Touch ID and iOS PIN code security conflict!

loscarweb
Community Member

Hi

I am on a trial with 1Password, coming from Kypass. I have all my sensitive bank information on 1Password protected by Face ID, and if someone tries to open the app, Face ID will fail and 1Password will ask for the master password (10+ complicated one), perfect.

However, on my iPhone 6s, if I use Touch ID and Touch ID fails, 1Password asks me for my iOS PIN code, which is only 6 digits that people could have seen me dial before. With Touch ID enabled I am basically protecting all my sensitive data with my 4- or 6-digit iOS PIN code. This seems crazy insecure to me... I am surprised the app even offers the use of Touch ID without a BIG RED WARNING: NOT RECOMMENDED.

Am I doing something wrong? Is there a way to make a failed Touch ID ask for the 1Password master password like Face ID does, and not the iOS PIN?

Other than that, I like the ease of sharing in 1Password, which KeePass solutions do not have yet.

thanks



Comments

  • Ben

    Hi @loscarweb

    I'm not aware of any situation where 1Password itself asks for your iOS PIN code. Would you be able to record a video of this for us? Apple has a guide on recording your screen here:

    https://support.apple.com/en-us/HT207935

    Please either upload this to a video sharing site (e.g. YouTube) and post the link here or email us the video at support+forum@1password.com. If you email it, please post the support ID that you get back from BitBot here.

    Please be sure not to show any sensitive details in the video. For example, please do not enter your iOS PIN code while recording.

    Thanks!

    Ben

  • loscarweb
    Community Member

    Hi

    Thanks for the prompt reply. Sorry, I did not explain myself correctly. It is not 1Password that asks for the iOS PIN. 1Password asks for Touch ID to access 1Password. If Touch ID fails, iOS asks for the iOS PIN as backup; if the user enters the right iOS PIN, they gain access to 1Password... this seems very insecure to me if that is the way it is intended.

    Carlos

  • Ben

    That isn't expected behavior. If possible I'd like to see a video of that happening. Thanks.

    Ben

  • loscarweb
    Community Member

    I forgot to say I run iOS 12.01 and the latest 1Password.

  • Ben

    Okay. Did you see my message above?

    Ben

  • loscarweb
    Community Member

    I sent you a URL for a video; it said waiting to be verified... you did not get it?

  • Ben

    @loscarweb

    Got it now, thanks. That's a function of the Password AutoFill feature in iOS 12. 1Password is simply a data provider for Password AutoFill at that point. All of the UI that you're interacting with is Password AutoFill, not 1Password. You may be able to get this to function as you expect by changing the 1Password > Settings > Advanced > Security > Always show lock screen for Password AutoFill setting to ON.

    Please let me know if that helps.

    Ben

  • loscarweb
    Community Member

    As you can see, when I go to Bank of America, 1Password automatically fills my login and asks for Touch ID to validate. If Touch ID fails (someone else has my phone), iOS prompts to enter the iOS PIN (not the 1Password master password)... I enter my iOS PIN and gain access to Bank of America with the 1Password login/password info. Basically, if someone steals my phone and has found my iOS PIN, they can get into my bank account with the info in 1Password!

  • loscarweb
    Community Member

    Thanks, will try tonight. Hope it helps... should that make a failed Touch ID ask for 1Password master, or would it make it always ask for 1Password master even if Touch ID worked?

  • Ben

    > Thanks, will try tonight. Hope it helps... should that make a failed Touch ID ask for 1Password master, or would it make it always ask for 1Password master even if Touch ID worked?

    It should work exactly the same way the main 1Password app does. :+1:

    Ben

  • loscarweb
    Community Member

    Ben

    Here is a link with the video: https://youtu.be/9oWIzUuOmWc

    It is poor quality but you get the point.
    My Touch ID is activated and opens 1Password. Now let's say someone stole my phone and knows my iOS PIN code. They go to "Bank of America" and try to log in. 1Password will automatically propose to fill my ID and ask to validate with Touch ID. Touch ID will fail because it is not me, but iOS will prompt to enter the iOS PIN code (not the 1Password master password); the thief will enter my iOS PIN code and voila, they have gained access to my bank account. 1Password did not protect me in this case.

  • Ben

    @loscarweb

    It appears that may have posted twice. No big deal, but it might explain why you had posted it earlier but I hadn’t seen it. In any event, please let me know how you make out with the suggestion above.

    Ben

  • loscarweb
    Community Member

    Hi Ben,

    I tried your suggestion and it works as intended: if Touch ID fails, iOS AutoFill asks for the 1Password master password and not for the iOS PIN only. This is good, many thanks.
    However, I would suggest you do not leave this feature in Advanced settings, but put it along with the Touch ID settings and leave it on by default. Who would want by default to allow the iOS PIN to give access to websites with 1Password logins? It looks counterintuitive to me.

    Thanks

  • Ben

    Thanks for the update and for the suggestion, @loscarweb. :)

    Ben

This discussion has been closed.