Different authentication for different vaults? TouchID makes this more interesting.

deadshort
deadshort
Community Member
in iOS

Would it be possible to apply different authentication rules to different vaults? In particular, I'd like to be able to use TouchID and to allow computer sleep for a vault with the zillion less important items (Agilebits Forum login, etc), but really really do not want those enabled for the more important ones (Amazon, banks, etc.)

I find that phones and TouchID have stretched the convenience vs. security question. The inconvenience of using a decent passphrase and a secure re-lock scheme (lock on sleep, etc) is significant on a phone, and the incentive to use TouchID is hard to resist. But weakening procedures lowers security for truly valuable keys too much for my comfort.

My current workaround is to use two different products. I'd much rather have a Usually Open and an Always Closed Vault.

Thanks.

1Password Version: OSX 6.2.1 / IOS 6.3.1
Extension Version: Not Provided
OS Version: OSX 10.11.4 / IOS 9.3.1
Sync Type: Not Provided

Comments

  • Ben
    Ben

    Hi @deadshort

    Thanks for taking the time to write in.

    Would it be possible to apply different authentication rules to different vaults?

    This would not be possible using our current architecture. It would require a massive re-engineering of how we handle vaults. That is not to say that we wouldn't ever consider doing so, but it would definitely be a long term project.

    We do have an article on Touch ID that you may be interested in:

    How safe is it to use Touch ID to secure my vault?

    Sorry I don't have the answer you were hoping for.

    Ben

  • deadshort
    deadshort
    Community Member

    Fair enough.

    How about adding a "require full authentication" option for items? Is that also architecturally difficult?

  • Ben
    Ben

    How about adding a "require full authentication" option for items? Is that also architecturally difficult?

    Yes. And we actually used to have this option in 1Password 3 for iOS (long before Touch ID was a thing). In those days 1Password was unlocked by a 4-digit PIN (always). Once the app was unlocked each item had an individual security level -- high or low. Low security items could be opened without any further interaction, but items marked as high security required that you type your Master Password.

    One of the problems we ran into was that many folks would leave all of their items as low security, and then they would never type their Master Password. This lead to them forgetting it. That was totally devastating. As the items were actually encrypted using the Master Password it wasn't possible to export / upgrade them without it. Since they had forgotten it, they were stuck. They could still access the v3 app using their PIN, but to upgrade they had to manually copy over all of their items, by hand.

    It was quite a painful process, and it added a level of complexity that only benefited a small minority of customers. In the end it seemed it hurt more than it helped, and so was removed with v4.

    Ben

This discussion has been closed.