Feature Request: TouchID improvement / 2 factor / additional pincode (Government Protection)

theElvis
Community Member
edited September 2014 in iOS

TouchID the Problem

I love TouchID and its implementation in 1Password's latest update (it's much better than entering your holy password in public every time).

Anyway, it's the holiest thing I have on my system, and it has 2 flaws:
• it's difficult to force me to speak out my password; it's easier to grab my finger and open the app
• the government already has my master password (in this case, all my fingerprints)

Solution & Feature Request

Could you please add an optional quick (4-digit) PIN (not my long password) for when I use my fingerprint instead of my long password?
If I enter a wrong PIN after I used TouchID, I have to enter the whole long password.
This would be a great additional security layer (which was already built in a similar way, a long time ago, in 1Password).

Thank you

Comments

  • theElvis
    Community Member
    edited September 2014

    I hope there is a way to implement this and really protect the master password (which must be in the keychain, which can be opened by TouchID anyway?).

    Thank you, Dragon, for explaining it! :-)

  • Dragon
    Community Member

    The master password is not saved anywhere, which is why it needs to be typed in each time the app is opened, even if a long lock period is set. Touch ID only acts as a temporary lock on an already unlocked vault.

  • Hi, @theElvis‌. If you are concerned about someone using your fingerprint for Touch ID, the best thing to do is disable Touch ID. Then you will have the option to enable a PIN code instead of using Touch ID. Adding both PIN code and Touch ID at the same time is not something we currently plan to do.

    @Dragon, when you enable the PIN code or Touch ID, your Master Password actually is stored in iOS's keychain. This allows us to completely lock 1Password and still only require a PIN code or Touch ID based on the user's preferences. When the user enters his PIN code incorrectly or does not pass the Touch ID scan, the Master Password is deleted from the iOS keychain, and the user is required to enter it to unlock 1Password.
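The storage pattern described in the reply above, as an added sketch that is not part of the original thread and not 1Password's code: a secret is kept in the iOS keychain behind a user-presence check and deleted when authentication fails, so the next unlock needs the full password. The service and account strings and the function names are hypothetical; the `ThisDeviceOnly` accessibility class is an assumption chosen here because it keeps the item out of iCloud Keychain sync.

```swift
import Foundation
import Security

// Hypothetical identifiers for this sketch.
let service = "com.example.vault.quickunlock"
let account = "unlock-secret"

func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

/// Store the secret so that reading it requires user presence.
/// .userPresence is satisfied by Touch ID or by the device passcode.
func enableQuickUnlock(secret: Data) -> OSStatus {
    // WhenPasscodeSetThisDeviceOnly: the item is not synced to iCloud
    // Keychain and is not restored onto a different device.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .userPresence, nil) else { return errSecParam }
    SecItemDelete(baseQuery() as CFDictionary)   // drop any stale copy
    var query = baseQuery()
    query[kSecAttrAccessControl as String] = access
    query[kSecValueData as String] = secret
    return SecItemAdd(query as CFDictionary, nil)
}

/// Attempt a quick unlock. Returns the secret, or nil when the caller
/// must fall back to asking for the full master password.
func quickUnlock() -> Data? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecSuccess { return result as? Data }
    if status == errSecAuthFailed {
        // Failed authentication: remove the stored secret so that only
        // the full password can unlock from here on.
        SecItemDelete(baseQuery() as CFDictionary)
    }
    return nil   // also covers errSecItemNotFound and user cancel
}
```

Because `.userPresence` accepts the device passcode as a fallback, the protection of the stored item is bounded by the strength of that passcode as well as by Touch ID.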

  • theElvis
    Community Member

    @RobYoder - PIN code? (You mean my massive long master password, right, which I hate to type in every time?) I cannot find a PIN code option anymore.

    I hope you got me right: I am just asking for the advantages of Touch ID, with the extra security a Universal Password Storage deserves.
    TouchID is easy and intuitive but definitely not secure for such sensitive data.
    An optional extra layer for advanced users would be really great.
    I would be happy if you could discuss the issue in your team.

    _Note: It would be great if you clearly communicated that you store the master password in the often cloud-hosted iOS Keychain when using PIN code or TouchID._

  • Megan
    1Password Alumni

    Hi @theElvis,

    I apologize for the confusion. The PIN code (or Quick Unlock Code) as it is sometimes called, is an option for users who do not have TouchID, or who do not wish to enable it. As @RobYoder says, we do not currently have any plans to enable both a PIN code and TouchID at the same time.

    With security software, there's always a delicate balance between security and convenience. If you are unsure about the security of TouchID, then you might wish to either enable a PIN code (as Rob suggests) or simply use your Master Password to open 1Password. We've got a bunch of great tips in our Towards Better Master Passwords article that can help you create a Master Password that is both secure and easy to type. This will allow you to be secure, while only sacrificing a little bit of convenience.

    _Note: It would be great if you clearly communicated that you store the master password in the often cloud-hosted iOS Keychain when using PIN code or TouchID._

    Your Master Password is only stored in the iOS keychain if you have enabled that option in the Settings > Advanced pane in 1Password. If you choose not to enable this option, you may see less reliable behaviour, as iOS will occasionally close background apps when it needs to recover memory for active apps. When this happens, you will be prompted for the Master Password the next time you switch back to 1Password.

    I hope this helps, but as always, we're here if you have any further questions or concerns!

  • theElvis
    Community Member
    edited September 2014

    Thank you Megan.

    TouchID is a better option than typing a long, complex password in public every time.
    Anyway, I hope Agile carefully considers whether TouchID alone is enough to protect the keychain in this world, and maybe has an interest in providing the best security? ;)

    Again, I would welcome an additional security layer, especially for this sensitive data.

  • Megan
    1Password Alumni

    Hi @theElvis‌

    Thanks again for the feedback here! I just want to clarify here, we are not implying that TouchID alone is enough to protect your keychain. That is why we encourage you to periodically enter your Master Password. :) Your Master Password should be your highest level of security for your sensitive data.

    As I mentioned above, everyone has to find their own balance between the convenience of TouchID, and the security of the Master Password.

  • wehurlbert
    Community Member

    Hi Megan,

    I have an iPhone 5s running iOS 8 and 1Password 5.0.1. I would like to continue to use a PIN for 1Password. If in the 1Password Security page I have Touch ID turned off, there is a blurb under the Touch ID switch which says "Alternatively, you can use a PIN code ...", but I get no option to enable using a PIN. Any ideas?

    Thanks,
    -Wayne

  • Megan
    1Password Alumni

    Hi Wayne ( @wehurlbert‌ ),

    I sincerely apologize for the confusion here. That statement, as you may have discerned, is not correct. I've filed a bug report to have it removed. Unfortunately, if you're using TouchID on your device, then TouchID is what you will be allowed to enable in 1Password. The PIN code will be available to users who do not have access to TouchID.

    I hope this helps to clear things up, but we're here if you have any further questions or concerns! :)

  • theElvis
    Community Member
    edited September 2014

    Megan, I slowly get the idea (I usually thought it's a bug, but it sounds like a feature).

    You wrote:

    That is why we encourage you to periodically enter your Master Password.

    I am often asked to enter my master password instead of my TouchID.
    Could you give me more details on when this is the case? (After a few minutes?)
    If so, my request here is obsolete, because the keychain is usually protected in the cases I wrote about.

  • oshloel
    Community Member

    You can set how often you are asked for your master password in the Security Settings menu - anything from a couple minutes to every 30 days. Note that "Use iOS Keychain" also must be turned on under the Advanced Settings for this to hold between 1pw5 restarts. 1pw5 will also ask for your master password upon restart/reboot of the phone similar to how the phone itself ignores TouchID and requires entry of your phone PIN upon phone restart.

  • theElvis
    Community Member

    Found it, thank you! The security settings are really a bit confusing / not explained.

    I still wish to get the combination of PIN + TouchID :-)

  • Megan
    1Password Alumni

    Hi @theElvis‌

    As @oshloel‌ says, you can configure your Security settings to determine how frequently you are asked for the Master Password. If you have any further questions about TouchID, please see our TouchID FAQ, which should get you all sorted out!

    Of course, if you have any further questions, you know where to find us. :)

  • theElvis
    Community Member

    I still don't feel good with the half-secure solution :( and still would love to have the comfort and security of TouchID with another Pincode layer. :(

  • Thanks for the feedback, @theElvis‌

    I don't feel "half-secure" is an accurate description, but we appreciate the suggestion.

  • Anohan
    Community Member

    I, too, would really really really appreciate the ability to use both a 4-digit passcode with Touch-ID. Having just Touch-ID is not enough for my people. Please consider adding this feature in making future updates to 1Password. (1Password is pretty awesome.)

  • Thanks for the feedback, @Anohan! :)

This discussion has been closed.