Thursday, September 18, 2014

1Password 5: Touch ID and Safari/App Extensions

As I said, I was really excited about this. So far, it has not quite worked out the way I expected.

The Safari extension prompts me for my master password every single time, even though I have set the master password timeout to 30 days.

The app itself sometimes lets me in via Touch ID but usually asks for my master password. I understand that the app needs to be running in order to keep the master password in RAM, but something doesn’t seem right here. It happens even in situations where it seems impossible for the app to have been quit by the OS.

There is an option in the Advanced preferences to store the master password in the iOS keychain. This seems like it would address the problem, but it also seems potentially dangerous. It shouldn’t be necessary unless there is a memory shortage.

In Riposte (which I’m trying since Netbot crashes on iOS 8), there is indeed a button to access 1Password and search for “app.net”. However, there didn’t seem to be a way to get it to enter the username and password; I had to copy and paste them.

Surprisingly, 1Password lets me use third-party keyboards to type usernames and passwords, though not the master password.

Update (2014-09-23): I heard back from AgileBits support. The main issue seems to be that (a) a new instance of the 1Password extension is launched each time it’s used, so it cannot remember anything between invocations, and (b) the extension cannot communicate with the running 1Password app to get the master password. Therefore, the extension will prompt for the master password every time unless you enable the option in the 1Password app to store the master password in the iOS keychain.

Update (2014-10-04): Even when using the option to store the master password in the iOS keychain, I am finding that the 1Password app pretty regularly prompts me to enter the master password instead of offering me Touch ID.

15 Comments RSS · Twitter


have you got the 1Password app set to lock on exit?

I found that it would never prompt for Touch ID when I opened the app unless I set it to lock on exit. After that it works sometimes.


Michael, I'm sorry for the trouble you're having. Have you written to our support team at support@agilebits.com? We have been working on some bug fixes for issues that sound related to what you're describing, but it would be worth having a look just to be sure.

As for Riposte, I believe this is still using our old URL scheme based approach and not the new native extension. You can see the native extension in apps like Slack, Simple, and Instapaper among some others that are currently available: http://blog.agilebits.com/2014/09/18/1password-5-ios-8-app-extension/

If we can help with anything else, please let our awesome support team know. They're obviously dealing with very high loads right now but I will ask someone to look out for your email specifically to make sure we get to you soon.

Thanks for using 1Password!

--
Jamie Phelps
Code Wrangler @ AgileBits


Nope, even setting that option to store the master password in the iOS keychain doesn't fix it. I'm surprised it seems so poorly thought out.


Touch ID does not replace the master password in 1Password.

Instead, Touch ID is used to protect the master password stored in the iOS keychain. If you disable the "Advanced > Using iOS Keychain" setting then you will have to enter the master password every time 1Password is relaunched. The keychain item stored with the most secure keychain attributes we could use.

Unfortunately, we made a mistake in the initial release and it is affecting a lot of users. There is a timeout value for master password that is set to 10 min by default. When Touch ID is enabled, we should be increasing this value to 24 hours or maybe even 30 days. If this value is not changed then you are forced to enter the master password after 10 minutes even if Touch ID is enabled.

Dave Teare posted a screenshot of his settings here:
http://email.agilebits.com/t/ViewEmail/r/0E070B0706366D9F/C67FD2F38AC4859C/

Please see if similar settings make Touch ID work better for you.

We also found a couple of other issues that might be forcing 1Password to ask for master password instead of using Touch ID. We hope to get them fixed asap.


@Jamie Thanks for explaining the Riposte situation.

Yes, I had e-mailed your support team the day before I wrote this post. The reply from Rob was that I should increase the master password timeout, which I had already done (but perhaps not communicated clearly in my initial e-mail). At your prompting, Kyle reviewed my case and basically replied with all the information from your forum that I had already linked here. So this is still a mystery to me.


@Roustem As my post says, I have the master password set to 30 days. I am not using the iOS keychain. With these settings, I would expect that I do not have to type the master password (for either the app or the extension) as long as the 1Password app is still running (not quit by the OS). Am I misunderstanding how it’s expected to work?

Have you seen the bug that @Nicholas mentioned?


@Michael, I got some additional useful info after posting in the forum thread you linked to:

https://discussions.agilebits.com/discussion/comment/143048/#Comment_143048

Specifically:

"If you have 'Use iOS keychain' enabled in Settings > Advanced, 1Password will store the Master Password in the iOS keychain. It is stored temporarily and is never synced to your other devices. If TouchID fails, or you enter your Quick Unlock Code incorrectly, the Master Password is deleted from the keychain and the Master Password will be required immediately to unlock 1Password.

"Please note, if you choose not to enable the 'Use iOS keychain' option, you will not have as reliable an experience with TouchID or the Quick Unlock Code. This is because the iOS will occasionally need to close apps that are stored in the background to reclaim memory resources. If this happens to 1Password, you will be prompted for your Master Password the next time you switch to 1Password, despite what timeout your Security Settings have enabled."


@Nigel Thanks for quoting that in more detail, but those are exactly the points I was trying to make in the original post. The problem is that either there’s a bug so that it doesn’t actually work that way, or iOS is being overzealous and closing 1Password when there is no reason to.


It is really unclear how those timeouts relate in Settings → Security. I spent a few minutes staring at this screen yesterday and understood the individual explanations for the password and Touch ID lock, but not how they relate to one another.

However, I realize now that the explanation of the Master Password request is downright confusing. "1Password will lock and require your Master Password after 30 Days of being open and unused." Who in their right mind would think about leaving 1Password open for 30 days?

Another area of confusion is that the definition of "lock" seems to vary. The "Lock Now" button at the top of Security Settings appears to lock such that a password is required, whereas "Lock on Exit" in the Touch ID section refers to locking such that Touch ID is required.


Yeah, it's a very confusing situation. The whole idea of having a quick unlock code that's separate from the Master Password is not obvious, and it's very difficult to parse the security implications.

@Michael, I thought it was interesting that storing the Master Password in the iOS keychain is set up such that it's temporary. And also that it's not synced over iCloud. I didn't know these things were possible.


@Nigel The kSecAttrAccessibleWhenUnlockedThisDeviceOnly option to prevent a keychain item from being backed up has been available since iOS 4. I don’t think the keychain actually has support for saving passwords temporarily. Rather, 1Password (if it’s running) will try to notice when the set amount of time has passed and then specifically delete the item. So that part of the feature is kind of a hack.


It seems to me storing in the keychain should be safe if you have a long password. I mean if your phone is compromised, you've got major issues already with trusting your device and what you do on it.

Someone tell me if I'm wrong.


@John For most people, I think the 1Password master password would be much longer and more secure than the iPhone passcode that protects the keychain.


[…] 1Password 5.1 update seems to improve the situation with Touch ID. Most significantly, storing the master password in the iOS keychain seems to work […]


[…] Previously: 1Password 5: Touch ID and Safari/App Extensions. […]

Leave a Comment