Question regarding password autofill in ios 12

In ios 11, when I used the share sheet to call up 1P to enter my password, if the 1P app was not unlocked (i.e. I hadn't entered my master password within the last hour in my case), I would be prompted to enter my master password before I could access the relevant saved password - as expected. Following this, the 1P app and the share sheet integration in Safari would remain accessible using FaceID (this is on an iPhone X) for the next hour, before locking again and requiring the master password thereafter. The point is that I was able to unlock the 1P app by entering the master password in the Safari share sheet, and the app would remain unlocked (protected via Face ID)

In ios12, if I unlock 1P using the password autofill function in Safari, the behaviour has changed. Now when I do this and then subsequently click on the 1P app, the app is locked, and I have to enter my master password a second time to unlock the app (even though I had entered my master password just before while using the safari password autofill feature).

Not sure if it matters, but under advanced - security, always show lock screen for password autofill is toggled on.

Comments?

Comments

  • geekay
    edited September 2018

    I just tried this on iOS 12 with iPhone SE. Not sure if it is relevant, but it seems like - as long as we leave the app (not even killing it) after filling in the master password through any means, even for a split second, it'll automatically lock itself.

  • Yes, but there is a difference in the behaviour now. Prior to ios12, once you entered the master password (either in the 1P app or via the share button in the browser), further attempts to access stored passwords that occurred within the time window set in the security settings for 1P would only require a PIN or Touch ID or Face ID, until that time window expired. With ios12, this no longer appears to be the case. Entering the master password via the share button in safari does not seem to have any impact on the status of the 1P app itself. If I enter the master password in safari to access a stored password, then immediately leave safari and open the 1P app, I am asked for my master password again, even though I just entered it, and I am well within the time window set in the app to allow biometric or PIN authorization.

    Can @Ben or @brenty or anyone else from Agile Bits weigh in on this?

  • Ben AWS Team

    Team Member

    @cryptomanic

    I’m not able to reproduce that behavior here. Do you have ‘lock on exit’ turned on in 1Password > Settings > Security? If so that would explain it.

    Ben

  • I did have that toggled on. I might be wrong, but I think I had it turned on in previous versions too, without this effect. But I have now turned it off and will monitor to see if this issue persists.

  • Ben AWS Team

    Team Member

    :+1:

    Ben

  • Nope. Toggling that switch made no difference.

  • brenty

    Team Member

    @cryptomanic: I think there may just be some confusion with iOS 12 Password Autofill, which is not actually 1Password, but rather an OS feature Apple has allowed 3rd party apps to integrate with. 1Password does not control the "unlocking" behaviour of iOS Autofill, or its UI. I'm not sure I understand what you're trying to accomplish though. Can you clarify what you're trying to achieve? Maybe there's something I can suggest.

  • @brenty

    I am not sure I can explain it more than I did in my first two posts in this thread. But basically, I don’t want to be asked over and over again for my master password after I enter it once from within safari (either in the password auto fill function or in the 1P lock screen overlay - I have tried both with the same result) and am within the lockout time set in 1P. Once I unlock 1P with my master password (whether this is done in the app or the browser), I would like it to stay unlocked for the time set in the app and only ask for touchid or faceid for reverification during that time. This was the behavior in iOS 11 and earlier when unlocking 1P via the share button in safari. When the password auto fill feature is enabled, it no longer functions this way, even when 1P is set to always show the 1P lock screen. The only way I can get it to work as desired is to leave safari, open the 1P app, and unlock using my master password, then go back to safari - in that case, I will not be asked to re-enter my master password for the duration of the time set in the 1P app settings.

  • brenty

    Team Member

    @cryptomanic: Even though I'm sure you knew exactly what you meant yourself, you really weren't clear about specifically what behaviour you want, so thank you for clarifying! :)

    I don’t want to be asked over and over again for my master password after I enter it once from within safari (either in the password auto fill function or in the 1P lock screen overlay - I have tried both with the same result) and am within the lockout time set in 1P. Once I unlock 1P with my master password (whether this is done in the app or the browser), I would like it to stay unlocked for the time set in the app and only ask for touchid or faceid for reverification during that time.

    That's how it works here, so I'm not sure why it would be different in your case. Whether I use only iOS Autofill or open 1Password from there, I'm just prompted for biometrics (Touch ID, in my case). The only exception I'm aware of is that iOS Autofill requires the Master Password a few times at first before biometrics are enabled, but after that the password is not required. You haven't mentioned the specific iOS and 1Password versions you're using, or your security settings. Maybe there's something different about your setup.

