Question about Face ID/Touch ID on iOS

jlanis
jlanis
Community Member

Most modern banking apps have Touch ID/Face ID login functionality built-in to their OS apps. Sometimes, using the native app Face ID to login is more convenient than using 1Password (even though 1Password supports Face ID as well). For instance, if 1Password doesn't have the correct App URL field, it's necessary to manually search for the login each time within 1Password.

Here is a real life example scenario that occurs every time I use the Citi Mobile app, to illustrate my point:

1) Open Citi Mobile App
2) Tap on Password field, then tap "Passwords" to open 1Password
3) Search for Citi login within 1Password, select it
4) At this point, 1Password closes but the password does not autofill. I need to tap on the password field again to have it autofill. (Possibly a bug from Citi mobile, I don't know).
5) Dialog appears "Deleting your User ID will turn off Citi Mobile Snapshot". I suspect this is popping up because the username is being autofilled, and Citi Mobile app is detecting this and thinks (erroneously) that the username is being changed when in fact it's not.
6) Tap "Cancel"
7) Password field autofills, success!

Now, if I compare that user experience with simply using the native Face ID login functionality that the Citi Mobile app provides, I bypass most these steps and the user experience is vastly improved.

The reason why the user experience is so poor in this example is probably because Auto Fill, Citi Mobile App, and 1Password all have to work together in harmony. Which, as you can see from the example above, is not the case unfortunately.

My question: Is it safe to assume that using the native Face ID login is not any less secure than using 1Password? I assume that the password in this case would be stored in....iCloud Keychain (or somewhere???) when using the native app's Face ID functionality.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • jlanis
    jlanis
    Community Member

    A lot of mobile banking apps have Touch ID / Face ID integrated natively. In some cases, this is a lot more convenient than having to use 1Password for these apps (which can sometimes be very cumbersome, especially Citi Mobile app).

    My question is, if I were to bypass 1Password and simply use the native Touch/Face ID integration for these apps, how secure would it be compared to using 1Password?


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2019

    @jlanis: I tend to use biometrics to unlock my banking apps on iOS, where available. Touch ID and Face ID are both very secure. But the question of whether or not using that would be more secure than using 1Password to sign in each time depends solely on you. These are rhetorical questions, but they're important for you to consider:

    • Are you using a strong passcode for your device?
    • Are you using a strong Master Password for 1Password?
    • Based on that, which is going to be more secure for you personally?
    • And does the convenience of using one or the other factor into your decision?

    Ultimately it's not really something I can answer for you; it's up to you, since its your information in question.

    But for me personally, with apps that I access regularly, I just use 1Password to sign in the first time (where available), and then use biometrics to unlock those apps day-to-day, since I know I've got a strong passcode on the device, I've got 1Password secured separately from the OS and other apps with biometrics and a strong Master Password, and I can disable biometrics easily (five taps of the side button) if needed.

    Maybe looking at it this way helps: I stay signed into some websites, so I don't need to login each time I visit them, on devices I control -- and there's not a convenient and secure biometric option I can use there instead on websites. If my device gets compromised, then I will need to assume those accounts are/will be compromised too and change the passwords and/or otherwise lock the accounts.

    Now, apps are a bit different. On iOS, there's a good security model that not only protects against compromising them, "staying signed in" is also less risky when you can biometrics are available, compared to staying signed into a website -- it's wide open to someone with the device. Even if someone grabs my iPhone from me after I've unlocked it, they would still need either biometrics or the password to access my financial apps or 1Password itself. So there's a layer of protection for those apps even when they can access my contacts, email, etc., since I'm using a strong passcode (which is required to modify biometrics setting) -- though there are other concerns with that. So for my purposes, it makes sense to use these security features in addition to securing my actual login credentials in 1Password.

    One thing that often factors into this for me is that many financial apps are terrible, in that they don't support the 1Password iOS extension or iOS 12 Password Autofill well or at all. Some I need to copy and paste my password. Others don't even allow that. I actually use the Citi app myself as well, and while it's not as bad as some, I can say I am also not a fan of how they have things setup. Not really anything we or Apple can do about that. It's their app, and they're not breaking any App Store rules or anything, just offering a not-so-great user experience. So I used 1Password to sign in initially, and then unlock it in normal use with biometrics.

    On the other hand, I'll call out Simple here for really making good use of the security and convenience features that are available, both for signing in (1Password, Autofill) and unlocking. I actually have to sign in again there fairly regularly, I think due to updates, but because they support all of these things well, it's not really much of an inconvenience: I just use 1Password to sign in, and then, because it's secure and convenient_ I use biometrics there to unlock the app when I access it normally.

