iOS security [Security vs Convenience — Consider practicality and likely threats]

scotty321
Community Member
edited August 2018 in iOS

The reason we use 1Password is because we are paranoid about unauthorized people gaining access to our private information, such as our financial information or email passwords. So, keeping in mind that our goal is to have the highest level of security:

For the iOS version of 1Password, which security option provides the absolute highest security? TouchID or PIN Code?

The downside to TouchID is that any common criminal or police officer can violently force your finger onto the fingerprint sensor. They can even render you unconscious and then use your fingerprint. One of our close friends was walking home late at night a few months ago and these criminals banged him over the head with a pipe — they knocked him unconscious, and stole all of his possessions. They took his wallet, his iPhone, his sport jacket, even his shoes. They could have easily used his fingerprint to unlock his 1Password vault, if they were savvy enough. Even a known traveling companion could simply use your fingerprint while you’re sleeping. It just seems like such an easy “hack” to get your fingerprint onto the sensor against your will. Not to mention that recent laws in the USA have declared that Americans are not protected against being forced by government officials or police officers to put our fingerprints onto our fingerprint sensors. It just seems like the fingerprint sensor is such an easy attack vector that you can’t fully defend yourself against.

The downside to the PIN Code is that all casual observers (criminal or not) can casually observe you typing in your PIN Code. In which case, everyone would then know your PIN Code. Even a friend sitting next to you can glance over to see your PIN Code as you’re typing it in, and then he could be forced to reveal your PIN to someone else... or use it himself. And if you’re unlocking your 1Password vault in a public place with lots of security cameras (such as an airport), your PIN Code can then be recorded by the cameras, which creates permanent archived video footage of your PIN Code.

So it seems like neither one of these is the perfect solution, but which one is best?

And are there any better security solutions that we’re not considering?

I’m sure it sounds laughable that we’re typing up all of these paranoid situations, but if we want to be truly serious about security, we have to consider these situations seriously.

Thanks!
Scott


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @scotty321

    A PIN cannot be set for 1Password on Touch ID enabled devices. Touch ID is considered more secure than a PIN (the entropy is greater). In theory the most secure option is to not enable any convenience options such as Touch ID and to instead use a strong Master Password and enter that when you need to unlock 1Password. The difficulty is that at some point you reach a level where things are so locked down that 1Password is practically unusable. It is worth considering which options to enable or disable to balance security and convenience for yourself based on what attacks you are likely to face.

    Consider these scenarios you mentioned for example:

    They could have easily used his fingerprint to unlock his 1Password vault, if they were savvy enough.

    Sure; but in this type of petty theft the goal of the attackers is not to steal your data. It is to get in, get out, and unload the merchandise before the police catch up to them. They aren’t out to perform international espionage. I’ve referred to this cartoon by xkcd a few times on this forum but I think it is especially apt when folks start down this path:

    xkcd: Security

    And if you’re unlocking your 1Password vault in a public place with lots of security cameras (such as an airport), your PIN Code can then be recorded by the cameras which then creates a permanent archived video footage of your PIN Code.

    I’d pose the question: So what? In order to do anything with that information an attacker would need access to the video recording and your device (i.e. a targeted attack). Consider who has access to that video footage. Are you likely to be targeted by those individuals? If so are they likely to steal your device from you?

    If you are in a position where you are likely to be targeted by governments, for example, you may need to consider enabling fewer convenience options than you would as an average person. But if that is the case you may also want to consider the risk of carrying such sensitive data on your person at all in places where government actors have access to you.

    There are people who do have to worry about such attacks (whistleblowers, perhaps, for example), and 1Password can potentially help. That said, that sort of circumstance is extremely rare, and for the vast majority of us it is much more valuable to consider more realistic threats.

    So is it possible to use a 50-character Master Password which is the only way to unlock 1Password and have it auto-lock after 1 minute and every time you close the app? Sure. But I’d bet that would get frustrating to the point of making 1Password an impractical solution, defeating the purpose. Here is my recommendation for the average citizen who wants to increase security above the default settings:

    • Choose a strong unique password that can be memorized (perhaps a diceware password)
    • Enable Touch ID
    • Set 1Password to clear Touch ID if the device restarts[1] (requiring the Master Password)
    • If you are about to enter a potentially hostile environment (such as a border crossing) restart your device and don’t unlock 1Password while in that environment

    [1] The setting for that can be found in 1Password > Settings > Advanced > Security > Require Master Password

    So, keeping in mind that our goal is to have the highest level of security:

    The highest level of security is burying your phone on the moon in 24” thick concrete-encased steel, but that isn’t a very practical solution. :)

    Ben

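The following Python script is an added example (not from the original post, and not 1Password’s own code) that makes the “strong, memorizable Master Password, perhaps diceware” recommendation above concrete: it computes the keyspace entropy of a numeric PIN versus a diceware passphrase, picks how many words are needed to reach a target, and generates a passphrase with the OS CSPRNG. The 16-word list is constructed here purely for illustration (a real Diceware list has 7,776 entries, which is where the per-word figure comes from), and the guess rate used for the time estimate is an assumed round number, not a measurement of any product. Fingerprint matching is not a guessable keyspace, so Touch ID is deliberately not modeled.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real Diceware list
# has 6^5 = 7,776 entries; passphrase entropy depends on the list size.
SAMPLE_WORDS = [
    "acorn", "blaze", "cider", "dune", "ember", "fjord", "gable", "harp",
    "inlet", "jolt", "kelp", "lumen", "maple", "nudge", "orbit", "plume",
]
DICEWARE_LIST_SIZE = 7776  # standard Diceware list size (6^5)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace for `length` independent, uniformly chosen
    symbols drawn from an alphabet of `alphabet_size` entries."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 and length >= 1")
    return length * math.log2(alphabet_size)


def pin_entropy_bits(digits: int) -> float:
    """Entropy of an all-numeric PIN of the given length (assumes digits
    are chosen uniformly; human-chosen PINs are typically much weaker)."""
    return entropy_bits(10, digits)


def diceware_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of `words` words from a list of `list_size`."""
    return entropy_bits(list_size, words)


def words_for_target(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose passphrase entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware_passphrase(words: int, wordlist=SAMPLE_WORDS) -> str:
    """Generate a passphrase using the OS CSPRNG (secrets), never random.choice."""
    if words < 1:
        raise ValueError("need at least one word")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def expected_guess_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive attacker, who on average searches half
    the keyspace before hitting the right value."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    # Assumed, illustrative guess rate against a slow key-derivation function.
    ASSUMED_GUESSES_PER_SECOND = 100_000
    for label, bits in [
        ("4-digit PIN", pin_entropy_bits(4)),
        ("6-digit PIN", pin_entropy_bits(6)),
        ("5-word diceware", diceware_entropy_bits(5)),
        ("7-word diceware", diceware_entropy_bits(7)),
    ]:
        years = expected_guess_time_seconds(bits, ASSUMED_GUESSES_PER_SECOND) / (365 * 86400)
        print(f"{label:16s} {bits:6.1f} bits  ~{years:.3g} years at {ASSUMED_GUESSES_PER_SECOND:,} guesses/s")
    print("words needed for 80 bits:", words_for_target(80))
    print("sample passphrase (from the 16-word demo list):", diceware_passphrase(6))
```

A 4-digit PIN carries about 13 bits and a 6-digit PIN about 20, while five words from a full Diceware list give roughly 65 bits; the demo list above yields only 4 bits per word, so swap in a real list before using the generator for anything but illustration.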
  • I’m sorry if I wasn’t clear when I said:

    A PIN cannot be set for 1Password on Touch ID enabled devices. Touch ID is considered more secure than a PIN (the entropy is greater).

    Touch ID has more entropy than a PIN which makes it more secure, and is the reason why on Touch ID capable devices the option for a PIN (which will disable Touch ID) is in the advanced section. As I mentioned it isn’t possible to enable a PIN on a Touch ID enabled device. I really wouldn’t recommend using a PIN on a Touch ID capable device, but again you have to evaluate what threats you are likely to face and make your determinations based on those threats and the relative convenience of the options offered.

    Ben

  • Ben
    edited August 2018

    @scotty321,

    I’m sorry but I don’t believe we’re on the same page here. I’ll say it again:

    As I mentioned it isn’t possible to enable a PIN on a Touch ID enabled device.

    You can of course use either Touch ID or a PIN code, but you cannot use both. Enabling a PIN will disable Touch ID, and vice versa. That was my point. As Touch ID has more entropy we generally consider it to be the more secure option, but it is up to you to evaluate what threats you may face and make your security decisions accordingly.

    Ben

  • Ben
    edited August 2018

    The answer to that is incredibly subjective and situational. There isn’t really a valid “this one” or “that one” answer (there is no “absolute”). That said Touch ID is generally considered more secure for most use cases, and a strong Master Password (without either Touch ID or a PIN) would be the most secure.

    Ben

  • You're welcome. :smile:

    Ben

This discussion has been closed.