TouchID: 1Password v internet banking apps

I've read in several posts that 1Password is not informed when changes to a device's TouchID setup are made. Hence, anyone who knows your device passcode (often a 4-digit PIN) can access a TouchID-enabled vault after adding their own fingerprint in the iOS settings panel (= low security).
At the same time, I am using at least two Swedish internet banking iOS apps that deny one access through TouchID when a fingerprint has been added (or removed or edited). I have tried it myself. TouchID login is then no longer available; you have to provide other codes. In 1Password, this would mean your Master Password.

It seems to me that this should be a key concern with AB. Could anyone tell me how it is that banking apps are able to get this information (i.e., changes to TouchID), but not 1Password?



Comments

  • Ben AWS Team

    AgileBits Team Member

    Hi @kalash!

    Great question. It is possible this has changed in an iOS update. I'll check in with our developers and see what, if anything, we might be able to do in this regard.

    Thanks!

    Ben

  • Any updates on this @Ben ?

  • brenty

    AgileBits Team Member

    @kalash: Nothing to share at this time, but it's something we're exploring. :)

    ref: OPI-3419

  • So, another 9 months have passed... Any update? I still regard it as the single most compromising feature of 1Password, since there are occasions where I need to share my passcode with someone else.

  • brenty

    AgileBits Team Member

    @kalash: Nothing to announce at this time.

    Keep in mind that if you share your passcode with someone else (I wouldn't, but I guess it's your call), you can always change it afterward.

    It's something we're interested in, and if we can do it reliably we'll add this feature. "Banking apps" have a lot less to deal with compared to 1Password's lock mechanisms (which apply both to the main app and extension, with regard to timers, app state, and device state), so it's not as simple as you might think. ;)

  • Ben AWS Team

    AgileBits Team Member

    I can’t make any promises, but I can say that this is something our developers have been taking a close look at recently.

    Ben

  • prime
    edited October 2017

    Personally I don’t get sharing a password of a phone with people (unless it’s my wife, but that’s it). You open yourself to some major issues, and asking an app developer to fix your issue, to me, isn’t the way.

    Now if you must do this, just turn off the Touch ID to 1Password and make it so you have to put in your master password to unlock, and not a finger.

    An app developer can only do so much; we’re the people who need to be careful and responsible for our own security. Internet security starts with us, the user.

  • Ben AWS Team

    AgileBits Team Member

    I think the much more common scenario is sharing of an iPad, prime. Many families can’t justify the expense of an iPad for each family member, and so one may be shared. I agree it isn’t an ideal situation, as iOS is a single user platform. It really isn’t designed to have multiple users share a device. But it is a very common scenario, especially with iPads.

    Ben

  • @Ben true, but these people will most likely keep the fingers on the Touch ID, so the whole adding a finger and removing it all the time wouldn’t be an issue. And why I said for this, just remove Touch ID for 1Password and now the master password is needed. A person can add a finger all they want and it won’t work for 1Password, security starts with the user ;)

  • Ben AWS Team

    AgileBits Team Member

    I don’t disagree, prime. :)

    Ben

  • @Ben should have worded it better. My apologies :)

  • Ben AWS Team

    AgileBits Team Member

    I got what you’re saying. :)

    Ben

  • I suppose it may be common that users sharing an iPad all have their fingerprints enrolled, so my case doesn’t really apply there.

    My most common use case is for music control when friends are over, or a party. You’re playing music through your phone or iPad, and there’s always that guy who has to queue a few tunes. Hence, that guy ‘just has to’ have your passcode. Once you’ve given that out, just because that guy had such a strong urge to listen to his own music, you’ve basically given access to all your passwords on hundreds of sites.

    My point is, it’s a problem.

  • prime
    edited October 2017

    @kalash as I said, then make it so the Touch ID is off in 1Password. This makes it so you have to use the master password to get in 1Password. Unless the password to your phone is the same for 1Password, this is the best idea.

    You can also activate Guided Access. You can lock an app so it’s the only app that can be used unless you use a passcode (different from the phone itself). I actually did this to an iPod Touch at a party. Music app was the only app anyone can access, so anyone can play music, and have zero access to the iPod Touch.

    Screenshot below

  • Theoretically, I completely agree with you, @prime, and your suggestions are sound. But then again, password managers exist because people generally aren’t very thoughtful when it comes to security, so I wouldn’t say the idea that developers shouldn’t have to babysit users really applies here, by definition. Its key selling point is smart security for dumb/lazy users. The same really goes for touchid.

    Simply put, I don’t think most 1P users (the majority of which I must assume use it with TouchID) will be mindful enough that, when briefly asked for their code by some dude who wants to be in charge of the music, they will either go into 1P and turn off touchID, or enable guided access.

  • Ben AWS Team

    AgileBits Team Member

    We don’t want to encourage folks to share their passcodes, but as I mentioned our developers are taking a look into this.

    Ben

  • Cool ;)

  • prime
    edited October 2017

    @kalash it’s cool if they add it, but it’s never ever safe to assume your data is safe if you tell people your password to your phone. Even if AgileBits adds this feature. Just be careful.

  • Ben AWS Team

    AgileBits Team Member

    :+1: :)

    Ben

  • brenty

    AgileBits Team Member

    My most common use case is for music control when friends are over, or a party. You’re playing music through your phone or iPad, and there’s always that guy who has to queue a few tunes. Hence, that guy ‘just has to’ have your passcode. Once you’ve given that out, just because that guy had such a strong urge to listen to his own music, you’ve basically given access to all your passwords on hundreds of sites.

    @kalash: Ah, that's interesting. I just set iOS Settings > Display & Brightness > Auto-Lock to Never in that case. That way no one needs my passcode, and therefore can't get into my security settings or 1Password. Guided access is great too, but either way "some dude who wants to be in charge of the music" never gets my code. :lol:
