Face it, The iPhone X Looks Amazing

Wow, what an incredible Apple event today! As you may have guessed the entire team here at AgileBits cozied up to their computers, iPads, Apple TVs, and iPhones to watch as the good folks at Apple took to the stage in the newly minted Steve Jobs Theater and proceeded to bring the house down. A new Apple Watch, a brand new 4K Apple TV, a new iPhone 8, the iPhone X! The hits just kept coming.

As blown away as we were by today’s product announcements we were even more blown away by our inclusion in the festivities. To see Phil Schiller on stage showing 1Password on the new iPhone X was magical. In case you missed it, here’s a screen grab we captured for posterity:

We truly can’t wait to get these new phones in our hands and into the hands of our customers. 1Password will be there on November 3rd with the new iPhone X and full support for Face ID.

It’s obvious what our favorite part of today’s announcements was. How about you? Sound off in the comments below and let’s nerd out together about this super cool new future.

  1. Krzysztof
    Krzysztof says:

    The new phones do look amazing guys but I’m worried. I know iOS 11 has the ‘tap 5 times’ panic feature but let’s run with my thoughts on this.

    I have a strong alphanumeric unlock password for my iPhone (augmented with TouchID for convenience), example:

    8’vK6″sa3%!z

    I use 1Password and use a strong master password to unlock my database, example:

    hKN$vB\M>?7_LpGQ9Hpy

    I’m also protected by the 1Password Secret Key but that’s not relevant for this example. So far, so good.

    Now, I’m required to input my iPhone password whenever I turn off my device (or if I use the panic feature). I also have to input my 1Password master password whenever I restart my device (my choice); it improves security and keeps my password fresh in memory.

    I would really like you to implement a feature like you have in Android (not all Androids have fingerprint sensors) which would allow me to:

    1 – unlock my 1Password database using my master password
    2 – use a short 4-6 digit PIN (hey, even user configurable!) to unlock the database

    Why would this be of benefit? If somebody manages to get hold of my phone and hold it to my face then they could unlock both the iPhone and 1Password. How about if I’m asleep or if I’m tied to a chair in James Bond style?

    You might suggest that I turn off FaceID recognition in 1Password or get iOS to demand my password each time but in my case (as I use long passwords for both) that’d be highly inconvenient whereas a short numeric PIN would be super convenient and massively increase my security.

    Please seriously consider this critical feature. It shouldn’t be difficult to implement, it could be optional and would not take place of the master password. It’d be used as an adjunct to make 1Password even more secure. Then, even if somebody unlocked my phone using FaceID, they’d still have to know my 1Password PIN. You could even have a 3 options and you’re out mode where after the third wrong PIN it reverts to demanding the full master password.

    • Tangible
      Tangible says:

      “How about if I’m asleep or if I’m tied to a chair in James Bond style?”

      You have to be looking directly at the phone, eyes open. With regard to your Bond scenario: If you’re being held by a powerful sociopath with dreams of world conquest, just say, “Good evening, Mr. President”.

    • Leon Aves
      Leon Aves says:

      You have to be looking at the screen for it to unlock, it detects “attention”, so someone can’t just hold it to your face.

    • Michael Fey
      Michael Fey says:

      Indeed, Leon. It’s nice to know they’ve addressed the edge case of my children trying to scan my face while I’m sleeping to purchase new outfits in the Strawberry Shortcake game. 😄

    • Michael Fey
      Michael Fey says:

      Hey there Krzysztof, good to hear from you! We actually do have a PIN code feature in 1Password that appears if you don’t have Touch ID (or in the future, Face ID) enabled. It does exactly what you describe, though it’s a bit more stringent with a one-strike policy for falling back to your Master Password. However, we’re always walking that fine line between convenience and clarity in 1Password. It’s highly unlikely that we’re going to enable PIN code unlock as a secondary option in 1Password going forward.

