Touching on security and convenience

I remember watching Craig Federighi introduce the Touch ID API at WWDC this year. I remember thinking he was speaking directly to me, that Touch ID was clearly meant for 1Password. The next day, I ran out to buy an iPhone 5S, downloaded the new Xcode and iOS 8 betas, and added Touch ID to 1Password that night.

I remember how excited I felt the first time I was able to successfully unlock 1Password with Touch ID. Unlocking 1Password would never be the same.

Security and Convenience

A password manager is a combination of two occasionally conflicting concepts: Security & Convenience. First and foremost, a password manager must keep your data secure. But it also needs to give you quick, convenient access to your data.

The addition of Touch ID allowed us to take a huge step forward in convenience without sacrificing security.

Touch ID does not replace your Master Password. After unlocking with your Master Password, you can enable Touch ID. Once enabled, 1Password will present the Touch ID prompt instead of asking for the Master Password, allowing you to unlock using your fingerprint. Your data is always encrypted with your Master Password.

Thanks to Touch ID, you can now have the security of a strong, complicated Master Password with the convenience of unlocking with a fingerprint.

Turning on Touch ID

Turning on Touch ID in 1Password 5.0 is as simple as tapping Settings > Security and flipping the Touch ID switch.

When enabled, you can specify a “Request Fingerprint After” timeout, also known as an Auto-Lock timeout. This timeout sets how long 1Password is inactive before locking.

Those with sharp eyes may also notice a second timeout for the Master Password as well. Read on further to see how we are simplifying this for 1Password 5.1.

Now let’s take a quick look at how Touch ID was added to 1Password and what’s happening underneath the hood.

Adding Touch ID to 1Password

Adding Touch ID to 1Password started out as quite a simple task. The challenge was determining how to use Touch ID to access your 1Password data.

Apple’s Local Authentication framework made it easy to authorize a fingerprint, but the result is a simple success or fail. 1Password, however, needs your Master Password to decrypt your data after a successful authorization. To make this possible, 1Password stores your Master Password in the iOS Keychain when Touch ID is enabled.

Your Master Password is the most important password you have, and we take many precautions to keep it secure.

The iOS Keychain provides a way to store your Master Password in a secure place that only 1Password can access. The iOS Keychain item that contains your Master Password is never synced to other devices or backed up to iTunes or iCloud. It is also aggressively removed from the keychain whenever Touch ID authorization fails or if Touch ID or the device Passcode are disabled.
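
One way the storage and removal rules described above can be expressed with the iOS Keychain and Local Authentication APIs, as an added example that is not 1Password's code. The service and account names, the function names, and the choice of `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` are assumptions; the post does not say which keychain attributes 1Password uses.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers for this example; not 1Password's real keychain names.
let service = "com.example.vault"
let account = "touchid-unlock-secret"

func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

func removeUnlockSecret() { SecItemDelete(baseQuery() as CFDictionary) }

// Call only after a successful Master Password unlock with Touch ID switched on.
func storeUnlockSecret(_ secret: Data) -> Bool {
    removeUnlockSecret()                                  // replace any stale copy
    var attrs = baseQuery()
    attrs[kSecValueData as String] = secret
    // Readable only while the device is unlocked and has a passcode set; the item
    // never migrates to another device, and iOS deletes it if the passcode is removed.
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    attrs[kSecAttrSynchronizable as String] = false       // keep out of iCloud Keychain
    return SecItemAdd(attrs as CFDictionary, nil) == errSecSuccess
}

func readUnlockSecret() -> Data? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else { return nil }
    return result as? Data
}

// The fingerprint check gates the read. Any failure deletes the item, so the
// next unlock falls back to the Master Password. The reply runs off the main thread.
func unlockWithTouchID(completion: @escaping (Data?) -> Void) {
    let context = LAContext()
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: nil) else {
        removeUnlockSecret()                              // Touch ID unavailable or no passcode
        completion(nil)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your vault") { success, _ in
        if !success { removeUnlockSecret() }
        completion(success ? readUnlockSecret() : nil)
    }
}
```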

I hope this helps explain how Touch ID and your Master Password work in tandem to provide convenient, secure access to your data. Now, let’s talk about why adding Touch ID to 1Password turned out to be not quite so simple after all.

Improving Touch ID

I had an awesome time adding Touch ID to 1Password and was overwhelmed by the hugely positive feedback that we received (no really, there was a ton of it). But it turns out that, instead of Touch ID, many people were seeing Master Password prompts far too often.

First, there was an issue in my code that caused the Master Password to be required at times instead of Touch ID. I’m happy to say this has been fixed in 1Password 5.1, which is strolling through App Store review and should be out soon.

In many cases though, the Master Password prompt was showing up in 5.0 exactly when it should, at least according to our confusing settings—we had Auto-Lock inactivity timeouts for both the Master Password and Touch ID.

In fact, even I had trouble explaining how the “Request After” and “Request Fingerprint After” settings worked together. After explaining (unsuccessfully) to so many people, I knew something had to change.

Starting in 1Password 5.1, there will be a single Auto-Lock timeout that works for both.

Auto-Lock specifies how long 1Password will wait before it locks automatically. To unlock 1Password again, you can use your fingerprint if Touch ID is enabled, otherwise enter your Master Password. Your Master Password will be required after a device restart or when Touch ID authentication fails.

Combined with Lock on Exit, this gives you a great deal of control over when, and how, 1Password locks.

Until Next Time

Touch ID has made a big difference in how I use 1Password and my phone in general. I hope it has for you as well, and yes—I can’t wait until Touch ID enabled iPads are available!

I do worry that Touch ID will make things so convenient that people will forget their Master Password. I’m tossing around the idea of requiring your Master Password once every 14 days or so. I’d love to hear your thoughts in the comments.

77 replies
  1. LKlieger says:

    Love the idea of requiring the Master Password every so often. Perhaps even after the phone is turned off/on, similar to the passcode?

    Great to hear Master Password won’t be required quite as often, though!

    • LKlieger says:

      Just realized that the “power cycle” master pass requirement is already there in the screenshots. Awesome! Also support it every 2 weeks.

    • Dave Teare says:

      Thanks for helping us set our priorities, Phillip.

      You’re right, it would be great if we had time to update the Windows Phone app. I don’t mean this as an excuse, but we’re just finishing up the 4th major update to 1Password as we speak. Updates for Android, Windows, iOS, and OS X have made it a very busy summer for us.

      These have all been major updates and required a great deal of time to complete. Unfortunately for Windows Phone, we have more updates planned for these other 4 platforms before we will be able to add anything else to our plates.

      I don’t mean to say we’ll never update Windows Phone, but I don’t want to give you false hope that we’re actively working on it. We have expanded the Windows team and hopefully we can add more to their plates in the future.

  2. MK says:

    I’m glad it’s being simplified and that bugs are being worked out. One suggestion, if iOS Keychain is still required you might want to include a little text on that security settings page that mentions that. Otherwise folks may continue to wonder why they keep on having to enter their master password after enabling TouchID.

    • Shiner says:

      Thanks MK. As the iOS Keychain is required for Touch ID (or the PIN Code) to be effective we have removed the advanced option to disable it in 1Password 5.1. We added some text on the security settings page to let people know that the iOS Keychain will be used when Touch ID is enabled.

  3. Dr. John Wheeler says:

    I prefer to have the option to use Touch ID all the time on my iPhone. I use 1Password on my Mac as well, so there is zero chance of forgetting my Master Password. When I need a password or whatever info from 1Password on my iPhone, I am usually in an extreme hurry. Seconds seem like hours, so I don’t want to fumble around trying to type my complicated Master Password on my iPhone when Touch ID is the perfect solution. And no, I don’t want to be bothered for it every 14 days to type in my Master Password, as it is sure to be the most inopportune time.

    • Justin Cardinal (@justincardinal) says:

      I agree; the fact that the master password is already required after reboots is enough in my opinion, even for users who don’t use a corresponding desktop app. For a good user experience, things should be predictable. Being prompted for a Master Password unexpectedly is confusing and makes the user unsure of what to expect each time they open the app, and I think that results in frustration.

    • jpgoldberg says:

      These are good points. And indeed there would be one clear benefit of doing what you suggest: People would use stronger Master Passwords if they never had to enter them on an iPhone.

      But there is a technical and subtle reason why having 1Password unlock with TouchID only would be bad for your security. For 1Password to unlock with either TouchID or the PIN it needs to already have access to your Master Password (or keys derived from it). Storing your (obfuscated) Master Password in the iOS keychain temporarily is fine (as long as it is done carefully). But we would be much more hesitant to do so long term, as would be required to make 1Password work with Touch-ID only.

  4. Gasol says:

    I have one technical question. Does this mean the master password is stored somewhere, and Touch ID is used to unlock and retrieve the master password to unlock 1Password? If not, how does it work?

    • Dave Teare says:

      Thanks for asking, Gasol.

      Jeff tried to cover this in the `Adding Touch ID to 1Password` section:

      > Apple’s Local Authentication framework made it easy to authorize a fingerprint, but the result is a simple success or fail. 1Password, however, needs your Master Password to decrypt your data after a successful authorization. To make this possible, 1Password stores your Master Password in the iOS Keychain when Touch ID is enabled.

      Jeff then goes on to talk about the safeguards we put in place to protect the Master Password as best we can.

      Please give that section another read and let us know if you have any further questions.

  5. Ron says:

    I’d suggest not asking for a password every 2 weeks or at least allowing that option to be disabled. Instead, why not add trusted devices that can be used to reset the master password if forgotten? And while we are at it, maybe add 2 step verification while you are at it? Still hate the fact that all my passwords are secured with... a single password!

    • Zach says:

      I think two step verification would be a great addition. You have to remember that 1Password users keep their most important and secure information in one centralized location. It needs to be as secure as possible.

    • jpgoldberg says:

      I’m going to spout some technical jargon here. So here is the jargon. Because 1Password works through encryption instead of authentication there is no authentication to begin with, thus a second factor for authentication doesn’t actually make sense. It also isn’t as necessary, because the threats against authentication systems are not the same as the threats against encryption systems.

      That was a lot of jargon, and I doubt it would be persuasive to anyone who wasn’t deeply familiar with it. So what I will say is that we are looking at how we can bring a second factor to unlocking, but if it is introduced, it won’t have the same sorts of properties that people have grown used to with two-factor authentication.

    • jpgoldberg says:

      Deep in the design of 1Password is the fact that there is no way for us to reset the Master Password. This is because 1Password relies on encryption (instead of authentication) for your security.

      You may wish to print out your Master Password and put it in a bank safe deposit box, but if the Master Password is lost there is no way to decrypt your data.

    • Ron says:

      OK, that’s a good thing I’d say, however I still think that just having a password is a bit weak on security. If someone would somehow guess or know my password (sees me type it or there’s a camera recording me typing it) then the security is gone, which is why I think having 2 factor authentication for that part wouldn’t be a bad idea(?)

  6. Scott says:

    I would support a *configurable* period after which the master password is required (I actually wanted a 12-hour option in version 5.0).

    Also, how about displaying the Last Edit timestamp for each item?

    Thanks!

  7. effndc says:

    Is there any ability to use the TouchID on an iOS device to provide an “unlock” for the OS X 1Password through handoff, over WiFi, or over Bluetooth?

    • effndc says:

      I should say, is there any method to implement that ability within the OSX/iOS framework. I know the “ability” doesn’t exist currently, but it sure would be handy to have TouchID for 1Password on OS X…because yes, I am that lazy ;)

    • Shiner says:

      It is definitely an interesting idea effndc.

      I haven’t looked into it closely at all, but I think that handoff in Yosemite would give us much of what would be needed. It gives us the ability to recognize when your iOS device is near your Mac. We could then determine if 1Password is unlocked on your device and unlock it on Mac. We’d need to store your Master Password on your Mac (likely in the keychain) so we can unlock without you entering it, but I think it is feasible.

      As you mentioned, it is not something we have today. That said, with Yosemite and handoff it seems that devices and Macs will be interacting a lot more seamlessly, so it could be something we look at for the future.
