Feature request: Require a 2 character password with fingerprint login

The ability to login using a fingerprint has two big downfalls:
1. It causes the user to forget the master password
2. It allows anyone with access to your finger to unlock your account. Anyone asleep or held against their will is vulnerable.

Here is my solution:
Require the first and last characters of the master password to be input in conjunction with the fingerprint login. Two characters total. If they are incorrectly entered then the fingerprint login option would be disabled. This would also help people to remember their password each time.

I think it is madness for anyone who cares about their online security to enable fingerprint login as it stands now. I think this suggestion would solve that problem.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:fingerprint

Comments

  • It would also prevent "fake finger" type attacks.

  • I have a better solution for people who don't trust fingerprint login: Don't enable it. :)

  • brentybrenty

    Team Member

    @user552200: (Un)fortunately the full Master Password is needed to decrypt your data. It is quite literally "all or nothing". With Touch ID, a secret is stored in the Keychain which allows your registered fingerprint to unlock the Master Password to unlock. But there's no way to store only part of the Master Password, since the whole thing needs to match. Also, it would be much easier for someone to discover two characters you type than a full password.

    pervel 's comment may sound obvious, but it's an important point: Touch ID is an optional convenience that each of us can choose (or not) for ourselves. However, it's important to note that using Touch ID with 1Password is very secure. It's "weaknesses" are the same any of us could potentially face: the fact that our fingers themselves could be used against us.

    As I mentioned, the Master Password itself is not stored, but rather an obfuscated token is kept in the system Keychain which can be used to unlock the keys which decrypt your data. It's functionally equivalent to the Master Password for 1Password's purposes, but should someone gain access to it they still won't know your Master Password. You can read more details about this in our knowledgebase:

    About Touch ID security in 1Password for iOS

    And two things I find really useful are 1Password Settings > Advanced > Security to require the Master Password occasionally, but also using a stronger Master Password since I don't need to enter it as frequently.

    I hope this helps. Be sure to let us know if you have any other questions! :)

  • @brenty I understand that it is all or nothing with the Master Password. The user could provide any two characters for the mini-password. It could be recommended by 1Password to use a mini-password which helps them to remember the Master, but this would obviously not be mandatory.

    Once the user has unlocked the obfuscated token using their fingerprint they would then have a second obfuscated token to unlock, albeit a much easier two-character mini-password.

    It is only once both tokens have been unlocked that the user would gain access to the full obfuscated token which unlocks the 1Password file.

  • brentybrenty

    Team Member

    Once the user has unlocked the obfuscated token using their fingerprint they would then have a second obfuscated token to unlock, albeit a much easier two-character mini-password.

    @user552200: The problem with this is that you've effectively just encrypted your data with a two character "mini password" if that decrypts the Master Password which in turn decrypts your data. It would be more secure to just use a 4 character Master Password. I wouldn't recommend that though; I'm just using it as an example. Definitely choose a long, strong, unique Master Password and either enter it manually or unlock with Touch ID, as either of these options will keep your data safer.

    Did you try the advanced settings I suggested? I find it handy to require the Master Password on restart, that way I can quickly shut off my iPhone if necessary. I hope this helps! :)

  • user552200user552200
    edited November 2016

    @brenty Is it technically possible to limit the number of "mini password" guesses which can be made before the Touch ID login feature could be turned off?

    Or would it be possible to limit the number of Touch ID approvals that a user can perform before the Master Password is required? In other words, to require the full Master Password every X successful Touch ID logins.

    If not, then you are right and my suggestion would not work.

  • @brenty How about requiring the Mini Password when you open the 1Password app? If it is incorrectly entered then 1Password removes the secret from the iOS Keychain. The Master Password would remain fully protected.

  • brentybrenty

    Team Member
    edited November 2016

    Is it technically possible to limit the number of "mini password" guesses which can be made before the Touch ID login feature could be turned off?
    Or would it be possible to limit the number of Touch ID approvals that a user can perform before the Master Password is required? In other words, to require the full Master Password every X successful Touch ID logins.
    If not, then you are right and my suggestion would not work.

