TouchID: 1Password v internet banking apps

kalash
Community Member

I've read in several posts that 1Password is not informed when changes to a device's TouchID setup are made. Hence, anyone who knows your device passcode (often a 4-digit PIN) can access a TouchID-enabled vault after adding their own fingerprint in the iOS settings panel ( = low security).
At the same time, I am using at least two Swedish internet banking iOS apps that deny one access through TouchID when a fingerprint has been added (or removed or edited). I have tried it myself. TouchID login is then no longer available, you have to provide other codes. In 1Password, this would mean your Master Password.

It seems to me that this should be a key concern with AB. Could anyone tell me how it is that banking apps are able to get this information (i.e., changes to TouchID), but not 1Password?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
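
For reference, iOS offers two ways for an app to notice a change to the enrolled fingerprints; the sketch below is an added example, not 1Password's or any banking app's code, and the thread does not say which mechanism those apps use. The service name and function names are hypothetical, and `.biometryCurrentSet` was named `.touchIDCurrentSet` before iOS 11.3.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical service name for this example; not taken from any real app.
let vaultService = "example.vault.unlock-secret"

/// Option 1: bind the stored unlock secret to the *current* set of enrolled
/// fingerprints. Adding or removing a finger in iOS Settings invalidates the
/// item, so later reads fail and the app must ask for the master password.
func storeUnlockSecret(_ secret: Data) -> Bool {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &error) else { return false }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: vaultService,
    ]
    SecItemDelete(base as CFDictionary)   // replace any earlier item
    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil) == errSecSuccess
}

/// Option 2: take an opaque snapshot of the biometric enrollment state.
/// Returns nil when biometric authentication is unavailable.
func currentEnrollmentState() -> Data? {
    let context = LAContext()
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: nil) else { return nil }
    return context.evaluatedPolicyDomainState
}

/// Compare with the snapshot saved when the user enabled Touch ID unlock.
/// A mismatch (or no snapshot) means: fall back to the master password.
func touchIDStillTrusted(savedState: Data?) -> Bool {
    guard let saved = savedState,
          let now = currentEnrollmentState() else { return false }
    return saved == now
}
```

The snapshot from `currentEnrollmentState()` should be saved at the moment the user turns on Touch ID unlock, after a successful master password entry, and refreshed only after the master password is entered again.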

Comments

  • Hi @kalash!

    Great question. It is possible this has changed in an iOS update. I'll check in with our developers and see what, if anything, we might be able to do in this regard.

    Thanks!

    Ben

  • kalash
    Community Member

    Any updates on this @Ben ?

  • AGAlumB
    1Password Alumni

    @kalash: Nothing to share at this time, but it's something we're exploring. :)

    ref: OPI-3419

  • kalash
    Community Member

    So, another 9 months have passed.... Any update? I still regard it the single most compromising feature of 1Password, since there are occasions where I need to share my passcode with someone else.

  • AGAlumB
    1Password Alumni

    @kalash: Nothing to announce at this time.

    Keep in mind that if you share your passcode with someone else (I wouldn't, but I guess it's your call), you can always change it afterward.

    It's something we're interested in, and if we can do it reliably we'll add this feature. "Banking apps" have a lot less to deal with compared to 1Password's lock mechanisms (which apply both to the main app and extension, with regard to timers, app state, and device state), so it's not as simple as you might think. ;)

  • I can’t make any promises, but I can say that this is something our developers have been taking a close look at recently.

    Ben

  • prime
    Community Member
    edited October 2017

    Personally I don’t get sharing a password of a phone with people (unless it’s my wife, but that’s it). You open yourself to some major issues, and asking an app developer to fix your issue, to me, isn’t the way.

    Now if you must do this, just turn off the Touch ID to 1Password and make it so you have to put in your master password to unlock, and not a finger.

    An app developer can only do so much, we’re the people who need to be careful and responsible for our own security. Internet security starts with us, the user.

  • I think the much more common scenario is sharing of an iPad, prime. Many families can’t justify the expense of an iPad for each family member, and so one may be shared. I agree it isn’t an ideal situation, as iOS is a single user platform. It really isn’t designed to have multiple users share a device. But it is a very common scenario, especially with iPads.

    Ben

  • prime
    Community Member

    @Ben true, but these people will most likely keep the fingers on the Touch ID, so the whole adding a finger and removing it all the time wouldn’t be an issue. And why I said for this, just remove Touch ID for 1Password and now the master password is needed. A person can add a finger all they want and it won’t work for 1Password, security starts with the user ;)

  • I don’t disagree, prime. :)

    Ben

  • prime
    Community Member

    @Ben should have worded it better. My apologies :)

  • I got what you’re saying. :)

    Ben

  • kalash
    Community Member

    I suppose it may be common that users sharing an iPad all have their fingerprints enrolled, so my case doesn’t really apply there.

    My most common use case is for music control when friends are over, or a party. You’re playing music through your phone or iPad, and there’s always that guy who has to queue a few tunes. Hence, that guy ‘just has to’ have your passcode. Once you’ve given that out, just because that guy had such a strong urge to listen to his own music, you’ve basically given access to all your passwords on hundreds of sites.

    My point is, it’s a problem.

  • prime
    Community Member
    edited October 2017

    @kalash as I said, then make it so the Touch ID is off in 1Password. This makes it so you have to use the master password to get in 1Password. Unless the password to your phone is the same as for 1Password, this is the best idea.

    You can also activate Guided Access. You can lock an app so it’s the only app that can be used unless you use a passcode (different from the phone itself). I actually did this to an iPod Touch at a party. Music app was the only app anyone can access, so anyone can play music, and have zero access to the iPod Touch.

    Screenshot below

  • kalash
    Community Member

    Theoretically, I completely agree with you, @prime, and your suggestions are sound. But then again, password managers exist because people generally aren’t very thoughtful when it comes to security, so I wouldn’t say the idea that developers shouldn’t have to babysit users really applies here, by definition. Its key selling point is smart security for dumb/lazy users. The same really goes for touchid.

    Simply put, I don’t think most 1P users (the majority of which I must assume use it with TouchID) will be mindful enough that, when briefly asked for their code by some dude who wants to be in charge of the music, they will either go into 1P and turn off touchID, or enable guided access.

    We don’t want to encourage folks to share their passcodes, but as I mentioned, our developers are taking a look into this.

    Ben

  • kalash
    Community Member

    Cool ;)

  • prime
    Community Member
    edited October 2017

    @kalash it’s cool if they add it, but it’s never ever safe to assume your data is safe if you tell people your password to your phone. Even if AgileBits adds this feature. Just be careful.

  • :+1: :)

    Ben

  • AGAlumB
    1Password Alumni

    My most common use case is for music control when friends are over, or a party. You’re playing music through your phone or iPad, and there’s always that guy who has to queue a few tunes. Hence, that guy ‘just has to’ have your passcode. Once you’ve given that out, just because that guy had such a strong urge to listen to his own music, you’ve basically given access to all your passwords on hundreds of sites.

    @kalash: Ah, that's interesting. I just set iOS Settings > Display & Brightness > Auto-Lock to Never in that case. That way no one needs my passcode, and therefore can't get into my security settings or 1Password. Guided access is great too, but either way "some dude who wants to be in charge of the music" never gets my code. :lol:

This discussion has been closed.