Touching on security and convenience

I remember watching Craig Federighi introduce the Touch ID API at WWDC this year. I remember thinking he was speaking directly to me, that Touch ID was clearly meant for 1Password. The next day, I ran out to buy an iPhone 5S, downloaded the new Xcode and iOS 8 betas, and added Touch ID to 1Password that night.

I remember how excited I felt the first time I was able to successfully unlock 1Password with Touch ID. Unlocking 1Password would never be the same.

Security and Convenience

A password manager is a combination of two occasionally conflicting concepts: Security & Convenience. First and foremost, a password manager must keep your data secure. But it also needs to give you quick, convenient access to your data.

The addition of Touch ID allowed us to take a huge step forward in convenience without sacrificing security.

Touch ID does not replace your Master Password. After unlocking with your Master Password, you can enable Touch ID. Once enabled, 1Password will present the Touch ID prompt instead of asking for the Master Password, allowing you to unlock using your fingerprint. Your data is always encrypted with your Master Password.

Thanks to Touch ID, you can now have the security of a strong, complicated Master Password with the convenience of unlocking with a fingerprint.

Turning on Touch ID

1P 5.0 iOS security settingsTurning on Touch ID in 1Password 5.0 is as simple as tapping Settings > Security and flipping the Touch ID switch.

When enabled, you can specify a “Request Fingerprint After” timeout, also known as an Auto-Lock timeout. This timeout sets how long 1Password is inactive before locking.

Those with sharp eyes may also notice a second timeout for the Master Password as well. Read on further to see how we are simplifying this for 1Password 5.1.

Now let’s take a quick look at how Touch ID was added to 1Password and what’s happening underneath the hood.

Adding Touch ID to 1Password

1P iOS Touch ID promptAdding Touch ID to 1Password started out as quite a simple task. The challenge was determining how to use Touch ID to access your 1Password data.

Apple’s Local Authentication framework made it easy to authorize a fingerprint, but the result is a simple success or fail. 1Password, however, needs your Master Password to decrypt your data after a successful authorization. To make this possible, 1Password stores your Master Password in the iOS Keychain when Touch ID is enabled.

Your Master Password is the most important password you have, and we take many precautions to keep it secure.

The iOS Keychain provides a way to store your Master Password in a secure place that only 1Password can access. The iOS Keychain item that contains your Master Password is never synced to other devices or backed up to iTunes or iCloud. It is also aggressively removed from the keychain whenever Touch ID authorization fails or if Touch ID or the device Passcode are disabled.

I hope this helps explain how Touch ID and your Master Password work in tandem to provide convenient, secure access to your data. Now, let’s talk about why adding Touch ID to 1Password turned out to be not quite so simple after all.

Improving Touch ID

1P 5.1 iOS Security settingsI had an awesome time adding Touch ID to 1Password and was overwhelmed by the hugely positive feedback that we received (no really, there was a ton of it). But it turns out that, instead of Touch ID, many people were seeing Master Password prompts far too often.

First, there was an issue in my code that caused the Master Password to be required at times instead of Touch ID. I’m happy to say this has been fixed in 1Password 5.1, which is strolling through App Store review and should be out soon.

In many cases though, the Master Password prompt was showing up in 5.0 exactly when it should, at least according to our confusing settings—we had Auto-Lock inactivity timeouts for both the Master Password and Touch ID.

In fact, even I had trouble explaining how the “Request After” and “Request Fingerprint After” settings worked together. After explaining (unsuccessfully) to so many people, I knew something had to change.

Starting in 1Password 5.1, there will be a single Auto-Lock timeout that works for both.

Auto-Lock specifies how long 1Password will wait before it locks automatically. To unlock 1Password again, you can use your fingerprint if Touch ID is enabled, otherwise enter your Master Password. Your Master Password will be required after a device restart or when Touch ID authentication fails.

Combined with Lock on Exit, this gives you a great deal of control over when, and how, 1Password locks.

Until Next Time

Touch ID has made a big difference in how I use 1Password and my phone in general. I hope it has for you as well, and yes—I can’t wait until Touch ID enabled iPads are available!

I do worry that Touch ID will make things so convenient that people will forget their Master Password. I’m tossing around the idea of requiring your Master Password once every 14 days or so. I’d love to hear your thoughts in the comments.

77 replies
Newer Comments »
  1. LKlieger
    LKlieger says:

    Love the idea of requiring the Master Password every so often. Perhaps even after the phone is turned off/on, similar to the passcode?

