1) Play Store Beta distribution vs. HockeyApp 2) fingerprint reader 3) entering the master password

deanmucdeanmuc
edited January 2016 in Android Beta

With the latest beta versions being distributed via Google Play Store I am wondering how can I test the beta without having it to run on all my devices? With HockeyApp I was able to test the beta on a selected phone that never left my house. Now I have the Google Play Store beta on my EDC phone too and it is easy to image what happens should there be any serious bug or my phone gets stolen or lost.
Play Store betas are OK for "normal" apps but not for ones that take your privacy at risk.

The fingerprint feature is nice but there should be an option to use the fingerprint only as an replacement for the short time PIN. At the moment the fingerprint "replaces" your master password. Should the fingerprint reader of your phone be compromised or someone manages to spoof your fingerprint, all the data within the vault would be compromised too. There is no second line of defence like an additional password.

Is using two vaults (one quick-access-vault that can be used with the fingerprint reader and an extra secure one that is master password only) the only option or do I just miss something?

BTW there should be an option to show the master password before submitting - some apps have a small eye icon and show the password as long as you press the eye. My master password is quite long and I have to switch the keyboard layout two times, this makes it very hard to enter the password without errors, especially when there is no way to check the whole thing before submitting.

I am using the German app version hence some terms might not be 100% correctt

Comments

  • saadsaad

    Team Member
    edited January 2016

    Hey @deanmuc! Thanks for being part of our beta family. I would be happy to answer your questions.

    Once you are registered as a tester for 1Password on Google Play, your account will only have access to the latest version available, which will likely be the beta version. You will not be able to switch between beta and stable using the same account.

    However if you wish to have access to both the stable and beta versions, you’re welcome to register a different Google account for just the beta updates. Google Play allows you to switch accounts before downloading an app, so you can use your secondary account to install the beta and your primary for stable.

    Fingerprint Unlock is a huge convenience feature. It’s one of the fastest methods to unlock your vault on Android! It’s difficult to go back to entering the master password once you start using it. But while it may seem to be that way, Fingerprint Unlock does not replace your master password. @mverde wrote a great post on how Fingerprint Unlock works. It’s worth a read!

    Your suggestion for a timeout will be something I will bring up to the team. I think it’s worth looking over.

    Is using two vaults (one quick-access-vault that can be used with the fingerprint reader and an extra secure one that is master password only) the only option or do I just miss something?

    My apologies. I am having a difficult time understanding the two vault scenario. Could you explain again?

    BTW there should be an option to show the master password before submitting - some apps have a small eye icon and show the password as long as you press the eye. My master password is quite long and I have to switch the keyboard layout two times, this makes it very hard to enter the password without errors, especially when there is no way to check the whole thing before submitting.

    Great suggestion. I will pass this on to the team as well. Thank you for the amazing feedback!

    ref: OPA-761

  • @saad this timout option should then be optional so users can turn it off or on. Because in my optionen it is perfect the way it is at the moment, on android. I would hate it to have enter my masterpassword every time after the timeout just to re enable fingerprint auth. Because the fingerprint feature was implentet for convinence that then would go missing. And a pin is well less secure than the fingerprint. And good luck spoofing your fingerprint and stealing your phone.

  • saadsaad

    Team Member
    edited January 2016

    @ntimo Yes, I have to agree with the setting being an optional one like we have for other locking preferences. I also have the same preference as you when it comes to Fingerprint Unlock.

  • deanmucdeanmuc
    edited January 2016

    @saad

    a different Google account for just the beta updates

    I have to try this with one of my other accounts, thank you.

    Fingerprint Unlock is a huge convenience feature

    But you are losing a lot of security in return - and security is the key feature when it comes to password managers.

    While you can change your master password every day you cannot change your fingerprint if someone uses a fake copy of your fingerprint.
    Hence fingerprints like any other biometric feature should never be used as a sole key to unlock important data.

    Faking fingerprints has a very long tradition. Using a fingerprint scanner on a smartphone is an even greater risk as the owner's "original" fingerprints are all over the phone and can easily be used to produce an copy of the fingerprint.
    http://arstechnica.com/security/2013/09/touchid-hack-was-no-challenge-at-all-hacker-tells-ars/

    Apple on TouchID:
    With one finger enrolled, the chance of a random match with someone else is 1 in 50,000
    https://www.apple.com/euro/privacy/d/generic/docs/iOS_Security_Guide.pdf page 8, second paragraph

    That's why I thought using two vaults could give the users some convenience without losing too much security.

    One vault is unlockable by the fingerprint scanner and only contains less secure data like logins to webpages.
    The other vault can only be unlocked by the master password and contains logins to shopping sites, credit cards, secure notes and so on.

    There should be an option where Fingerprint Unlock does not replace entering of the master password but only of the PIN.

  • @deanmuc Hi, I totally get your point. But I think this then should still be optional so you can go with "unsecure" if you want more convinence. Oh and this is an Document from Apple you know we are talking about Android :D And still you use the faked fingerprint someone would need physical access to your phone. Good luck getting that so easy.

