I might misunderstand you, but why do you think that you could not select your own passwords for each app?
When you turn on biometrics to log into an app you can bypass the Face/Touch ID with the phone's password. I'm suggesting each app you want to sign into would have its own password to bypass the biometric ID. That way if someone has your phone's password they can't log in to all of the apps that have biometrics enabled.
While I let Keychain save some passwords, 1Password is my vault of record. I always change the passwords there. With our family account my wife and I can access each other's vaults but don't have to worry about getting things confused with any sort of merged vault.
When I went to all unique, strong passwords it was a royal pain, but I felt it was necessary. I would hate to have to do that now; with over 500 logins saved it would be a huge task.
I’ll throw another option into the ring that may or may not meet your needs: SafeInCloud. Pay once. Syncs to multiple cloud providers. Other features. It isn’t perfect, but it’s met my needs for the past 5 years or so, and replaced iCloud Keychain entirely.
Just saw this:
This is one reason why I am sticking with 1Password. I think the secret key provides additional protection against hacking.
I just set myself up with Proton to use a free account for my banking emails.
I’m tempted by Fastmail, since I’m moving back to 1Password. Having used this for a while, how highly do you rate Fastmail (with 1P integration)?
I haven’t used this integration that much yet (did not create that many new accounts lately), but I’m a long time (happy) Fastmail user.
So you want to have a “normal” password for each App, and in addition one that you use if you are going to bypass FaceID?
Wouldn’t this be a massive overkill!?
Just curious why you would do keychain and 1Password as backup?
1P (or any other pw manager worth anything) has very good OS integration through Apple's APIs at the moment, so would it not be easier to just do the one solution? (either Keychain or 1P?)
I’m just trying to stick with Apples options for apps and services right now. It might just be a phase but I’m trying it out.
I am staying with 1Password because I like its ability to have attachments and other information that isn't a website password, along with the ability to print out my passwords in a much nicer looking format than the Numbers document Keychain offers.
I don't think it would be massive overkill. Your phone password shouldn't be able to be used to get into apps. Each app should have its own password connected to the biometric login and have nothing to do with your phone password.
Sorry if I'm not explaining that very well through text. In my head I know what I want to say, I'm just not sure if it's coming out in text correctly.
I may be wrong, but if I reset FaceID with the passcode, each app that uses FaceID must reauthenticate with the app account password. I would have to log in to my banking app via userid/password and 2FA and then re-enable FaceID for that app.
Not really, I think (I’m very much a hobbyist here).
For biometrics, apps need to connect to a LocalAuthentication context. When users update their biometrics, the state changes. Apps can interrogate the state of the LocalAuthentication context to check if it changed and act accordingly. Or not check.
So, all good banking and password apps should be doing this, but it is not required.
For what it’s worth, none of the FaceID apps on my phone would let me in with FaceID after I changed the face. They all required me to re-enable FaceID and that required the use of the normal app-specific password.
Edit: I just saw @GraemeS’s post that it’s not required functionality. I think that it should be, but at least it seems that it is for 1Password, my banking app, and a bunch of less sensitive ones.
Making it compulsory could be heavy-handed, at least at the moment.
I’m making an app that optionally lets users lock the app using biometrics. In my use case, at the moment, if a bad actor has the user’s phone they can circumvent my security by disabling Screen Time. So, even if my app checked for changes to the biometrics and enforced use of a passcode, the bad actor could just ignore my app entirely and get in through Screen Time.
If Apple changes that, then it may be worth me reconsidering. Convenience vs. security vs. complexity will still be a consideration.
So, making that check for changes to biometrics compulsory is overkill right now I think, but I’ll be testing my banking apps’ behaviours this weekend and I’ll be unhappy with any that don’t check for changes.
Does your app use both biometrics and a passcode, or just biometrics? If it’s the latter (or if the latter is possible) then I’d be willing to amend my statement so that it should be compulsory only for apps that require a passcode and use biometrics as a convenience rather than for apps that use biometrics as a sole means of identification.
@Ben_Wah is not wrong, and talking about something different.
If your FaceID is not going through, either because of the wrong face or because you are simply tilting the phone away from you, you can unlock the apps by entering your phone password, which in most cases would have been the 4-digit passcode.
So if someone has got this, which could be prevented by certain measures already covered in these threads, this person is also able to get access to apps protected by FaceID!
That is something Apple might really address, and maybe change it at least into the Keychain password.
P.S.: This should have been a general reply, and not special to the last post from ACautionaryTale, sorry for that!
I feel attacked!!! (I’m kidding, just in case anyone takes me seriously, which is almost never a good idea)
I did misunderstand Ben's point though and thought that it referenced the fact that a phone passcode could be used to change (and therefore bypass) biometric authentication.
Is this universal? I just tried it on one app and it didn’t work; the app logged me out after it didn’t recognize my face after two attempts.
Interesting question. I tried it with Day One and two other apps, and they asked me only for the phone code, but prompted by your question I also tried DTTG and my banking apps, and those require their individual password to continue without FaceID.
So it obviously depends on the developers of the apps how this is handled.
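The two behaviours discussed in this thread (an app checking whether the enrolled biometrics changed since it last trusted them, and an app refusing to let the device passcode stand in for Face ID) both come down to how the developer uses LocalAuthentication. The following Swift is an added illustration written for this page; it is not code from any of the apps mentioned. It assumes the app already has its own password check (`verifyAppPassword` is left to the caller) and uses a hypothetical storage key `biometryDomainState` for the last-trusted enrollment state.

```swift
import Foundation
import LocalAuthentication

// Added example, not code from any app in the thread.
// Assumptions: the app has its own password login (not shown); the last
// enrollment state it trusted is persisted under the hypothetical key
// "biometryDomainState". UserDefaults is used here for brevity; in a real
// app put that value in the Keychain.

enum GateResult {
    case unlocked
    case requireAppPassword(reason: String)
}

final class BiometricGate {
    private let stateKey = "biometryDomainState"   // hypothetical key
    private let defaults = UserDefaults.standard

    /// Try to unlock with biometrics only. Any failure, and any change to the
    /// enrolled faces/fingers, sends the user to the app's own password.
    func unlock(completion: @escaping (GateResult) -> Void) {
        let context = LAContext()
        // Hide the "Enter Passcode" fallback button entirely.
        context.localizedFallbackTitle = ""

        var error: NSError?
        // .deviceOwnerAuthenticationWithBiometrics accepts Face/Touch ID only.
        // .deviceOwnerAuthentication would also accept the device passcode,
        // which is exactly the behaviour the thread is worried about.
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                        error: &error) else {
            completion(.requireAppPassword(
                reason: error?.localizedDescription ?? "biometrics unavailable"))
            return
        }

        // evaluatedPolicyDomainState is an opaque blob that changes whenever
        // the set of enrolled biometrics changes (e.g. a new face is added).
        guard let currentState = context.evaluatedPolicyDomainState else {
            completion(.requireAppPassword(reason: "no enrollment state"))
            return
        }
        guard let trustedState = defaults.data(forKey: stateKey) else {
            // Face ID was never bound to an enrollment: password first.
            completion(.requireAppPassword(reason: "biometrics not yet enabled"))
            return
        }
        if trustedState != currentState {
            // Enrollment changed since we last trusted it. Someone with the
            // device passcode can add a face, so do not honour it until the
            // account owner proves themselves with the app password.
            completion(.requireAppPassword(reason: "biometric enrollment changed"))
            return
        }

        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock your vault") { success, evalError in
            if success {
                completion(.unlocked)
            } else {
                // Includes LAError.userCancel, .biometryLockout, etc.
                completion(.requireAppPassword(
                    reason: evalError?.localizedDescription ?? "biometric check failed"))
            }
        }
    }

    /// Call this only after a successful app-password login, so Face ID is
    /// (re)bound to whatever is enrolled right now.
    func trustCurrentEnrollment() {
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                        error: &error),
              let state = context.evaluatedPolicyDomainState else { return }
        defaults.set(state, forKey: stateKey)
    }

    /// Called when the user turns Face ID off in the app, or on logout.
    func forgetEnrollment() {
        defaults.removeObject(forKey: stateKey)
    }
}
```

The comparison of `evaluatedPolicyDomainState` is the check the thread describes as optional: Apple provides the value but does not force apps to look at it. An alternative that pushes the work onto the OS is to store the app's unlock secret in the Keychain with the `.biometryCurrentSet` access-control flag, which makes the item unreadable after any enrollment change. Note that on iOS 18 and later Apple deprecates `evaluatedPolicyDomainState` in favour of `context.domainState.biometry.stateHash`; the logic above is the same with that property swapped in.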