by fr0styMatt2 3929 days ago
Can this be a problem on mobile?

I have a long master passphrase - too long to type on a touchscreen keyboard in any convenient amount of time and where there's a non-trivial risk that somebody peering over my shoulder (think - using it on the bus) could spy it. So in that case I resort to using the fingerprint-unlock feature (which I assume is the security equivalent of 'save master passphrase' or at least token).

I am aware that this might open me up to other attacks - an adversary dusting my fingerprints off my tablet, etc. Curious though as to whether this is an attack vector for the same or a similar type of process to what the authors are describing (haven't read their blog post, just the Black Hat description).


Fingerprint unlock on iOS puts something equivalent to the master password in the iOS keychain for 1password. Only when your fingerprint is verified does the 1password app get it.

So at the very least you still have your passwords kept in a relatively secure keychain manager and not inside the app stored in plain text of some sort.
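The keychain gating the comment above describes (the app never sees the fingerprint; the OS only hands over the stored secret after a successful match) looks roughly like the following in Swift. This is an added illustration using Apple's public keychain and LocalAuthentication APIs as they are named today; it is not 1Password's code and the service/account names, the `KeychainError` type and the prompt text are placeholders chosen for the example.

```swift
import Foundation
import Security
import LocalAuthentication

// Placeholder identifiers for this example; a real app would use its own.
let exampleService = "example.vault"
let exampleAccount = "master-key"

enum KeychainError: Error {
    case accessControl(CFError?)
    case status(OSStatus)
}

/// Store `secret` as a keychain item that iOS only decrypts after the current
/// enrolled biometrics pass. kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
/// means the item cannot exist without a device passcode and never migrates to
/// another device through a backup restore.
func storeUnlockSecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,   // item is invalidated if a finger is added or removed
        &cfError) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }

    // Remove any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    let match: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: exampleAccount,
    ]
    SecItemDelete(match as CFDictionary)

    var add = match
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Read the secret back. The OS presents the biometric prompt itself; the app
/// receives the plaintext only after the match succeeds.
func readUnlockSecret() throws -> Data {
    let context = LAContext()
    context.localizedReason = "Unlock your vault"   // placeholder prompt text
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: exampleAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        guard let data = result as? Data else { throw KeychainError.status(errSecDecode) }
        return data
    case errSecUserCanceled, errSecAuthFailed:
        // Cancelled or failed biometrics: treat exactly like a wrong master password.
        throw KeychainError.status(status)
    default:
        throw KeychainError.status(status)
    }
}
```

Two design points worth noting: `.biometryCurrentSet` (rather than `.userPresence`) refuses the passcode as a fallback and voids the item if the enrolled fingerprint set changes, so an attacker who adds their own finger cannot inherit access; and the `ThisDeviceOnly` protection class is what keeps the stored secret out of any backup that could be restored elsewhere.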

About iOS fingerprint: while a judge can not compel you to type in a password, I have heard that they can compel you to swipe your fingerprint. Something to consider when deciding whether to enable fingerprint access to your smart phone login or other sensitive credentials (e.g. Password manager keychain credentials).

http://jolt.law.harvard.edu/digest/telecommunications/court-...

(Fwiw - I use LP, no master password saved, no iOS finger print access)

I wish there was a way to combine a simple 4-6 digit pin with fingerprint; it'd certainly make an attack on a physical device more cumbersome, especially if the rejection happened after the TouchID so the error was obfuscated on what failed.

Your fingerprints are already on the phone, they don't need to ask. After getting access to the phone owner's accounts and data they can use other investigation methods to get proof that can be used in a trial. tl;dr, fingerprints are a password replacement only against people that can't read them.
I do the same thing.

The rationale I use personally is that the master password might be stored in a retrievable format on my phone, but the phone itself is encrypted (iOS 8). And the convenience factor is strong enough (it's really convenient!) that I'm not discouraged from using strong passwords like I otherwise might be.

Unless someone sneakily borrows my phone and fingers while I'm sleeping, I don't think I'm at much risk.

iOS has pretty restrictive sandboxing; it's unlikely that an attacker could get at LastPass's data without root and unlikely that an attacker could get root on your iPhone in the first place.

It could, however, mean that your master password is in a cleartext or Apple-recoverable iTunes (local) or iCloud backup of your phone.