      Also, and this is just me, but if I’m tied to a chair James-Bond-style, I think I’ve got more pressing concerns about my well-being! 😄

    • Niels
      Niels says:

      I would like to urge you to reconsider offering to enable PIN code unlock instead of TouchID/FaceID in the iOS app. When an iPhone can be unlocked with TouchID or FaceID, enabling this to unlock 1Password as well means that as soon as the iPhone is compromised (meaning: unlocked without the owner being aware of it, for example when using his finger while he is sleeping), all passwords are compromised (and 2FA tokens as well when stored in 1Password alongside the logins or stored in a non secured Authenticator app like Google’s).

      Not a problem to many, but in my opinion definitely something to consider. Enabling users to set-up a PIN code for quick access to 1Password – instead of TouchID/FaceID – would leave passwords more secure when TouchID or FaceID have been bypassed somehow.

    • Michael Fey
      Michael Fey says:

      Hey there Niels, thanks for your input. It is something we’ve considered in the past, but as I mentioned above, pretty soon this will no longer be an option for us. At this point this is a feature request to which we are saying, “no”.

    • Ali Shah
      Ali Shah says:

      @Niels Actually, the iPhone can’t be unlocked while sleeping, it requires user attention. In that sense, it’s even more secure than Touch ID, which doesn’t require user attention.

    • Niels
      Niels says:

      Hi Michael,

      Sorry to keep going on about this, but the more I think about this, the more I think a fundamentally wrong decision has been made on this issue (and the less secure I feel about my choice for 1Password as the safest solution for my passwords).

      My thoughts:
      On devices with no TouchID, the password for unlocking the phone is different from the password or PIN code to unlock 1Password data (or at least it should be set up that way). With TouchID set-up, both passwords are virtually the same: my fingerprint. Meaning when a hacker has access to my phone (for example with a fake fingerprint, cut-off finger or just carefully with me sleeping), he or she automatically has access to all my passwords. In a way, the device without TouchID is more secure.

      The only solution is turning TouchID off. This can be done in three ways:

      Turn it off for unlocking but leave it on for 1Password. This is of course ridiculous cause a user needs to unlock his phone a lot more times a day than enter a password.
      Turn it off for 1Password but leave it for unlocking. This forces the user to type in the master password every. single. time. he wants to look up a password.
      Turn TouchID off completely. Keep entering PIN codes for unlocking the iPhone like it’s 2007 again to enjoy the convenience of PIN codes again in 1Password.

      Basically what you’re telling a user of a Touch ID enabled device is: you can have the convenience of Touch ID everywhere (with the above, imo pretty big security-tradeoff), or you can have it nowhere at all.

      I would argue that the best option is missing: the combination of protecting the iPhone with TouchID that requires a physical part of me (fingerprint) as well as a part of my knowledge (for the 1Password PIN code). This would imo by far be the safest way to go, and still be incredibly convenient in day to day use.

      Wouldn’t you agree?

      Lastly, I don’t really see how this would make the application significantly more difficult to use or more complicated to set-up. The toggle to enable (and set up) a PIN code could just appear under the ‘Use TouchID’ toggle in the Security settings if the latter is disabled. Authenticator app Authy has implemented a choice for users in a similar way, and it works fine and easy.

    • Michael Fey
      Michael Fey says:

      Good evening Niels. You make some wonderful points. Let me have some conversations internally here and get back to you. Thanks!

    • Niels
      Niels says:

      @Ali iPhones with TouchID can still be unlocked while sleeping. And there are still millions of such iPhones out there, with millions more still to be sold (iPhone 8).

  2. Ali Shah
    Ali Shah says:

    Wow! It’s great to see you guys will be supporting Face ID. I’ll be sure to pre-order the iPhone X!

    Guess you guys worked with them prior to the event or something?

    I noted that the 1Password they showed is the 6.9 beta build ;)

    No wonder you guys made the minimum requirement iOS 11!
    I saw the other day someone asking the 1Password twitter account if you guys will support Face ID and you said not at the moment but that you’ll pass along the feedback to the developers.
    Looks like you will be!

    • Michael Fey
      Michael Fey says:

      Thanks for the comment, Ali! We are really excited about all the possibilities Face ID opens up for us and we think it’s going to be a great, natural addition to 1Password. Much like when Apple announced Touch ID a few years ago, today’s announcement really felt like Christmas for us. I certainly can’t wait to get my hands on iPhone X. Cheers!

    • Ali Shah
      Ali Shah says:

      Share it around with the team! I hope they all get to see it, it’s awesome. I have a question, how come he is required to do Face ID twice? Once while opening the app and then the second time while clicking on a favorite?

    • Michael Fey
      Michael Fey says:

      Hey Ali, the rest of the team did indeed see it. As to why he was required to do Face ID twice…I really can’t say at the moment. I may be able to say more about that in the future, though.

    • Michael Fey
      Michael Fey says:

      Good evening Kirk, thanks for taking the time to leave a comment. Improvements to Secure Notes is actually something we’ve been talking about recently, so stay tuned!

  3. Ali Shah
    Ali Shah says:

    One more comment, I don’t know if you guys know this or not but I was watching a hands-on video of the iPhone X on the verge youtube channel.

    And the iPhone X in the video (1:50 mark) has 1Password on it! So I guess you guys already support Face ID? I wonder how you guys got all that sorted out that they have 1Password pre-loaded.

    • Michael Fey
      Michael Fey says:

      Hey Ali, I saw the same thing! I love that Apple preloaded 1Password onto those press demo machines. I’ve been keeping an eye out to see if anyone captured any footage of what Face ID looks like when unlocking 1Password. Keep me posted if you find it before I do. 😃

    • Ali Shah
      Ali Shah says:

      ;) Sounds good! Excited to see what you guys have in store for us.

      One last question, although slightly unrelated. I’m running the TestFlight build of 1PW and the first update that we all got for 6.9 was beta 5. Does this mean beta 1-4 was done internally?

      My question is, are there other builds being tested internally or from a smaller pool? Which is totally cool and fine I get it, I’m just curious. :)

      Keep up the awesome work! I love 1Password and AgileBits so much, honestly, if I could donate, I would.

    • Michael Fey
      Michael Fey says:

      Hi Ali. :) Yes, we did push out some internal builds that went to just the members of our development team before we pushed a public beta. Cheers!

  4. Matt B
    Matt B says:

    The iPhone 8 for me! I think Face ID is pretty terrible, from a usability and security perspective, at least compared to Touch ID.

    • Michael Fey
      Michael Fey says:

      Good evening, Matt! To each their own, but I will say this: Apple wouldn’t push out something this huge unless it was rock solid both from a usability and security perspective. I’m guessing that within minutes it’s going to feel quite natural to unlock with Face ID. We’ll all know for sure on November 3rd.

  5. Catalin
    Catalin says:

    FaceID is going to work only on iPhone X, which comes with iOS 11. I love iOS 11 and I plan to upgrade my iPhone 6s to iOS 11. My question is, what are the minimum requirements going to be for 1Password 6.9 once it is released to the public? I hope it won’t require iOS 11 and up as I still have an iPhone 5 with iOS 10.3.3.
    As you may know, iPhone 5 isn’t going to support iOS 11 which is okay with me because the device is 5 years old, but I am thinking about other people that can’t afford a new device. I see that the current beta of 1Password 6.9 requires iOS 11. If this won’t change, users that are on iOS 9 and 10 will be left out. If users are going to be left out, this is not a good way to move forward yet.

    Please dismiss my earlier post as it had some typos and unfinished sentences.

    • Michael Fey
      Michael Fey says:

      Hi Catalin, thanks for jumping in here. 1Password 6.9 (whose version number is almost certainly not final) will require iOS 11 when we ship it. It’s true that some older devices will not run iOS 11, but the version of 1Password they will be left with (6.8.2) is quite solid and will continue to function on those devices just the same as it does today.

  6. Patrick
    Patrick says:

    Great!