    Great to hear Master Password won’t be required quite as often, though!

    • LKlieger
      LKlieger says:

      Just realized that the “power cycle” master pass requirement is already there in the screenshots. Awesome! Also support it every 2 weeks.

    • Dave Teare
      Dave Teare says:

      Thanks for helping us set our priorities, Phillip.

      You’re right, it would be great if we had time to update the Windows Phone app. I don’t mean this as an excuse, but we’re just finishing up the 4th major update to 1Password as we speak. Updates for Android, Windows, iOS, and OS X have made it a very busy summer for us.

      These have all been major updates and required a great deal of time to complete. Unfortunately for Windows Phone, we have more updates planned for these other 4 platforms before we will be able to add anything else to our plates.

      I don’t mean to say we’ll never update Windows Phone, but I don’t want to give you false hope that we’re actively working on it. We have expanded the Windows team and hopefully we can add more to their plates in the future.

  2. MK
    MK says:

    I’m glad it’s being simplified and that bugs are being worked out. One suggestion, if iOS Keychain is still required you might want to include a little text on that security settings page that mentions that. Otherwise folks may continue to wonder why they keep on having to enter their master password after enabling TouchID.

    • Shiner
      Shiner says:

      Thanks MK. As the iOS Keychain is required for Touch ID (or the PIN Code) to be effective we have removed the advanced option to disable it in 1Password 5.1. We added some text on the security settings page to let people know that the iOS Keychain will be used when Touch ID is enabled.

  3. Dr. John Wheeler
    Dr. John Wheeler says:

    I prefer to have the option to use Touch ID all the time on my iPhone. I use 1Password on my Mac as well, so there is zero chance of forgetting my Master Password. When I need a password or whatever info from 1Password on my iPhone, I am usually in an extreme hurry. Seconds seem like hours, so I don’t want to fumble around trying to type my complicated Master Password on my iPhone when Touch ID is perfect solution. And no, I don’t want to be bothered for it every 14 days to type in my Master Password, as it is sure to be the most inopportune time.

    • Justin Cardinal (@justincardinal)
      Justin Cardinal (@justincardinal) says:

      I agree; the fact that the master password is already required after reboots is enough in my opinion, even for users who don’t use a corresponding desktop app. For a good user experience, things should be predictable. Being prompted for a Master Password unexpectedly is confusing and makes the user unsure of what to expect each time they open the app, and I think that results in frustration.

    • jpgoldberg
      jpgoldberg says:

      These are good points. And Indeed there would be one clear benefit of doing what you suggest: People would use stronger Master Passwords if they never had to enter them on an iPhone.

      But there is a technical and subtle reason why having 1Password unlock with TouchID only would be bad for your security. For 1Password to unlock with either TouchID or the PIN it needs to already have access to your Master Password (or keys derived from it). Storing your (obfuscated) Master Password in the iOS keychain temporarily is fine (as long as it is done carefully). But we would be much more hesitant to do so long term, as would be required to make 1Password work with Touch-ID only.

  4. Gasol
    Gasol says:

    I have one technical problem, Does this means master password is stored in somewhere? and use TouchID to unlock and retrive master password to unlock with 1Password? If not, How it works?

    • Dave Teare
      Dave Teare says:

      Thanks for asking, Gasol.

      Jeff tried to cover this in the `Adding Touch ID to 1Password` section:

      > Apple’s Local Authentication framework made it easy to authorize a fingerprint, but the result is a simple success or fail. 1Password, however, needs your Master Password to decrypt your data after a successful authorization. To make this possible, 1Password stores your Master Password in the iOS Keychain when Touch ID is enabled.

      Jeff then goes on to talk about the safe guards we put in place to protect the Master Password as best we can.

      Please give that section another read and let us know if you have any further questions.

  5. Ron
    Ron says:

    I’d suggest not asking for a password every 2 weeks or at least allowing that option to be disabled. Instead, why not add trusted devices that can be used to reset the master password if forgotten? And while we are at it, maybe ask 2 step verification while you are add it? Still hate the fact that all my passwords are secured with.. A single password!

    • Zach
      Zach says:

      I think two step verification would be a great addition. You have to remember that 1Password users keep their most important and secure information in one centralized location. Its needs to be secure as possible.

    • jpgoldberg
      jpgoldberg says:

      I’m going to spout some technical jargon here. So here is the jargon. Because 1Password works through encryption instead of authentication there is no authentication to begin with, thus a second factor for authentication doesn’t actually make sense. It also isn’t as necessary, because the threats against authentication systems are not the same as the threats against encryption systems.

