Finally a good use for Touch ID: 1Password

Summary: The folks at AgileBits are one of the first developers out of the gate with three powerful uses for the fingerprint sensor built into the iPhone 5s.

At WWDC14 Apple announced that it was opening up Touch ID to all developers. AgileBits, developer of the popular password vault 1Password, has demonstrated several promising new applications of the biometric fingerprint sensor built into the home button on the iPhone 5s.

In a blog post and accompanying video, AgileBits shows how Touch ID can be used to:

  1. unlock the 1Password app (replacing the master password)
  2. enter passwords in Safari (via the 1Password browser extension), and
  3. enter login credentials into third-party iOS apps (via the 1Password app extension)

Make no mistake about it, this is revolutionary. These three features alone make Touch ID a viable and powerful security technology, a generation ahead of the anemic unlock code and App Store purchases that Touch ID is limited to today. 

Some caveats: the new wizardry requires an iPhone 5s (the only iOS device with Touch ID, currently), iOS 8 (currently only available to developers), the 1Password beta for iOS (the beta program is full) and a bit of courage. After I saw the video above, I immediately backed up my jive and installed iOS 8 beta 5 on my iPhone 5s. I had to have it because I use 1Password at least 10 times per day. 

Having a unique password for everything is important and there's no easy way to use an iPhone securely without constantly having to launch 1Password to look up your logins. Sure, you can save website passwords in iCloud Keychain, but it only works with Safari and it doesn't work with app logins.

For me, iOS 7's automatic app updates are the primary culprit. My apps update themselves all the time and log me out in the process, necessitating a trip to 1Password to find my login information. In fact, if you're not constantly looking up app logins in a password manager, you either a) have a great memory, or b) are using the same password(s) to log into all of your apps. Which is why the three new Touch ID features in the new 1Password beta are so powerful.

AgileBits developers and fearless leader Dave Teare deserve major kudos for hitting this one out of the park. It's amazing. Being able to unlock 1Password, enter passwords in Safari and in third-party apps with your finger (thanks to Touch ID) is a revolution for personal security. And to wrap it all up with a giant bow, AgileBits has published their 1Password App Extension code on GitHub so that any developer can add it to their app. Developers, please take advantage of this trail that AgileBits has blazed and implement the 1Password App Extension into your apps. This is a major feature that will be the standard by which all iOS 8 apps will be judged, especially when all new iOS devices ship with Touch ID.

Here's the video of it in action:

If you'd like to see a live demo of the future of password security I'll be demoing the new 1Password beta for iOS at the Atlantic City Macintosh User Group (ACAMUG) tonight, Friday, August 8, 2014 at 7:00 p.m., in Linwood, NJ. I hope to see you there.  

Talkback

21 comments
  • I wouldn't use it

    You've got a device with your fingerprints all over it unlocked by a fingerprint. I wouldn't use it at all.
    Buster Friendly
    • Pffft...

      Silly boy, I'll bet you have your passwords taped to the underside of your keyboard and written in a notebook.
      If they have your machine, all bets are off...but you will have already borked it remotely, or do you really think someone is following you around with a matching rubber finger, just on the off chance?
      frogspaw
      • Nifty but how realistic?

        For personal use potentially. For work ..... chuckle - Nope. If biometrics are utilized, fp scanners are persona non grata.
        rhonin
      • Big market in stolen phones

        There's a big market in stolen phones. If they can also get all your passwords with a fairly simple fingerprint lift that's even more lucrative. You could find your phone gone and your bank account empty.
        Buster Friendly
        • You haven't been paying attention

          Tried and failed. Good luck stealing my fingerprint and making a spoof work. The only successful implementation of this, as outlined below, was in a lab and highly controlled environment... The Apple implementation of fingerprint authentication has held up to the scrutiny. It's not at all the same as the Android vendors have implemented.
          baerjamin1
          • That's false

            No, that's completely false. Don't lie about security issues especially.
            Buster Friendly
          • You also need to pay attention

            Look up the FIDO alliance. Apple is at risk of falling behind...
            Batcatcher
        • You just report your phone stolen

          Your fingerprint never leaves your device...
          If you want to learn more - look up the FIDO alliance.

          This is the future - like it or not...
          Batcatcher
        • Wrong

          If your phone is stolen, and they restart it, they have to know your four-number password as well. iOS requires it before it will allow it to unlock anything with a fingerprint. Second, the minute you know your phone is stolen, you lock it and wipe it. There's no way to stop it once the command is given. Once the phone sees the Internet, it checks home and then wipes. Not even Apple can prevent it from happening once you've issued the command. Happened to me when I thought I left my iPad on a plane.

