[SUGGESTION] iOS 8 and Touch ID Integration

Guys, I know you are excited about the new Yosemite and iOS 8 features and already think about integration of some of the feature. I know you won't and perhaps can't tell more about upcoming updates. But in case you think about unlocking with touchID. I would really like to have that feature but with the option to have 2 factors (as Fingerprint can be hacked). Unlock with touchID and a PIN (for example the already configured quick PIN) - this should be still high secure and faster than enter the complex 1Password master password. :)

Comments

  • MrRooniMrRooni

    Team Member

    Thanks for the feedback, @telephoneman‌. Can you go into some more detail about the fingerprint can be hacked? I'd love to read up on it more.

  • fridaynightlightsfridaynightlights Junior Member

    I think Touch ID is a perfect substitute for the quick PIN. People who aren't exactly comfortable with a total replacement with Touch ID can still enable the Master Password.

  • MikeTMikeT Agile Samurai

    Team Member

    Hi guys,

    Just to be clear, even if we do add TouchID, it will not be mandatory by default. Just as TouchID on iOS devices requires you to have a passcode, you still have to have a master password to encrypt the data initially. TouchID cannot take over the encryption key on its own.

    Once you do create or enter the master password, you can then choose to enable TouchID to take over the PIN code or the master password if we go that way and it is likely to be on a timer. It will be optional and you will choose how it works, the same way you can choose how PIN works since it can replace your master password in the recent versions.

  • It might not be very safe to be able to unlock your iPhone and 1Password with the same password (fingerprint), I read somewhere a few months ago that you could use the fingerprints on the iPhone (those present when you touch your iphone) to create a plastic replica of your fingerprint and then recreate it to unlock your iPhone, if that is true and can be done it might not be safe enough.

  • edited June 2014

    @MikeT @ssdeg7 @MrRooni‌ that was ssdeg7 wrote is meant. The plastic replica (its approved by several computer newspapers)- as my iPW stores high sensitive data I would suggest to let users choose to use fingerprint (which is easy) and enter the quick pin. This should be still secure and way faster than the complex master password. Sure optional a user could also choose only to use fingerprint- but there should be an option to use the PIN in addition.

    Suggested workflow:

    • Use master password as it is in 1PW
    • Add option to unlock with touch ID with Option to choose Unlock PIN in addition

    I don't know how the new APIs work, but I would assume that iPhone would never ask again for 1PW Masterpassword after 1PW is initially "registered" in touch ID. I would assume that IOS Device password for initial general unlock of TouchID should be enough to unlock the 1PW vault. isn't it?

    General Idea is to improve and make unlock process more comfortable and faster without loosing security. (TouchID is extreme fast - I love it on my 5S - most impressive gadget Ive seen a long time). My Master password is complex and it must remain complex, but typing this in the little iPhone screen is hard stuff - especially when I'm in a hurry. So just authenticate with my finger and quick enter the PIN should be fast and still secure enough. Just the fingerprint is way more faster and comfortable but as the plastic finger trick is there... Maybe I'm paranoid, but I would feel more secure when there is a way to control authenticate by a PIN which only I know :) - but yes - The unlock PIN just optional for TouchID not mandatory for the non paranoid guys ;)

  • MikeTMikeT Agile Samurai

    Team Member
    edited June 2014

    Hi guys,

    You're talking about the dummy fingerprint mold, that takes a lot of efforts but yes, it can fool the fingerprint scanner. It's better than other scanners that only requires a simple printout.

    There are pros and cons of any authentication methods. We have many users who are choosing to store their master passwords in iOS keychain and configuring 1Password to never prompt for the master password nor the PIN code.

    As you guys already mentioned, for these users, the fingerprint would be secure to use if they enable this rather than having nothing.

    TouchID encourage the iPhone users to have a passcode on their devices and that's always a good thing.

    However, let's just see what we can do with TouchID, and go from there. We probably would have an option to enable PIN in additional to TouchID to make it slightly more secure for some of you. :P

  • Hi, I'd also like to see integration of TouchID in 1Password. But just as a replacement for the current quick PIN not for the master password. At least I'd like to have an option after how many minutes (1min, 5min, never) I need to enter my master password.

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @martinlange,

    Thanks for sharing your thoughts with us. We probably are not going to make TouchID a replacement for the master password (note, this is not possible without having a master password since we use your MP to encrypt/decrypt the data), it would be optional as mentioned earlier in the thread here and it should be optional to use it for PIN code as well.

  • How hard would it be in settings just to have a panel called "Security Options"? Within that setting have it so you that can check what you want to use when starting your app. You can choose TouchID and Pin or just TouchID or just PIN or any combination of the three. That way you have flexibility and still require a master password for the encryption and decryption (also so they can use their keychain on other devices). You can require it so that one is always required and will allow a much greater flexibility all while still offering peace of mind in security.

  • MikeTMikeT Agile Samurai

    Team Member
    edited June 2014

    Hi @english06,

    How hard would it be in settings just to have a panel called "Security Options"?

    Not sure what you mean, we already have that. It's in Settings > Security inside 1Password, which shows you all the related security options and would be the place to configure TouchID along with your MP and PIN.