      That was a lot of jargon, and I doubt it would be persuasive to anyone who wasn’t deeply familiar with it. So what I will say is that we are looking at how we can bring a second factor to unlocking, but if it is introduced, it won’t have the same sorts of properties that people have grown used to with two-factor authentication.

    • jpgoldberg
      jpgoldberg says:

      Deep in the design of 1Password is the fact that there is no way for us to reset the Master Password. This is because 1Password relies on encryption (instead of authentication) for your security.

      You may wish to print out your Master Password and put it in a bank safe deposit box, but if the Master Password is lost there is no way to decrypt your data.

    • Ron
      Ron says:

      OK, that’s a good thing I’d say, however I still think that just having a password is a bit weak on security. If someone would somehow guess or know my password (sees me type it or there’s a camera recording me typing it) that the security is gone which is why I think having 2 factor authentication for that part wouldn’t be a bad idea(?)

  6. Scott
    Scott says:

    I would support a *configurable* period after which the master password is required (I actually wanted a 12-hour option in version 5.0).

    Also, how about displaying the Last Edit timestamp for each item?


  7. effndc
    effndc says:

    Is there any ability to use the TouchID on an iOS device to provide an “unlock” for the OS X 1Password through handoff, over WiFi, or over Bluetooth?

    • effndc
      effndc says:

      I should say, is there any method to implement that ability within the OSX/iOS framework. I know the “ability” doesn’t exist currently, but it sure would be handy to have TouchID for 1Password on OS X…because yes, I am that lazy ;)

    • Shiner
      Shiner says:

      It is definitely an interesting idea effndc.

      I haven’t looked into it closely at all, but I think that handoff in Yosemite would give us much of what would be needed. It gives us the ability to recognize when your iOS device is near your Mac. We could then determine if 1Password is unlocked on your device and unlock it on Mac. We’d need to store your Master Password on your Mac (likely in the keychain) so we can unlock without you entering it, but I think it is feasible.

      As you mentioned it is not something he have today. That said, with Yosemite and handoff it seems that devices and Mac’s will be interacting a lot more seamlessly, so could be something we look at for the future.

  8. Brian
    Brian says:

    Automatic re-setting of the master password at a specified interval is probably a good idea, but it will inevitably occur at the most inconvenient time – in the same way that smoke detector batteries always die at 2am. Recommend that you place a timer on the thumb id dialog with words to the effect, “__ days until master password reset is required.” As you get close you can choose a convenient time to restart the timer.

  9. David Scheck
    David Scheck says:

    Since the master password is stored in the Keychain when TouchId (or Pin unlock) is enabled, is it a very bad idea to use the simple 4 digit phone unlock code? Is it true that the keychain is unlocked when you unlock your phone? If so, how easy would it be for someone who knows your 4 digit unlock code to acquire your master password that is being stored in the keychain? Could another 3rd party app access it? Could a stolen phone be jailbroken to access it? Do you recommend at a minimum that users turn off “Simple Passcode” in Settings->Touch ID & Passcode

    • jpgoldberg
      jpgoldberg says:

      Hi David,

      I’ve long recommended that people use passcodes that are at least six digits. Take a look at

      You are correct that 1Password 5 will store an (obfuscated) copy of your Master Password in the iOS keychain only when TouchID (or PIN) is active. That is, 1Password will try to remove the item from the keychain as soon as the time you set expires. But there are circumstances in which it may remain, and so having a good device passcode is important.

      One of the features that of iOS 8 that makes us much more comfortable doing this is that we can now enforce that a passcode is set. The TouchID feature will not work if a passcode is not set, and if you turn off your passcode, the obfuscated Master Password in the iOS keychain is immediately destroyed.

      You can read about this (and more) in this forum post:

  10. Max
    Max says:

    I really like the Touch ID option for using 1Password, but I am still a little bit concerned about the security. As you know, there are ways to bypass the Touch ID sensor with relative low effort by creating fake fingerprints.
    Considering the sensibility of the data stored in 1Password, I would appreciate the option to use the PIN code even on Touch ID enabled devices.

