Touch ID as an alternative to the Master Password

asbjornu
Community Member
edited November 2015 in iOS

I recently tried 1Password on an iPhone with Touch ID and was dumbfounded and disappointed that the Main Password still needs to be entered even after Touch ID has been enabled. Why can't Touch ID function as an alternative to the Master Password and not just the pin code?

For most people, the Touch ID would be much more secure than almost any chosen vault password, so for iOS-enabled phones, they would be more secure not having a password for the vault at all and just using Touch ID. I realize that might be bad for people who lose their phones and thus are forced to create a new Touch ID, so I understand why you would want a password in between Touch ID and the vault.

But not having to enter the password more than once on a Touch ID enabled phone incentivizes people to increase the strength and length of that password considerably. By forcing people to enter it as often as they have to now, it incentivizes people to have short and easy-to-type (i.e. weak) passwords.

Can't you just use Touch ID to encrypt the vault password and then use the decrypted password to unlock the vault? If not, why not?


1Password Version: 6.1
Extension Version: Not Provided
OS Version: iOS 9.1
Sync Type: iCloud
Referrer: forum-search:touch id without password

Comments

  • Hi @asbjornu

    Thanks for taking the time to write in.

    Can't you just use Touch ID to encrypt the vault password and then use the decrypted password to unlock the vault? If not, why not?

    Yes, this is essentially what we do now. We store the Master Password in the iOS keychain, and your Touch ID grants you access to your iOS keychain. The Master Password can become cleared from the keychain though, and is always cleared when the device reboots. With the auto-lock and lock on exit settings set appropriately you can avoid typing your Master Password the vast majority of the time:

    https://support.1password.com/guides/ios/settings-security.html

    It will still be required when the device reboots, of course.

    Even with these settings it is absolutely critical that you have a strong and memorable Master Password. Your data is still encrypted using the Master Password, and so if you forget it, your data is gone.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

    P.S. Don't forget to backup your data!

  • asbjornu
    Community Member

    Thanks, @bwoodruff. What I'd like is a design that didn't require a Master Password, since having to type it incentivizes the user to make it short and weak.

    I have family members and friends that are basically computer illiterate, but they do have a fingerprint and iPhones with Touch ID. Locking their vaults with Touch ID would make the vaults much more secure than a weak password that is easy to remember and type.

  • @asbjornu

    This isn't possible with current technology. The idea is that you no longer have to remember a multitude of passwords, but you do still have to remember one, and it has to be strong and unique. There really isn't a way around that at the moment.

    In addition to other technical issues with what you are proposing, most devices do not have fingerprint readers. Yes, of course all modern iOS devices do, but that excludes a huge portion of the computing population... What about OS X? Windows? What about older iOS devices, even? If your data were encrypted with your fingerprint information, none of those other devices would be able to decrypt it. And even on iOS, where fingerprint reading is prevalent among new devices, iOS doesn't give third-party applications access to the actual fingerprint data that would be needed to do the encryption. All iOS gives us, essentially, is a "yes" or a "no." That simply isn't enough to encrypt your 1Password data with.

    We make every effort to find a proper balance between security and convenience, but as a part of that balance it is necessary to remember (and occasionally type) a strong and unique Master Password.

    Thanks!

    Ben
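
    The two points Ben makes above (the Master Password is cached in the iOS keychain behind Touch ID, and iOS only ever answers "yes" or "no" rather than exposing fingerprint data) can be seen directly in the iOS 9-era Security and LocalAuthentication APIs. The following is an added illustration written for this thread, not 1Password's own code; the service and account names, the error enum, and the "clear the cached password when the app notices a reboot" helper are assumptions made for the example. The access-control flag is named `.touchIDAny` as it was in the iOS 9 SDK (later SDKs call it `.biometryAny`).

    ```swift
    import Foundation
    import Security
    import LocalAuthentication

    // Hypothetical identifiers for this example; not 1Password's real keychain keys.
    let kService = "com.example.vaultdemo"
    let kAccount = "master-password"

    enum KeychainError: Error {
        case accessControlUnavailable
        case unexpectedStatus(OSStatus)
    }

    private func baseQuery() -> [String: Any] {
        return [kSecClass as String: kSecClassGenericPassword,
                kSecAttrService as String: kService,
                kSecAttrAccount as String: kAccount]
    }

    /// The only thing the OS tells the app about biometrics: whether the device
    /// can evaluate a Touch ID policy. There is no API that returns fingerprint data,
    /// so there is nothing to derive an encryption key from.
    func touchIDAvailable() -> Bool {
        var error: NSError?
        return LAContext().canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                             error: &error)
    }

    /// Cache the Master Password in the keychain behind a Touch ID-gated access control.
    /// kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: the item exists only while the
    /// device has a passcode and is never migrated to another device via backup/restore.
    func cacheMasterPassword(_ password: String) throws {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .touchIDAny,          // iOS 9 name; .biometryAny in later SDKs
            &cfError) else {
            throw KeychainError.accessControlUnavailable
        }
        // Drop any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
        SecItemDelete(baseQuery() as CFDictionary)

        var item = baseQuery()
        item[kSecAttrAccessControl as String] = access
        item[kSecValueData as String] = Data(password.utf8)
        let status = SecItemAdd(item as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Read the cached Master Password. The OS shows the Touch ID prompt itself; the
    /// app only observes the outcome: the data comes back (yes) or an error status (no).
    /// The decrypted Master Password is then used to unlock the vault exactly as if
    /// the user had typed it.
    func cachedMasterPassword() throws -> String? {
        var query = baseQuery()
        query[kSecReturnData as String] = true
        query[kSecUseOperationPrompt as String] = "Unlock your vault"

        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            guard let data = result as? Data else { return nil }
            return String(data: data, encoding: .utf8)
        case errSecItemNotFound:
            return nil   // nothing cached: the user has to type the Master Password
        case errSecUserCanceled, errSecAuthFailed:
            return nil   // Touch ID declined or failed: fall back to typing it
        default:
            throw KeychainError.unexpectedStatus(status)
        }
    }

    /// Assumed helper: the keychain does not wipe this item on its own, so an app that
    /// wants "always cleared when the device reboots" has to delete the cached copy
    /// itself when it detects a reboot (how 1Password detects that is not described
    /// in this thread). After this call the Master Password must be typed again.
    func clearCachedMasterPassword() {
        SecItemDelete(baseQuery() as CFDictionary)
    }
    ```

    Note what this does and does not achieve: the vault's encryption key is still derived from the Master Password, so a weak Master Password is still the weak link. Touch ID here only gates access to a cached copy of it, which is why Ben's advice that the password must remain strong and memorable still applies.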

  • asbjornu
    Community Member

    @bwoodruff Thanks for the detailed explanation. I agree that "yes" or "no" isn't sufficient to encrypt a password database. ;)

  • You are most welcome! I'm glad the explanation helped. If we can be of further assistance, please don't hesitate to contact us.

    Ben

This discussion has been closed.