Early Rel. Security Comment: 1Password Continues To Allow Face ID, Even After Unsuccessful Attempts

nimvio
Community Member

In the app version 7.x.x (the current public release for iOS/iPadOS), there's a security "feature" where the app will stop accepting Face ID after several failed attempts, and from then on, the Master Password is required in order to unlock the app. (In essence, the iOS Keychain data for the 1Password app is cleared out, meaning the Master Password is required without a doubt.) However, in the current latest Early Release app (tested on iOS), if I replicate the scenario, it continues to take Face ID without requiring the Master Password.

Also, more importantly, the 1Password app (Early Release) should definitely require the entering of the Master Password any time Face ID/passcode is reset on a system level (such as when a person steals an iPhone and knows the passcode, meaning they can change it, and then can open 1Password using the updated Face ID/passcode).


1Password Version: Latest
Extension Version: latest
OS Version: macOS 12.x.x (latest)

Comments

  • Avi_1P
    edited April 2022

    Hello @nimvio, thanks for testing the iOS Early Access! I've created an issue for this (issue#14805) to have our QA and/or a Security Developer take a look and ensure we're meeting our design specs. Thanks for reporting this.

    ref: dev/core/core#14805

This discussion has been closed.