    Thanks anyway for such a great product, I’m a big fan ;)

  11. Locke
    Locke says:

    I definitely wouldn’t like to have to type in the master password every 14 days or in random intervals. Remember that when people use 1Password, they generally want what they’re getting at fast. Expecting to use their thumb and be greeted with a TYPE YOUR PASSWORD SO YOU DONT FORGET IT would suck if you’re trying to log in to a website in a hurry to pre-order tickets or something. If you do include it, could you make it so that it is an option to be turned off by people who remember their password? Or people who also use the Mac/PC versions who have to type in their passwords anyway.

    • Shiner
      Shiner says:

      Hi Jeff,

      Yes, you should have that option on any device running 1Password 5. If you tap on the settings gear at the bottom of 1Password (when unlocked) you should see a list of options, including Security. Please let me know if you do not see that option.

    • Jeff Grant
      Jeff Grant says:

      My mistake, I thought that you meant the IOS settings. Now that I have got the right settings, I still don’t have anything to do with touch. Where your screen shot has touch id I have Pin code.

    • Shiner
      Shiner says:

      Hi Jeff,

      Touch ID will display in the security settings if you are on a Touch ID enabled device and have Touch ID configured for that device. If you do not have Touch ID enabled on the device then you will see the PIN Code instead.

  12. Ali Hamze
    Ali Hamze says:

    Instead of requiring you to enter your Master Password every 14 days, you could do something similar to Authy. It prompts you every once in a while to enter your backup code just to make sure you haven’t forgotten it. However, it also gives you the option to skip it. I never enter it due to the fact that I don’t know it. I randomly generated it and it is store in 1Password. So to make it balanced, I believe it should be an option in settings that you can toggle off if not needed. (I already use 1Password on my mac daily. There is no way I’m forgetting my Master Password.) The default should be on, as in to prompt every x amount of days, so people new to the app won’t forget theirs, but users who use the Mac version can simply turn it off.

  13. @steven1
    @steven1 says:

    I **hate** the fact that the touch ID is basically ON until restart.

    I guess I didn’t have a problem understanding the two options….I feel like this is a major potential security gap. I truly felt like you struck gold with the balance of security and convenience with the last version…two timeouts.

    Any way you would consider adding a timeout requiring the master password (which defaults to NEVER, replicating your current setup) in Advanced settings?

    • Shiner
      Shiner says:

      Thanks for your feedback @steven1.

      The challenge we had with two options is that most people, unlike yourself, did not understand them. Many who enabled Touch ID would ignore the Master Password setting assuming that it wasn’t active once Touch ID was enabled. They would then be surprised when the Master Password screen showed up. On the other hand, we had people who would set the Master Password timeout to one day (with Touch ID enabled) and then be concerned a day later when Touch ID was still showing up. They didn’t realize that unlocking with Touch ID in the interim was resetting the Master Password timeout.

      We did consider various solutions that kept the two settings but ultimately decided it would be best to use a single Auto-Lock timeout, along with the Lock on Exit timeout. We have no plans at this time to bring back the second timeout, but we are always watching the feedback from our customers to help us judge what we should and shouldn’t implement.

      One option that could use is “Lock Now” from the Security Setting. I understand it doesn’t replace the timeout value, but it will lock 1Password immediately and require the Master Password to unlock.

    • Kush
      Kush says:

      I agree with @steven1. I’m not comfortable with the new settings. I had no problem understanding the previous settings and thought it was an excellent implementation. But, apparently that was not the case for many other 1Password users. So, how about implanting an option like @Scott and @steven1 suggested? A configurable period after which the master password is required. It can be set to “never” as a default for those using Touch ID.

    • @steven1
      @steven1 says:

      You need to constantly remember that my 1Password data is more valuable to me than *any* other data on my phone. You encourage people to store all kinds of information. Therefore, I expect there to be more controls than even the iOS allows.

      A *hard*, configurable, timeout on the app is absolutely essential.

  14. Kevin Wang
    Kevin Wang says:

    I’ve been using 1Password for years with the same master password, so to me it has become something like 1+1=2. Please make “2 weeks timeout” an option if you do add it — an opt-out option is fine.

  15. somainer
    somainer says:

    YES, please add back something like you had in v 5.0 along the lines of “Request Master Password After” with options = Never, 1 day, 7 days, 2 weeks, 1 month. That way those who want to occasionally have to enter it will be able to do so – and those who don’t need to use their master password (for example, because they do so all the time on another device) can opt out.

  16. Martin
    Martin says:

    I also preferred the previous combination of settings. IMHO, TouchID is a replacement for the PIN but less secure than requiring the real master password.

Newer Comments »

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *