Quick Unlock: indeterminate duration until master password is required
The Quick Unlock option seems like a great idea in theory, but as far as I can tell it really won't work for me, at least not without one crucial change.
The problem for me is that the time at which the state of the app switches from "unlock with PIN" to "unlock with master password" is indeterminate. The app has to exit for this transition to occur, right? (Or I have to manually force a "lock" state or kill the app). The problem: if I unlock with master password, do my business, and immediately put my iOS device to sleep (by locking the screen), the 1PW app may literally never exit. I'm pretty sure that, on modern iOS, apps are only forced to exit due to resource shortages. When the device is sleeping there are no resource shortages. During this time my vault is vulnerable (due to the vastly decreased security of a PIN vs. a master password). The only protection in place for all my secrets is the device PIN and the 1PW quick unlock PIN. That's not nearly as secure as my 1PW master password.
I'm fine with the reduced security of the quick unlock PIN, as long as I know, with 100% certainty, that the state of reduced security has a finite and known duration. As far as I can tell, this is not the case.
I should not have to manually kill the 1PW app to ensure the vault is locked. The time it takes the system to kill the 1PW app is indeterminate. This makes the quick unlock feature unusable to me. There really should be a separate user-specifiable timer which determines when the transition from PIN to master password occurs. Actually I don't see why the timer I specify for auto-lock isn't used for this, when quick unlock is enabled.
1Password Version: 7.2.1
Extension Version: Not Provided
OS Version: 12.0.1
Sync Type: Dropbox
Comments
-
The lock service does admittedly have a number of complexities due to the currently available options that we'd like to simplify. In the mean time you may want to see if adjusting the 1Password > Settings > Advanced > Security > Require Master Password setting helps. Additionally, selecting 'Lock Now' in 1Password > Settings will always require the Master Password.
Ben
0 -
I did not know about that Require Master Password setting. I think that's exactly what I was looking for. Thanks, Ben!
0 -
On the other hand...with quick unlock enabled, I just killed the 1PW app via the app switcher, and then restarted it, and...no password or PIN prompt. It was ready for business. Isn't the vault supposed to fully lock, requiring master password, after killing the app? Two attempts, same result. IPad, iOS 12.0.1.
0 -
On the other hand...with quick unlock enabled, I just killed the 1PW app via the app switcher, and then restarted it, and...no password or PIN prompt. It was ready for business. Isn't the vault supposed to fully lock, requiring master password, after killing the app? Two attempts, same result. IPad, iOS 12.0.1.
No, it isn’t. If you have Lock on Exit and Quick Unlock enabled force quitting the app and relaunching should cause you to be prompted for Quick Unlock (i.e. PIN), not Master Password. If you don’t have Lock on Exit enabled then 1Password will not lock at all when quitting. It won’t lock until the auto-lock timeout is reached. When it is reached, it’ll prompt for Quick Unlock, unless the timer for the Master Password lockout has also been reached.
Ben
0