Touch ID depends on Mac password?
Hi,
I have set up my 1Password to use Touch ID for unlocking. Once a week it requires my Master Password to re-activate Touch ID and I really enjoy the added convenience of Touch ID.
But one comment in your article regarding Touch ID security in 1Password for Mac (https://support.1password.com/touch-id-security-mac/) made me a little bit worried about how secure it is to use Touch ID at all in the case of 1Password. In the last paragraph you list three methods to protect oneself when using Touch ID, with one being:
"Don’t share the password you use to log in to your Mac. If you enable Touch ID in 1Password on your Mac, it’s important that you guard the password you use to log in to your Mac closely. Anyone who knows it can unlock 1Password."
Especially the last sentence is worrisome. So my question is: How can anyone who knows my computer password be able to unlock 1Password with Touch ID enabled?
Thanks for any additional insights on this topic.
1Password Version: 7.3.2
Extension Version: Not Provided
OS Version: OSX 10.15
Sync Type: Subscription
Comments
-
Hi,
Does nobody have any idea what this statement means?
0 -
I apologize for the delay. I had to ask our security team to look into this, as I honestly couldn't think of what this point would be referencing. It turns out that under 1Password 6 for Mac it may have been possible for someone to add a new fingerprint to Touch ID if they knew your account password, and 1Password would continue to accept Touch ID. In that way someone could access 1Password if they knew your macOS account password. This is no longer true. 1Password now recognizes if fingerprints registered have changed and requires the Master Password when that happens. The guide is being updated accordingly.
I hope that helps!
Ben
0 -
Hi @Ben, thank you for your reply and the good news that this is no longer an issue on current versions of 1Password. That is reassuring because I really enjoy using Touch ID on my Mac. Thanks again and have a great weekend.
0 -
You're very welcome. For a lot of reasons we would still recommend against sharing your macOS account password, but this specific point is no longer a concern with modern versions of 1Password. Enjoy the weekend, and please let us know if you have any further questions.
Ben
0 -
Hi @JohnnyFJohnsson,
Thanks for asking and prodding us to look at this.
I'm the person to blame for that original text. It was correct at the time that I wrote it (for 1Password 6). With 1Password 6, it would be possible for someone with your macOS login to enroll a new fingerprint for Touch ID and then unlock 1Password with that fingerprint. We've changed the way things work underlyingly with 1Password 7, so that is no longer a problem.
Obviously, we should have updated the document with the release of 1Password 7 a year and a half ago. And we are looking at how best to revise that document now. Thanks again!
–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ 1Password
https://1password.com
0 -
Hi all.
Does enabling Touch ID result in the master password or a derivative of it being stored on the device (iOS or macOS)?
If so, where in the device would it be stored?
Thanks
0 -
Hello @1pwuser31547,
In a way, yes, because that is the only way to decrypt your data, but it's not quite that simple. When you turn on Touch ID, an encrypted secret is stored in your device's Secure Enclave, a highly secure portion of your device that is used for storing secrets of this type. When your fingerprint is recognized, that secret is then decrypted and then returned to decrypt your data, all within the Secure Enclave.
You can read more about it over at https://support.1password.com/touch-id-security-mac/
0 -
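An added example, not part of the thread and not 1Password's own code: one way an app on Apple platforms can get both behaviours described above, a stored unlock secret that is released only after a fingerprint match and that stops being available once the enrolled fingerprints change. The service name is hypothetical, and the sketch assumes a signed app that is entitled to use the data protection keychain.

```swift
import Foundation
import Security

// Hypothetical service name for this example.
let unlockService = "example.vault.biometric-unlock"

// Attributes shared by every keychain call below.
private func baseQuery() -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: unlockService,
     kSecUseDataProtectionKeychain as String: true]
}

/// Call only after a successful master-password unlock. Stores a secret that
/// the system releases only to a fingerprint in the set enrolled right now.
func storeUnlockSecret(_ secret: Data) -> OSStatus {
    guard let access = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,  // not synced, not restored to other devices
        .biometryCurrentSet,                           // item is invalidated if fingers are added or removed
        nil) else {
        return errSecParam
    }
    SecItemDelete(baseQuery() as CFDictionary)         // replace any earlier item
    var attrs = baseQuery()
    attrs[kSecAttrAccessControl as String] = access
    attrs[kSecValueData as String] = secret
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Triggers the Touch ID prompt. Returns nil when the item is missing, the
/// match fails or is cancelled, or the enrolled fingerprints have changed;
/// the caller must then fall back to the master password.
func loadUnlockSecret() -> Data? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { return nil }
    return result as? Data
}
```

With `.biometryAny` in place of `.biometryCurrentSet`, a fingerprint enrolled later by someone who knows the macOS account password would still satisfy the access control, which is the situation described for 1Password 6 earlier in the thread.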
Thanks.
0 -
On behalf of Corey you're most welcome. :)
Ben
0