    Is FaceID another implementation, or is it transparent for the app?
    I’m just worried about possible bugs. I use 1Password too much. :-)

    Thanks,
    Patrick

    • Michael Fey
      Michael Fey says:

      Good afternoon, Patrick. From what we’ve been able to glean, Face ID works exactly the same as Touch ID under the hood, meaning there’s really very little we need to do to support Face ID in 1Password. Thanks for the question. 😃

    • Michael Fey
      Michael Fey says:

      Hey there Naveen, thanks for taking the time to leave a comment. I don’t quite follow what you’re asking, however. Could you expand a bit?

  7. Krzysztof
    Krzysztof says:

    “We actually do have a PIN code feature in 1Password that appears if you don’t have Touch ID (or in the future, Face ID) enabled. It does exactly what you describe…”

    But this is not “exactly what [I] describe”. I don’t want to disable TouchID or FaceID because they’re convenient to unlock the iPhone.

    What I want, and you say 1Password already has it, is the ability to activate the PIN feature even though I’m using TouchID or FaceID!

    Simply:

    I want to be able to unlock my phone with TouchID or FaceID
    I want to be able to unlock 1Password with a PIN

    If the feature is already present then I’d like to know why 1Password have hidden it and made it visible only when TouchID or FaceID is disabled? Are there any plans to make it visible so that users like myself can increase my security?

    I use a secure phone password exactly because I can type it in only once daily. There’s no way I’d use a secure phone password if I didn’t have TouchID or FaceID because it’d be too inconvenient.

    That doesn’t mean I should have to decrease my security (by turning off TouchID and changing to a simpler password) in order to activate your ‘hidden’ feature.

    I’m less concerned about the contents of my phone being stolen than the contents of my vaults.

    You’re 1Password, if you really care about user security then this is a no-brainer. Activate the feature.

    • Michael Fey
      Michael Fey says:

      Good morning Krzysztof, good to hear from you again. You’re right in that it’s not exactly what you’re looking for since it would require you to disable Touch ID/Face ID. While we could technically implement the ability to allow PIN right now, pretty soon that’s no longer going to be an option for us. I wish I had a better answer for you, but as of right now this isn’t something we’re going to add.

    • Ali Shah
      Ali Shah says:

      With all due respect, I actually disagree, I don’t see why you would need a PIN. I think a PIN is only needed if your device doesn’t support Touch ID, which has been on devices for years now. Touch ID is more convenient and secure; I think it would be pointless to enable the PIN at the same time as the Touch/Face ID.

      Too many options and configuration is overwhelming and confusing for the user, sometimes trade offs must be made and I think in this scenario Touch ID or Face ID covers it better than a PIN in every way in both security and ease of use.

      Yes, if someone kidnaps you it’s easier for them to unlock your device by forcing your finger to it, but realistically is that even plausible? That’s a huge edge case that’d never happen. If you were tied to a chair James Bond style you have bigger things to worry about and they honestly could just beat you to tell them the PIN lol. The PIN is almost redundant in my opinion in conjunction with Face/Touch ID.

      As for police being able to use your face as a biometric means to unlock your device just activate SOS by clicking the side button and volume button and then you have to enter the pin which they can’t get from you legally.

      Again, didn’t mean to come off rude or offensive, just stating my thoughts.

  8. Zachary
    Zachary says:

    The 10 looks very slick but I have zero interest in picking one up. I’m still one of those lingering folks who prefer the smaller screen and I still love my SE. If they can squeeze the screen and guts of the 10 into the body of an SE next year then I can easily see myself upgrading then.

    • Michael Fey
      Michael Fey says:

      Hey there Zachary, thanks for writing in. iPhone X does look very slick. It will be interesting to see where they take the SE model from here. I know you’re certainly not alone in loving the smaller form factor of that particular device.

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      I love the size and feel of the SE, too. Though I am sort of drooling over the X myself. I think that I’m like Captain Jack Sparrow and don’t know what I want.

  9. Danny
    Danny says:

    It’s so sad to see how disrespectful you are towards your customers. We’ll be reaching out to cancel our Teams Pro membership – we’ll send a message from our Admin Email address.

    You’ve been asked questions by customers and you’ve deliberately not answered them and answered something else.