    You can require it so that one is always required and will allow a much greater flexibility all while still offering peace of mind in security.

    Just to be clear, you cannot use 1Password without having a master password, no way around it. Using TouchID will require the master password in some ways. You can enable to have the master password stored in your device keychain, just like the PIN code, which would reduce you to only need to unlock it once per reboot or you can choose not to have this and only use TouchID after you unlock the app, which would require the master password once per app session.

  • A few months ago, long before the WWDC 2014 i thought about great new features which iOS 8 can have. One of them where the expansion of the TouchID so i can be used for every Application. I talked about this with other people and with developers. The all say that the can't imagine how this would be helpful. My example in every discussion was the unlock of 1Password. I have a password 30 letters long it a mix of letters, numbers and some other symbols like Question-marks etc. and it takes al long time to enter this password on my iPhone and iPad. So TouchID would make my live more easy. With that every person i talked to was the same onion than my - it would be a really great feature. When i watched the WWDC live on my Apple TV i was really really happy that the announced exactly the feature that i wanted :) So now it's your turn to implement the new TouchID feature and i hope you will do this as quick as possible. It would be great if this feature comes with one of the next 3 Beta-Versions of 1Password. I know that you canÄt suit an update with the iOS 8 API used until iOS 8 is released in public, but you can use this for the beta versions.
    I don't know exactly how difficult it is to include the TouchID but a few developers ho are my friends were live at the WWDC and talked to dev's from Apple and other companies and they said that it's not to difficult to include it and in their opinion the coding is really fast.
    And i Have another idea: Not everyone want's to use TouchID or the have a device that doesn't support TouchID. So my idea is: Release a version for the same price as i actually is and release an In-App-Purchice for the TouchID Option so people who want's it can buy the feature for a low price, let's say $0,89 or max $1,99 so this pea pole would be happy and also the persons who doesn't want the feature are happy because the don't need to pay for a feature they can't/doesn't want to use. The absolutely best deal would be if the TouchID feature will be added in a free update but i think this would not happen.

    So i think i don't get an answer to this question but i'll try it: Do you plan to include the TouchID API and if yes when do you plan to release the first iOS Beta with this feature? You wold make me really really really happy if you answer to my question or if you just release a new Neta with the feature enabled in the next few days :)

    And one last idea: For the next Version - 1Password 5 - rewrite the whole application with the new language Swift. This language is not only easier to learn and write. Big applications that are recoded with Swift are often faster and run better.

    So i think thats enough for today :)
    I really hope you are doing a statement or at least an answer to my post.
    And sorry for my bad english at some points of the text but i'm from Germany and had english language only at school and thats's nearly nothing. The rest i learned for my self but i could be better. But better than nothing ;)

  • MikeTMikeT Agile Samurai

    Team Member

    . I don't know exactly how difficult it is to include the TouchID but a few developers ho are my friends were live at the WWDC and talked to dev's from Apple and other companies and they said that it's not to difficult to include it and in their opinion the coding is really fast.

    It is probably easy and quick to add the TouchID APIs to majority of the apps that do not have encryption nor their own locking system.

    However, it does not mean it'll be easy to change over to TouchID for apps that already had its own locking system, and one of them happens to be 1Password. We would have to overhaul our entire locking system to work with TouchID and make it flexible since not everybody can use or want to use it.

    In addition, remember that we're dealing with early betas of iOS 8 and its APIs. There will be bugs with TouchID and other new APIs introduced in iOS 8, developers have to test the APIs and see if their apps will work with it. They have to file bug reports on anything that's broken and missing.

    Whatever's broken or missing can't be added the next day, it often takes weeks and months to get the APIs fixed by Apple. That means apps who want to use these new APIs cannot be released to beta testers until the new betas are out. Once the new betas are released, we have to test the code again and if it works, we release it to beta testers, if it doesn't work, it must be left out until the next iOS beta.

    We're doing our part to test the implementations and to file bug reports with Apple.

    The point I'm trying to make is that we have to be patient here and remember that there are many unfinished parts of iOS and APIs and it's only been a month since WWDC. It's going to take some time.

    Do you plan to include the TouchID API and if yes when do you plan to release the first iOS Beta with this feature?

    We want to, that's all I can say right now. We do not know anything until later when all of the parts are aligned at the right time.

    For the next Version - 1Password 5 - rewrite the whole application with the new language Swift. This language is not only easier to learn and write. Big applications that are recoded with Swift are often faster and run better.

    Please understand that Swift is a very young language, it would be unwise to switch to Swift completely for complex apps that relies on mature APIs and runtime, one of which is 1Password.

    Swift is also in an early beta just like iOS 8 and Yosemite. Developers have this complex issue where they do not know if they have a bug in their own app or if it is a bug in Swift. Many developers just cannot afford to hold back apps to fix issues with Swift, they must deal with their current customers and that means they'll have to stick with Obj-C for now and deal with Swift later. Plus there are many new APIs they can play with now for Yosemite and iOS 8.

    We've seen many bugs reported for Swift and many unfinished parts of Swift that's going to take several months to release. Shift has been shown to be slower than Obj-C in certain areas already, so it's not faster in all areas by any chance.

