why does 1Password require manual login for every app on my iphone?

AMCarter3
AMCarter3
Community Member
edited September 2019 in iOS

Virtually every time I want to log into an app on my iPhone, 1Password pops up appropriately, but requires that I manually log into 1Password to have it enter the username and then log in to 1P again to get it to enter the password for the app. Then, if I close that app and open another app, I have to go through the exact same manual steps again. This is despite the fact that 1Password on my phone is configured for Face ID. What does it take to get 1P to use Face ID to make app logins easier?

In addition, after tediously using 1P to log into an app or two, later if I want to open the 1P app, I again have to manually log into it. I don't understand why Face ID is not more accessable to logging in to 1P or to other apps.


1Password Version: 7.3.2
Extension Version: 4.7.5.90
OS Version: OS X 10.14.6
Sync Type: iCloud
Referrer: forum-search:manual login required apps on phone?

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @AMCarter3!

    What does it take to get 1P to use Face ID to make app logins easier?

    If you unlock the main 1Password app first, AutoFill should also prompt you to unlock 1Password with FaceID from that point on ;) You just need to unlock the main 1Password app with your Master Password at least once.

  • AMCarter3
    AMCarter3
    Community Member

    I missed seeing your reply back in Sept. When you say "You just need to unlock the main 1Password app with your Master Password at least once", what exactly does that mean? Do you mean the 1P app must be running in the background in order to work with other apps? Do you mean open it once in a lifetime, once a year, month, week, day, or once every time I open my phone? Please be more concrete.

  • ag_ana
    ag_ana
    1Password Alumni

    @AMCarter3:

    When you say "You just need to unlock the main 1Password app with your Master Password at least once", what exactly does that mean?

    It means that you should open the 1Password app on your device and unlock it with your Master Password. Once it has been unlocked this way, it can be unlocked with Face ID the following times.

    Do you mean open it once in a lifetime, once a year, month, week, day, or once every time I open my phone?

    Once after turning on your device, or rebooting it.

  • AMCarter3
    AMCarter3
    Community Member
    edited November 2019

    And then what? Leave it on in the background? Or fully close it? I'm not comfortable with leaving 1Password open in the background... doesn't that create a vulnerability if my phone is lost?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @AMCarter3: It does not, for a few reasons.

    It's actually best not to force quit apps on i(Pad)OS. There are very few cases where that should be done -- like when an app is completely frozen and that's the only option. The OS manages resources and automatically suspends apps to free them up as needed. Then apps have a limited window in which to save any work as needed and finish up background processes like checking for changes online, etc. This avoids data loss, corruption, and also preserves battery life since apps can often restore from a suspended state without needing to launch entirely from scratch, the way they do after a reboot, or you killing them. Running in the background also allows limited functionality to happen periodically so an app has more up to date information, and is more responsive when you next use it since it was opening from a suspended state and not launching from zero.

    There is no security benefit in general regarding having an app not running in the background, as all apps on iOS are sandboxed anyway: they do not have access to each other's data or memory. That's why we often have to jump through so many hoops to access one app's files in another (though Apple has added some great features recently that make it easier without sacrificing security by making it work like a desktop OS, where any app can access anything).

    But with regard to 1Password specifically, not only is its data encrypted in the sandbox provided by the OS, but it is also encrypted yet again using the Master Password you use to protect it. "1Password running in the background" also does not mean "1Password unlocked in the background". Apps are isolated from each other, but it's conceivable that a flaw could be found that allowed one app to "peek" at another's data in certain situations. To be clear, that has not happened. But if it did, even unlocked, all of your 1Password data is encrypted except that which you have opened -- e.g. you're viewing a Secure Note, which would need to be decrypted for you to see it.

    However, even in the case of your phone being lost, presuming that you did not have it locked at all requiring a passcode just to get to the home screen, 1Password has an auto-lock feature which only goes up to 1 hour max. So even if you had it on the maximum setting, unlocked 1Password, and left your device unlocked as well before it was lost or stolen, someone would have less than an hour to find it and access your data in 1Password before it locked on its own. I think the default is 5 or 10 minutes, but you can set it to as low as 1 minute, and/or enable the "Lock on exit" option which makes 1Password lock as soon as you switch to another app just to be on the safe side.

    All of that said, getting back to the original issue, there are two things worth clarifying:

    • Every time you want to fill login credentials from 1Password using iOS Password Autofill, you will need to unlock 1Password. That's just how the feature works. That way if you didn't unlock 1Password itself, you would not be putting all of your login credentials at risk just by using it once. Filling again will also require unlocking.

    • How you unlock when using iOS Password Autofill depends on whether you unlocked the main 1Password app. As Ana mentioned, if you unlock the main 1Password app using your Master Password first, that can enable biometric unlock for both the 1Password app and iOS Password Autofill. If you did not already unlock the main 1Password app with the Master Password, iOS Password Autofill will also require the Master Password each time to unlock it.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • williakz
    williakz
    Community Member

    Saved to disk.

  • AMCarter3
    AMCarter3
    Community Member
    edited November 2019

    Brenty, as always, very helpful. My original question was actually focused on why 1P on my phone sometimes requires me to manually enter or re-enter my 1P password in order to open a 3rd party app DESPITE the fact that 1P is open in the background.

