Limited fingerprint to specific vaults.
I just switched to using 1password. Mostly quite happy with all the abilities. However since typing my master password on mobile phone is a pain, I was hoping to use fingerprint for android 1password app unlock.
However since in general fingerprint scanners are not very reliable, and can be spoofed relatively easy I was hoping to be able to disable a few faults for finger print unlock.
I have found a way to disable some vaults on the android app, but there is no master pass requirement when I enable the vault again. Would my desired behavior be possible? Alternatively I am okay with having some vaults never enabled on the mobile device.
1Password Version: 7.1.1
Extension Version: Not Provided
OS Version: 8.0.0
Sync Type: Not Provided
Comments
-
@dwarrel What you want to do isn't possible but a better and more secure option is available.
For added security I recommend you disable fingerprint authentication for 1Password and enable PIN access.
You can still open your Android lock screen with your fingerprint but to access your 1Password vaults you'll need to enter your PIN.
This way even if an attacker manages to bypass your fingerprint sensor he'll still need your PIN - and too many incorrect PINs will lock the vault and require the master password instead.
0 -
Thank you. While still not optimal, this is indeed a safe and efficient enough middle way.
0 -
I don't quite agree that it's "easy" to spoof fingerprints as a general rule, but certainly it can depend on the hardware used. And I disagree that a PIN code is more secure. (Note that fingerprint unlock will be unavailable after 5 failed tries as well.) Someone who steals your phone would have a much harder time replicating your fingerprint than guessing a short numeric password, especially since there will probably be traces on the screen from you entering it; latent fingerprints are also likely present, but require significantly more effort to make use of them. It's more a matter of what you're comfortable with based on your own personal threat model, so it's good to have options. :)
0 -
And I disagree that a PIN code is more secure.
Maybe I misunderstand your comment @brenty but assume that you're using:
- fingerprint unlock on the Android lock screen
- PIN unlock for 1Password
If an attacker manages to bypass the fingerprint-protected lock screen (e.g. with a latex fingerprint) then he's going to bypass 1Password with the same method.
How, in this scenario, is using a PIN less secure?
As far as I can see even if an attacker bypassed the fingerprint-protected lock screen he'd still need to contend with the PIN unlock.
I may agree with your comment if you were talking about using a PIN alone (i.e. for lock screen and 1Password) but that's not my suggestion. Though if somebody was that way inclined I'd suggest using two separate PINs.
0 -
@gazu: A "PIN" is generally defined as a short numerical-only password. That's going to be weaker than a all but the weakest Master Passwords (e.g. someone might actually use a short, numerical-only Master Password...)
I don't disagree with your point in a broader context, but our concern here is the security of 1Password. We have no control over the security of the system as a whole, and cannot assume that anyone using weak security for 1Password will be sure to use strong security for the OS -- more often then not, the opposite is true. So my comments are regarding only 1Password, since that's my focus, and the focus of this discussion and support forum in general. :)
0
