Master Password needed to enable Touch ID

This discussion was created from comments split from: No touch ID on iPhone.

Comments

  • cmochi
    Community Member

    I have this problem!!! I updated the OS and now I can't log in without touch id. The option isn't even there on the app to use it. I don't remember my master password and really really need to log in using touch id. How do I get it back??? Why were users not warned about this terrible design???? I am so angry and worried and upset right now.

  • cmochi
    Community Member

    I cannot lose access to these accounts. I absolutely cannot believe that this product did not warn us that touch id might sometimes not be there. This is a terrible thing that the app does not protect against!!!! Please please please help

  • cmochi
    Community Member

    Please help! My touch id icon has disappeared and I cannot log into the app!!! I tried installing the updated OS. Tried turning on and off touch id for unlocking phone. Nothing is working. I am very concerned and need help!

  • AGAlumB
    1Password Alumni

    @cmochi: When you set up 1Password originally, you were asked to choose a Master Password to protect your data. This is needed to access it — just like unlocking your iPhone, where you need to enter the passcode to enable Touch ID. Touch ID is a convenience feature, and the only way to enable it — and to access your 1Password data — is by entering the correct Master Password. If that were not the case, anyone could get into your 1Password vault. You will need to remember it. AgileBits has neither your 1Password data nor the Master Password used to secure it, so this isn't something we can 'reset' for you to help directly. However, please try the tips in this guide as they may help you gain access again:

    https://support.1password.com/forgot-master-password/

    If that doesn't help though, you will need to either restore from a backup, sync from another device, or simply start over. You can try as many times as you want. You won’t be “locked out”, but you will not be able to access your data unless you can enter the required Master Password correctly. Please let me know how it turns out. I'm sorry I don't have better news for you, but the security of all 1Password users depends on it working this way. :(

  • AGAlumB
    1Password Alumni
    edited November 2017

    @cmochi: I've merged your multiple posts across different threads into a single one. We can't tell you your Master Password, but if you have any other questions please let us know.

    ref: NSP-98236-127

  • cmochi
    Community Member

    Can you PLEASE RESTORE TOUCH ID??? How can you take out this feature without telling the users???? That would have given me a chance to go in and change the password. YOU CANNOT JUST take out a critical feature like that. You're screwing over so many paying customers. PLEASE restore the TOUCH ID.

  • cmochi
    Community Member

    Will this be fixed???? I need to be able to use touch ID to get back into my account. Users should have been warned that the app would break. I WOULD NOT HAVE UPGRADED my OS if I knew this!!! I really really really need to access the bank accounts I have saved PLEASE get this feature back in.

  • cmochi
    Community Member

    please help... on the verge of tears if I can't access all of the accounts I have stored. I am a paying customer, please don't break the app experience like this for us...

  • Manaburner
    Community Member
    edited November 2017

    @cmochi I really don't understand where you see a problem in the app. The app is working as intended so there's nothing that can be "fixed". Also Touch ID has not been "taken out" of the app whatsoever. It is working just fine.

    The issue here is not that Touch ID is not working after an iOS update (which can happen and which is not AgileBits' fault), but that you forgot your Master Password.
    It's like blaming the people that made the lock in your door that you can't get in, because you have no key.

  • cmochi
    Community Member

    @Manaburner clearly you lack empathy for others. If TouchID was not meant to be always there, then the feature should not be added in. OR 1password SHOULD WARN users that it will not always be there. By offering it and NOT giving the warning, it tells users that it is a way to log into the app. That trains users to use it. It's like saying you have a DIGITAL AND a PHYSICAL lock for your door, and one day someone just decides to shut down the digital one leaving you hanging. The company should WARN users that the digital one will NOT always work.

    OR THEY SHOULD JUST RESTORE IT

  • Manaburner
    Community Member

    @cmochi Interesting. You know me for 5 seconds and already insult me. Nice.
    Well then I will take my non-empathy-having self out of this discussion as you clearly are not able or willing to see that again not 1Password is the problem but you forgetting the Master Password.
    I wish you all the best and that you will remember your Master Password. I certainly know mine because I know how important it is.

  • cmochi
    Community Member

    @Manaburner you insulted me in your first post by insinuating that 1Password was at zero fault for this situation. Good for you that you remember your Master Password. I wish no ill on you but please realize how stressed many users are when they realize that TouchID has all of a sudden disappeared. We are paying customers who have been long time users of the app. We trusted the app with a lot of important data and always used TouchID to log in. All of a sudden now, we can't access our very important passwords. Some of us have time sensitive matters we need to deal with. If you can't realize how stressful that is to a customer, please don't stand on your podium and proclaim how we used the product incorrectly.

  • Manaburner
    Community Member
    edited November 2017

    @cmochi just out of curiosity: who is this "we" you are talking about all the time? Are there more people having the same problem and you're the one who is asking on behalf of them?

  • cmochi
    Community Member

    @Manaburner Yes, if you search the forums and the web, there are many people with this issue. Some of our threads are being merged together by the company. In fact I did not start a new thread, I added my thoughts to a previous one. There were several threads that had been opened in the last 3 months.

  • Lars
    1Password Alumni
    edited November 2017

    Hi @cmochi - I'm really sorry to hear you're having trouble accessing your data! Unfortunately, however, @Manaburner is correct that we can't simply "restore" Touch ID. That feature is a part of iOS itself, which Apple allows us to use for 1Password for iOS, for those users who wish to enable it. However, it does not and indeed cannot replace your Master Password, a fact that we do definitely document for users, both in the Mac version and (like in your case) the iOS version of Touch ID.

    As brenty mentioned above, Touch ID is a convenience feature; you can't use ONLY Touch ID to unlock your phone. You know how your phone sometimes (like after restarts or upgrades of iOS) requires you to enter your passcode in order to unlock the device and re-enable Touch ID? Same with 1Password. Your Master Password is what is used to mathematically derive the actual AES256 encryption key which encrypts your data. When you enable Touch ID, you're storing an obfuscated version of your Master Password in the iOS keychain, so that Touch ID can access it. But the process is still the same: you put your fingerprint on the home button, Touch ID reads it and, if it's a match, fetches your Master Password from the system keychain, with which it unlocks 1Password. When Touch ID crashes or is disabled, the Master Password is removed for security from the iOS system keychain and you're required to enter your Master Password again to unlock your data and re-enable Touch ID...just like when you go to unlock your phone.

    Did you try the steps brenty suggested to try to jog your memory? If so, were you successful?
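
The unlock flow described in the post above can be modelled in a few lines. This is an added illustration, not part of the post and not 1Password's code: PBKDF2 and its iteration count, the HMAC check value standing in for AES-256 decryption, and the `BiometricSlot` class standing in for the iOS keychain are all assumptions.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000   # assumed work factor, not 1Password's real parameter
KEY_LEN = 32               # 256-bit key, the size AES-256 needs


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the Master Password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=KEY_LEN)


class Vault:
    """Holds only a salt and a key check value, never the password or the key."""

    def __init__(self, master_password: str):
        self.salt = os.urandom(16)
        key = derive_key(master_password, self.salt)
        # Stand-in for "the ciphertext decrypts correctly under this key".
        self.check = hmac.new(key, b"vault-check", hashlib.sha256).digest()

    def unlock(self, master_password: str):
        """Return the vault key if the password is right, else None."""
        key = derive_key(master_password, self.salt)
        probe = hmac.new(key, b"vault-check", hashlib.sha256).digest()
        return key if hmac.compare_digest(probe, self.check) else None


class BiometricSlot:
    """Hypothetical model of a keychain item released only after a fingerprint match."""

    def __init__(self):
        self._secret = None

    def store(self, secret: str):
        self._secret = secret

    def invalidate(self):
        # Reboot, OS update or Touch ID being disabled: the cached secret is wiped.
        self._secret = None

    def release(self, fingerprint_matches: bool):
        return self._secret if fingerprint_matches else None


class App:
    def __init__(self, vault: Vault):
        self.vault = vault
        self.slot = BiometricSlot()

    def unlock_with_password(self, master_password: str, enable_touch_id=False):
        key = self.vault.unlock(master_password)
        if key is not None and enable_touch_id:
            # Touch ID can only be (re-)enabled by someone who knows the password.
            self.slot.store(master_password)
        return key

    def unlock_with_touch_id(self, fingerprint_matches=True):
        cached = self.slot.release(fingerprint_matches)
        # With an empty slot there is nothing to derive the key from.
        return None if cached is None else self.vault.unlock(cached)


def demo():
    password = "constructed sample passphrase"   # constructed sample value
    app = App(Vault(password))
    key = app.unlock_with_password(password, enable_touch_id=True)
    results = {
        "touch_id_before_reboot": app.unlock_with_touch_id() == key,
        "wrong_finger": app.unlock_with_touch_id(False) is not None,
    }
    app.slot.invalidate()                        # simulate an OS update / reboot
    results["touch_id_after_reboot"] = app.unlock_with_touch_id() is not None
    results["wrong_password"] = app.unlock_with_password("a guess", True) is not None
    results["touch_id_after_wrong_password"] = app.unlock_with_touch_id() is not None
    app.unlock_with_password(password, enable_touch_id=True)
    results["touch_id_re_enabled"] = app.unlock_with_touch_id() == key
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```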

  • cmochi
    Community Member

    @Lars, you document it but there's no way a normal average user would go looking through your documentation to learn that TouchID would one day be stripped away from them without any warning. This warning NEEDS to go into the app. I've searched Twitter and the web. I am NOT the only one with this issue. Adding TouchID trains the user to think that it will always be a log in option. You can't just document this in some web page that a user will only discover upon failing to log in. That is a cover your ass (CYA) response. It's not what a top tier company that truly cares about its users would do. You know this.

    I'm extremely disappointed and upset at this "solution". I have paid so much money for this app and it leaves me in a traumatized state (like many other users I found on Twitter who also forgot their passwords since they used TouchID). It's terrifying to believe I've lost access to so many things. I saw some users on other forums mention that the TouchID randomly reappeared for them after a while. Those users were able to go in and change their password immediately. I am waiting for a few days to see if that will happen for me. I'm devastated, your company has let me down. I'm angry, upset, concerned, and everything in between. You can't understand the amount of trouble your product has caused.

  • danco
    Volunteer Moderator

    As far as I can recall (it's a long time since I set it up) you cannot use Touch ID for 1Password without explicitly turning it on in the settings. And then there are several options for how long TouchID is available for. Isn't it specifically stated during this setup that certain situations will always require the master password?

    The master password is an essential part of 1PW, and MUST be remembered, even though it may be required only rarely. AgileBits do make this clear, but possibly they should throw up several huge warnings, not just the one.

  • Remembering your Master Password is a critical part of using 1Password, and we make that clear when you first establish your vault. There is a second warning about this when enabling Touch ID. If for any reason Touch ID fails your Master Password is required:

    We can't simply enable Touch ID for 1Password for you on your device because 1Password needs your Master Password in order to decrypt your data. When using Touch ID your Master Password is protected by Touch ID. If Touch ID authentication fails, you install a device update, the device restarts, etc... Touch ID may be disabled, and will forget your Master Password. In such a case the only way to re-enable Touch ID usage is to enter your Master Password.

    With a 1Password.com membership we provide customers with an Emergency Kit that can help in the event the Master Password is forgotten:

    About your Emergency Kit

    It may also be possible, if using the 1Password Families or 1Password Teams service, for another person on your membership to assist you with recovering your credentials:

    Recover accounts for family or team members - 1Password Support

    Beyond that -- We never know anyone's Master Password, and have no ability to reset it. You'll need to remember your Master Password in order to recover your data.

    That said... could we perhaps do better in the future in assisting customers with remembering their Master Password? Perhaps, and we have done some brainstorming around that. We're certainly open to suggestions in this area, and appreciate feedback. Making it such that the Master Password never has to be entered is simply not a real solution.

    Thanks.

    Ben

  • @cmochi it isn't that the regular users (non-staff) don't feel for you, it's just that perhaps we have a better appreciation that passwords should not be recoverable outside of what we the user know and that the key to the kingdom is the master password.

    I don't want 1Password to be able to reset my account because then anyone can. That said, they do place that message everywhere where a setting is set that affects the master password, whether you are signing up for the first time or enabling one touch or changing it.

    I think you mentioned somewhere you had a second device, and it seemed like that one was able to connect. The 1Password item in there might have your master password. Were you able to recover your master password in the end?

    And to your point, the master password, which every password manager I know of requires, is the major gotcha here and for other vendors. Once upon a time, LastPass had a recover option, but they, um, were storing a secret recover code in your browser where anyone could get to it. I prefer something stricter.

  • danco
    Volunteer Moderator

    @Ben
    That message "Your Master Password will only be required if Touch ID authentication fails" doesn't seem quite enough. If it is needed on an update of the OS that does need to be stated. They may not know that Touch ID can't be used in those circumstances until they have run into trouble. Yes, of course users should remember their Master Password.

    @cmochi no-one has shut down or removed any functionality of TouchID. You can't use TouchID to unlock the device after an update of the OS, you have to use your passcode and after that Touch ID is available. Same with 1PW; once the master password is entered (which you have forgotten) Touch ID would come back.

  • Thanks for the feedback, @danco. I see your point. :)

    Ben

  • cmochi
    Community Member

    Ben I don't think that warning works. It said Master Password is required if Touch ID fails. I agree with @danco completely. It's an INSUFFICIENT message.

    I was under the impression that TouchID option would always be there. There was never anything in the app that would have led me to believe otherwise.

    And worst of all, I see a lot of users around the web facing the same problem. Why hasn't 1Password acknowledged this is a HUGE product oversight and do something to fix it?????

  • I think you're right, @cmochi. Our message is inaccurate as you've pointed out. I've filed a bug in our tracker (OPI-4332) so that the iOS development team can get that rectified.

    The iOS team has been working on the general problem of Touch ID and users forgetting their Master Password. It's not as easy a problem as it may appear to be. The reality is that when the user is initially configuring the phone, they aren't likely to take seriously a dialog that goes "No really, if you forget your Master Password you're in trouble." The user isn't in the right mindset at this point to understand the implications. Adding a big dialog would perhaps make us feel a little better about it, but we don't think it would actually have a true impact.

    A better system would be to only let a user use Touch ID after they've sufficiently used their Master Password. Maybe something like every time they successfully use Touch ID for the first 10 times we force them to also use the Master Password. It would make the initial experience of a new user worse, but it would have a better impact.

    A good first step was taken when we switched the default from "Never" requiring the Master Password, to requiring it after a reboot of the phone. I get that this probably hurts to read as this is specifically the scenario that bit you. This behavior more closely matches how Apple handles Touch ID on both iOS and the Mac. This change increases the odds that a user will need to recall their Master Password soon before having created it, and so it increases the odds that they'll remember it and commit it to long term memory.

    We need to go further than this. We know this. I'm really sorry that you've been caught by it.

    Rick

    ref: OPI-4332

  • darrenNZ
    Community Member

    The clue is in the name: 1Password. You'll only ever need to remember one password.

    The warnings are sufficiently clear so that a reasonable user will understand that if you forget the password, you're screwed.

    I would be annoyed if 1Password implemented rickfillion's example:

    "Maybe something like every time they successfully use Touch ID for the first 10 times we force them to also use the Master Password"

    After the first 10 times a user might successfully login 1,000 times using only TouchID or FaceID and then they'll forget their password. All his suggestion would do is frustrate users.

    The only thing I can think which would help is a non-bypassable alert for new users that stays on the screen for 20 seconds (and can't be closed) warning people of the consequences of forgetting their master password. To progress I'd want to see a button saying "I understand".

    If a user doesn't "take seriously a dialog that goes "No really, if you forget your Master Password you're in trouble" then that's their own fault.

  • Manaburner
    Community Member

    AB already does something similar when setting up a new 1Password.com account in the browser. It forces you to at least type your master password again once. Plus there’s the emergency kit.
    IMHO AB can only do so much in telling people that the master password is important.

  • I will say that I didn't fully appreciate the importance of the secret key when I first became a customer, I think I treated it as an account ID, so did not think much of it though I DID download my emergency kit.

    but the password... oh, that is a different story... those are always important.

    If there is a way to hopefully improve the workflow so that users better appreciate either the secret key and the master password, then help tickets would drop immensely. The product would seem more usable to many. Though I agree, there isn't much you can do to protect all users in the password area. But I think your run of the mill non-techie has been trained to think that everything is recoverable or should be recoverable, even super secret no one can ever know passwords.

  • cmochi
    Community Member

    @rickfillion I should have received a warning before you guys implemented this:

    "A good first step was taken when we switched the default from "Never" requiring the Master Password, to requiring it after a reboot of the phone. I get that this probably hurts to read as this is specifically the scenario that bit you."

    If you sent ANY warning at all that you were going to make that change, I would have changed my password immediately. You didn't warn your users before you made a huge change. Do you know how much stress a user goes through when they can't log into their account?

    To all the readers attempting to fault me for this, listen. The only kind of person who PAYS for this app are those that care about security. Of course I know passwords are important. But the app made me believe (FALSELY) that touchID would always be a way to log in. IT NEVER SAID IT WOULD DISAPPEAR WITHOUT WARNING. THE COMPANY SHARES THE BLAME. AND THE FACT THAT MANY USERS EXPERIENCE THIS MEANS IT IS A FORESEEABLE PROBLEM.

    I'm angry, the company is only now showing a remorseful tone, previous responses were cold and just downright non-empathetic.

  • AGAlumB
    1Password Alumni

    > The clue is in the name: 1Password. You'll only ever need to remember one password.
    > The warnings are sufficiently clear so that a reasonable user will understand that if you forget the password, you're screwed.

    @darrenNZ: I have to disagree with you here in one sense: Everyone is different, and what seems "clear and reasonable" to one person will not to another, depending on the context. For example, while I know a bit about technology, nothing about the world of finance seems clear or reasonable to me. So what might seem straightforward and obvious to you may be completely baffling to me...

    > I would be annoyed if 1Password implemented rickfillion's example:
    > "Maybe something like every time they successfully use Touch ID for the first 10 times we force them to also use the Master Password"
    > After the first 10 times a user might successfully login 1,000 times using only TouchID or FaceID and then they'll forget their password. All his suggestion would do is frustrate users.

    And I think this is a great, concrete, contrary example about how hard it is to account for different people's expectations. I could go either way on this, but you're at one end of the spectrum and another person is at another. 1Password isn't perfect, and can't be perfectly in tune with each user's preferences, so part of our job is striking the best balance we can. And we don't always get it right, relatively speaking. We can never get it to a point where it will meet everyone's needs equally, but we are committed to continually striving for that anyway.

    > The only thing I can think which would help is a non-bypassable alert for new users that stays on the screen for 20 seconds (and can't be closed) warning people of the consequences of forgetting their master password. To progress I'd want to see a button saying "I understand". If a user doesn't "take seriously a dialog that goes "No really, if you forget your Master Password you're in trouble" then that's their own fault.

    I think you're right in principle, but that still sucks, and we still want to try to do better. On the one hand we tell people upfront when setting up 1Password for the first time that they need to choose a Master Password to protect their data and not forget it, but regardless of how big we make the text, etc., months or years down the road if you forget it anyway it's unlikely that you'll even remember seeing that, and it doesn't actually help you anyway at that point. So we will continue to try to find creative ways to help 1Password users, sort of like backing up some 1Password.com account credentials in iCloud Keychain. Due to our practices protecting user privacy, it isn't possible for us to get numbers on how helpful that is, but anecdotally it seems to have made a noticeable difference.

    > AB already does something similar when setting up a new 1Password.com account in the browser. It forces you to at least type your master password again once. Plus there’s the emergency kit. IMHO AB can only do so much in telling people that the master password is important

    I agree that there are often diminishing returns. Attention is precious, and there's a fine line between nagging someone to the point where they ignore you, and reaching a threshold when resentment kicks in. That said, we're not going to stop trying, because if we can find a way to get a few people to better protect their data that makes all the difference in the world to them. Security is really important to us, but remarkably useless when it means you can't access your own data. :(

    > I will say that I didn't fully appreciate the importance of the secret key when I first became a customer, I think I treated it as an account ID, so did not think much of it though I DID download my emergency kit.

    @AlwaysSortaCurious: I really appreciate you mentioning this.

    > but the password... oh, that is a different story... those are always important.
    > If there is a way to hopefully improve the workflow so that users better appreciate either the secret key and the master password, then help tickets would drop immensely. The product would seem more usable to many. Though I agree, there isn't much you can do to protect all users in the password area. But I think your run of the mill non-techie has been trained to think that everything is recoverable or should be recoverable, even super secret no one can ever know passwords.

    You hit the nail on the head. It's important to consider that there are a lot of things out there sending the opposite message to people — namely, almost every website ever: "Forgot your password? No problem! Just reset it." So that's something we need to be cognizant of in our design as well: not only helping people understand how they can use 1Password to protect their data, but also making them aware that there is no escape hatch if they lose their data and/or the keys to decrypt it. We do this, but we aren't able to reach everyone with this message (backup, for example). So we need to keep working at it. :blush:

  • AGAlumB
    1Password Alumni

    @cmochi: I think you misunderstood what Rick meant. When we changed the default setting, this did not affect you, as you were already using 1Password. Your settings remained as you had configured them. But a new user setting up 1Password today for the first time will have the new default setting unless they change it.

    I'm sorry if you got the impression that we don't care. We do. I can't speak for others personally, but I've lost data myself and it makes me sick when something like this happens to anyone else. If I could come to your house and bang a drum shouting "Backup your data! Remember your Master Password!" I absolutely would. It bothers me that much. But even my friends and family get sick of me preaching at them, so you can imagine that strangers are less receptive to my zealotry (to put it mildly).

    No matter what we do, we cannot make you safeguard your data and your Master Password, but that doesn't mean we're going to stop trying to inform people. There just is no one-size-fits-all, sure-fire method to make everyone take notice and take to heart that the Master Password is used to secure their data, and therefore needed to access it. We can't know specifically what would have helped you, for example, until it's too late and you give us this feedback. We can only take that into account as we develop future versions, and while that may be enough to help someone else down the road it isn't enough to help you now, and I am sorry for that.

    I also want to apologize to you personally if what I said earlier made you feel like I don't care. I do, but that isn't going to allow you to get into your data without your Master Password. And I think it's important to be straightforward about that and not give you or anyone else false hope. I think that's probably the only thing worse than losing access to your important data: being misled into thinking there is a safety net. :(

  • danco
    Volunteer Moderator

    @cmochi Only the responses marked as from AgileBits are from staff. Most of the responses that you find cold and non-empathetic are from users. That's no comfort to you, but I am anxious that you only blame AgileBits for things that are said by their staff and not what ordinary forum users say. We perhaps feel that you should have known to keep your Master Password. After all, even with the current message that you will only need the master password if TouchID fails, you can't be sure that TouchID will work all the time, there are a number of situations in which it doesn't work.

This discussion has been closed.