    @user552200: You're really close on both of these. Neither is possible, but instead after 3 failed Touch ID attempts the secret is removed from the iOS Keychain so that the full Master Password is required.

    How about requiring the Mini Password when you open the 1Password app? If it is incorrectly entered then 1Password removes the secret from the iOS Keychain. The Master Password would remain fully protected.

    I'm probably not articulating this very well, but this goes back to my earlier point about the full Master Password being required. In order for something like this to work, the Master Password-derived secret would need to be unlockable with the "mini password", at which point you might as well just use a really weak password to encrypt all of your data in the first place, because that's all that's required to to decrypt it. "Onion-like" layering like this needs to be considered carefully, because it not only adds complexity but also makes it easier to overlook flaws like that.

    And ultimately Touch ID allows greater convenience with better, hardware-enforced security: instead of a two-character password, you have a one-finger password. And a fingerprint has a much higher barrier to reproduce. After all, it's trivial to try various passwords (even though there are limiting factors when it comes to trying many). The attacks against Touch ID require physical access to both your fingerprint and the device, which raises the bar considerably. Even though a finger can be used against you, someone who is in a position to use your actual finger against you could more easily guess a two character password, discern it from looking at prints on the screen, or observe you entering it.

    And at this point, we're talking specifically about 1Password, ignoring the context of iOS itself. You can use Touch ID to protect the device, 1Password, both, or neither. Personally, I use a long passcode on my iPhone along with Touch ID, and Touch ID for 1Password, with Settings > Advanced > Security set to "After device restart". I actually use a slightly different setting of "After 1 day" on my iPad, since I use it less frequently, so there's a lot of flexibility to customize it depending on your use.

    iOS in general and Touch ID in particular have an excellent security model and track record, but if, despite that, you choose not to trust it, you don't have to use it. We just don't want to try to build a house of cards that confuses or gives a false impression of security. It's fascinating stuff though. :)

  • Thanks for replying again @brenty Your time is very much appreciated.

    Here's my (hopefully!) last message on the topic, as I'm not sure you that we are on the same page, as per your quote here:

    In order for something like this to work, the Master Password-derived secret would need to be unlockable with the "mini password", at which point you might as well just use a really weak password to encrypt all of your data in the first place

    My suggestion would only unlock the ability to attempt to login using Touch ID. Once the Mini Password is entered the user is still faced with the Touch ID hurdle.

    Is it not possible to require the input of a Mini Password on the 1Password app before the Touch ID login option is displayed? I'm pretty sure I use other apps which only offer the Touch ID login option once some other hurdle has been jumped (e.g. a website login request).

    On a not unrelated note, could the 1Password secret that is being held by iOS Keychain be revealed to another app if the user was using that app and had logged in using Touch ID? If so, then it would be huge security risk, as any app which requests Touch ID login would be able to gain access to the Master Password secret.

    Thanks again, and sorry for annoying you!

  • I forgot to make it extra clear that if the Mini Password was incorrectly entered X times, then the app would delete the iOS Keychain secret.

  • brentybrenty

    Team Member

    My suggestion would only unlock the ability to attempt to login using Touch ID. Once the Mini Password is entered the user is still faced with the Touch ID hurdle.

    @user552200: "Unlock the ability to attempt to login using Touch ID" isn't (as far as I can tell) something that's cryptographically feasible, and it's important that 1Password's security is enforced by encryption and not rules (which can be broken). Definitely an interesting idea though, and perhaps it could be possible in the future.

    Is it not possible to require the input of a Mini Password on the 1Password app before the Touch ID login option is displayed? I'm pretty sure I use other apps which only offer the Touch ID login option once some other hurdle has been jumped (e.g. a website login request).

    It may be that they're doing something a bit different than it appears, but I'd be interested to take a look at any apps like that if you'll post links. I haven't encountered this myself, but it never hurts to see what others are doing!

    On a not unrelated note, could the 1Password secret that is being held by iOS Keychain be revealed to another app if the user was using that app and had logged in using Touch ID? If so, then it would be huge security risk, as any app which requests Touch ID login would be able to gain access to the Master Password secret.

