FaceID not sticky

LarryMcJ
LarryMcJ
Community Member

This morning I reverted back to the release version and five times during the day I had to enter my master password. About the same number of times FaceID worked just fine. FWIW, it didn’t do this while running beta 7.7. Any ideas?

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @LarryMcJ:

    Were you prompted for Face ID in the autofill extension, or in the main 1Password app?

  • LarryMcJ
    LarryMcJ
    Community Member
    edited September 2020

    Main app, I always use “Go & Fill” for sites that require a login. FaceID and Security settings are properly configured and it happened about half the time yesterday when opening 1Password.

    Something else that just started occurring when I went back to the release version is upon opening 1Password, FaceID doesn’t always happen instantly. Sometimes it displays the password field and the small FaceID icon below it. Tapping that icon starts the actual FaceID process and the app opens. FaceID should begin immediately after opening the app.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Hmm. Face ID is handled entirely by the OS, so it's hard to say. But if you're trying to use iOS Password Autofill within the 1Password app, that can be a bit confusing and weird since then you're trying to access 1Password indirectly from inside 1Password, and that isn't something Autofill is designed for. It would be better to use Safari, since it's a full-featured, first party browser, and iOS Password Autofill was built specifically for that. Also,

    Sometimes it displays the password field and the small FaceID icon below it. Tapping that icon starts the actual FaceID process and the app opens. FaceID should begin immediately after opening the app.

    That happens when you've dismissed the Face ID prompt (not failed to authenticate), so that you can bring it up again. Face ID should remember that state, but Autofill cannot save it, so you're likely running into that "inception" problem there as well.

    Going forward, I'd recommend you unlock the 1Password app using your Master Password so that it can enable Face ID both there and for Autofill, and then use Autofill in Safari and you should be all set. :)

  • LarryMcJ
    LarryMcJ
    Community Member

    @brenty, there may be some confusion. I am referring to the fact that about half the time I tap on the 1Password home screen icon, it works fine with FaceID. The other half of the time, I'm presented with the password entry box and below it, a small FaceID icon. In the latter instances, I have to tap that small icon in order to start the FaceID process. I believe 1Password should always automatically open with FaceID the same way each time. This is not an issue that occurs "inside" 1Password once it's open. Only in actually opening the app. In all instances that I try to open 1Password, it hasn't been used for more than 30-45 minutes, yet it opens two different ways. Thanks.

  • Thanks @LarryMcJ. I can appreciate that perspective, but that isn't how it was designed. We intentionally occassionally show the Master Password field with the optional Quick Unlock button, instead of defaulting to Quick Unlock. The primary purpose of this is as a visual reminder that you do indeed have a Master Password that you should remember. While Quick Unlock (Touch ID / Face ID / PIN) are handy, they are not what encrypt your data. I'd go so far as to say it may be worth typing the Master Password once in a while when it comes up like this to build up muscle memory for it.

    Ben

  • LarryMcJ
    LarryMcJ
    Community Member

    Makes sense! I only noticed it being prevalent after I switched from using the current beta a couple of days ago. I don't recall seeing this behavior at all in the beta (but I probably just missed it). I may switch back just to see :) As always, thanks for your help!

  • You're welcome! :)

    Ben

  • LarryMcJ
    LarryMcJ
    Community Member

    Sorry to open this again, but I was re-reading @brenty's comment here and it reminded me to ask a question I've been meaning to for quite a while (still pertinent to this thread).

    Maybe it's because I've been using 1Password since the very beginning before AutoFill, but I'm beginning to think I'm actually using 1Password wrong on iOS. My workflow to open a site is to launch 1Password, tap on the site I want, then tap the URL and "Go & Fill" takes me there in the 1Password browser. No more tapping since most sites accept autofill and auto-submit.

    But I read a lot of staff comments here in the forums referring to using Safari as the preferred method. Meaning I'd have to long-press the URL, then tap "Open in Safari", then tap the blue button to fill the credential fields, which is more work than what I've been doing. And if this is the preferred method, why not make the default action upon the initial URL tap. Then make it optional to long-press and "Open in 1Password (browser)".

