1Password PIN overruled when Touch ID autofill is disabled

dvmierlo
Community Member
edited September 2018 in iOS

While autofill works really well, I do have a serious security issue with the new feature.

I do not use Touch ID for 1P. I use a PIN. The reason is that it gives an extra hurdle for unwanted persons to access my 1P. With that in mind, enabling Touch ID on autofill doesn't give that extra hurdle since I'm logged in anyway. But when disabling Touch ID on autofill, iOS 12 directly fills in all credentials provided by 1P. The 1P PIN is overruled at this point. This gives an unwanted person the option to open a website (think banking, etc.) on my iPhone and log in without any hurdles.

Let's say I'm sleeping. A person can take my phone and hold my finger on Touch ID without me knowing, allowing access to everything I protect with 1P.

Call me paranoid, but think what the reason is for using 1P in the first place. It is to protect all your personal and sensitive information.

Comments

  • Hi @dvmierlo

    Please enable 1Password > Settings > Advanced > Security > Always show lock screen for Password AutoFill. That should cause you to be prompted for your PIN code when accessing 1Password data via Password AutoFill.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • Hi @dvmierlo. Thanks for getting in touch. This is an issue we're addressing (actually just finishing up the code review on the change) and will be fixed in 7.2.1. In the meantime you can follow Ben's instructions to get the behavior you want out of the AutoFill extension.

  • dvmierlo
    Community Member

    @MrRooni Thank you for your feedback!
    @Ben Your suggestion works. Thank you!

  • Excellent. Thanks for the update. Glad to hear that worked. :)

    Ben

  • dvmierlo
    Community Member

    Hi @Ben and @MrRooni,

    With the “always show pin” option enabled, there is still another security issue.

    On a login page, where I have not filled in any credentials, I tap on the password field to make iOS detect the login. At this point, iOS shows the username provided by 1Password on top of the iOS keyboard. After I tap on the username on the iOS keyboard to fill in the password, I have to provide my PIN. Showing the username this way is not secure.

    I enabled only 1Password in the iOS autofill option.

  • @dvmierlo

    I'll review this with the team, but my understanding is that is a function of Password AutoFill. It'll work that way regardless of which password manager you're using (including iCloud Keychain). You may wish to use the 1Password extension and turn off Password AutoFill if you're not comfortable with that.

    Ben

  • dvmierlo
    Community Member

    Hi @Ben,

    Thank you for your time and effort!

    Kind regards, Dennis

  • You’re very welcome. :)

    Ben

This discussion has been closed.