How do the Master Password and TouchID settings work? [see FAQ, post #15]

sdagley
Community Member
edited September 2014 in iOS

It seems like Touch ID unlocking only works until the Master Password lock kicks in (i.e. My master password lock is set for 10 minutes and after that timeout Touch ID unlocking is disabled until I re-enter the Master Password). Is there any way to change the behavior so that Touch ID unlocking works until the device is restarted? If not, please consider this a feature request.

Comments

  • Stephen_C
    Community Member

    The touch id FAQ may help you.

    Stephen

  • sdagley
    Community Member

    The FAQ explains the behavior I'm seeing. My request is for an option to change the behavior to allow Touch ID to unlock 1Password after master password entry until the device is restarted (as with iTunes store authentication). There's no way to do that with the current preference settings. Even once a day would be better than what's currently offered as it makes 1Password seem schizophrenic since you've got two separate timers duking it out to see who can lock you out first.

  • jeremybrooks
    Community Member

    That's not how it is working for me. My settings are:

    Request After 10 Minutes
    Touch ID enabled
    Request Fingerprint After 2 Minutes
    Lock on Exit enabled

    The app requests the password, but TouchID does nothing. I have tried disabling Lock on Exit, but there's no difference (other than having to wait 2 minutes for it to lock). Touch ID seems to be 100% non-working for me.

    Any ideas?

  • kop48
    Community Member

    Agreed - I wish the behaviour was more akin to how iTunes purchasing works.

  • invalidptr
    Community Member

    Wow, this is just broken. Can't believe I had to "read the doc" to understand this. +1 for iTunes method.

  • invalidptr
    Community Member

    Another interesting aspect: you're giving me the impression my vault is not locked when using Touch ID. Your UI has "Lock Now" grouped with "Change Master Password" and "Request After". Indeed, when trying to divine this behavior, invoking "Lock Now" meant I'd never see Touch ID work because you associate "Lock Now" with "Re-enter your Master Password". There really was no way for me to test Touch ID in my normal configuration unless I enabled "Lock on Exit" for testing purposes.

    I'm realizing you are treating Master Password and Touch ID as completely separate. I predict users will think of them as the same. If I enable Touch ID, I want to use Touch ID. I had my "Request After" set to 5 minutes (from prior usage) and Touch ID set to 2 minutes. So there is only a 3 minute window where I would have seen this work.

  • Dragon
    Community Member
    edited September 2014

    To treat them the same, they'd have to store the master password somewhere other than only in memory. I believe they're avoiding this at all costs for security.

    Indeed, touch id replaces the quick unlock code. Quick unlock code only works when the vault itself is unlocked, due to master password being in memory.

    If the app is closed or killed by iOS then master password will be needed again, else, quick unlock/touch id can be used as an intermediate security measure to access an already unlocked vault.

  • Morten Jonsen
    Community Member
    edited September 2014

    This feature is useless if I still have to type in the master password. :(

    I don't get why Agilebits favour an unsecure password over a secure fingerprint?

  • hawkmoth
    Community Member

    You folks are aware that you can set the interval between times when your master password is required to as long as 30 days now, aren't you? Do you have the option set to use the keychain in the Security settings?

  • Luke Bosman
    Community Member

    Hawkmoth, I'm slightly unclear about your last question. I have iCloud keychain enabled in my iPhone settings app. I don't see any option within 1Password to use the keychain. I have now set (Master Password to expire after 30 days) and (Touch ID to expire after one minute and to lock on exit) which, so long as nobody steals any of my digits, seems like a good compromise.

  • steve28
    Community Member
    edited September 2014

    Here's a setup that's "TouchID Only except after restart":

    1. Settings->(scroll to bottom)->Advanced->"Use iOS Keychain" -> ON
    2. Settings->Security->Touch ID-> ON
    3. Settings->Security->Request fingerprint... (set as desired)
    4. Settings->Security->Lock on Exit-> Set to on if you want to have to Touch ID every time you open the app
    5. Settings->Security->(in the top section)->Request After-> 30 days

    In this setup, you will have to enter your master password once when you first open 1P app. From then on, Touch ID will be the only authentication asked for until 30 days has gone by, or until you restart - then you will have to enter your master password again.

  • Luke Bosman
    Community Member

    Aha. Use iOS keychain is in advanced and not in Security. Thanks.

  • David Catalano
    Community Member

    +1 on this being confusing. I'm sure we all agree that apps should default to being more secure. That said, if someone enables TouchID the default "Request after" should be 30 days. Otherwise it completely negates the purpose.

  • Megan
    1Password Alumni

    Hi everyone!

    I sincerely apologize if this has been confusing. I do hope that @steve28's advice has been helpful.

    Please keep in mind that, as stated in the TouchID FAQ: "1Password’s security ultimately relies on your Master Password. For this reason, it is impossible to disable it entirely." We've tried to make this option as flexible as possible by offering the 30 day prompt for your Master Password, but we want to make sure that you're not going to forget your Master Password because you never type it in anywhere. ;)

    Thanks so much for all your feedback here. We'll do what we can to ensure that the documentation on this feature is as clear and concise as possible.

    If you have any further questions, please don't hesitate to ask!

  • skatch
    Community Member

    Another +1 on this being confusing. I expected that enabling TouchID would simply let me use the sensor as an option anytime I'd normally be prompted for the Master Password. Currently, the separate timeouts for password vs TouchID feel like a regression to 1Password 3's confusing security options.

    Maybe there are tech reasons this isn't feasible? If I set the Master Password timeout to 30 days, is my Master password stored in my device's RAM and more susceptible to hacking? (i.e. should I avoid doing this?)

  • invalidptr
    Community Member

    Could someone please clarify what "Use iOS Keychain" has to do with all this?

  • Salva
    Community Member

    I just got here thinking that there was a bug with 1Password. Like skatch, I took for granted that activating Touch ID would allow me to replace the master password on my iPhone, and I had not even seen the option to use it yet! :S

    Apart from making it clearer, I think the default values, when you activate the option, are a bit weird. With a 10min lock for the master password, and a 2 min lock for the Touch ID, doesn't that mean that Touch ID is only useful if I use 1P, and the need to use it again between 2-8min later? Maybe I don't need it as often as other people, but what are the chances?!

  • steve28
    Community Member

    @invalidptr - you have to allow storing of the master password in the iOS keychain because otherwise when you quit the app (or rather when the OS quits it for you) it loses the login state. I guess they leave it as an option because some people might not want to trust the Apple keychain with things??

    Anyway, this is in step 1 of post #12 above.

  • Megan
    1Password Alumni

    Hi @skatch‌, @invalidptr‌, @salva,

    Again, I do apologize for the confusion. TouchID is not meant to be a replacement for your Master Password. It is a convenience feature that acts as a replacement for the Quick Unlock Code, which extends the amount of time that you can access your 1Password database without entering your Master Password. As I've mentioned before, we don't recommend that you never enter your Master Password. We have two different time-outs available in the Security Settings to allow you to set a short period of time after which you will be prompted for TouchID (or the Quick Unlock Code, if you prefer), and a longer period of time after which your Master Password will be required.

    "If I set the Master Password timeout to 30 days, is my Master password stored in my device's RAM and more susceptible to hacking? (i.e. should I avoid doing this?)"

    If you have 'Use iOS keychain' enabled in Settings > Advanced, 1Password will store the Master Password in the iOS keychain. It is stored temporarily and is never synced to your other devices. If TouchID fails, or you enter your Quick Unlock Code incorrectly, the Master Password is deleted from the keychain and the Master Password will be required immediately to unlock 1Password.

    Please note, if you choose not to enable the 'Use iOS keychain' option, you will not have as reliable an experience with TouchID or the Quick Unlock Code. This is because the iOS will occasionally need to close apps that are stored in the background to reclaim memory resources. If this happens to 1Password, you will be prompted for your Master Password the next time you switch to 1Password, despite what timeout your Security Settings have enabled.

    "With a 10min lock for the master password, and a 2 min lock for the Touch ID, doesn't that mean that Touch ID is only useful if I use 1P, and the need to use it again between 2-8min later?"

    You're reading the settings correctly here. We've done our best to include a multitude of options here so that you can tailor your security settings to find the balance between security and convenience that works for you.

    I hope this helps, but we're here if you have any further questions! :)
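
Added example (not part of the thread, and not 1Password's code): a small Python model of the two-timer behaviour described in the posts above, including the keychain option, a failed Touch ID match, an app kill and a device restart. The class and field names are hypothetical, and it assumes each timer is measured from the last successful unlock of its kind.

```python
from dataclasses import dataclass
from typing import Optional

MASTER, TOUCH_ID, NONE = "master_password", "touch_id", "none"

@dataclass
class LockModel:  # hypothetical model, built only from the thread's description
    request_after: float               # "Request After" (Master Password), seconds
    fingerprint_after: float           # "Request Fingerprint After", seconds
    use_keychain: bool = False         # Settings > Advanced > "Use iOS Keychain"
    lock_on_exit: bool = False
    master_at: Optional[float] = None  # last Master Password entry
    auth_at: Optional[float] = None    # last successful unlock of either kind
    secret_held: bool = False          # Master Password still in memory or keychain

    def enter_master(self, now: float) -> None:
        self.master_at = self.auth_at = now
        self.secret_held = True

    def required(self, now: float, reopened: bool = False) -> str:
        """Prompt shown when the user switches to the app at time `now`."""
        if not self.secret_held or now - self.master_at >= self.request_after:
            return MASTER
        if (reopened and self.lock_on_exit) or now - self.auth_at >= self.fingerprint_after:
            return TOUCH_ID
        return NONE

    def touch_id(self, now: float, success: bool) -> None:
        if success:
            self.auth_at = now          # assumption: restarts only the short timer
        else:
            self.secret_held = False    # failed match: stored secret is deleted

    def app_killed(self) -> None:
        if not self.use_keychain:       # secret lived only in process memory
            self.secret_held = False

    def device_restart(self) -> None:
        self.secret_held = False        # per the thread: Master Password after restart

def default_timeline() -> list:
    """Defaults from the thread: 10 min Master Password, 2 min Touch ID."""
    m = LockModel(request_after=600, fingerprint_after=120)
    m.enter_master(0)
    seen = [m.required(60), m.required(300)]  # inside 2 min, then the 2-10 min window
    m.touch_id(300, success=True)
    seen.append(m.required(660))              # past 10 min: Touch ID no longer offered
    return seen

if __name__ == "__main__":
    print(default_timeline())
```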

  • warpspeed
    Community Member
    edited September 2014

    Having the same issue with Touch ID here. Turn it on, it works a couple of times, then it stops working and needs master password.

    Dropbox sync seems to be working okay for me so far. But I updated Dropbox twice before installing IOS8, and on the first update, it did a database update apparently.

    So for those using Dropbox, perhaps ensure you're using an up to date Dropbox app, and also fire up the Dropbox app and let it sync for a few ticks.

    Edit: Actually I think I know what my problem is, there's a setting that says ask for Master Password after.... which defaults to 10 minutes. I'm going to try setting that to 48 hours and see how it goes. I suspect that might be what's doing it.

  • warpspeed
    Community Member

    Despite setting that option to 48 hours, 1Password is asking me for my Master Password again, rather than using Touch ID.

  • skatch
    Community Member

    Thanks @Megan‌. Very helpful details there.

  • hawkmoth
    Community Member

    "That said, if someone enables TouchID the default "Request after" should be 30 days. Otherwise it completely negates the purpose."

    I disagree with this statement. I would never want this application to default to 30 days between times when I must enter my master password. I want to be prompted at least once a day so I can keep the muscle memory going that I need to remember my master password. If some users want a longer interval, such as 30 days, it's always there as an option. But the defaults should be in favor of enhanced security in this security application, not for diminished security.

  • Megan
    1Password Alumni
    edited September 2014

    Hi @warpspeed, I've split your comments from the original discussion: Dropbox sync and TouchID deactivating, and moved them into an existing thread discussing TouchID. When things get busy like this, it's best to keep all conversations in one place as much as possible.

    Please take a look at the TouchID FAQ referenced above, and my posts #15 and #20 for details on how TouchID works. If you have any further questions, we're here to help!

  • dbabq
    Community Member

    I followed the instructions above, and I'm still not getting to use touch ID. I have a brand new iPhone 6, and am running 1Password 5.0.1.

  • Hi @dbabq‌

    Please see my comment in this post and see if that resolves the issue for you. I assume you mean you are not being asked to unlock with touch ID at all, correct?

    Thanks.

    Ben

  • mikebore
    Community Member

    Thanks steve28 and Megan. I think I understand this now.

  • digitaldog
    Community Member

    "In this setup, you will have to enter your master password once when you first open 1P app. From then on, Touch ID will be the only authentication asked for until 30 days has gone by, or until you restart - then you will have to enter your master password again."

    Except it does ask for Master Password after 1 hour (the max limit I can set) as I explained in another post here. It sounds like you're saying that if set up as you suggest, short of 30 days OR a restart, we never need to enter the Master Password but rather can unlock with TouchID, is that correct? If so, despite all the settings suggested, it doesn't. It asks for a Master Password based on the setting for Request Fingerprint After (max 1 hour).

  • Megan
    1Password Alumni

    Hi @digitaldog,

    I'm replying to your similar post in this thread. I do apologize that this issue is confusing you, but we'll be able to help you a lot better if we keep the conversation going in one thread only. Otherwise we may end up answering your question twice, which could end up being more confusing for you ... and is not very efficient for us.

    Thanks so much for your understanding!

  • Paul Ruseau
    Community Member

    Okay. I've read all these posts.
    Here's the problem. My husband can't remember a long and strong master password he rarely needs. We share the same vault on our iPhones. He has effectively been without access to every important username and password sitting in our vault because I insist on a long and strong master password.
    So we just got new iPhones. My #1 feature I was looking forward to was touch ID so he could finally be able to get into this very important data. Except he can't because that isn't how it all works :(

    So I'm still stuck with a choice of him having no access to critical data, or having to have crappy security with a master password easily memorable, i.e. weak.

    I realize reading this thread how challenging all this is. But my scenario can't be unique. If I get hit by a bus tomorrow my family is actually in a really tough spot with no access to any financial data, bank accounts, etc. since I use long and strong everything.

    Sure, I could enter my master password in his phone and every 30 days remember to reenter it on his phone, but that's dumb.

    I guess I could just WRITE IT DOWN, but that seems even dumber.

    feeling stuck, still

This discussion has been closed.