    Arguably, since Simple makes it so seamless, I could sign out every time and then sign in again when I need to use it. But there is some friction involved with that, and I wouldn't really be protecting against any real threat by doing so. For instance, if someone were able to get into Simple even with biometrics enabled, they'd have free reign over pretty much anything else on the device as well. So I would literally need to disable biometrics completely on my iPhone in order to eke out what would be a small security benefit (password required for everything), which would be inconvenient to the point that I'd be hard-pressed not to use a weaker password sometimes. This comes up a lot when discussing the option of using a "PIN" code for the device or 1Password. Since that's really just another way of saying "weak password composed of only numbers", it's not something we recommend, when there are options available that are even more convenient and secure: biometrics.

    So, to try to address your question more directly:

    Is it safe to assume that using the native Face ID login is not any less secure than using 1Password?

    I'd say "no" generally, with a strong emphasis on "but it depends on your threat model and how you've secured each of those".

    I can't really speak to the larger question of the security of Face ID in general myself, but fortunately Apple does a great job of this already in their Face ID documentation:

    Within supported apps, you can enable Face ID for authentication. Apps are only notified as to whether the authentication is successful. Apps can’t access Face ID data associated with the enrolled face.

    And their Face ID security white paper goes into even greater detail about how all of this works.

    I hope this helps. And while I can't really speak for Apple, I'll be happy to answer any other questions you might have about 1Password. Have a great weekend! :)

  • jlanis
    jlanis
    Community Member

    @brenty Thanks for the detailed response! I have one follow up question that is not strictly related to 1Password, but I couldn't find any information about it online so perhaps you know the answer. From the 1Password documentation:

    When you enable Face ID, 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to your Master Password. The secret is used to unlock 1Password when your face is recognized.

    So essentially, 1Password is using a secondary password (different from the master password) to unlock the vault when biometrics are enabled. This is certainly one way to go about it.

    Is it correct to assume that each app implements this process a little bit differently (i.e, the actual implementation of the sign in process is up to the app developer)? For example, when you unlock your Citi banking app with biometrics, you don't really know what's happening underneath the hood. For instance, you don't really know where Citi is storing your actual password. It could be iOS Keychain, iCloud Keychain, or somewhere else - right?

  • Is it correct to assume that each app implements this process a little bit differently (i.e, the actual implementation of the sign in process is up to the app developer)? For example, when you unlock your Citi banking app with biometrics, you don't really know what's happening underneath the hood. For instance, you don't really know where Citi is storing your actual password. It could be iOS Keychain, iCloud Keychain, or somewhere else - right?

    I think that is safe to assume, yes, and unless the app developer tells you I'm not sure there is really a way to know. It is quite likely though that they are storing it in the iOS keychain. What protections they are using when doing that... well, that'd be for them to say.

    Thanks for the detailed response!

    On behalf of brenty you're welcome. :)

    So essentially, 1Password is using a secondary password (different from the master password) to unlock the vault when biometrics are enabled. This is certainly one way to go about it.

    Hmm. Sort of. The difficulty in explaining this is that we've used some shortcuts to try and help explain the basics of how 1Password works so that most people can understand it. But this leads to some inherent misunderstandings when you start to dig a bit deeper. One of the shortcuts that we use is that we say "your 1Password data is encrypted with your Master Password." This isn't entirely accurate. If we encrypted the data with the Master Password directly then every time you changed your Master Password all of the data would need to be decrypted and re-encrypted, which is something we wanted to avoid. Instead the data is encrypted with a key which is encrypted with the Master Password. So, for the purposes of biometrics, we use terms like "Master Password-equivalents." It isn't literally the Master Password, but it might as well be, and phrasing it that way helps folks better understand what is going on without having to dive into a lot of technical detail (much of which may be above even more technical minds unless they're quite familiar with encryption).

    Does that help?

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    My key chain is keeped disabled for know other reason than I just do not try to use it. Nothing wrong with it.
    When you store a secure item like a password or a private key in the keychain, you dictate the conditions under which that item can be accessed later. Among other things, you can tell keychain services that every time it tries to read the item, it should first seek the user’s permission—for example, by authenticating the user biometrically with Face ID or Touch ID. You rely on both the Security and LocalAuthentication frameworks to enable this behavior.
    To access keychain items in general, you use keychain services within the Security framework. When authentication is needed, keychain services then relies on the LocalAuthentication framework to present the appropriate interface to the user. The Secure Enclave then carries out the authentication by, for example, testing the user’s finger against the stored fingerprints. The Secure Enclave passes back a pass/fail result that gates keychain item access. No user space or operating system software ever has access to the underlying authentication data, such as stored fingerprints.
    Set the Face ID Usage Description
    In any project that uses biometrics, include the NSFaceIDUsageDescription key in your app’s Info.plist file. Without this key, the system won’t allow your app to use Face ID.
    Now look at the image.

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the explanation and for sharing this diagram @kunder!

This discussion has been closed.