TouchID issues

neilobrien
Community Member
edited July 2019 in Mac

Hi guys - Long time user and (very) occasional poster.......things just work, right? ;-)

I'm going to jump on the same train as this one but thought instead of extending that thread, I'd start a new one for clarity.

On my MacBookPro, 1P stops prompting for my fingerprint sometime after enabling TouchID in the 1P settings. What I mean by that is that I enable it and it works. It prompts me for my fingerprint and all is good in the world. After some time (usually next day), when I open 1P, it no longer prompts for the fingerprint and I must enter my Master Password. It does not state any reason why TouchID is not offered. It appears to survive after reboot and an app restart. It just seems to stop after a period of time.

The only way to recover from this is to disable and re-enable TouchID in the 1P settings and it starts to work again......until the next day when it stops again. It's not that big of a deal, which is why I've been tolerating this for so long, but unfortunately I can't tell you when it started.

Disclaimer: My laptop is heavily policy-fied by my employer and TouchID for logging into the laptop is disabled. However, that has always been the case and TouchID for 1P did work consistently in the past. Like I said above, I can't say exactly when it started.

It's mildly annoying but not a deal breaker. Hope you can help.
Thanks,
Neil


1Password Version: 7.3.1
Extension Version: 4.7.5.90
OS Version: OSX 10.14.5
Sync Type: Not Provided

Comments

  • ag_ana
    1Password Alumni

    Hi @neilobrien!

    When you are prompted for your Master Password, do you see the Touch ID button below the Master Password text field, or is that not showing at all?

  • neilobrien
    Community Member

    Hi ag_ana,

    No, I see nothing and like I said above, it doesn't display any reason why it's not available.

    Thanks,
    Neil

  • littlebobbytables
    1Password Alumni

    Hello @neilobrien,

    Given your disclaimer I'm unsure what troubleshooting we may even be able to try, it sounds like the MacBook is pretty well locked down :(

    The first thing our developers have recommended trying if Touch ID is not behaving is to disable it both in 1Password and then at the macOS level. Basically turn it off and on again. That sometimes helps but I'm not sure if you'll be able to.

    Something else we've been suggested to look for is contained within a diagnostic report but if the MacBook is that locked down I'm going to work on the belief that your employer wouldn't want you sending a diagnostic report to us either. If that seems likely I think I can guide you through where to look for a particular log entry, let us know and I'll start putting some steps together. Now this by itself won't help, it's very much in the discovery stage but maybe we get lucky.

  • neilobrien
    Community Member

    Thanks for the response.

    Aren't there 1P-specific logs we could gather to see why it can't get the TouchID? You're right about sending laptop diagnostics, that's a non-runner.

    TouchID is not actually enabled at macOS level, we don't (can't) use it for logging into the laptop itself:

    However, it is used for internal authentication stuff, but I've verified that using the internal auth stuff is not the trigger for it breaking. I also connect my MacBook to an external monitor, at which point 1P tells me that TouchID is not available when the lid is closed. Connecting and disconnecting to the external monitor is not the trigger either.

    I honestly can't say for sure that some policy is breaking it but would be nice to understand what 1P logs can tell us?

    Thanks,
    Neil

  • littlebobbytables
    1Password Alumni

    Hi @neilobrien,

    Can you try deleting any and all registered fingers with Touch ID as a form of disabling Touch ID? So maybe the following.

    1. Disable Touch ID in 1Password.
    2. Delete any registered fingerprints.
    3. Restart the Mac.
    4. Enrol your fingerprint.
    5. Enable Touch ID in 1Password.

    Our diagnostic reporting tool does, amongst other things, gather together 1Password logs, but I was doubtful as to whether you'd be allowed to run the tool at all and it sounds like my suspicion was correct. In that case, if you find the above doesn't see any difference, can you try the following?

    1. Using Spotlight, launch the Console application; it comes with every installation of macOS.
    2. Open a Finder window and use the menu option Go > Go to Folder... (keyboard shortcut ⇧⌘G).
    3. Paste in the following path and click the Go button. The path to use is: ~/Library/Containers/com.agilebits.onepassword7/Data/Library/Logs/1Password/com.agilebits.onepassword7.log
    4. A file titled com.agilebits.onepassword7.log should be selected, drag this file to the Console icon in the macOS dock.
    5. This should open the 1Password application log file in Console. Use the search field and see if there are any entries that include the text OPKeychainUnlockService.

    I don't believe posting the results here would reveal anything sensitive but if you have any concerns then don't post, instead just let us know if anything was returned and whether any of the entries hinted towards a failure. We can shift the conversation to email if we need to know exactly what was being logged.

  • neilobrien
    Community Member

    Thanks,

    There are a lot of OPKeychainUnlockService messages. I've included ones from today only. When I opened 1P for the first time today, it had stopped working. I disabled/enabled it in 1P settings and it's working again. I will completely disable/enable TouchID as you've instructed.

    Mon Jul 22 13:45:42 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:42 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:42 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:43 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:43 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:49 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:49 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:50 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E saveSecretForKeychainUnlockForProfile: | Failed to encrypt data with secure enclave: (null)
    Mon Jul 22 13:45:55 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:55 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:55 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:45:58 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:46:20 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:46:20 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:46:20 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:46:20 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:46:20 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:46:20 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:48:24 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:48:24 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:48:24 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:48:24 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:48:29 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:48:29 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)
    Mon Jul 22 13:48:30 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E saveSecretForKeychainUnlockForProfile: | Failed to encrypt data with secure enclave: (null)
    Mon Jul 22 13:48:47 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x60000351c610>] E clearSecretFromKeychain | Failed to remove Symmetric Key from Secure Enclave: -25300
    Mon Jul 22 13:49:53 2019| 70301008 [LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x1104faf38>] E saveBiometricPolicyDomainStateData | Failed to store policyDomainState: (null)
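
Added example (not part of the original thread and not 1Password's code): a Python sketch that tallies OPKeychainUnlockService error entries like those in the excerpt above by method and message, so a summary can be reported without sharing the raw log. The line layout is inferred from the excerpt, and the SAMPLE lines are constructed.

```python
import re
from collections import Counter

# Layout inferred from the excerpt in this thread (an assumption, not a documented format):
# <timestamp>| <build> [<SUBSYSTEM>:(<thread>):<<Class>: 0xADDR>] <level> <method>[:] | <message>
LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|\s*(?P<build>\d+)\s+"
    r"\[(?P<subsystem>[^:]+):\((?P<thread>[^)]*)\):<(?P<cls>\w+): 0x[0-9a-fA-F]+>\]\s+"
    r"(?P<level>[A-Z])\s+(?P<method>\S+?):?\s*\|\s*(?P<msg>.*)$"
)

# OSStatus codes defined in Apple's Security framework headers.
OSSTATUS = {-25300: "errSecItemNotFound", -25293: "errSecAuthFailed"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    status = re.search(r"(-?\d+)$", rec["msg"])  # trailing numeric status, if any
    rec["status"] = int(status.group(1)) if status else None
    return rec

def summarize(lines, cls="OPKeychainUnlockService", level="E"):
    """Count entries of one class and level, keyed by (method, message)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["cls"] != cls or rec["level"] != level:
            continue
        msg = rec["msg"]
        if rec["status"] in OSSTATUS:
            msg += " (" + OSSTATUS[rec["status"]] + ")"  # name the known status code
        counts[(rec["method"], msg)] += 1
    return counts

# Constructed sample lines in the same layout as the excerpt (not copied from a real log).
PREFIX = ("Mon Jul 22 09:00:00 2019| 70301008 "
          "[LOCKSERVICE:(Main Thread):<OPKeychainUnlockService: 0x600000000001>] E ")
SAMPLE = [
    PREFIX + "secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)",
    PREFIX + "secretForKeychainUnlockForProfile: | Failed to decrypt data with secure enclave: (null)",
    PREFIX + "saveSecretForKeychainUnlockForProfile: | Failed to encrypt data with secure enclave: (null)",
    PREFIX + "clearSecretFromKeychain | Failed to remove Symmetric Key from Secure Enclave: -25300",
    "not a log line",
]

if __name__ == "__main__":
    for (method, msg), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {method}: {msg}")
```

To run it against the real file, pass `open(path)` for the log path given earlier in the thread to `summarize` in place of `SAMPLE`.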
    
  • AGAlumB
    1Password Alumni

    @neilobrien: Since it sounds like you're not running an outdated version of macOS which doesn't have support for using the Secure Enclave with Touch ID, that's a bit strange. lil bobby's suggestions are good, so give that a try. But I think there might be something else going on. Did you maybe set up this Mac using a Time Machine backup from another one or using Migration Assistant? Your comment that "TouchID for 1P did work consistently in the past" tells me there's probably more to the story than you've let on so far. :)

  • neilobrien
    Community Member

    @brenty I promise there's nothing that I'm hiding :-)

    So those log messages are expected/normal? Is there something in the log I should look out for that would imply that it's fixed?

    This is the first MacBook I've had with TouchID and it was a fresh install, nothing restored nor migration assistant used. I've had it since March 2018 and it did work consistently and somewhere along the line in the last 6 months (rough guess) it started to act up.

    I'll try @littlebobbytables' suggestions and see how it goes.

  • AGAlumB
    1Password Alumni

    @neilobrien: Thanks for clarifying. Yeah, those log messages are something I'd expect to see with that consistency for an issue with an older version of macOS. That's the confusing part. Definitely give his suggestion a try (as I would have suggested the same had he not beat me to it) and let us know how it goes. :)

  • neilobrien
    Community Member

    @brenty @littlebobbytables @ag_ana

    Hi Guys,

    Tried the suggestions but the same problem has returned. I'm not going to trouble you any further with what may be an applied policy on my side that's overwriting/overriding something periodically. If you have no further suggestions, I guess I'll need to live with it.

    One thing I noticed is that when it's broken and I have my laptop lid closed and on external screen, 1P tells me TouchID is not available because the lid is closed. So 1P is determining that TouchID is enabled. But for whatever reason (a reason I would have thought would be in the logs) it's unable to get the TouchID when the lid is open.

    Thanks for your help,
    Neil

  • littlebobbytables
    1Password Alumni

    Hi @neilobrien,

    There is one more thing we can try based on those log entries but it isn't a trivial thing. Basically it would involve forcing macOS to create an entirely new keychain for your macOS user account which also includes some stuff relating to the secure enclave. The developer that wrote up the explanation went as far as recommending the user has a full disk backup before proceeding so they have some concerns. I don't think it's as risky as a full backup makes it sound but it certainly isn't as trivially simple as say, try restarting the Mac.

    If this is something you would like to explore let us know here and we'll contact you directly. I love that the support forum allows us to reach people we didn't even know were having problems but I wouldn't want somebody following these steps unless we had deemed it was the only option left available.

  • neilobrien
    Community Member

    Thanks @littlebobbytables ,

    If you could let me know what needs to be done, I'll see what's involved and consider it. My fear would be creating some irreparable security issues on the laptop that would require me to re-image.

    Thanks,
    Neil

  • littlebobbytables
    1Password Alumni

    Greetings @neilobrien,

    No problem, I'll send an email to the address you're using here in the support forum.

This discussion has been closed.