Touch ID security weaknesses

edited November 2016 in Lounge

The Chaos Computer Club in Germany always recommends not to use biometric identification as a security feature (see e.g. hacking the fingerprint). Similar hacks are known for face recognition etc. Thus I am convinced not to use such authentication methods.

Now my questions:

From my point of view this feature is heavily compromising security in favour of usability (even when considering, that you provide options to enforce the Master-Password to login: it feels strange that there is a simple way of accessing my most precious data). Does this reflect the general strategy at 1Password? And if yes, why was this decision made?

I read multiple times that the Master-Password is not stored anywhere, but together with the Secure-key it forms the decryption key of the 1Password data. If the password is not stored, how is it possible to decrypt the data file with Touch-ID?

Thanks for your help ;-)

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:touch id


  • danco Senior Member, Community Moderator

    The crucial point is that you do not have to use Touch ID at all, so it is the user's decision where the balance between security and usability lies.

  • brenty

    Team Member

    I'm not sure that making a fake finger constitutes a Touch ID "weakness" — at least, no more than the fact that your fingers themselves can be used against you, attached or otherwise...

    This stuff is fascinating though. And danco made an excellent point: this is an option we can choose to use or not. I think this is similar to our Master Passwords, in that 1Password isn't going to shout you down if you choose a weak one. Your data, your decision.

    There are always tradeoffs. Otherwise we'd all be required to memorize (and type) 256-character (as a concession to performance), randomly generated Master Passwords. But I think it's safe to say that we're all using something less than an ideal, super-secure password, so that it's usable. Therefore the tradeoff is that we make them strong enough for the information we're trying to protect, but weak enough for our minds and bodies to manage.

    Regarding using 1Password for Mac in particular with Touch ID, it works nearly identically to the way it does on iOS. In both cases, the Master Password itself is not stored, but rather an obfuscated token is kept in the system Keychain which can be used to unlock the keys which decrypt your data. It's functionally equivalent to the Master Password for 1Password's purposes, but should someone gain access to it they still won't know your Master Password. You can read more details about this in our knowledgebase:

    About Touch ID security in 1Password for Mac

    I hope this helps. Be sure to let us know if you have any other questions! :)
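The key-wrapping design brenty sketches above (a data key that can be unwrapped either from the Master Password or from a separate random token held in the Keychain, so that the token is "functionally equivalent" for unlocking but reveals nothing about the password) can be illustrated in a few dozen lines. The following is an added example written for this page; it is not 1Password's code and makes no claim about their actual file format, KDF parameters or Keychain usage. It uses only the Python standard library, so the wrapping primitive is a toy encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) where a real implementation would use AES-GCM or AES Key Wrap, and Touch ID itself is abstracted as a boolean gate on Keychain access. The `KDF_ITERATIONS` value and the `"touch-id-token"` Keychain name are assumptions for the example.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed value for this example, not 1Password's setting


def _wrap(wrapping_key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC wrapping of a 32-byte secret under a 32-byte key.

    Toy construction (stdlib only): a fresh nonce, a keystream derived with
    HMAC-SHA256 and XORed onto the secret, then an HMAC tag over nonce and
    ciphertext. Production code would use AES-GCM or AES Key Wrap instead.
    """
    assert len(secret) == 32 and len(wrapping_key) == 32
    nonce = os.urandom(16)
    keystream = hmac.new(wrapping_key, b"enc" + nonce, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(wrapping_key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _unwrap(wrapping_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then recover the wrapped secret."""
    nonce, ciphertext, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(wrapping_key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted vault")
    keystream = hmac.new(wrapping_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


def _kek_from_password(password: str, salt: bytes) -> bytes:
    """Slow KDF: the Master Password is never stored, only stretched into a wrapping key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def create_vault(master_password: str) -> dict:
    """Create a vault whose data key is wrapped only under the Master Password."""
    data_key = os.urandom(32)  # the key that actually encrypts vault items
    salt = os.urandom(16)
    kek = _kek_from_password(master_password, salt)
    return {"salt": salt, "mp_wrapped_key": _wrap(kek, data_key), "token_wrapped_key": None}


def unlock_with_password(vault: dict, master_password: str) -> bytes:
    kek = _kek_from_password(master_password, vault["salt"])
    return _unwrap(kek, vault["mp_wrapped_key"])


def enable_touch_id(vault: dict, master_password: str, keychain: dict) -> None:
    """Put a random unlock token in the (simulated) Keychain and wrap the data key under it.

    Enabling requires the password once; afterwards the token, not the password,
    is what the Touch ID path uses. The token is random and unrelated to the password.
    """
    data_key = unlock_with_password(vault, master_password)
    token = os.urandom(32)
    keychain["touch-id-token"] = token  # hypothetical Keychain item name
    vault["token_wrapped_key"] = _wrap(token, data_key)


def disable_touch_id(vault: dict, keychain: dict) -> None:
    """Remove both the Keychain token and the token-wrapped copy of the data key."""
    keychain.pop("touch-id-token", None)
    vault["token_wrapped_key"] = None


def unlock_with_touch_id(vault: dict, keychain: dict, biometric_ok: bool) -> bytes:
    """Biometric gate on Keychain access, then unwrap the data key with the token."""
    if not biometric_ok:
        raise PermissionError("Touch ID did not match")
    if vault["token_wrapped_key"] is None or "touch-id-token" not in keychain:
        raise PermissionError("Touch ID unlock not enabled for this vault")
    return _unwrap(keychain["touch-id-token"], vault["token_wrapped_key"])


if __name__ == "__main__":
    keychain = {}  # stands in for the OS Keychain; constructed for this example
    password = "correct horse battery staple"
    vault = create_vault(password)
    enable_touch_id(vault, password, keychain)
    assert unlock_with_touch_id(vault, keychain, True) == unlock_with_password(vault, password)
    # The Keychain holds only a random token; nothing in it derives from the password.
    assert keychain["touch-id-token"] != password.encode()
    print("Touch ID path recovers the same data key without the Master Password being stored")
```

The point the example makes concrete is the one in the reply above: the Keychain item is a second wrapping of the same data key, so whoever can read it (after a successful biometric match, or by compromising the OS) can unlock that vault on that device, but cannot learn the Master Password from it, and deleting the item revokes the Touch ID path while the password path is untouched.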

  • Thanks a lot for the detailed answers!

  • brenty

    Team Member

    Any time! Cheers! :)

This discussion has been closed.