    If you don’t know the answer, say so.

    If you can’t answer because of an NDR or other contractual requirement, say so.

    Don’t just ignore the question.

    1Password have been knocked in the professional security community for this doublespeak. We have to trust you to look after our data and responses like yours Michael Fey make us think that trust is misplaced.

    I don’t want to come across as rude but I’ve read a number of posts by AgileBits and they never seem to answer the question directly. The requirement for posts to be pre-approved raises my suspicions.

    As a business proprietor myself I have to ask myself very serious questions when I can’t get a straight answer from a company.

    • Will Moore
      Will Moore says:

      Hi Danny,

      Thanks so much for taking the time to add your comments here, and I want to say sorry you have not had the experience you were expecting.

      Without knowing the details surrounding this comment, I can’t address them here. What I am going to do is reach out to the email address that you have made this comment on and try and personally resolve this issue for you.

      I’ll be in touch shortly

      Thanks

      Will

  10. Tangible
    Tangible says:

    Will, I understand exactly what Danny is saying. On other forums, user comments appear immediately. On yours, comments don’t appear until you have a response ready, and that response is often repetitive boilerplate that doesn’t address the issue. This is most apparent with regard to anyone who has anything negative to say about your new subscription model.

    • Will Moore
      Will Moore says:

      Hi Tangible,

      Thanks to you for the response.

      We take the readability of the content on our blog very seriously.

      Our blog comments are often littered with spam comments and bot responses, and without moderation, the genuine conversation would be lost in the noise. We have a team of people who spend a good part of their time checking our blog for new comments, and we aim to push them live as soon as humanly possible (literally!).

      As some background, for a number of years we had our comments wide open, and did not require moderation. The previous spam filter did a good job of blocking the clutter that would get posted, but unfortunately spam-bots only get smarter and the posts are making their way through the filter. By having our comments moderated, we can make sure that the conversation doesn’t get cluttered with ads for sunglasses and the like.

      There are a few trade-offs though, and we know that, as people very much like to have instant acknowledgement that a comment is posted, like in a forum setting. We also see people making statements of us only publishing the good comments – unless a comment is spam, or extremely offensive, we post them. As a security company, we expect people to be critical of how we create 1Password and are always looking for opportunities to discuss why we think we have the best solution.

      Thanks again for your comment.

      Will

  11. Krzysztof
    Krzysztof says:

    “While we could technically implement the ability to allow PIN right now, pretty soon that’s no longer going to be an option for us.”

    That’s interesting Michael, can I ask why?

    I’ve not seen anything in the Apple Developer APIs that says they’re planning to restrict access to the keybags, keychains or anything else along those lines.

    Naturally if Apple are going to remove a feature then I can’t blame 1Password for this so I’d be really interested in hearing what the planned changes are.

    Are you saying that Apple are proposing to restrict the ability of developers to use a PIN to access keybags, keychain and force them to rely on FaceID to unlock the keybag/keychain? :shock

    • Michael Fey
      Michael Fey says:

      Hi Krzysztof. Apple isn’t changing or removing any features that we currently use, but the way in which we use them will be changing. Currently when you opt in to some form of quick unlock we store your Master Password in the device keychain. This is incredibly secure in its own right, but we can go deeper and actually store it in the device’s secure enclave. Once we do this the only way to retrieve it will be by authenticating yourself via Face ID, Touch ID, or the device passcode.

  12. Krzysztof
    Krzysztof says:

    Thanks for the additional information Michael. I can understand the design decision now you’ve explained your future projecting of storing the master password within the secure enclave.

    I suppose for convenience I could reduce the length of my master password because the entropy is adequately compensated for in the Secret Key but it’s something I’ll have to have a think about.

    Here’s hoping that Apple have got FaceID right and it’s not going to be another Steve Jobs Antennagate when he infamously told people they were holding their phone the wrong way.

    Some commentators are already criticising Apple for FaceID. The Touch Bar has been a flop on the MacBook Pro and may even be removed in the next generation.