  • @brenty

    I am using ios 12 as released last week. 1P is the latest version available on the ios app store. Using iPhone X. Same behaviour on iPad Air 2, with same versions of ios and 1P and settings described below.

    Settings in 1P are as follows:

    • Security: Lock on exit on (have tried this off as well, as per @Ben 's suggestion, but it made no difference). Autolock 1 min. Face ID on.
    • Advanced - security: Require master password after 1 hour. PIN code off. Password autofill on. Always show lock screen for Password autofill on (have tried this off as well, does not seem to affect the behaviour described above and below).

    To reproduce the issue:
    1. Start with being signed out of 1P altogether (i.e. 1P is in the state where the master password is required to be entered and Face ID cannot be used - e.g. after power on of device, or after "require master password after" period expires).

    2. Browse to site in safari where credentials stored in 1P are required

    3. Position cursor on user name field

    4. Use password autofill feature on keyboard. Master password must be entered first (see step 1). Success.

    5A. Exit safari (home button or swipe up). Open 1P app. Master password will be required rather than Face ID even though master password was entered seconds ago. (In ios 11, where password autofill was not available and 1P was used through the share button in safari, unlocking 1P in safari via the share button was equivalent to unlocking the 1P app itself, and in this step (5A), the master password would not be required a second time).

    5B. Alternatively, or in addition to 5A, open a new safari tab and browse to another site where stored credentials are required. Position cursor on user name field and attempt to use password autofill feature from the ios keyboard. Master password required again, even though it was just entered in another tab.

    One wrinkle - I do generally use private tabs in safari (the black coloured tabs instead of the white coloured tabs). Is this what is getting in the way of the 1P signed in state being maintained? If so, it seems like the only way around it would be to either stop using private tabs, or turn off 1P password autofill and revert to the pre-ios12 behaviour of using the share button.

  • Argh - I typed in a long detailed response to the previous post by @brenty and it disappeared. Will attempt to recreate it, and apologies in advance if this lands up being a duplicate post.

    My setup:

    • ios version 12 (as released by Apple last week)
    • 1Password - most recent version in ios app store
    • use iPhone X and iPad Air 2 - same behaviour observed on both devices

    1Password settings:

    • Security - lock on exit: on (I have tried this off, as suggested by @Ben, but it makes no difference)
    • Security - autolock: 1 minute
    • Security - Face ID: on (this would be Touch ID on the iPad)
    • Security - clear clipboard: On
    • Security - conceal passwords: on
    • Advanced - security - require master password: 1 hour
    • Advanced - security - PIN code: off
    • Advanced - security - always show lock screen for Password Autofill: on (I have tried this off as well, but it makes no difference)

    Steps to reproduce this issue:
    1. Start with 1P in a state where the master password is required (e.g. device freshly powered on, or time specified in Advanced - security - require master password has been exceeded).

    2. Open a new tab in safari and navigate to a site where credentials stored in 1P are required

    3. Position cursor in user name field. Use PAF (password autofill) function of ios keyboard. Master password will be required. Select credentials. Login. Success.

    4. Leave safari (home button or swipe up). Tap on 1P app. Master password will be required, even though the master password was just entered, and we are within the time specified in Advanced - security - require master password. In ios 11 and below, where there was no PAF and 1P was accessed in Safari via the share button, after entering the master password in safari, 1P would not require the master password to be re-entered (as long as we were within the time specified in Advanced - security - require master password) and Face ID or Touch ID would be required at this step, instead of master password.

    5. Alternatively to step 4, or in addition to step 4, open a new tab in Safari and navigate to another site where credentials stored in 1P are required. Position cursor in user name field. Use PAF (password autofill) function of ios keyboard. Result: master password will be required, even though it was just entered in the other tab.

    I have found that this problem can be mitigated by either:
    1. Disabling PAF and reverting to use of the share button in Safari instead of PAF (i.e. pre-ios 12 behaviour). This has the undesirable effect of preventing credentials stored in 1P from being available in apps where the share button is not available, where PAF would be available when entering credentials
    2. Prior to step 1 in "steps to reproduce this issue", open the 1P app and enter the master password. A small inconvenience, but an interruption in the normal workflow, and needs to be repeated whenever the time specified in Advanced - security - require master password is exceeded.

    I am not sure if this is part of the issue, but I tend to use "private tabs" in safari (grey/black rather than white) - could this be preventing 1P from accessing its signed in/not signed in status?

