Feature request: Touch ID + PIN for unlocking 1Password iOS app

password123
Community Member

Hi Agilebits Team,

Is there any consideration for implementing a fingerprint + PIN unlock for the iOS app? The Venmo (payments) and Robinhood (stocks) apps do, and it would be nice if 1Password were to follow suit.

I understand that the fingerprint hash is stored in the iOS secure enclave and everything, but from a user standpoint, our only options right now are between entering our master password each hour, or breeze through with Touch ID. A fingerprint + PIN would straddle that balance between security + convenience rather well.

Most users already use their fingerprints to secure their phones. However if you're passed out drunk (yes, there are other worries), it'd be trivial for someone to access your 1Password app. Apps like Venmo that require a PIN would at least require the thief to hit you with a $5 wrench repeatedly. ;)

Thanks again for creating such a useful product. I hope to see fingerprint + PIN in the future.


1Password Version: 6.5.4
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: iCloud

Comments

  • Hi @password123

    Thanks for writing in with this suggestion.

    Apps like Venmo that require a PIN would at least require the thief to hit you with a $5 wrench repeatedly. ;)

    If you're making the reference I think you're making... :+1:

    Is there any consideration for implementing a fingerprint + PIN unlock for the iOS app?

    At the moment there is not. We've got quite a few irons in the fire and this isn't on the roadmap. Maybe something we can consider further down the road though. :)

    Ben

  • password123
    Community Member

    Thanks for the prompt response Ben!

    If you're making the reference I think you're making... :+1:

    Yup, making feature requests on security matters, I think it's sometimes important to think of the use case.

  • Drew_AG
    1Password Alumni

    Ah yes, that one's a classic! :lol:

    Thanks again for taking the time to send us your feature request (and for the excellent reference). We're here for you if you need anything else. Have a great weekend! :)

  • Ivan_K
    Community Member

    Thumbs up for the idea.

  • Thanks, @Ivan_K. :)

    Ben

  • jc_grey1ing
    Community Member

    Hi,
    I believe the pin code request and explanation from @password123 was very well crafted, and I don't think the urgency of this request is understood.

    We are facing not only criminals (physically) threatening you, but government (border posts) intrusions and also malware etc. If this option is not in the immediate roadmap then I need to reconsider protection of sensitive information.

    Don't get me wrong - I have been using and advertising 1Password from the very first version and would highly anticipate the pin code feature as essential & crucial. Today I have data in 1P that if leaked will be crippling to myself.

    I'm more than willing to be a guinea pig for this feature, and I'm also open to listen to better solution suggestions if available - but I'm not able to let this be swept under the rug. Solutions I'm considering currently are:

    1. Use 1Password.com website whilst traveling

      • Have no 1Password on your phone / laptop
      • Have only the absolute essential sensitive info on the 1Password website
      • I have to accept 1password.com will be hacked sometime in the future
      • If a criminal / government physically confiscates / hacks my phone / laptop they will not find any sensitive data
      • But you are trusting you have internet access
    2. Using different phones with different 1Password sensitive data sub-set

    3. Enabling of a hardware key like Trezor with seed + pin + passphrase

    Suggestions welcome.

  • Ben
    edited June 2017

    If this option is not in the immediate roadmap then I need to reconsider protection of sensitive information.

    It isn't on the immediate roadmap, and it doesn't look likely that it will be for some time to come, if ever. If anything we're looking to simplify the code that handles locking and unlocking 1Password, not make it more complex. Options are great, but they add complexity, and complexity isn't necessarily a good thing.

    Today I have data in 1P that if leaked will be crippling to myself.

    You're certainly not alone in that. All of us here at AgileBits use 1Password too.

    Solutions I'm considering currently are:

    If you feel Touch ID is not adequate to secure your information we recommend disabling it and unlocking 1Password using your Master Password. You can also disable Touch ID entirely for your device and then use a PIN to unlock 1Password.

    Thanks!

    Ben

    ref: OPI-2886

  • thefella
    Community Member

    I think a PIN + the Touch ID is a great idea as well. In fact, I tweeted about this the other week. As someone else said, it bridges the gap between the hassle/complexity of typing in your master password and the ease of pressing a finger against the outside of your phone, which as stated could be done while you're passed out drunk. (Or asleep next to a jealous lover, or had your finger cut off by an angry loan shark looking for a very late payment).

    Just wanted to give my +1 for this idea, as I think it wouldn't be too hard to implement from a dev point of view.

    Conor

  • @thefella,

    If you're in a position where a loan shark is cutting off your finger to activate your Touch ID I don't think the addition of a PIN is going to protect you. If anything it may cause more problems for you (a la xkcd: Security).

    I think when planning your security it is important to understand the perceived threats and think about what defenses will actually help in those situations.

    In any event, we do appreciate the feedback, but at this time this is not on the roadmap. It adds a layer of complexity that we are not willing to take on at this time. That may change in the future, but for now if you do not want to rely on Touch ID we recommend unlocking using your Master Password.

    Thanks.

    Ben

  • Piggy
    Community Member

    Touch ID + PIN is a good idea and I hope it can be added in the future. I would also like to request that you consider adding support for authentication codes from solutions like Google Authenticator and Authy (which is a better end-user solution, but does not require any extra work for the developer adding this kind of authentication support.) I personally don't want to have to authenticate like this every time I use 1P. My use case would be for the current 1P requirement of using the master password periodically.

    Thank you for considering this request.

  • AGAlumB
    1Password Alumni

    Touch ID + PIN is a good idea and I hope it can be added in the future.

    @Piggy: It's really no good to require users to remember an additional passcode, and this does not add any real security unless it is long and random (which makes it harder to remember). However, using a longer, stronger Master Password does improve your security, and Touch ID is a great convenience that does not sacrifice it. We don't have any plans to have this also require a PIN, and with Apple's new Touch ID lockout feature built into iOS 11 there's even less reason to add additional complexity in this area.

    I would also like to request that you consider adding support for authentication codes from solutions like Google Authenticator and Authy (which is a better end-user solution, but does not require any extra work for the developer adding this kind of authentication support.)

    1Password has supported TOTP for years (I use it with my Google accounts and many others), and we recently added an automatic TOTP copy feature that makes it even easier to use:

    1Password 6.8 for Mac & iOS: The Picnic Edition

    I personally don't want to have to authenticate like this every time I use 1P. My use case would be for the current 1P requirement of using the master password periodically. Thank you for considering this request.

    1Password already supports setting a Touch ID "timeout" in Settings > Advanced > Security, so the Master Password is required periodically even when Touch ID is enabled. I hope this helps!

This discussion has been closed.