    I don’t know why they didn’t abolish the iPhone 8 and just produce an iPhone X instead. They’re offering too much choice at the moment but that’s a discussion for another day.

    Ali Shah, the police can compel you to hand over your password in the United States. Google the case of “Francis Rawls” a former Philadelphia cop. He’s been in jail for two years and will remain there indefinitely until he hands over his password!

    The same holds true for other jurisdictions; the United Kingdom is another place where citizens can be compelled to cough up passwords or face jail.

    Very much like the Travel Mode in 1Password: CBP officers, who know of its existence, can demand you log in and deactivate the feature. When crossing borders the safest course of action is to just delete the app and then reinstall it once in the country. Travel Mode is a good feature Ali but when it comes to security you need a rich feature set to stay secure.

    I’m pleased that Apple have introduced their new panic mode because it offers an additional level of security and I’d like to see 1Password keep up by constantly adding additional features to keep everybody safer.

    I agree with other people on here, moderated comments are not pleasant. Google reCAPTCHA is very reliable these days and is difficult for spambots to circumvent.

    On the issue of Google, I have a Google Drive account and their new login screens spanning three pages aren’t very easy to use with 1Password. You get your username, password and then 2SV prompt. Even though 1Password auto-fills the fields you’ve got to keep pressing the Next button. Is there any way to automate this?

  13. Krzysztof
    Krzysztof says:

    Niels makes some excellent points which exactly mirror my thinking. I hadn’t seen his reply when I typed my last message, perhaps it hadn’t been approved or I missed his reply.

    The current situation is that if a criminal manages to bypass TouchID or FaceID then 1Password have handed them the golden master key into my vaults.

    If 1Password could be protected by an independent PIN then a criminal would have to bypass two levels of protection which is much more difficult. And a ‘1/2/3 strikes and you’re out’ before requiring the master password would make 1Password very secure.

    I understand your point about the secure enclave Michael but this is easily overcome by offering a non-default option to have a separate PIN, i.e. the master password has to be stored in the keychain which isn’t a big security risk.

    The security risk of using TouchID / FaceID to unlock the phone and 1Password (a skeleton key that gives Access All Areas) is much more insecure than storing the master key in the keychain.

    Technical users can then make their own risk assessment based upon their threat model whilst non-technical users are unlikely ever to look at the options and in any case they’d be protected by your default mode.

    Even if a non-technical user were to activate the separate PIN then they’re not realistically going to lose any security.

    By adding the already existing, but disabled, option all you are doing is increasing security. There’s really no reason not to give users the choice.

    “Let me have some conversations internally here and get back to you.”

    Please do. I’m as interested as Niels in the outcome of this and it’d be fantastic if you choose to improve your security as a result of user feedback.

  14. Krzysztof
    Krzysztof says:

    I forgot to add this to my previous post Michael. You originally said:

    “It is something we’ve considered in the past, but as I mentioned above, pretty soon this will no longer be an option for us.”

    What will happen to those users who choose to rely on a traditional PIN or password to unlock their phone? You’ll be getting rid of a lot of 1Password users.

    If 1Password demand its users use TouchID or FaceID then you’ll lose many users because government departments, police departments, local municipalities, high-security industries normally have policies forbidding TouchID (and soon to be: FaceID) because it’s not considered as secure as a PIN.

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      You and Niels make extremely good points and these are difficult questions.

      The case you make is that it would be nice to have a sort of middle road between Touch/Face ID unlock for 1Password on one end of the scale and full Master Password on the other end. And a short numeric code would fill that requirement. We certainly know this.

      We know this because we’ve been there before. When TouchID was first made available to apps, that is the direction we took. We offered TouchID unlock alongside PIN quick unlock. As our (and users’) confidence grew in the acceptability of TouchID for unlocking 1Password, we removed the PIN option for devices with TouchID.

      Our sophisticated users (that’s you all commenting on this blog post) appreciate that sort of granularity in the options and controls we offer you. But we are trying to bring top notch security to everyone. And we know that the more choices we present, particularly about security, intimidates users. They can feel that an app that presents them with a bunch of complicated security choices that they don’t understand is not for them.

