First off, I want to echo the frustrations voiced by many on losing control of when to require the master password to be input, whether it be "Never" or, as 1p7 allowed, 1 hr, 1 day, ..., "After Device Restart". It is this last one ("After Device Restart") that I miss the most. I want to be sure that if I turn off the phone, the master password will be required the next time. What's worse? Unlike what the moderators are saying, on iOS on my phone, Face ID always remains available, regardless of the number of incorrect tries. You can try this on your phone...close your eyes and try to unlock with Face ID. After a couple of attempts, it gives you the option to enter the master password, but the invoke FaceID button remains on the right, and you can click it and try again, and again, and again..... At least on the Mac 1p8, it does indeed force you to enter the master password after a couple of incorrect TouchID attempts. This is a horrible situation for people that may be in vulnerable positions, with someone trying an unlimited attempts to unlock your 1pW. Please tell me you know about this and are fixing it! Oh, and please sync last unlock (agree with others that being forced to unexpectedly enter the password in strange locations is not good) across devices, and please please bring back the option to require master password After Device Restart. 1Password Version: 8.9.0 Extension Version: Not Provided OS Version: iOS 15.6 Browser:_ Not Provided

Wow, allowing FaceID after several failed attempts is a major issue. There’s a reason iOS and pretty much any other app only give you a few tries.

If you care about your security posture, delete 1pw8 immediately and use 1p7 until this is fixed. The radio silence on many of these critical issues points to 'we don't really care about you users anymore'. Sigh.

Please bring back the options to allow users to: - set when to require the master password to be re-entered (why is this hardcoded to two weeks in 1p8?) - force lock the app manually, which should require the master password to unlock (just like the behaviour in 1p7) Those two features were present in 1p7, but not having them in v8 feels like a major security oversight.

Former Member

4 years ago

Security Regressions in 1Password 8 for iOS

First off, I want to echo the frustrations voiced by many on losing control of when to require the master password to be input, whether it be "Never" or, as 1p7 allowed, 1 hr, 1 day, ..., "After Device Restart".
It is this last one ("After Device Restart") that I miss the most. I want to be sure that if I turn off the phone, the master password will be required the next time.
What's worse? Unlike what the moderators are saying, on iOS on my phone, Face ID always remains available, regardless of the number of incorrect tries.
You can try this on your phone...close your eyes and try to unlock with Face ID. After a couple of attempts, it gives you the option to enter the master password, but the invoke FaceID button remains on the right, and you can click it and try again, and again, and again.....
At least on the Mac 1p8, it does indeed force you to enter the master password after a couple of incorrect TouchID attempts.

This is a horrible situation for people that may be in vulnerable positions, with someone trying an unlimited attempts to unlock your 1pW.

Please tell me you know about this and are fixing it!

Oh, and please sync last unlock (agree with others that being forced to unexpectedly enter the password in strange locations is not good) across devices, and please please bring back the option to require master password After Device Restart.

1Password Version: 8.9.0
Extension Version: Not Provided
OS Version: iOS 15.6
Browser:_ Not Provided

ios

15 Replies

Former Member
4 years ago
Please bring back the options to allow users to:
- set when to require the master password to be re-entered (why is this hardcoded to two weeks in 1p8?)
- force lock the app manually, which should require the master password to unlock (just like the behaviour in 1p7)

Those two features were present in 1p7, but not having them in v8 feels like a major security oversight.
mburnett
Occasional Contributor
4 years ago
+1000000
Former Member
4 years ago
If you care about your security posture, delete 1pw8 immediately and use 1p7 until this is fixed. The radio silence on many of these critical issues points to 'we don't really care about you users anymore'.
Sigh.
Former Member
4 years ago
Agree with both points!
AMonitorDarkly
Super Contributor
4 years ago
Wow, allowing FaceID after several failed attempts is a major issue. There’s a reason iOS and pretty much any other app only give you a few tries.

Forum Discussion

Security Regressions in 1Password 8 for iOS

15 Replies

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

UGOS UGreen NAS MFA

Windows 11 setting default password generation

1Password fails to provide applicable password for some well known sites with requirements

Android 1password face biometrics

Safar extension - "Connection Error"