    You're right that that could be a problem. Fortunately iOS has a gloriously strict security model, so it isn't possible for apps to access each other's Keychain data or local storage. Both require encryption keys to access. macOS seems to be moving more in this direction too over time, but unfortunately there's a long legacy there and making drastic changes like this overnight would just break the apps we depend on.

    Thanks again, and sorry for annoying you!

    Not at all! This is great feedback! :)

    I forgot to make it extra clear that if the Mini Password was incorrectly entered X times, then the app would delete the iOS Keychain secret.

    Ah, gotcha. That sounds like we'd need two secrets in the Keychain then: one for 'mini' and one for the Master Password.

  • user552200user552200
    edited November 2016

    @brenty

    "Unlock the ability to attempt to login using Touch ID" isn't (as far as I can tell) something that's cryptographically feasible, and it's important that 1Password's security is enforced by encryption and not rules (which can be broken). Definitely an interesting idea though, and perhaps it could be possible in the future.

    "Interactive Brokers", for example, uses a login app for its users. You login to their website using your password, Then you open their app. If you have not already entered the password on their website then you can browse inside the app, but you are not given the option to login using Touch ID. It is only once the website password has successfully been entered that the Touch ID login prompt pops up.

    I'm guessing it is probably technically possible to fool an app into requesting a Touch ID login prompt. But I'd wager that the vast majority of attackers would not have this ability, if it does in fact exist. Therefore, I don't think that using a rule based system here would be such a bad thing. This would be an additional rule added on top of the existing encryption. The 1Password user would be made aware that it could be technically possible to force a Touch ID login prompt and therefore bypass the Mini Password, but they would be given that option.

    At worst, it would provide the exact same level of security that the current Touch ID protection provides, All other times, it would provide an excellent protection against all types of "finger hacking", and help the user to remember their Master Password,

  • brentybrenty

    Team Member

    @user552200: Ah, I see. In the case of iOS itself, Touch ID is managed entirely by iOS, so it isn't possible for one app to "fool" another to authenticate. Each app has its own unique signature, and encryption keys for their own data. It seems like what they're doing is a bit different, not offering to even let you login to the app without first doing so on the website, so all of this is handled by the server component. That could, theoretically be susceptible to a person-in-the-middle attack to trick the app into thinking it got the okay from the server. But regardless this could never be possible with the standalone version of 1Password, only the subscription service, since there is no server component otherwise. This almost sounds like we're getting into the realm of multifactor authentication here. Interesting. But ultimately we want 1Password to continue to rely on encryption for its security, since authentication systems can be compromised or bypassed. Definitely interesting to consider the different permutations though. :)

  • user552200user552200
    edited November 2016

    @brenty

    It seems like what they're doing is a bit different, not offering to even let you login to the app without first doing so on the website, so all of this is handled by the server component.

    There is no login required for the Interactive Broker app. Anyone can open it and browse around. The TouchID login option only appears once a successful website login has happened. But I see no reason why this login validation could not come from within the app itself, if the app had stored the password.

    Therefore, I don't think a server component would be necessary, as the validation could be handled entirely within the app. The 1Password app would request that the user create a Mini Password, and it would store this in the iOS Keychain. When the user logs into the app they would first be asked to enter the Mini Password, and if it was correct then the app would give them the TouchID login option. If the Mini Password was incorrectly entered then the TouchID secret key would be deleted.

    There is no server component necessary.

    I don't think it's multifactor authentication either - unless you count the current TouchID login as being multifactor. A secret key is held which unlocks something else. If the user is happy to use create a secret key to unlock their 1Password file, then they should have no problem creating another secret key to unlock the first secret key. It only adds security. The worst possible outcome is that the TouchID login option is made available to an attacker - which already happens under the current implementation.

  • brentybrenty

    Team Member

    Ah, thanks for clarifying. I just meant that in order for the app to not let you in without logging into the website, there has to be a server there. And while this isn't necessarily multifactor authentication, it sounds like it serves a similar function. I thought that was interesting. :)

This discussion has been closed.