      Furthermore, we’ve seen people very much misunderstand the security properties of various choices in ways that led to behaviors that were very much not in their own security and privacy interests. (Long ago, we offered “Security Levels” with a PIN for the lower level. It led to terrible confusion.) So these are the sorts of concerns we need to balance against the advantage of offering a PIN unlock instead of Touch/Face unlock on devices where Touch/Face is available.

      I’m not saying that this means that we won’t offer such a PIN. Nor am I saying that we will. It would be really nice if we had a chance to understand just how easy (or hard) it is to use Face unlock without the user’s consent. If it turns out that maliciously getting someone to “pay attention” to their phone in a way that triggers an unlock is too easy, then that would weigh heavily into our decision. I would love to see Apple’s research on this, but I doubt that that will happen. But I am confident that they have done a great deal of research on it.

      When I saw the announcement, I was hoping we could take a “wait and see” approach about adding a PIN option. It would be nice to have real experience with them prior to changing things up. And we still might do this. If we find that a lot of iPhone X users need (for security reasons) to disable FaceID for 1Password unlock and so are forced to enter their Master Passwords frequently, then we would have to offer them something like a PIN. I’m not convinced that we need to offer this to them on day one, though.

  15. Krzysztof
    Krzysztof says:

    Thank you for the considered reply Jeffrey. We will indeed have to wait and see although it’s clear what side of the fence I’m on in this debate :)

    Coincidentally Troy Hunt has been writing about this very matter today:

    https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pragmatic-security/

    I notice a few people in his comment section have made reference to 1Password – one of whom said:

    “The closest analogy is that 1Password are saying that two locks on your front door are unnecessary, all you need is one key and that gives you access to everything. It doesn’t take a genius to figure that this is highly undesirable.”

    Clearly security is nuanced but it’s true to say that the FaceID technology is getting people exercised.

    On my business phone we have a corporate policy (and is pushed to the device) that disallows TouchID; we have to use a 6 digit PIN and the wipe device after 10 incorrect attempts is enabled. For our encrypted cloud storage we again have to use a PIN.

    On my personal phone I have an alphanumeric password (I realise I’m in the minority) along with TouchID. Whilst I’m happy to unlock my phone for convenience with TouchID it’s somebody getting access to my 1Password vaults which concerns me. For my personal cloud storage I choose to use a PIN instead of TouchID so that if somebody bypasses TouchID they can’t gain access to my cloud.

    Even my bank insists on a PIN for authorising new payees. I can pay existing payees with TouchID alone.

    As 1Password contains our most precious secrets you can see why I’m concerned and why I prefer defence in depth.

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      When you use a bot to post spam to blogs, you should at least know which parameters and customizations go where. The URL you are promoting should go into the poster’s web page (I have edited out what was there), while some generic text like “great post!” or “wow that was really informative!” should go in the body.

      These spamming tools are not hard to use, but you do need to at least read the instructions.

  16. Robert
    Robert says:

    Just curious, the new ‘panic mode’ – I believe pushing the power button five times (I think), locks out touch/face ID and requires your PIN. Does it also affect 1Password such that you need your full master password? In other words, does panic mode behave like a phone restart from 1Password’s perspective. Thanks – love your product!

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      I suspect that it will behave as expected. That is “panic mode” for the phone will force that the full Master Password will be required to unlock 1Password. But I am not entirely sure at this point. We do allow for TouchID to unlock a phone after restart, and so we will need to see how these all interact.

    • Michael Fey
      Michael Fey says:

      Hey there mobilelyme. :) It’s certainly the most expensive iPhone, but it turns out there’s a whole other world of “high end” designer phones out there. I will admit that a phone wrapped in marble looks pretty awesome, though.

      I am really looking forward to getting my hands on iPhone X. Not having a home button will undoubtedly take a little getting used to, but my guess is that clicking a home button on another phone will feel awkward before too long. Are you going to be queueing up on October 27th to preorder one?
