Quick unlock with Touch ID or PIN in iOS (Security)

Since the first release of Enpass we have received a lot of requests for quick unlock with a PIN code, as it gives you the convenience of not typing a lengthy master password each time. Apple's recent release of the Touch ID API to developers on iOS 8 further strengthened this case. With the release of Enpass 4.5, quick unlock can be enabled using either Touch ID or a PIN code.

However, it was not an easy job. We had to do all the hard work to keep a perfect balance between security and convenience. Here is how we achieved this goal.

Challenges

iOS frequently closes Enpass in the background to reclaim memory for other running apps. The next launch is therefore a fresh start of the app, and your master password is again required to unlock the keychain. This causes unpredictable behavior, because the master password is sometimes asked for even when quick unlock is enabled. Hence, no convenience.

Solution

We need your master password to be stored somewhere so that we can unlock the keychain even after Enpass has been closed. Fortunately, the iOS Keychain provides a way to store your master password in a secure place that only Enpass can access. When you enable Touch ID or PIN code on your iOS 8 device, Enpass stores an obfuscated version of your master password in the iOS Keychain.

Security

Your master password is the only key to access Enpass, and we take all precautions to secure it. When you enable Touch ID or PIN code on an iOS 8 device, your master password is saved in the iOS Keychain. Before that, it is first obfuscated by Enpass and then encrypted with your device's hardware encryption key. This process makes it accessible only to Enpass, and only if the device is unlocked with the passcode.

Your master password does not leave the device in any case, neither through iTunes backups nor through iCloud Keychain.

Quick unlock can only be enabled if you have set a device passcode. When you disable the device passcode, quick unlock by Touch ID is also disabled. If a quick unlock attempt is unsuccessful, Enpass erases the master password from the iOS Keychain and asks for the master password to unlock Enpass. On a successful attempt it is saved in the iOS Keychain again. If you disable quick unlock from Enpass settings, Enpass erases the master password from the iOS Keychain.
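
The storage rules described above (readable only while the device is unlocked, only when a passcode is set, never included in backups or iCloud Keychain, erased on a failed attempt) match what the iOS 8 Keychain accessibility class `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` provides. The sketch below is an added example, not Enpass's own code: the post does not say which Keychain attributes Enpass uses, so the accessibility class, the service and account names, and the function names are assumptions, and the obfuscation step is left to the caller.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; not Enpass's real values.
let service = "com.example.vault.quickunlock"
let account = "master-secret"

enum QuickUnlockError: Error { case keychain(OSStatus) }

// Attributes that identify the single quick-unlock item.
func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

/// Erase the stored secret: called after a failed quick-unlock attempt
/// and when the user turns quick unlock off.
func eraseSecret() throws {
    let status = SecItemDelete(baseQuery() as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw QuickUnlockError.keychain(status)
    }
}

/// Store the already-obfuscated secret: called when quick unlock is enabled
/// and again after the user has unlocked with the full master password.
func storeSecret(_ obfuscated: Data) throws {
    try eraseSecret()  // replace any earlier item instead of failing on a duplicate
    var attrs = baseQuery()
    attrs[kSecValueData as String] = obfuscated
    // Assumed class: readable only while unlocked, requires a device passcode,
    // excluded from backups and sync, deleted by iOS if the passcode is removed.
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw QuickUnlockError.keychain(status) }
}

/// Load the secret for a quick unlock. Returns nil when no item exists
/// (never enabled, erased after a failure, or the passcode was removed).
func loadSecret() throws -> Data? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw QuickUnlockError.keychain(status) }
    return result as? Data
}
```

With this class, `storeSecret` fails on a device that has no passcode, which is why a `nil` from `loadSecret` has to send the user back to the full master password prompt.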