Quick Unlock: TouchID timeout

[PatrickR]

 

The introduction of Quick Unlock by TouchID is a huge step forward for the usability of Enpass. However, in my opinion the promised perfect balance between convenience and security is still unmet due to the lack of a critical part: TouchID timeout.

TouchID is not 100% secure as demonstrated by security researchers who were e. g. able to replicate working fingerprints for TouchID. The logical consequence would be to disable TouchID in Enpass completely. However, this would not only eliminate the convenience benefit but also increase the risk of shoulder surfing.

The solution is an adjustable timeout deciding whether TouchID will unlock Enpass or if the master password is required. In my previous password manager, I set it to one hour which is the perfect security/convenience tradeoff in my use cases.

Patrick

Note: I have suggested this security fix in 2017 where @Anshu kumar announced it being part of the next major update. Unfortunately, it still does not seem to be present in the current iOS version:

Since the old thread is now locked, I had to create a new one.

 

Edited June 5, 2022 by PatrickR