    I'm not looking to fuel a change...I just wondered what is the in-house preferred method. Thanks!

  • ag_ana
    ag_ana
    1Password Alumni

    @LarryMcJ:

    Thank you for the feedback! Personally, I visit the website in Safari first, and then I use autofill from there, instead of launching the website from 1Password directly. So you don't have to unlock 1Password twice :+1:

  • LarryMcJ
    LarryMcJ
    Community Member
    edited September 2020

    Thanks, but my use case won’t allow that. I need to open 10-15 sites daily and many are portals whose URL is complex, not memorable and not even associated with the company. I could make a folder of logins in Safari but that’s counterproductive since they already exist in alphabetical order in 1Password.

    Your method would work great if I was always going to sites like Apple.com and eBay.com. But even then, I’d still have to tap at least once more to get to the login page and using 1Password takes me right to it. And unlocking 1Password twice isn’t a big deal when using FaceID.

    Perhaps I should restate my question. If opening a site from within 1Password, is there an advantage to opening in Safari (long press)? If not, I’ll probably continue using Open & Fill with one tap.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @LarryMcJ: You're not wrong. :) Indeed, for those of us using 1Password on iOS for a long time, what you described was the only option for filling for years. So I can relate to that. But since then we've gotten iOS extensions and, more recently, iOS Password Autofill. Given that, we do recommend using Safari now because it's possible to fill there reliably in most cases; and, Safari being Safari, and 1Password being 1Password, the former will always be a better browser experience, given the more than a decade of work Apple has put into making it good enough for most of their customers to use daily.

    So, to answer your questions directly, the advantage with Safari is compatibility and features, since most of the web is designed to support it nowadays, and it has a lot of great functionality that Apple has built into it. Cheers! :)

  • LarryMcJ
    LarryMcJ
    Community Member

    Thanks, @brenty, which is why I opened the question with "Maybe it's because I've been using 1Password since the very beginning before AutoFill". I think you've confirmed this is just a mindset and I either have to use 1Password as I always have, or move to Safari. I think I'll choose the latter, but because so many sites I routinely visit don't have memorable names, I'll create a LOGINS folder in Safari (for frequently visited sites) that includes the memorable site name and a URL for the associated login page. And for the occasional login I'll still use 1Password but just long-press and open with Safari. Thanks, again!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Sure thing! For now either way works, but I do find that Safari works better, and that gap will only continue to widen over time since it's got Apple behind it, and we've got to focus on making 1Password the best password manager we can, with browsing being well down the list of priorities. :)

  • ooglek
    ooglek
    Community Member

    I'd like to add to this seemingly-related chat. This is 1Password on IOS 13 (haven't updated yet).

    My iPhone is acting wonky, with occasional resets -- black screen with a circle spinning icon, then back to the lock screen after 5-20 seconds.

    Once it does and I try to go to a website in Google Chrome, I click "Passwords" then "1Password."

    Even if I've entered my Master Password before, after the reset, I need to enter it again. OK, not unreasonable.

    However, if I enter the Master Password in the dialog through the Passwords integration, even if my phone does NOT reset, if I try to use Passwords > 1Password in Google Chrome or other apps, I MUST enter my Master Password again.

    ONLY if I enter my Master Password when opening the 1Password.app on my phone does FaceID start working, both for the 1Password App and in the Passwords Integration.

    Am I correct that, if:

    1. I reboot my phone, or my phone resets due to a crash or bug
    2. I have not entered my Master Password recently and FaceID for 1Password is not "enabled" (it's enabled in the app, but not accepted as verification yet)
    3. I enter my Master Password through Password Integration in another, non-1Password IOS App

    FaceID is STILL not enabled.

    It is only enabled IF I enter the Master Password in the 1Password App.

    Is this correct?

    Is that working as expected?