  • brenty

    Team Member
    edited September 2018

    @verdi1987: I think we're talking about different things here, since you were referring to 1Password's unlock behaviour and (I believe) cryptomanic is referring to the iOS 12 Password Autofill feature's unlock behaviour, but I appreciate you posting the link here for context. It's confusing enough that one or all of us could be misunderstanding each other. :lol:

  • brenty

    Team Member

    @cryptomanic: Unless I'm misinterpreting your description, it sounds like what you need to look at more are iOS security settings, since those are relevant to the Password Autofill unlock behaviour. What do you have setup in iOS Settings > Touch ID & Passcode?

  • @brenty:
    I assume you are asking whether under Settings - Face ID and passcode - other apps, I have 1P turned on. Yes, it is toggled on to use Face ID (or Touch ID on my iPad). Is there another setting in that menu that you are interested in?

  • verdi1987
    edited September 2018

    @brenty, I was referring to 1P's unlock behavior when used with iOS 12 AutoFill. My experience also involves repeated prompts for authentication by 1P after an already successful auth.

    While @cryptomanic is referring to iOS 12 AutoFill unlock, I believe he/she is referencing being prompted for the 1P password (or Touch/Face ID) as opposed to the device authentication for iOS AutoFill.

  • Ben AWS Team

    Team Member

    Password AutoFill requires authentication every time it is used, unless you have 1Password > Settings > Security > Lock on Exit OFF and 1Password > Settings > Advanced > Security > Always show lock screen for Password AutoFill ON. I just tested with these settings and am no longer prompted for Touch ID on each use.

    Ben

  • @Ben, I am confused as to why "Always show lock screen for Password AutoFill ON" results in not being prompted for authentication.

  • @Ben: Interesting. I am not sure I tested that exact permutation of settings. I will give it a whirl and report back

  • Ben AWS Team

    Team Member
    edited September 2018

    @verdi1987

    Because with that setting OFF you’re dealing with Password AutoFill instead of 1Password, and when configured that way Password AutoFill always requires unlock for each use. You don’t deal with 1Password’s lock settings at all if that is turned off.

    @cryptomanic

    :+1:

    Ben

  • @Ben: No dice. Same behaviour occurs. When I enter my master password while using the PAF feature in safari, it has no impact on whether I am signed into the app. When I go back to the 1P app immediately after entering the master password to access PAF in safari, I am asked for my master password again.

  • Ben AWS Team

    Team Member

    @cryptomanic

    Does this behavior change if Touch ID / Face ID is enabled in 1Password? I do believe that is going to be the difference here...

    Ben

  • @Ben, if you disable iOS Settings > Face ID & Passcode > Password AutoFill, you do not get prompted by iOS for authentication during AutoFill. With that setting disabled, there are scenarios that result in repeated auth prompts by 1P.

  • @Ben - Throughout all these posts, I have never not had Touch ID/ Face ID enabled - it has always been on (refer to my previous posts) - so I don't think that is the issue.

  • Ben AWS Team

    Team Member

    This seems like a case of there being too many settings, and it seems likely that there is a conflict between some of them. Unfortunately I don’t have a definite answer to share here, but what I can say is that with these settings this works for me as you seem to want it to:

    When I use Password AutoFill and unlock and then subsequently launch the 1Password app it is unlocked, so long as that happens before the Auto-Lock timeout is reached.

    Ben

  • @Ben: That is exactly the same as my setup, except I have auto-lock set to 1 min (you have 2 min) and require master password after 1 hour (you have 2 weeks). It doesn't make sense that either of those settings would be causing this problem.

    One thing though - you mentioned "so long as that happens before the Auto-Lock timeout is reached". If the autolock time out is reached, but one is still within the time interval for "require master password after...", the app should ask for Face ID / Touch ID, rather than the master password. What seems to be occurring is that the 1P app is not recognizing that the master password was entered via the interface in safari.

  • verdi1987
    edited September 2018

    I've done a screen recording that illustrates what I am experiencing.

    There is nothing particularly sensitive in the recording.

    https://www.dropbox.com/s/jipsu1pvxxioq7f/Master Password prompt.MP4?dl=0

    My expectation is that after successfully entering the Master Password to fill my 1P Discussions login, I would not be prompted again for the Master Password, as I have "Require Master Password" set to Never, "Lock on exit" is off, and auto-lock is 10 minutes.

  • Ben AWS Team

    Team Member

    The fact that the Master Password is being asked for at all when using the above settings seems to have some bearing on the outcome. If your settings match mine posted above you shouldn’t be asked for the Master Password at all. Since it isn’t happening that way I’d suggest a reinstall of 1Password. Please note that uninstalling 1Password will remove all 1Password data from the device, and so you’ll need to sync your data or backup & restore using 1Password’s built-in backup function.

    Ben

This discussion has been closed.