I remember watching Craig Federighi introduce the Touch ID API at WWDC this year. I remember thinking he was speaking directly to me, that Touch ID was clearly meant for 1Password. The next day, I ran out to buy an iPhone 5S, downloaded the new Xcode and iOS 8 betas, and added Touch ID to 1Password that night.
I remember how excited I felt the first time I was able to successfully unlock 1Password with Touch ID. Unlocking 1Password would never be the same.
Security and Convenience
A password manager is a combination of two occasionally conflicting concepts: Security & Convenience. First and foremost, a password manager must keep your data secure. But it also needs to give you quick, convenient access to your data.
The addition of Touch ID allowed us to take a huge step forward in convenience without sacrificing security.
Touch ID does not replace your Master Password. After unlocking with your Master Password, you can enable Touch ID. Once enabled, 1Password will present the Touch ID prompt instead of asking for the Master Password, allowing you to unlock using your fingerprint. Your data is always encrypted with your Master Password.
Thanks to Touch ID, you can now have the security of a strong, complicated Master Password with the convenience of unlocking with a fingerprint.
Turning on Touch ID
Turning on Touch ID in 1Password 5.0 is as simple as tapping Settings > Security and flipping the Touch ID switch.
When enabled, you can specify a “Request Fingerprint After” timeout, also known as an Auto-Lock timeout. This timeout sets how long 1Password is inactive before locking.
Those with sharp eyes may also notice a second timeout for the Master Password. Read on to see how we are simplifying this for 1Password 5.1.
Now let’s take a quick look at how Touch ID was added to 1Password and what’s happening underneath the hood.
Adding Touch ID to 1Password
Adding Touch ID to 1Password started out as quite a simple task. The challenge was determining how to use Touch ID to access your 1Password data.
Apple’s Local Authentication framework made it easy to authorize a fingerprint, but the result is a simple success or fail. 1Password, however, needs your Master Password to decrypt your data after a successful authorization. To make this possible, 1Password stores your Master Password in the iOS Keychain when Touch ID is enabled.
Your Master Password is the most important password you have, and we take many precautions to keep it secure.
The iOS Keychain provides a way to store your Master Password in a secure place that only 1Password can access. The iOS Keychain item that contains your Master Password is never synced to other devices or backed up to iTunes or iCloud. It is also aggressively removed from the keychain whenever Touch ID authorization fails or if Touch ID or the device Passcode is disabled.
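The storage pattern described above, as an added Swift sketch that is not 1Password's own code. The service and account names, the choice of `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`, and treating every non-success result as a failure are assumptions made for illustration.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers for the example; not 1Password's real ones.
let service = "com.example.vault"
let account = "master-password"

func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

/// Call only after the user has unlocked with the Master Password.
func enableQuickUnlock(secret: Data) -> OSStatus {
    SecItemDelete(baseQuery() as CFDictionary)      // replace any stale copy
    var attrs = baseQuery()
    attrs[kSecValueData as String] = secret
    // Device-only class: excluded from backups and device migration, and
    // deleted by iOS itself if the device passcode is removed.
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    attrs[kSecAttrSynchronizable as String] = false // keep out of iCloud Keychain
    return SecItemAdd(attrs as CFDictionary, nil)
}

func disableQuickUnlock() {
    SecItemDelete(baseQuery() as CFDictionary)
}

/// Returns the stored secret on success; otherwise removes it, so the next
/// unlock has to go through the Master Password prompt.
func unlockWithFingerprint(completion: @escaping (Data?) -> Void) {
    let context = LAContext()
    var policyError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &policyError) else {
        disableQuickUnlock()                        // Touch ID or passcode is off
        completion(nil)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your vault") { success, _ in
        guard success else { disableQuickUnlock(); completion(nil); return }
        var query = baseQuery()
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        completion(status == errSecSuccess ? result as? Data : nil)
    }
}
```

Local Authentication only reports success or failure; the keychain read after it is what actually yields the secret, which is why the item's accessibility class and deletion rules carry the security weight.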
I hope this helps explain how Touch ID and your Master Password work in tandem to provide convenient, secure access to your data. Now, let’s talk about why adding Touch ID to 1Password turned out to be not quite so simple after all.
Improving Touch ID
I had an awesome time adding Touch ID to 1Password and was overwhelmed by the hugely positive feedback that we received (no really, there was a ton of it). But it turns out that, instead of Touch ID, many people were seeing Master Password prompts far too often.
First, there was an issue in my code that caused the Master Password to be required at times instead of Touch ID. I’m happy to say this has been fixed in 1Password 5.1, which is strolling through App Store review and should be out soon.
In many cases though, the Master Password prompt was showing up in 5.0 exactly when it should, at least according to our confusing settings—we had Auto-Lock inactivity timeouts for both the Master Password and Touch ID.
In fact, even I had trouble explaining how the “Request After” and “Request Fingerprint After” settings worked together. After explaining (unsuccessfully) to so many people, I knew something had to change.
Starting in 1Password 5.1, there will be a single Auto-Lock timeout that works for both.
Auto-Lock specifies how long 1Password will wait before it locks automatically. To unlock 1Password again, you can use your fingerprint if Touch ID is enabled, otherwise enter your Master Password. Your Master Password will be required after a device restart or when Touch ID authentication fails.
Combined with Lock on Exit, this gives you a great deal of control over when, and how, 1Password locks.
Until Next Time
Touch ID has made a big difference in how I use 1Password and my phone in general. I hope it has for you as well, and yes—I can’t wait until Touch ID-enabled iPads are available!
I do worry that Touch ID will make things so convenient that people will forget their Master Password. I’m tossing around the idea of requiring your Master Password once every 14 days or so. I’d love to hear your thoughts in the comments.