Suggestion: allow TouchID + security code to unload 1Password

Hi Eric ( @ericg314 ),

Thanks for the suggestion! If you're concerned about being asked to unlock your phone with your fingerprint, we recommend that you disable Touch ID before entering a high security zone (such as an airport).

Since one never knows when law enforcement may strike, one cannot know ahead of time when one needs to disable Touch ID. I still think my request would be a nice feature to have.

@ericg314: That's a good point! I hope that none of us are ever in that position, but of course one never knows.

I'll just add that this may not be technically feasible at this time, since in both cases (using PIN or using Touch ID), the Master Password is being stored in the iOS Keychain to enable you to use these to unlock 1Password, since the Master Password is always needed in order to decrypt the data.

I don't believe it's possible to have iOS require two separate pieces of information to get it to grant access to the Keychain item, but we can certainly consider adding something like that in a future version. Thanks for the suggestion! :)

You're most welcome! Thanks for being passionate enough to take the time to leave us feedback on how you'd like 1Password improved in the future. We couldn't do what we do without your support! :)

Indeed. It's only useful so long as it can be done in such a way where it fails if either (or both) is incorrect without telling you which. :)

@RichardPayne: It's important that it is not revealed which has failed. After all, if there's no indication whether it's the PIN, the fingerprint, or both which is invalid, that provides no information that could make it easier.

For example: Touch ID accepted. Please enter PIN tells us we don't have to bother with any other fingers, just keep trying PIN combinations. Something like this gives us information that helps narrow the search significantly. It's like websites that tell you flat out that the password is wrong, while acknowledging you've entered a valid username: time to brute force that password!

And in the case of authorities (or criminals, or both) trying to get you hand over your data, that can slow down their progress significantly, especially given that a 4 digit PIN is not particularly secure on it's own. Essentially they need to get both of them right on the same try to get anything useful. :pirate:

It's secure enough to prevent random jobsworths invading your privacy which is, I thought, what was being discussed. It revolves around the difference in legal rights rather than an outright security issue.

I'd rather have actual security than simply making them jump through hoops. And that's probably the only way it would be worth the effort.

If it gets to the stage of them trying to crack your PIN then they'll just get a court order to require you to reveal the master password.

"Oh no! I forgot my PIN!" :naughty:

Doesn't work here. If they can show that you've used it recently then you'd be done for obstructing the course of justice.

:scream: