character device password on my iPhone 6?

    From the support article that @bwoodruff linked to above:

    Touch ID is designed to minimize the input of your Master Password, but your Master Password will be needed for additional security validation:

    • After restarting your device
    • After canceling the Touch ID prompt
    • To change your Master Password

    I need to update that to also indicate that 3 failed fingerprint reads will also revert to the Master Password.

    So you have not replaced your Master Password. All your data is still encrypted with your Master Password. You are merely granting access to the 1Password app via Touch ID. If someone doesn't have your fingerprint, they only get 3 tries to fake it before 1Password reverts to prompting for your Master Password. If you are concerned about someone being able to forge your fingerprint and get an accurate read from it in 3 tries, we would recommend foregoing the Touch ID feature in 1Password on your iOS device(s).

    If you are worried that someone will use your actual fingerprint (for a much greater chance of success), you can force the Master Password requirement if you are in a position to plan ahead or act quickly. From that same article:

    If you cancel the Touch ID prompt in 1Password, no matter how soundly you sleep, your fingerprint cannot then be used to unlock your 1Password data. The Master Password will be required. But remember that they can still use your fingerprint to unlock the rest of your device.


    @hughscott wrote:

    Do 3rd-party apps have the ability to detect when a fingerprint has been added or deleted from Touch ID?

    Unfortunately, they do not. We are only able to require a device passcode — whatever its strength may be — be set before allowing folks to enable the Touch ID feature in 1Password. This was added in iOS 7 IIRC, and it is a huge step in the right direction. Once upon a time, it was possible to set a PIN Code in 1Password without even requiring a device passcode. (We simply didn't have a way to determine that available to us.) Perhaps Apple will further improve this in the future. They've already made progress in this direction, so we remain optimistic.

    If you are using a weak device passcode, then what you describe is indeed a concern. However, we highly recommend that you use a stronger device passcode than a mere 4 digits. When you enable Touch ID, you are, in part, relying on the security of your device passcode to protect your 1Password data on your device. Having a strong device passcode should be your top priority if you are as concerned about security as it sounds like you are.

    For a bit more background, you may be interested to read our How we securely store the Master Password in the iOS Keychain support article.

    I hope that helps. It is certainly great that you are thinking about these things. Please let me know if you have additional questions or concerns.

    Cheers!
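    The two mechanisms the thread keeps circling back to are the keychain accessibility class that requires a device passcode and the behaviour on cancel, bad reads and fingerprint changes. The example below is added here and is not 1Password's code; the service and account names are hypothetical. It stores a secret with `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` (iOS 8+) and additionally binds it to the currently enrolled set of fingers with `SecAccessControlCreateFlags.biometryCurrentSet`, a flag that postdates this discussion (it arrived in iOS 9 as `touchIDCurrentSet` and was renamed in iOS 11.3). With that flag set, the scenario hughscott describes (someone who knows the passcode enrolls their own finger) makes iOS invalidate the item instead of accepting the new finger, which is exactly the detection khad says third-party apps lacked at the time.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical identifiers for this example; the page does not name 1Password's items.
private let kService = "com.example.passwordmanager"
private let kAccount = "master-password"

enum UnlockResult {
    case unlocked(String)           // secret returned after a recognised fingerprint
    case needMasterPassword(String) // caller must fall back to prompting for the Master Password
}

/// Store the secret so that it is only decryptable while a device passcode is set, never
/// leaves this device (no backup/restore), and is bound to the *current* enrolled fingers.
/// Enrolling or deleting a finger afterwards makes iOS drop the item: the next read returns
/// errSecItemNotFound rather than unlocking for the newly added finger.
func storeSecret(_ secret: String) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,   // use .touchIDCurrentSet on iOS 9 through 11.2
        &cfError
    ) else { return errSecParam }

    // Delete any earlier copy first so SecItemAdd does not fail with errSecDuplicateItem.
    forgetSecret()

    var add = baseQuery()
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = Data(secret.utf8)
    return SecItemAdd(add as CFDictionary, nil)
}

/// Remove the Touch ID-protected copy. Called on cancel so that, as the support article
/// quoted above says, the Master Password is required from then on.
@discardableResult
func forgetSecret() -> OSStatus {
    return SecItemDelete(baseQuery() as CFDictionary)
}

/// Read the secret behind a Touch ID prompt and map every non-success path to
/// "ask for the Master Password", which is the fallback the thread describes.
func unlockWithTouchID(reason: String = "Unlock your vault") -> UnlockResult {
    let context = LAContext()
    context.localizedReason = reason

    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context

    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)

    switch status {
    case errSecSuccess:
        guard let data = item as? Data,
              let secret = String(data: data, encoding: .utf8) else {
            return .needMasterPassword("stored item was not valid UTF-8")
        }
        return .unlocked(secret)
    case errSecItemNotFound:
        // Either never stored, forgotten after a cancel, or invalidated because the
        // set of enrolled fingers changed since storeSecret() ran.
        return .needMasterPassword("no Touch ID-protected copy available")
    case errSecUserCanceled:
        forgetSecret()   // cancelling disables Touch ID until the Master Password is entered again
        return .needMasterPassword("Touch ID prompt cancelled")
    case errSecAuthFailed:
        return .needMasterPassword("fingerprint not recognised")
    default:
        return .needMasterPassword("keychain error \(status)")
    }
}

private func baseQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount,
    ]
}
```

    Two caveats follow from the thread itself. First, the item is still encrypted under a key derived from the device passcode, so a weak passcode remains the weakest link exactly as khad says; the CurrentSet flag only closes the "enroll a new finger" route, not the "guess the passcode" one. Second, the three-failed-reads rule and the "require the Master Password after a restart" rule are app policy, not keychain behaviour; an app implementing them would count `errSecAuthFailed` results and call `forgetSecret()` when its own limits are reached.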

  • pomme4moi
    Community Member

    Thank you hughscott. My interpretation of your response is that, with Touch ID, the passwords stored in 1P are only as secure as the device password. Looks like I better set a stronger device password! Thanks again, very helpful.

  • The long and short of it, as Khad mentioned, is that when you enable Touch ID, you are, in part, relying on the security of your device passcode to protect your 1Password data on your device. :)

    Thanks!

This discussion has been closed.