    I understand if 1P is not open, it will require a manual enter of the master password ONCE to open a 3rd party app. What I do NOT understand is why I am required to manually enter my 1P master password later to open an app (like a bank app) when 1P is open in the background. This happens often enough to be annoying. I'm guessing about 30% of the time. The rest of the time, 1P auto enters the login data smoothly using FaceID. It just seems that the mechanism for logging into 3rd party apps operates in an inconsistent manner. It's confusing and annoying.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @AMCarter3: It depends on how you have things setup. Can you walk me through the specific steps you're taking and what's happening? it really sounds like you just haven't unlocked the main 1Password app with your Master Password beforehand to enable biometrics:

    why I am required to manually enter my 1P master password later to open an app (like a bank app) when [...] The rest of the time, 1P auto enters the login data smoothly using FaceID.

  • AMCarter3
    AMCarter3
    Community Member

    I suspect you are right. I also know I do NOT have a habit to start the 1P app or verify it is running in the background BEFORE starting other apps. Since FaceID does work most of the time, I think it's best if I wait until I see the issue again and then get back to you with some facts.

  • AMCarter3
    AMCarter3
    Community Member

    Brenty, I've re-read your explanation several times (including reading it out loud to my wife). I appreciate you sending it... AND it's a lot to absorb. I now get the importance of being required to enter my master password. I think I was assuming I should be able to rely entirely on FaceID to "ask" 1P to input login credentials to a 3rd party app. I think you are saying NO... that is not how it works. I think what is also making this confusing is that I just don't know for sure whether my 1P app has been ON or OFF in the background when I've been required to manually enter my master password. For example, I just opened my 4 bank and credit card apps. All of them opened with immediately with FaceID; none required accessing 1P and manually entering my master password (1P was ON in the background).

  • AGAlumB
    AGAlumB
    1Password Alumni

    I suspect you are right. I also know I do NOT have a habit to start the 1P app or verify it is running in the background BEFORE starting other apps. Since FaceID does work most of the time, I think it's best if I wait until I see the issue again and then get back to you with some facts.

    @AMCarter3: I won't pass judgement until we have more information. Just let me know the specific steps if it happens again, and we'll go from there. :)

    Brenty, I've re-read your explanation several times (including reading it out loud to my wife). I appreciate you sending it... AND it's a lot to absorb.

    Yeah, but...sorry about that. :lol: I'd like it to have been shorter, but not knowing exactly what context we're dealing with here, I wanted to be thorough and cover all the bases, in case something rings a bell for you and we can connect the dots that way. Thanks for bearing with me -- your wife too! :lol:

    I now get the importance of being required to enter my master password. I think I was assuming I should be able to rely entirely on FaceID to "ask" 1P to input login credentials to a 3rd party app. I think you are saying NO... that is not how it works.

    I think the key here is that you're dealing with two different pieces of software. On the one hand, if you've been using 1Password for a while, how it works is probably pretty much second nature to you for the most part, including unlocking (though there are still a few scenarios where it can get confusing). However, when you're using iOS Password Autofill, you're actually dealing with Apple's software; 1Password is just being used as a "vendor"/data provider for login credentials. I can't speak for Apple, but my sense of it is that since you're accessing sensitive data (to fill) outside of the app you're using to secure it, they want to take extra precautions -- hence requiring unlock via either password or biometrics each use. Maybe they will loosen that in the future. I really don't know. It's still a relatively new feature (last year), and I think it's always good to be cautious.

    The risk factor that comes to mind is something that was a feature request for a while, until we were able to do it in 1Password: If you're using biometrics to unlock 1Password, what if someone else adds their fingerprint/face to the device? A while back Apple made it possible for us to know if a new fingerprint/face has been registered, and disable biometrics for 1Password until the Master Password is entered again. That way someone's kid they've given the device passcode to can't use it to add their fingerprint and leverage that to get into 1Password. So while that's not going to be a direct analogue, it's possible that Apple has security end-runs like that in mind when requiring unlock for every iOS Password Autofill use.

    I think what is also making this confusing is that I just don't know for sure whether my 1P app has been ON or OFF in the background when I've been required to manually enter my master password.

    I'm sorry for not clarifying this earlier, but while it's best to just let apps run in the background and the OS handle them in most cases, it's not particularly relevant to unlocking 1Password. Even if 1Password has been suspended, you should still be able to unlock using biometrics if it was already unlocked using the Master Password. There is some variance in that based on your settings, etc., but for the most part it has no impact because we store a secret in the Keychain which allows you to unlock using biometrics. That's only removed if you fail to unlock successfully too many times, you reboot/update, the "require Master Password" time has elapsed, or you explicitly lock. So for the most part, when you unlock the 1Password app with the Master Password, you should be able to use biometrics afterward. It's possible there are some edge cases we're not aware of with iOS Password Autofill though, and that's handled entirely by the OS.

    For example, I just opened my 4 bank and credit card apps. All of them opened with immediately with FaceID; none required accessing 1P and manually entering my master password (1P was ON in the background).

    I'm not sure if this is what you meant, but if you are expecting 1Password to have any bearing on using Face ID to unlock other apps, that is not the case. They are completely separate and unrelated. The only way 1Password would come into play at all is if you are logging into an app for the first time:

    1. Open 3rd party app
    2. At the login prompt, bring up iOS Password Autofill
    3. Select the login credentials to fill from 1Password
    4. Unlock using Master Password or biometrics (if available)

    Once you've successfully signed in, most apps will let you unlock them going forward using biometrics instead of having to enter your password every time. And at that point 1Password is not involved at all, since you do not need to get the password from it.

    Sorry again for the information overload, but hopefully this helps...and I'm happy to answer any followup questions. :)

This discussion has been closed.