Pin security
I use the latest version of 1Password for iOS on my iPhone and I notice that in Settings > Security I do not have an option to use Touch ID. I'm assuming the reason is that I have no fingerprints set up. What I do have, however, is an option to use a PIN. There is a support article at https://support.1password.com/touch-id-security-ios/ which covers Touch ID, but I cannot find a similar article for PIN security. Is there one? If not, how does security work when using a PIN?
1Password Version: 7.2.2
Extension Version: None
OS Version: 12.1
Sync Type: None
Comments
-
Hi @Bagsy
You're correct: if you have a Touch ID device you need to have fingerprints enrolled at the system level for Touch ID to be available in 1Password. Apps don't allow individual setup of fingerprints; they rely on the system's Touch ID being enabled and set up, then the app can trigger various requests for Touch ID as necessary, and the system handles the request and passes the result back to the application.
We do not have a support article for the PIN code.
What we do is encrypt some test data with the PIN code and store that in the system keychain. When the check is done we decrypt the data in the keychain with the PIN code provided by the user, then confirm it matches the test data.
We also store the credentials to unlock 1Password in the system keychain, the same as we do for Touch ID or Face ID. So some details are similar in that regard.
If successful we access the stored credentials to unlock 1Password and unlock it.
If unsuccessful we remove both items from the system keychain and require the Master Password. It only allows a single check of the PIN code.
Hope that helps, but if you have any questions please let me know.
0 -
Thanks AGKyle. Let me just walk through your explanation to make sure I've got it.
When I switch on PIN Code in Settings > Security and enter my chosen PIN for the first time, you take some "Test Data", encrypt it with the PIN code and store the encrypted "Test Data" in the iOS Keychain on my iPhone. Each time I enter the app I have to key in my PIN Code; you use that PIN Code to decrypt the encrypted "Test Data" held in the iOS Keychain and compare that string with the original "Test Data". If the "Test Data" strings don't match I am forced to enter the Master Password.
You say that "If unsuccessful we remove both items from the system keychain". If my interpretation above is correct there is only one thing held in the iOS keychain and that is the encrypted "Test Data". Is this correct?
Is the original "Test Data" hard coded within the app or is it resident in a table in OnePassword.sqlite?
You say "We also store the credentials to unlock 1Password in the system keychain. The same as we do for Touch ID or Face ID".
My understanding of this is that when I enable the Pin Code, 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to my Master Password. The secret is used to unlock 1Password when it is determined that the Pin Code entered is correct.
Is my understanding correct?
0 -
Is the original "Test Data" hard coded within the app or is it resident in a table in OnePassword.sqlite?
Neither. It's stored in the system Keychain as Kyle explained earlier.
My understanding of this is that when I enable the Pin Code, 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to my Master Password. The secret is used to unlock 1Password when it is determined that the Pin Code entered is correct. Is my understanding correct?
Correct. Except I would change your statement to say "quick unlock" instead of "Pin Code", since it works the same in each case. The only difference is the user input: PIN, Touch ID, or Face ID. You can find more details here:
About Touch ID security in 1Password for iOS
Cheers! :)
0 -
Many thanks brenty. I understand the "Test Data" is encrypted and stored in the iOS keychain. My curiosity was around the Test Data itself. AGKyle stated that "What we do is encrypt some test data with the PIN code." I was just interested in where that "some Test Data" came from in the first place: is it just some random string, or a string of data stored within the app or on the database?
0 -
It's a string in the app. We call it "test data" because it's a test to confirm that the PIN was correct. If we take the PIN code, decrypt the stored keychain item with the PIN code, and the test data that was decrypted matches the data we sent in for encryption, then the test was successful and the PIN code was correct. If the decrypted data differs from the string in the app, the test failed and the PIN code was incorrect.
0 -
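The quick-unlock check AGKyle describes in his two replies above (encrypt an in-app test string under the PIN, keep it and the unlock credentials in the keychain, allow one attempt, wipe both items on failure), as an added simulation that is not 1Password's code. It assumes PBKDF2-HMAC-SHA256 as the PIN-to-key derivation and an HMAC-SHA256 keystream as a stand-in cipher; a Python dict plays the role of the system keychain.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constant string shipped inside the app (constructed value for this example).
TEST_DATA = b"quick-unlock test data"

def _derive_key(pin: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the real app's PIN KDF.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 keystream in counter mode XORed with data.
    # A wrong key yields a different keystream, so decryption gives garbage.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

def enable_pin(keychain: dict, pin: str, unlock_secret: bytes) -> None:
    """Enabling the PIN: store encrypted test data and encrypted credentials."""
    salt = os.urandom(16)
    key = _derive_key(pin, salt)
    # Each item gets its own nonce so the keystream is never reused.
    n1, n2 = os.urandom(16), os.urandom(16)
    keychain["pin_test"] = (salt, n1, _xor_stream(key, n1, TEST_DATA))
    keychain["unlock_credentials"] = (salt, n2, _xor_stream(key, n2, unlock_secret))

def try_pin_unlock(keychain: dict, pin: str) -> Optional[bytes]:
    """One attempt only. Returns the unlock credentials on success; on failure
    removes both keychain items and returns None, so the caller must fall back
    to the Master Password."""
    if "pin_test" not in keychain:
        return None
    salt, nonce, ciphertext = keychain["pin_test"]
    key = _derive_key(pin, salt)
    if not hmac.compare_digest(_xor_stream(key, nonce, ciphertext), TEST_DATA):
        keychain.pop("pin_test", None)
        keychain.pop("unlock_credentials", None)
        return None
    _, nonce2, ciphertext2 = keychain["unlock_credentials"]
    return _xor_stream(key, nonce2, ciphertext2)
```

Note that the test string itself is never secret; what the check proves is that the PIN reproduces the key under which it was encrypted, and a single failure leaves nothing in the keychain for an attacker to retry against.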
Gentlemen, thank you for the explanations and your quick response. Now I understand what’s going on I have a lot more confidence in the security of the product.
0 -
On behalf of Brenty and Kyle you're most welcome. I'm glad to hear their answers helped. If we can be of further assistance, please don't hesitate to contact us.
Ben
0