          I could hardly blame Apple for my having to restore my iPad from a backup. Which leads to, make sure you have everything backed up all the time!
          ewelch
    • Speak up when you know...

      ...what you're talking about.

      This is what I've been waiting for. 1Password is the best password manager on the planet. It works in iOS, OS X, Android and Windows. So all your devices can be securely managed with good passwords with minimal fuss. And this just put the iPhone 5s in front of everything else out there at Apple and elsewhere for this particular need.

      I'm stoked. I'd almost pay the $99 to get into the paid developer program to get iOS 8 and try this, but I think I'll wait for the final product.

      By the way, 1Password has a sale going on right now. And the iOS 8 update will be free. Worth taking a look. I have no connection to Agilebits other than being a satisfied customer most of the time (annoyed a bit occasionally when a bug rears its ugly head). My stuff is way more secure thanks to them.
      ewelch
  • Ah, it can't be done with just a fingerprint

    First it needs to be a very legible print. Then it needs to be built up into a good 3D image. Next the image is used to make a mold, which is then used for a thin latex copy. Last, the latex copy has to be positioned just right on a living person's digit. That is what the hackers did. I don't think you'd get a very legible print off a phone.
    romad@...
    • Yes, you can do it easily

      Just look at your phone at an angle and you'll spot several clear prints. It's been done. There's videos on how to do it. If there's money in it people will do it. No amount of lying or spin will change those facts. Apple should have never used that obsolete technology but they needed a new gadget to sell.
      Buster Friendly
      • define "easily."

        "There's videos on how to do it."

        AFAIK, they all require some equipment beyond what most people have.

        Sure, if somebody really wants your phone bad enough, they'll go to great lengths to crack it. But then again, they'll likely just jailbreak or root the phone, no rubber fingers required.

        Also, having to login via a rubber finger every time may arouse suspicion (you can't reset the phone to a fresh, resellable state without the password as well).

        "No amount of lying or spin will change those facts."

        Nobody's lying or spinning, you've simply got a different idea of what "easily" is. The goalposts for "easily" are in different positions, you haven't agreed upon a common definition.
        CobraA1
        • Defined as

          Easy is defined as you could probably do it right now with stuff you already owned. You need a digital camera, a laser printer, and some glue. It's explained in this zdnet article:

          http://www.zdnet.com/apple-iphone-fingerprint-reader-confirmed-as-easy-to-hack-7000021065/
          Buster Friendly
  • There is no burglar proof safe

    and there is no hacker proof authentication method. No safe will stand up to nitroglycerin or oxyacetylene torch. Similarly, no digital authentication will stand up to sufficiently skilled well-financed hackers. Locks are only good to take temptation away from honest people.
    arminw
    • Problem is

      The problem is it can be hacked by a low skilled, unfinanced hacker.
      Buster Friendly
  • Information storage and multiple purchases

    It looks like you need to purchase the PC or Mac version and utilize the sync function or else you'll need to do a lot of typing on your iPhone.

    My bigger concern though is if your information is viewable in plain English on Dropbox or iCloud? Say you only have the iPhone version and your phone becomes lost, stolen or destroyed? Will you be able to view your login information?
    MajorlyCool
    • encryption and access w/o client

      @MajorlyCool 1password files are stored encrypted on dropbox/icloud. As I understand it they are encrypted before even transferring- so all of that should be very safe. I think there is an option to include a primitive password manager in the synced files so all you need to get at your stored passwords is the proper login to dropbox/icloud and the additional password for 1password from any device.
      tearfang@...
  • better security for the way ppl actually use their phones.

    This is great bc it finally allows a practical way to have unique passwords for everyone. This is a feature once your phone is unlocked. And instead of typing in a password for your password manager (which is so cumbersome most ppl won't do) you can use your finger print which is smooth enough ppl will actually do it. The concerns raised here about using the fingerprint for unlocking the phone is a separate discussion- this is a feature for once your phone is already unlocked.
    tearfang@...
  • "Revolutionary?"

    You've got to be kidding me. Looks like nothing more than a password vault that requires a bunch of extra steps (to pull up a fingerprint dialog) before it'll put in your pre-saved userid and password.

    VERY clumsy and time consuming.
    techrepublic@...