1Password's Touch ID implementation doesn't look secure. Is it?

volkov
volkov
Community Member
in iOS

Hello there,

First of all, I want to tell you that I love 1Password. :+1:
I love it so much that I couldn't hold myself back any longer from informing you of this 1Password's incorrect Touch ID implementation.

The iOS app allows you to protect your data with Touch ID, not with the iOS device's passcode.
In facts, unlike the iPhone's passcode, the user needs to be present and put his own finger in order to unlock the device.

However, with the current 1Password's implementation, I can add a new fingerprint in the iOS settings and the 1Password app will automatically accept authentication through this new fingerprint, not asking me to confirm my 1Password's master password.

In other words, enabling the Touch ID authentication is tantamount to securing your password with your poorly secured iOS device's passcode. Which means that anyone who knows my iOS device's passcode can access all my passwords.

The proper implementation is the following: when a new fingerprint is added, the keychain must be reset. This way, if someone adds a new fingerprint on my device, he cannot access my passwords. When opening the app, a warning would tell him that the KeyChain item has been reset and that he needs to retype his master password.

Your article perfectly states this issue:

Your device must be unlocked for the secret to be accessible

That's not the way this should be handled. The user must have unlocked Touch ID for the secret to be accessible, not just unlocked the device. What you describe in this article is true for regular KeyChain items, not for items you really want to secure with Touch ID.

Apple does provide APIs in order for you to secure data with user's fingerprints and to invalidate those data if a new one is added.

I think you should consider implementing this. :)

Many thanks,
A 1Password user

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben
    Ben

    Hi @volkov,

    Thanks for taking the time to write in, and especially for that link to the API reference. I've asked our developers to look into the feasibility of adding this to our Touch ID implementation and consider doing so if feasible.

    While you're device passcode is required to add additional fingerprints, I agree this would be a very nice addition.

    In the mean time if you are concerned someone may have your device passcode you may want to consider changing it, and may also want to consider something stronger than a simple 4-digit PIN:

    How to set up a complex passcode on your iOS device

    Thanks!

    Ben

    ref: OPI-3847

This discussion has been closed.