    Right now, Swift is the least of our concerns. It won't happen for a long time. We're focusing what we can do now, which is iOS 8 / Yosemite and its new APIs.

  • edited June 2014

    Just saw the latest Beta release notes, it looks like I'm going to be very happy, once I have a device with iOS 8. For now, I just follow your emails with glee :)
    And @MikeT, thumbs up for your sane response to Swift etc.!

    PS: Looks like Emoji break your message board :) edited.

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @Jonathan Lang‌,

    Yep, we're having fun playing with the new TouchID and Safari extension. You should find that iOS 8 device quickly, so you can join in the fun. :P

    Which emoji?

  • Its gread that you are working on TouchID. It made me very very happy as i read in the release notes that TouchID is included. I downloaded the Update imidietly. But than i became realy said as i tried to activate TouchID and the slider deaktivates itself only one secound after activation. I tried several things e.g. deleting the whole app and reinstalled it or cleaned the data and set up sync but nothing worked. Then i came to the Beta forum and saw that nearly everyone has the same Problem. Only one person who did a clean install of iOS 8 instead of a Update reported that TouchID is working on his device.
    So i hope you fix the issue very quick because as i said before TouchID would make my life a lot easiert and stress-Free because i don't have to insert a 30 Digits long password i only habe to put one finger on the homebutton and 1Password get's unlocked. I use 1password 30-40 times during a normal day. But if i have a lot to do or i have to work on different networks where every pc in the network has it's own password then i habe to enter the password about 100 times per Day and thats very annoying. Also the quick unlock Option disappeared in the nee Beta so i habe to enter the whole Password again and again.
    Now you Probably think "Then use a shorter password". Saidly this isn't possible because i use one big Keyfile for the whole Passworts for all networks i have to work with and also the passwords for my Bank-Accounts etc. So the password for the Keyfile has to be as save as possible.

    So sorry for the long text but i wanted to let you know why many people including me need TouchID as soon as possible and why it's so Important that it works :)

    And Sorry If there are some mistakes in the Text, i Worte this with my iPhone and because im from germany Auto correct searches for German wordsd's Weich sometimes leads to very funny mistakes. Also the Text is too long for me to find all mistakes :)

  • thightowerthightower T-Dog Agile's Mascot

    I have Touch ID working on 2 iPhones but they also were clean installs. Found out it usually makes for a better less bug prone experience to start new.

    That's not to say it's 100% perfect It clearly has some work to be done but it is by far a much easier to use than previous versions. I hope you guys get to see it soon it.

  • MrRooniMrRooni

    Team Member

    Good morning @noX1609, glad to hear you're excited about the Touch ID integration! We are looking into the trouble that folks are having enabling it within 1Password. Stay tuned!

  • rolflrolfl
    edited June 2014

    @MrRooni I got TouchID working using iOS8 upgrade path :-)

    Can you explain a bit more about the intended work flow, is TochID just for use after timeout/LockOnExit ?

    So far I believe it is like this:

    1) Requires master password at first start

    2) Unlock after timeout or LockOnExit can use TouchID

    3) Clicking LockNow in security panel again requires master password - Why?

    I'm a bit concerned that on TouchID you also allow device PIN to unlock. I don't really consider device pin to be that secure. I think we need an option here.
    Maybe the second option should be master password rather than device PIN?

    Can you make it an option to use TouchID on on first start?

  • MrRooniMrRooni

    Team Member

    Touch ID is part of the new Quick Unlock mode in 1Password 4.6 that uses the device's PIN code/Touch ID to unlock your vault. The very first time you use 1Password you will need to enter your Master Password, but once you've enabled Quick Unlock/Touch ID your Master Password is stored in the device's keychain and is accessed automatically when you authenticate with your fingerprint or device PIN code.

    Tapping Lock Now in the Security panel locks with the Master Password because that's the safest and most secure locking mode. We didn't want to lock to a lesser mode when explicitly invoked.

    We'd love more feedback on this new way of doing Quick Unlock!

  • MikeTMikeT Agile Samurai

    Team Member

    Hi guys,

    Just to clarify on MrRooni's statement on this:

    but once you've enabled Quick Unlock/Touch ID your Master Password is stored in the device's keychain and is accessed automatically when you authenticate with your fingerprint or device PIN code.

    The keychain is isolated to 1Password app and cannot be read by other apps. In addition, this is not a part of any keychain that is synced over iCloud. This is isolated to your local device, only accessible via fingerprint/unlock code and only after the device is unlocked.

  • @MrRooni @‌MikeT ,

    Can you make it an option to disable device PIN use with touchID/quickUnlock?

    I only see a toggle to enable touchID and not mention of PIN in the security screen.

    I have to use simple device PIN as I sometime use waterproof case and hence have to enter device pin and a complex PIN is not an option for me in this use mode. Hence, device PIN is not secure enough for 1PW use.

  • MrRooniMrRooni

    Team Member

    We're still considering all the implications of this new unlock style and will most likely be making some improvements to it going forward. We will certainly keep your use case in mind! Thanks for the feedback, we really appreciate it.

This discussion has been closed.