New behavior of master password/PIN code [Intentional design as part of 1Password 5.1 update]

Locker

1PW 5.1.1 beta (and 5.1 released)

iOS 8.0.2

Now if I allow to use PIN code, the app will always ask first for the PIN, even after very long time. There is no timeout like in earlier versions that will require the master password. (indeed, if I enter wrong PIN, it will then ask for the master password). I liked the previous behavior when could define the timeout after which it will not accept a PIN at all it would go straight to request master password.

Note: Now that I have iPhone6, I probably will only use the Touch ID, so I'll not 'confront' the case that I described above.

MikeT

Hi @Locker,

This is all intentional as part of the major improvements and simplification of the Security settings in 1Password 5.1 for iOS.

Your PIN and TouchID becomes the first option to unlock your data and if it is incorrect the first time, it'll automatically switch to your master password. It is supposed to ask for TouchID/PIN first every single time 1Password auto-locks and it allows the app to be very consistent with it in both the extension and the app.

We do not plan to change this behavior after hearing a lot of users confirming that this is working more consistently and they're able to follow the security settings without any confusion.

Locker

We do not plan to change this behavior after hearing a lot of users confirming that this is working more consistently and they're able to follow the security settings without any confusion.

That probably ok. I just have to get comfortable with the idea and understand how it influence the overall security. My first reaction was that the PIN is so weak that I didn't want it to be allowed at all after the relatively short period (5-10min) that I myself used it.

Note: I was just surprised to see a request for the PIN even 3 days after last using 1PW, following an "uneventful" update. Perhaps the change was not advertised strongly enough, or perhaps I just clicked OK without reading the blinking bold red text that you did put :p
Anyhow, it's only a one-time event that affect only those that did an update, and from your comment I understand that most people didn't have problem with that, so everything is OK.
Note-to-the-note: OK OK people, I usually use 1PW continuously, so it really rarely happen that I don't touch it for 3 days!

Note 2: Do I understand it correctly that on devices without TouchID, the user will see an option just for a PIN code, and on devices with TouchID, the user will see an option just for TouchID, and never know about the PIN code idea? Not that it matters. (I just had a discussion with another 1PW user, and we were on the two different devices, so it took a while to realize why the other user saw a different picture).

And a generic question: Regarding security, where the TouchID stands in relation to the 4 digits PIN code and the Mater password? Or in other words, how secure is it? Being new to this feature, I assume a lot was discussed already.

MikeT

Hi @Locker,

Note: I was just surprised to see a request for the PIN even 3 days after last using 1PW, following an "uneventful" update.

Right, it is unusual considering the past several years of how 1Password works on iOS and the multi-tasking limitations. Now, it is actually consistent for days and/or weeks.

Note that we automatically expire your PIN/TouchID session in 14 days, like how iOS expires your TouchID if you don't use it in 48 hours.

Note 2: Do I understand it correctly that on devices without TouchID, the user will see an option just for a PIN code, and on devices with TouchID, the user will see an option just for TouchID, and never know about the PIN code idea?

Correct, all TouchID-enabled devices get TouchID only while the rest gets PIN instead.

Regarding security, where the TouchID stands in relation to the 4 digits PIN code and the Mater password? Or in other words, how secure is it

You might find this blog post useful.

rolfl

@MikeT If I hit cancel on the TouchID prompt the app revert to master password on subsequent invocations.

This is a bit annoying when I accidentally invoke 1PW. I just wanted 1PW to go away and keep using TouchID on next invocation,

The only options seems to be to 1) Login with TouchID and switch away with 1PW unlocked, or 2) Hit cancel and switch away, but have to reenter master password next time 1PW launches.

MikeT

Hi @rolfl,

If I hit cancel on the TouchID prompt the app revert to master password on subsequent invocations.

That's intentional for security reasons. Once TouchID is cancelled by the user for some unforeseen reasons, the master password is automatically removed from the iOS keychain, and the user must enter the master password in order to restore it to the iOS keychain.