  • deanmucdeanmuc
    edited January 2016

    @ntimo

    someone would need physical access to your phone

    Yes, e.g. when it gets lost or stolen.

    Document from Apple

    I know, but Huawei was not able to supply me with any information about their fingerprint scanner - I am using an Honor 7. I assume that other scanners are about as good as Apple's.

    I wanted to point out that with all theoretical attack scenarios aside a fingerprint scanner is not a 100% failsafe product. I am afraid that a lot of smartphone users tend to see the fingerprint scanner as a convenient way so solve their security issues for them. They forget that it is much easier to copy their fingerprint in a few hours than to hack a 20+ char password with brute force methodes.

    And as along as they don't understand the risks of biometric systems they cannot make the right decisions what kind of data they are willing to secure by something that can be easily hacked and what data deserves a more secure but less convenient way of protection.

    Hence my suggestions how fingerprint unlock should be used in 1Password to avoid that a user loses all his private data with his phone.

    Knowing that users have the tendencies to use weak passwords and to choose convenience over security there should be very clear information what using fingerprint unlock means to the security of your data.

  • mverdemverde

    Team Member

    @deanmuc Your suggestion about providing clear information about the impact that using fingerprint has on the security of your data is an excellent one. We've added that to our list of things to do in preparation for releasing 1Password 6. Thanks for the feedback!

  • @mverde i would suggest an optional 2-step type solution: fingerprint+ so to speak.

    you can either simply use a fingerprint (if so equipped) OR a fingerprint and then either a pin or your master pw.

  • mverdemverde

    Team Member

    I'll pass along the suggestion for "fingerprint+" to our development team. It's not currently part of our development roadmap, but that is something that we can review as we continue to work on the beta. Thanks for the suggestion!

  • @mverde @saad

    Your suggestion about providing clear information

    But will Fingerprint Unlock be usable as a replacement for entering the short time PIN -and only the PIN- too or will Fingerprint Unlock replace the PIN and entering the master password at the same time like it does in the Beta?

    I have read in other threads that the Beta only handles one vault at a time, if It could handle at least two vaults with different security settings (!) the users would be able to have different vaults for different security needs.

    In the current implementation Fingerprint Unlock is useless for users with business critical data or with more than login data for the My Little Pony forum in their vault.

    You should take into account that until now you had everything under control - you wrote the encrypting/decrypting routines and as you didn't trust the system services for handling the keyboard input and the clipboard you did that as well.
    But now you lay the security of your users in the hands of the same operating system (Android handles the Fingerprint sensor) and hardware manufactures (the one who supply the sensors) you haven't trusted before.

    Frankly speaking I think that the security of the vault is the very heart of 1Password. Should someone lose important data just because he used an unsuitable way of securing his vault, I really doubt that he will blame himself - and finger-pointing from your company to Google and Google to the hardware manufactures will make things even worse for everyone - except Gizmodo & Co.

    And as a software developer you will certainly agree that nothing breaks Murphy's law.

    I have turned Fingerprint Unlock off for now. But it would be of big help when switching back and forth between 1Password and other apps.

  • @deanmc you got some serious problems. If this data is so important than don't even store it on your phone?

  • deanmucdeanmuc
    edited January 2016

    @ntimo
    What do you mean by "some serious problems" - where was I wrong? (these were only rhetorical questions)

    I thought that everyone who uses 1PW is interested in securing his data and with categories like Logins, Credit Card, Identities, Secure notes, Software Licences and Password and the slogan "Keep your information safe and secure" I thought that we are all standing on the same side.

    I cannot understand why people would use a password manager in the first place when they are only to willing to open a less secure backdoor- a chain is only as strong as its weakest link

    But if one of the developers will just make a short list of data that should not be stored in 1PW because they can't guarantee the security of the data even with a 20+ char master password, we have a totally different discussion here.

  • @deanmc Yes thats right, that we all stand on the same side. When it comes to our data security. For me fingerprint unlocking is perfect the way it is at the moment. Because I have an encrypted phone that when it gets stolen is well kind of hard to break. But I can understand that for you fingerprint unlock is more unsecure, than only using the master password. But the same applys for a pin code witch is more unsecure than a fingerprint. And I would say that you can trust the Android system in handeling the fingerprint authentication at least on an nexus phone.

    But we will have to see how the final 6.0 version will look like.

  • mverdemverde

    Team Member

    Aside from adding Fingerprint Unlock support to the 1Password Keyboard, we don't currently have any plans to change the way that Fingerprint Unlock works in 1Password 6. You will have the same choice between using either your Master Password, PIN Code, or fingerprint to unlock your vault as you currently do in the beta. Although suggestions like "fingerprint+" aren't being considered for this release, we will review the idea when considering features for subsequent updates.

  • @mverde
    Thank you for the feedback.

  • mverdemverde

    Team Member

    @deanmuc You are very welcome :) Please let me know if you have any other questions!

This discussion has been closed.