Unlock older iPad or Mac Vault with TouchID on iPhone [Under consideration]

english06

This is a general suggestion that in my head I think would be feasible and an extremely useful feature for many people. Currently TouchID will be found on most iPhones due to the 2 year upgrade cycle that is standard for phones. This is the not the case for iPad's which were just updated with TouchID or Macs that obviously don't do that. My suggestion would be a service similar to how knocktounlock.com works. When the master password prompt fires on the iPad or Mac a call is made to the connected iPhone (whether through bluetooth or wifi ala continuity or a general iCloud call). The user then receives a prompt on their phone's notification screen. They would place their thumb on their iPhone which would unlock the phone and open the 1Password app (1Password would open up directly since it is the app that woke the phone to display the notification, similar to messages notifications). That unlock would then send them to the 1Password app where another TouchID prompt would be waiting to verify their thumbprint again and authenticate the app on the iPad or Mac that requested authentication.

To the user this would be a seamless process: password prompt on Mac, place thumb on TouchID on iPhone, 1Password on their Mac/iPad unlocks. This authentication could even be done while your iPhone remains in your pocket without you even looking at it.

To me this seems like a killer feature if it is possible. I have no doubt it is a lot of work and that is also assuming that the correct calls can even be made between devices. I feel like they should be able to communicate with each other securely, but may take a little digging to make it work.

MikeT

Hi @english06,

This has been requested a lot and I'll add your vote to our list.

Keep in mind that on the desktops, we do not keep your master password anywhere. Without a secure storage to keep your master password, there is no way to authorize you on the desktop, even with Touch ID in place. Touch ID is merely an authentication process, it's not an authorization process.

It is not likely we will ever send your master password over the air just to accommodate this feature, it must be local only and never leave your device.

jackr

The new Mac+iDevice app MacID seems to handle this correctly. Partnership opportunity?

hawkmoth

I gave MacID a spin a couple of days ago. One thing it requires is that you store your Mac's password in the app on the iOS device. So for it to work with 1Password, I assume that you would also need to store your master password in another application besides 1Password itself, something AgileBits discourages. Maybe if MacID technology were incorporated in 1Password itself?

Separately, if my desktop machine were in a public space, I probably would have been more attracted to MacID than I ended up being. At home, it seemed like more trouble than just typing in the computer's password when I wake it up. It certainly requires more fumbling with devices. But for an office environment, its feature that locks the computer when you walk away seems particularly appealing. And in an office environment or on a laptop, it would make it more likely that a user would have a strong password guarding the OS. also a good thing.

I ended up deleting it.

Megan

Hi @jackr,

Thanks for letting us know about this! As Hawkmoth suggests, we'd have to look very closely into just how they are working their magic. Security and convenience is always such a delicate balance. :)

jackr

@hawmoth: on what basis do you say

One thing it requires is that you store your Mac's password in the app on the iOS device.

This explicitly contradicts claims at the MacID site (claims that the password never goes over BT, and that MacID/iOS never sees the Mac password). "Store the password somewhere," yes, but "on the iOS device" ... controversial. There are several of these "thumb -> iOS -> Mac" apps out, but MacID is the first one that at least claimed to be avoiding this mistake. That was exactly what I meant by suggesting they "do it right." Did you snoop the message stream or something?

@Megan & @hawkmoth: good that you're doing a thorough, cautious 1Password job about this. Knowing you would is why I made the suggestion to y'all rather than to MacID.

hawkmoth

@jackr - It's now been awhile since I gave MacID a spin, but I am sure I had to enter my Mac password in the MacID app on my iPhone to set it up. I don't know whether it was transmitted to the Mac to unlock it, but the setup definitely required the Mac password on the iOS device. It may not be sending the password itself over Bluetooth, but it's communicating something to the Mac side to cause it to unlock.

Caution: I'm working strictly from memory here.

jackr

Just unpaired and re-paired to check. I had to enter the Mac pw on the Mac, but not the iPhone.

hawkmoth

So much for being sure.

ag_kevin

Hi @english06 @jackr ,

To offer a little developer perspective, it's true MacID does not need to store your Mac's password on the phone. What it may be doing (I don't claim to know the exact procedure, this is just my opinion) is store a token made up by MacID on your phone. When you use MacID, it asks your phone to authorize your your fingerprint. Upon successful fingerprint scan, it sends the token back to the Mac over bluetooth. When MacID gets the right token, it unlocks your Mac. I would imagine (hope) that it also uses a secure method to generate, store, and send the tokens over bluetooth, to prevent someone else from using a fake MacID app and sending the same token, and to prevent another wireless device nearby from detecting the token.

However, note that MacID does need to store your Mac's password on the Mac itself. Right now, you don't need to store your Mac's 1Password master password anywhere. To implement such a feature it would likely need to store the master password somewhere on the Mac. If we were to implement such a feature, we would have to very carefully consider how to store that master password (or derivative) in a way that keeps it secure and not accessible to other applications on your Mac, and we'd have to be absolutely certain that no other app could pretend to be doing the fingerprint check in place of your copy of 1Password.

That's not to say it's impossible, just that it's implementation needs very careful planning, and the benefit would need to outweigh any risks involved.

Thanks for the votes for the feature. I too, think it's a great idea.

jackr

What I'm looking for, primarily, is "unlock 1Password-Mac vault by fingerprint scan on iPhone," analogous to the existing ability to unlock 1Password-iOS by fingerprint scan. I mentioned MacID as an example, and possible model or partner, for the "remote unlock" workflow, rather than the specific example of unlocking the Mac itself.

I don't for a moment doubt that this is a major risk requiring excruciating care. I'm just saying I'd rather trust that to y'all than to the (unknown) MacID author.

ag_kevin

Thanks for the vote of confidence! I just wanted to explain a little bit of how it works, and to stress the importance of the care that must be taken to do it right. We'll certainly add your vote for the feature's consideration.

johonee

Sorry to say that I do not know how to unlock iPhone or iPad.
But I do know how to get back data with locked iPhone or iPad.
If you have backed up your iPhone or iPad data in iTunes before, and one day found some important data lost, such as photos, messages, contacts, notes, etc. You can use FonePaw iPhone Data Recovery to scan your iTunes backup files and find those lost data for you.
Hope it helps.

AGAlumB

@johonee: Thanks for sharing! Fortunately that shouldn't be necessary, since you can create a backup of your 1Password data at any time to save to the computer. Better safe than sorry. Cheers! :)

rctneil

Adding my +1 to this. I can understand the difficulties here but definitely a request from me.

AGAlumB

@rctneil: Thank you! Difficulties aside, it would be so cool if 1Password could do this in the future. :sunglasses: :+1:

The future, Conan?