    EXPECTED:
    1. I go to a website, say in Safari
    2. There is a login
    3. I hit "Passwords" and then "1Password"
    4. I enter my Master Password for the first time since reboot or reset or expiration
    5. When I use the Password Integration again, FaceID will be attempted, or at least an option, when using "Passwords" > 1Password to fill the login

  • Hi @ooglek

    That is correct and working as expected. At present the iOS autofill feature doesn't have the ability to store the necessary secret in the iOS keychain that is needed for 1Password to Quick Unlock (e.g. using Face ID). Only the 1Password app itself has that. While I agree that what you've listed under 'expected' would be ideal, that isn't currently possible. Sorry for the inconvenience!

    Ben

  • ooglek
    ooglek
    Community Member

    Thanks for the reply, Ben! It definitely is an inconvenience. Any chance that this may change in IOS 14?

    As a workaround, I've added my 1Password Master Password to the iCloud Keychain. I don't like it, but the inconvenience has unfortunately driven this end-user to lower their security standards as a result.

    I'd be interested on 1Password's Security point-of-view on iCloud Keychain. You've kept all of my secrets safe for the last 11 years, starting with 1P 3.0, so I trust your team and knowledge!

    I found this article (no published date) that dives deep into the iCloud Keychain and potential weak points. It seems that a lot of this happened in 2017, IOS 10.3 addressed a CVE relating to the security of iCloud Keychain, and may have been improved since IOS 12.

    https://hackmag.com/uncategorized/in-the-depths-of-icloud-keychain/
    https://support.apple.com/guide/security/keychain-data-protection-overview-secb0694df1a/web

  • Any chance that this may change in IOS 14?

    It did not; sorry.

    I'd be interested on 1Password's Security point-of-view on iCloud Keychain. You've kept all of my secrets safe for the last 11 years, starting with 1P 3.0, so I trust your team and knowledge!

    I can certainly appreciate that, however it seems it might be a conflict of interest for us to weigh in here. I would say that generally Apple seems to have an excellent track record regarding security, however as a general rule we do not recommend inputting your Master Password into anything other than 1Password.

    Thanks!

    Ben

  • LarryMcJ
    LarryMcJ
    Community Member

    @Ben - I wanted to monitor this for a couple of months and yesterday I finally became irritated enough with being forced to enter my password that today I decided to keep track of how may times I opened 1Password, how many times it complied with FaceID, and how many times it required me to enter my password. I realize I will be randomly authenticated and I'm fine with this, but something definitely isn't right. Today, I was making some changes to a bunch of passwords so it was a good time to document this. The below numbers occurred in a four-hour period this afternoon.

    Opened 1Password - 27 times
    FaceID worked fine - 18 times
    Password required - 9 times

    I can not believe these are expected numbers. No offense, but this is a royal pain to have to keep entering my password at this rate :)

  • @LarryMcJ

    Thank you for the additional information. When you say you opened 1Password... is that the 1Password for iOS app, or Password AutoFill? If it is Password AutoFill, do you have the setting 1Password > Settings > Advanced > Security > Always show lock screen for Password AutoFill enabled?

    I would recommend setting your 1Password settings as such and see if there is any improvement:

    1Password > Settings > Security
    Lock on Exit - Off
    Auto-Lock - 15 Minutes (or whatever timeout selection available you feel is appropriate)
    Face ID / Touch ID - On

    1Password > Settings > Advanced > Security
    Always show lock screen for Password AutoFill - On
    (this last one may sound counter-intuitive, but it turns over the unlock process to 1Password instead of autofill, which is required for the 'Lock on Exit' setting to affect autofill)

    Please let me know.

    Ben

  • LarryMcJ
    LarryMcJ
    Community Member

    @Ben

    My settings have always been configured exactly as you show. But I just now looked at the Autofill setting and it was OFF. I turned it on and I'll let you know if this fixes things. Perhaps this is OFF by default and I recently reinstalled 1Password on a new iPhone, so that might be why it was toggled OFF. Thanks!

  • Thanks @LarryMcJ and on behalf of Ben, you're welcome.

This discussion has been closed.